Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Install securedrop-log and setup #447

Merged
merged 5 commits into from
Feb 20, 2020
Merged

Install securedrop-log and setup #447

merged 5 commits into from
Feb 20, 2020

Conversation

kushaldas
Copy link
Contributor

@kushaldas kushaldas commented Feb 10, 2020

Status

Ready for review

Description of Changes

Resolves #440

Sets up securedrop-log service in related VMs. All logs should be flowing into sd-log vm.

Changes proposed in this pull request:

Testing

  • make all should have logging ready.
  • Checks logs at /home/user/QubesIncomingLogs/ directory in sd-logs vm

Checklist

If you have made changes to the provisioning logic

  • Linting (make flake8) and tests (make test) pass in dom0 of a Qubes install

  • I have added/removed files, and have updated packaging logic in MANIFEST.in and rpm-build/SPECS/securedrop-workstation-dom0-config.spec

Copy link
Contributor

@emkll emkll left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have done a quick visual (not functional) review of this PR. It looks good to me, though the ordering here may be an issue, especially with the in-place scenario. I think more explicit ordering of tasks will be helpful here. Some comments inline.

If the goal is to bootstrap logging as early as possible in the provisioning phase (to get some provisioning logs in sd-logs as well), it might make sense to apply the state to dom0 and then to sd-log early in the process, as part of a separate qubesctl call, similar to what was done in

sudo qubesctl --show-output --skip-dom0 --targets sys-firewall state.sls sd-sys-firewall-files
, where you could end with the reboot task there.

Makefile Show resolved Hide resolved
dom0/sd-workstation.top Show resolved Hide resolved
dom0/sd-workstation.top Show resolved Hide resolved
dom0/sd-workstation-template-files.sls Show resolved Hide resolved
dom0/sd-app-files.sls Show resolved Hide resolved
dom0/sd-app-files.sls Show resolved Hide resolved
@@ -0,0 +1,3 @@
[sd-rsyslog]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 templating

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Templating definitely good. We might be able to use grains["localhost"] to get the VM name, rather than passing in context every time. (See output of e.g. sudo qubesctl --skip-dom0 --show-output --target sys-firewall grains.items.) If that works, we could stick the tasks for 1) install pkg; 2) configure rsyslog in a single state file and include it, reducing a lot of duplication.

dom0/sd-log-reboot.sls Outdated Show resolved Hide resolved
@kushaldas
Copy link
Contributor Author

If the goal is to bootstrap logging as early as possible in the provisioning phase (to get some provisioning logs in sd-logs as well), it might make sense to apply the state to dom0 and then to sd-log early in the process, as part of a separate qubesctl call, similar to what was done in

Okay, trying to get this in.

@kushaldas
Copy link
Contributor Author

We need to get this merged freedomofpress/securedrop-log#12

@kushaldas kushaldas force-pushed the configure_logging_world branch from 134f890 to d082fc0 Compare February 11, 2020 12:58
@kushaldas kushaldas force-pushed the configure_logging_world branch from d082fc0 to fb88d05 Compare February 12, 2020 12:23
@kushaldas kushaldas removed the blocked label Feb 12, 2020
@kushaldas kushaldas marked this pull request as ready for review February 12, 2020 12:26
@@ -17,6 +17,11 @@ sudo qubesctl --show-output --skip-dom0 --targets sys-firewall state.sls sd-sys-
echo "Set up dom0 config files, including RPC policies, and create VMs"
sudo qubesctl --show-output state.highstate

echo "Setup sd-log vm first"
sudo qubesctl --show-output --skip-dom0 --targets sd-log state.sls sd-log-templates-files
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should be sd-log-template-files here

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the issue here is more than a typo (this is untested, merely suggesting):

sudo qubesctl --show-output --skip-dom0 --targets sd-log-template, sd-log state.highstate

I am getting an error after make clean that sd-log can't download the securedrop-log package (which makes sense because sd-log doesn't have internet connectivity, we need to apply state to sd-log-buster-template

Copy link
Contributor

@emkll emkll left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @kushaldas for the changes. I got (most) of the logging to work (and confirmed logs were flowing ) in an upgrade-type scenario with some packages left over from my previous testing (except for sd-whonix)

However, I ran into some issues after running make clean && make all. See inline for comments / suggestions.

dom0/sd-whonix-template-files.sls Show resolved Hide resolved
scripts/provision-all Outdated Show resolved Hide resolved
@@ -17,6 +17,11 @@ sudo qubesctl --show-output --skip-dom0 --targets sys-firewall state.sls sd-sys-
echo "Set up dom0 config files, including RPC policies, and create VMs"
sudo qubesctl --show-output state.highstate

echo "Setup sd-log vm first"
sudo qubesctl --show-output --skip-dom0 --targets sd-log state.sls sd-log-templates-files
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the issue here is more than a typo (this is untested, merely suggesting):

sudo qubesctl --show-output --skip-dom0 --targets sd-log-template, sd-log state.highstate

I am getting an error after make clean that sd-log can't download the securedrop-log package (which makes sense because sd-log doesn't have internet connectivity, we need to apply state to sd-log-buster-template

tests/base.py Outdated
@@ -112,3 +112,19 @@ def _fileExists(self, remote_path):
return False

return True

def logging_configured(self, vmname = ""):
Copy link
Contributor

@emkll emkll Feb 12, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 nice tests, confirm these are being run as part of make test. Note that they do introduce linting failures: https://circleci.com/gh/freedomofpress/securedrop-workstation/1815

- sd-devices
- sd-gpg
- sd-proxy
- sd-viewer
- sd-app
- sd-whonix
- sd-remove-unused-templates
- sd-log

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: empty line


sd-log-buster-template:
- sd-log-template-files
sd-log:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is required since you are shutting down this machine after provisioning the template

@@ -0,0 +1,10 @@
# -*- coding: utf-8 -*-
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is required anymore, given the qvm-shutdown sd-log call you make in ./scripts/provision-all. Am I missing something?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could also run qvm-shutdown && qvm start if we need it to be up, instead of having to maintain this complex logic

@kushaldas
Copy link
Contributor Author

While testing locally, sd-proxy-buster-template is failing to fetch repository data.

W: Failed to fetch https://apt-test.freedom.press/dists/buster/InRelease  Invalid response from proxy: HTTP/1.0 500 Unable to connect   Server: tinyproxy/1.10.0 Content-Type: text/html Connection: close   [IP: 127.0.0.1:8082]

Same for debian-security, buster, whonix repos.

@kushaldas kushaldas force-pushed the configure_logging_world branch from fb88d05 to 9433daf Compare February 13, 2020 14:33
Copy link
Contributor

@emkll emkll left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @kushaldas this is looking quite good, most logs are now flowing properly. A couple of remaining issues, specifically with the changes to make clean and pertaining to sd-whonix

  1. make clean fails, see comment inline for the possible cause of the failure
  2. Also related to make clean, there's an order of precedence issue: When running make clean, a popup indicates that the Securedrop.Log RPC policy is not there. I think we should slightly refactor the clean logic to remove the policies until the very end (see image below in [1]). Did you experience that issue yourself? What do you think?
  3. sd-whonix logs still don't flow to sd-log after make all, and the tests fail. This is because the as part of make all, which invokes provision-all script. Because whonix-gw-15 does not have the sd-workstation tag, we must explicitly apply the state to that vm. A local diff appears to resolve for me (see [2] below), but there may be room to optimize.
  4. Could you please rebase on latest master? Some tests are failing due to kernel versions

[1]
log-policy-popup

[2]

diff --git a/scripts/provision-all b/scripts/provision-all
index 72b7a73ca..5f10df63d 100755
--- a/scripts/provision-all
+++ b/scripts/provision-all
@@ -22,6 +22,9 @@ sudo qubesctl --show-output --skip-dom0 --targets sd-log-buster-template state.s
 # Make sure that the VM is in shutdown state
 qvm-shutdown sd-log
 
+# Provision whonix-gw-15 with log additions because it isn't tagged with sd-workstation (we don't want it removed after a make clean)
+sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.highstate
+
 # Format list of all VMs comma-separated, for use as qubesctl target
 # We run this after dom0's highstate, so that the VMs are available for listing by tag.
 all_sdw_vms_target="$(qvm-ls --tags sd-workstation --raw-list | perl -npE 's/\n/,/g' | perl -npE 's/,$//' )"

sd-cleanup-whonix-gw-15:
cmd.run:
- names:
- qvm-run whonix-gw-15 'sudo apt remove securedrop-log'
Copy link
Contributor

@emkll emkll Feb 13, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you probably want to do use apt remove -y here, and make clean fails with the following output at this step:

----------
          ID: sd-cleanup-whonix-gw-15
    Function: cmd.run
        Name: qvm-run whonix-gw-15 'sudo apt remove securedrop-log'
      Result: False
     Comment: Command "qvm-run whonix-gw-15 'sudo apt remove securedrop-log'" run
     Started: 11:28:08.536188
    Duration: 8211.254 ms
     Changes:   
              ----------
              pid:
                  10820
              retcode:
                  1
              stderr:
                  Running 'sudo apt remove securedrop-log' on whonix-gw-15
                  whonix-gw-15: command failed with code: 1
              stdout:

echo "Setup sd-log-buster-template vm first"
sudo qubesctl --show-output --skip-dom0 --targets sd-log-buster-template state.sls sd-log-template-files
# Make sure that the VM is in shutdown state
qvm-shutdown sd-log
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you sure this is still required? When running make all, I see in standard out:

sd-log: Shutdown error: Domain is powered off: 'sd-log'

@kushaldas kushaldas force-pushed the configure_logging_world branch from 9433daf to e33fe7e Compare February 13, 2020 17:02
@kushaldas
Copy link
Contributor Author

@emkll pushed again.

@kushaldas kushaldas force-pushed the configure_logging_world branch from e33fe7e to a40b46c Compare February 13, 2020 17:21
@emkll
Copy link
Contributor

emkll commented Feb 13, 2020

Thanks for the quick changes @kushaldas . I did another visual pass on this. I expect the order of operations for the RPC grants when running make clean still an issue here. Is this what you've observed locally in your testing?

Perhaps requiring sd-cleanup-whonix-gw-15 as part of the sd-cleanup-rpm-policy-grants step (maybe securedrop-log service needs to be stopped?) and ensuring all securedrop VMs are destroyed before sd-cleanup-rpm-policy-grants is run. The requires syntax should look similar to what you wrote in https://github.com/freedomofpress/securedrop-workstation/pull/447/files#diff-bdc48ae124ff6ab5c5028ec4ca468853R26-R27 .

Once the make clean issues been addressed, I propose the following test plan. Would you mind walking through the test plan on your workstation as well so we have good coverage here?

  • make clean
  • make all on this branch
  • QubesIncomingLogs in sd-log contains sd-app logs
  • QubesIncomingLogs in sd-log contains sd-proxy logs
  • QubesIncomingLogs in sd-log contains sd-whonix logs
  • QubesIncomingLogs in sd-log contains sd-devices logs (after exporting a file to drive or print)
  • QubesIncomingLogs in sd-log contains sd-viewer logs (after opening a submission in a dispvm)
  • make clean works as expected
  • There are no RPC popups after make clean
  • whonix-gw-15 no longer contains the syslog customizations

@eloquence eloquence changed the title Fixes #440 install securedrop-log and setup Install securedrop-log and setup Feb 13, 2020
@eloquence
Copy link
Member

@kushaldas Small note, can you put "Fixes #xxx" type descriptions in the body of a PR, instead of the title? This makes titles a bit easier to read, and ensures that GitHub picks up the PR as a linked pull request for the issue it references. I tweaked accordingly for this PR. Thanks!

@kushaldas kushaldas force-pushed the configure_logging_world branch from a40b46c to dfa5a03 Compare February 14, 2020 09:33
@kushaldas
Copy link
Contributor Author

kushaldas commented Feb 14, 2020

I have updated the PR with all of the related make clean changes.

But, I am stuck with a different problem now, securedrop-log package is not getting installed on whonix-gw-15 template.

    ----------
            ID: sd-whonix-install-logging
      Function: pkg.installed
        Result: None
       Comment: The following packages would be installed/updated: securedrop-log
       Started: 09:20:08.374351
      Duration: 28.308 ms
       Changes:   
  
  Summary for whonix-gw-15
  ------------
  Succeeded: 8 (unchanged=3)

Then, if I manually install the package, the configuration file /etc/rsyslog.d/sdlog.conf is not getting created in that template, or even in the sd-whonix vm.

I added an auditd rule to trace what is going on, I can see dpkg is creating a /etc/rsyslog.d/sdlog.conf.dpkg-new file, and doing a SYSCALL 87 unlink on that file, but the actual /etc/rsyslog.d/sdlog.conf is never being created.

The other problem I found (I am guessing this is upstream issue) is that when we remove a package (created via dh-virtualenv), the files under /opt/venvs are staying back on the OS. The nearest upstream issue I can find is this one.

I guess we will have to add somewhere in the debian packaging for some steps after uninstallation.

@emkll
Copy link
Contributor

emkll commented Feb 14, 2020

Thanks for the changes, see below for findings that should unblock you (1) as well as a regression in the make clean action I've observed (2). Let me know how the test plan in #447 (comment) goes for you.

  1. I suspect securedrop-log isn't getting installed in whonix-ws-15 because you were not specifying highstate but rather applying the sd-whonix-template-files.sls file to it. Which means it doesnt configure the fpf apt repo for whonix-ws-15, as configured in sd-workstation.top. The diff below resolved the issue for me.

  2. One other issue in make-clean doesn't remove the apt-test repo, nor the apt-test key in whonix-gw-15

one last request: let's reserve squashing prior to final merge, to make debugging/review easier moving forward.

diff --git a/scripts/provision-all b/scripts/provision-all
index 95498f424..484a1b93d 100755
--- a/scripts/provision-all
+++ b/scripts/provision-all
@@ -18,9 +18,9 @@ echo "Set up dom0 config files, including RPC policies, and create VMs"
 sudo qubesctl --show-output state.highstate
 
 echo "Setup sd-log-buster-template vm first"
-sudo qubesctl --show-output --skip-dom0 --targets sd-log-buster-template state.sls sd-log-template-files
+sudo qubesctl --show-output --skip-dom0 --targets sd-log-buster-template state.highstate
 # Provision whonix-gw-15 with log additions because it isn't tagged with sd-workstation (we don't want it removed after a make clean)
-sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.highstate sd-whonix-template-files
+sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.highstate
 
 # Format list of all VMs comma-separated, for use as qubesctl target
 # We run this after dom0's highstate, so that the VMs are available for listing by tag.

@kushaldas
Copy link
Contributor Author

@emkll the branch is ready to review again, the missing part is for make clean to remove gpg key and apt repo from whonix-gw-15 template.

Copy link
Contributor

@emkll emkll left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the changes @kushaldas , still some sd-whonix (cleanup and log configuration). I've also opened https://github.com/freedomofpress/securedrop-debian-packaging/issues/145 as a follow-up to your finding.
See inline for salt optimization (it seems like we are applying the same state twice). Could you please try running the test plan and sharing your results? Are they different from the ones I've observed below?

  • make clean
  • make all on this branch
  • QubesIncomingLogs in sd-log contains sd-app logs
  • QubesIncomingLogs in sd-log contains sd-proxy logs
  • ❌ QubesIncomingLogs in sd-log contains sd-whonix logs: logs are not flowing properly with sd-whonix, it seems like /etc/rsyslog.d/sdlog.conf is not populated.
  • QubesIncomingLogs in sd-log contains sd-devices logs (after exporting a file to drive or print)
  • QubesIncomingLogs in sd-log contains sd-viewer logs (after opening a submission in a dispvm)
  • make clean works as expected
  • There are no RPC popups after make clean
  • ❌ whonix-gw-15 no longer contains the syslog customizations: apt sources for apt-test.freedom.press are still present (this is consistent with your report)

sudo qubesctl --show-output --skip-dom0 --targets sd-log-buster-template state.highstate
# Provision whonix-gw-15 with log additions because it isn't tagged with sd-workstation (we don't want it removed after a make clean)
sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.highstate
sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.sls sd-whonix-template-files
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line is not necessary: sd-whonix-template-files is specified in sd-worksation.top so will be applied as part of the qubesctl invocation of the line directly above.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sadly it did not for me when I tried. I had to add that line to get it working :(

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you try again? Based on my local testing, removing L24 works. If the issue is the rebooting of whonix-gw-15, it may be best to qvm-shutdown --wait sd-whonix here intead of re-applying a salt file that has already been applied, as it will be more reliable

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sd-whonix or whonix-gw-15 ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

woops sorry, whonix-gw-15, if it is required

@kushaldas
Copy link
Contributor Author

Now new error for me in make all

sd-proxy-buster-template:
  ----------
            ID: topd-always-passes
      Function: test.succeed_without_changes
          Name: foo
        Result: True
       Comment: Success!
       Started: 16:27:50.119208
      Duration: 0.373 ms
       Changes:   
  ----------
            ID: dsa-4371-update
      Function: cmd.script
        Result: True
       Comment: Nothing to do, apt already fixed.
       Started: 16:27:50.139560
      Duration: 621.119 ms
       Changes:   
  ----------
            ID: /etc/yum.repos.d/qubes-r4.repo
      Function: file.replace
        Result: True
       Comment: onlyif condition is false
       Started: 16:27:50.796115
      Duration: 7676.929 ms
       Changes:   
  ----------
            ID: /etc/apt/sources.list.d/qubes-r4.list
      Function: file.replace
        Result: True
       Comment: No changes needed to be made
       Started: 16:27:58.480275
      Duration: 45.276 ms
       Changes:   
  ----------
            ID: update
      Function: pkg.uptodate
        Result: True
       Comment: System is already up-to-date
       Started: 16:27:58.535297
      Duration: 10078.442 ms
       Changes:   
  ----------
            ID: install-python-apt-for-repo-config
      Function: pkg.installed
        Result: True
       Comment: All specified packages are already installed
       Started: 16:28:09.106107
      Duration: 940.491 ms
       Changes:   
  ----------
            ID: configure-apt-test-apt-repo
      Function: pkgrepo.managed
          Name: deb [arch=amd64] https://apt-test.freedom.press buster main
        Result: True
       Comment: Configured package repo 'deb [arch=amd64] https://apt-test.freedom.press buster main'
       Started: 16:28:10.049209
      Duration: 10369.041 ms
       Changes:   
                ----------
                repo:
                    deb [arch=amd64] https://apt-test.freedom.press buster main
  ----------
            ID: sd-proxy-do-not-open-here-script
      Function: file.managed
          Name: /usr/bin/do-not-open-here
        Result: True
       Comment: File /usr/bin/do-not-open-here updated
       Started: 16:28:20.447646
      Duration: 109.193 ms
       Changes:   
                ----------
                diff:
                    New file
                mode:
                    0755
  ----------
            ID: sd-proxy-do-not-open-here-desktop-file
      Function: file.managed
          Name: /usr/share/applications/do-not-open.desktop
        Result: True
       Comment: File /usr/share/applications/do-not-open.desktop updated
       Started: 16:28:20.557018
      Duration: 6.612 ms
       Changes:   
                ----------
                diff:
                    New file
                mode:
                    0644
  ----------
            ID: sd-proxy-configure-mimetypes
      Function: file.managed
          Name: /usr/share/applications/mimeapps.list
        Result: True
       Comment: File /usr/share/applications/mimeapps.list updated
       Started: 16:28:20.564299
      Duration: 5.09 ms
       Changes:   
                ----------
                diff:
                    New file
                group:
                    user
                mode:
                    0644
                user:
                    user
  ----------
            ID: sd-proxy-configure-mimetypes
      Function: cmd.run
          Name: sudo update-desktop-database /usr/share/applications
        Result: True
       Comment: Command "sudo update-desktop-database /usr/share/applications" run
       Started: 16:28:20.572030
      Duration: 367.583 ms
       Changes:   
                ----------
                pid:
                    2480
                retcode:
                    0
                stderr:
                stdout:
  ----------
            ID: install-securedrop-proxy-package
      Function: pkg.installed
        Result: False
       Comment: Problem encountered installing package(s). Additional info follows:
                
                errors:
                    - E: Unable to locate package securedrop-proxy
       Started: 16:28:20.941578
      Duration: 678.671 ms
       Changes:   
  ----------
            ID: install-securedrop-log-package
      Function: pkg.installed
        Result: False
       Comment: Problem encountered installing package(s). Additional info follows:
                
                errors:
                    - E: Unable to locate package securedrop-log
       Started: 16:28:21.620624
      Duration: 742.331 ms
       Changes:   
  ----------
            ID: install-securedrop-proxy-yaml-config
      Function: file.managed
          Name: /etc/sd-proxy.yaml
        Result: True
       Comment: File /etc/sd-proxy.yaml updated
       Started: 16:28:22.363231
      Duration: 197.961 ms
       Changes:   
                ----------
                diff:
                    New file
                mode:
                    0644
  ----------
            ID: sd-rsyslog-for-sd-proxy
      Function: file.managed
          Name: /etc/sd-rsyslog.conf
        Result: True
       Comment: File /etc/sd-rsyslog.conf updated
       Started: 16:28:22.562321
      Duration: 39.323 ms
       Changes:   
                ----------
                diff:
                    New file
                mode:
                    0644
  
  Summary for sd-proxy-buster-template
  -------------
  Succeeded: 13 (changed=7)
  Failed:     2

@kushaldas
Copy link
Contributor Author

Found the error. The network.

@kushaldas
Copy link
Contributor Author

  • make clean
  • make all on this branch
  • QubesIncomingLogs in sd-log contains sd-app logs
  • QubesIncomingLogs in sd-log contains sd-proxy logs
  • QubesIncomingLogs in sd-log contains sd-whonix logs
  • QubesIncomingLogs in sd-log contains sd-devices logs (after exporting a file to drive or print)
  • QubesIncomingLogs in sd-log contains sd-viewer logs (after opening a submission in a dispvm)
  • make clean works as expected
  • There are no RPC popups after make clean
  • whonix-gw-15 no longer contains the syslog customizations (removing gpg key and apt repo is still left.

@kushaldas
Copy link
Contributor Author

@emkll Pushed again.

  • make clean
  • make all on this branch
  • QubesIncomingLogs in sd-log contains sd-app logs
  • QubesIncomingLogs in sd-log contains sd-proxy logs
  • QubesIncomingLogs in sd-log contains sd-whonix logs
  • QubesIncomingLogs in sd-log contains sd-devices logs (after exporting a file to drive or print)
  • QubesIncomingLogs in sd-log contains sd-viewer logs (after opening a submission in a dispvm)
  • make clean works as expected
  • There are no RPC popups after make clean
  • whonix-gw-15 no longer contains the syslog customizations

Copy link
Contributor

@emkll emkll left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @kushaldas this looks great 🎉 , working well on my end

  • make clean
  • make all on this branch
  • QubesIncomingLogs in sd-log contains sd-app logs
  • QubesIncomingLogs in sd-log contains sd-proxy logs
  • QubesIncomingLogs in sd-log contains sd-whonix logs
  • QubesIncomingLogs in sd-log contains sd-devices logs (after exporting a file to drive or print)
  • QubesIncomingLogs in sd-log contains sd-viewer logs (after opening a submission in a dispvm)
  • make clean works as expected
  • There are no RPC popups after make clean
  • whonix-gw-15 no longer contains the syslog customizations

Three comments inline to help with maintainability, otherwise good to merge from my perspective

- context:
vmname: sd-whonix

sd-rsyslog-sdlog-conf-for-sd-whonix:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add a comment here, for future maintainers, as to why this is required here and not in other VMs, where this file is handled by the sd-log package: https://github.com/freedomofpress/securedrop-log/blob/d1799b2477f4250eae43b472472df19a49f5cb75/sdlog.conf

sudo qubesctl --show-output --skip-dom0 --targets sd-log-buster-template state.highstate
# Provision whonix-gw-15 with log additions because it isn't tagged with sd-workstation (we don't want it removed after a make clean)
sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.highstate
sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.sls sd-whonix-template-files
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you try again? Based on my local testing, removing L24 works. If the issue is the rebooting of whonix-gw-15, it may be best to qvm-shutdown --wait sd-whonix here intead of re-applying a salt file that has already been applied, as it will be more reliable

- qvm-run whonix-gw-15 'sudo rm -f /etc/apt/sources.list.d/securedrop_workstation.list'
- qvm-run whonix-gw-15 'sudo apt remove -y securedrop-log'
- qvm-run whonix-gw-15 'sudo systemctl restart rsyslog'
- qvm-run whonix-gw-15 'sudo apt-key del 4ED79CC3362D7D12837046024A3BE4A92211B03C'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should also remove the prod key here: "22245C81E3BAEB4138B36061310F561200F4AD77" (the command will always return zero so we can run both even in dev, and not worry about split logic in the cleanup action.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, i will add that too.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The apt remove -y securedrop-log line is not idempotent. So far, we've been careful to ensure that make clean exits zero even if run multiple times.

Copy link
Contributor

@conorsch conorsch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a few thoughts in-line based on visual review. To be clear, I've not performed a functional review of the changes.

dom0/sd-app-files.sls Show resolved Hide resolved
- qvm-run whonix-gw-15 'sudo rm -f /etc/apt/sources.list.d/securedrop_workstation.list'
- qvm-run whonix-gw-15 'sudo apt remove -y securedrop-log'
- qvm-run whonix-gw-15 'sudo systemctl restart rsyslog'
- qvm-run whonix-gw-15 'sudo apt-key del 4ED79CC3362D7D12837046024A3BE4A92211B03C'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The apt remove -y securedrop-log line is not idempotent. So far, we've been careful to ensure that make clean exits zero even if run multiple times.

@@ -0,0 +1,3 @@
[sd-rsyslog]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Templating definitely good. We might be able to use grains["localhost"] to get the VM name, rather than passing in context every time. (See output of e.g. sudo qubesctl --skip-dom0 --show-output --target sys-firewall grains.items.) If that works, we could stick the tasks for 1) install pkg; 2) configure rsyslog in a single state file and include it, reducing a lot of duplication.

@kushaldas
Copy link
Contributor Author

Templating definitely good. We might be able to use grains["localhost"] to get the VM name, rather than passing in context every time. (See output of e.g. sudo qubesctl --skip-dom0 --show-output --target sys-firewall grains.items.) If that works, we could stick the tasks for 1) install pkg; 2) configure rsyslog in a single state file and include it, reducing a lot of duplication.

The whonix vms are showing the right vmname for grains["localhost"] or for grains["node"]. I am keeping the installation step same for now. If you say, then we can move out all the other log installations to a separate .sls file. But, then the sd-log also needs different installation (as it is the server, not the client).

@@ -15,9 +15,9 @@ sd-cleanup-whonix-gw-15:
- names:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason this cmd.run block was not moved to sd-clean-whonix.sls` ? it might make sense to centralize whonix-ws-15-specific cleanup tasks there

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doing this.

@@ -12,20 +12,15 @@ include:
- fpf-apt-test-repo

# FPF repo is setup in "securedrop-workstation" template
install-securedrop-client-package:
install-securedrop-client-and-securedrop-log-package:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Copy link
Contributor

@emkll emkll left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @kushaldas for your patience and for your excellent work. Tested your latest change as follows:

  • make clean
  • make all on this branch
  • QubesIncomingLogs in sd-log contains sd-app logs
  • QubesIncomingLogs in sd-log contains sd-proxy logs
  • QubesIncomingLogs in sd-log contains sd-whonix logs
  • QubesIncomingLogs in sd-log contains sd-devices logs (after exporting a file to drive or print)
  • QubesIncomingLogs in sd-log contains sd-viewer logs (after opening a submission in a dispvm)
  • make clean works as expected
  • There are no RPC popups after make clean
  • whonix-gw-15 no longer contains the syslog customizations

A couple of follow-ups have been identified in the reviews of this PR:

I'll leave this PR open for comments from the rest of the team, barring any objections will merge this tomorrow morning.

sudo qubesctl --show-output --skip-dom0 --targets sd-log-buster-template state.highstate
# Provision whonix-gw-15 with log additions because it isn't tagged with sd-workstation (we don't want it removed after a make clean)
sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.highstate
#sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.sls sd-whonix-template-files
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: commented out instead of deleted, might lead to confusion

@conorsch
Copy link
Contributor

Looks great. Given @emkll's thorough testing and formal approval, fine for merge. The few comments I'd given earlier are also addressed, plus we have some follow-up tickets to track (post-pilot).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Install and configure securedrop-log as part of provisioning
4 participants