ssh-over-tor and v2/v3 service migration test scenarios #4804

Closed
42 of 44 tasks
zenmonkeykstop opened this issue Sep 12, 2019 · 9 comments

@zenmonkeykstop
Contributor

zenmonkeykstop commented Sep 12, 2019

Overview

This is a tracking issue for manual tests for onion service migration scenarios for SecureDrop 1.0.0, including potential changes to the SSH-over-Tor setting.

In each scenario below, install to prod VMs or HW with the settings listed, then update settings via ./securedrop-admin sdconfig, ./securedrop-admin install, and ./securedrop-admin tailsconfig.

The scenario passes if the Source and Journalist desktop shortcuts work and use the appropriate service URL, and ssh app and ssh mon also work with the expected values in ~/.ssh/config/.

Do not attempt all scenarios! Pick a couple and claim them with a comment below, then check them off if they pass, or flag it in your comment if they don't. Scenarios are listed roughly in order of relative probability. Most live instances likely use the default SSH-over-Tor option, and switching SSH options after an install is unlikely. Individual cases are chained together to reduce the number of scenarios while keeping the effort required for each manageable.

ssh-over-tor, service-only change:

Scenario 1 (@kushaldas):

  • Install (ssh-over-tor, v2) and update to (ssh-over-tor, v2+v3)
    • verify shortcuts and ssh
  • Next, update to (ssh-over-tor, v3)
    • verify shortcuts and ssh

Scenario 2 (@kushaldas):

  • Install (ssh-over-tor, v2) and update to (ssh-over-tor, v3)
    • verify shortcuts and ssh
  • Next, update to (ssh-over-tor, v2+v3)
    • verify shortcuts and ssh

ssh-over-lan, service-only change:

Scenario 3 (@emkll):

  • Install (ssh-over-lan, v2) and update to (ssh-over-lan, v2+v3)
    • verify shortcuts and ssh
  • Next, update to (ssh-over-lan, v3)
    • verify shortcuts and ssh

Scenario 4 (@emkll):

  • Install (ssh-over-lan, v2) and update to (ssh-over-lan, v3)
    • verify shortcuts and ssh
  • Next, update to (ssh-over-lan, v2+v3)
    • verify shortcuts and ssh

ssh-only change:

Scenario 5 (@conorsch):

  • Install (ssh-over-tor, v2) and update to (ssh-over-lan, v2)
    • verify shortcuts and ssh
  • Next, update to (ssh-over-tor, v2)
    • verify shortcuts and ssh

Scenario 6 (@emkll):

  • Install (ssh-over-tor, v2+v3) and update to (ssh-over-lan, v2+v3)
    • verify shortcuts and ssh
  • Next, update to (ssh-over-tor, v2+v3)
    • verify shortcuts and ssh

Scenario 7 (@zenmonkeykstop):

  • Install (ssh-over-tor, v3) and update to (ssh-over-lan, v3)
    • verify shortcuts and ssh
  • Next, update to (ssh-over-tor, v3). Failed initially with fatal:failed to fork error on app from aptitude safe-upgrade during "Performing safe update.." task. No obvious resource hogs, install completed after app was rebooted.
    • verify shortcuts and ssh

Both change:

Scenario 8 (@emkll):

  • Install (ssh-over-tor, v3) and update to (ssh-over-lan, v2+v3)
    • verify shortcuts and ssh
  • Next, update to (ssh-over-tor, v3)
    • verify shortcuts and ssh

Scenario 9 (@emkll):

  • Install (ssh-over-tor, v2+v3) and update to (ssh-over-lan, v3)
    • verify shortcuts and ssh

Scenario 10 (@zenmonkeykstop):

  • Install (ssh-over-tor, v2) and update to (ssh-over-lan, v2+v3)
    • verify shortcuts and ssh
  • Next, update to (ssh-over-tor, v3). Failed initially with fatal:failed to fork error on app from aptitude safe-upgrade during "Performing safe update.." task. No obvious resource hogs, install completed after app was rebooted.
    • verify shortcuts and ssh

Scenario 11 (@conorsch):

  • Install (ssh-over-tor, v2) and update to (ssh-over-lan, v3)
    • verify shortcuts and ssh

Scenario 12 (@rocodes):

  • Install (ssh-over-lan, v2) and update to (ssh-over-tor, v2+v3)
    • verify shortcuts and ssh

Scenario 13 (@rocodes):

  • Install (ssh-over-lan, v2) and update to (ssh-over-tor, v3)
    • verify shortcuts and ssh

zenmonkeykstop added this to the 1.0.0 milestone Sep 12, 2019
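
The ssh half of the pass criterion in the test plan above (expected values in the ssh config) can be checked mechanically. The following is an added example, not part of the issue or of SecureDrop's own code: it classifies each HostName as a v2 onion, v3 onion or LAN address and reports hosts that do not fit the scenario's settings. The sample config, the host aliases and the mapping from settings to address kinds are assumptions.

```python
import base64, hashlib, ipaddress, re

def v3_address(pubkey: bytes) -> str:
    """Encode 32 key bytes as a v3 onion name: base32(key | checksum | version)."""
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]
    return base64.b32encode(pubkey + checksum + b"\x03").decode().lower() + ".onion"

def classify_host(hostname: str) -> str:
    """Return 'v2', 'v3', 'lan' or 'unknown' for an ssh HostName value."""
    if hostname.endswith(".onion"):
        label = hostname[: -len(".onion")]
        if re.fullmatch(r"[a-z2-7]{16}", label):   # v2: 16 base32 characters
            return "v2"
        if re.fullmatch(r"[a-z2-7]{56}", label):   # v3: 56 base32 characters
            pubkey = base64.b32decode(label, casefold=True)[:32]
            # Re-encoding the key must reproduce the name (checksum and version).
            return "v3" if v3_address(pubkey) == hostname else "unknown"
        return "unknown"
    try:
        return "lan" if ipaddress.ip_address(hostname).is_private else "unknown"
    except ValueError:
        return "unknown"

def parse_ssh_config(text: str) -> dict:
    """Map each Host alias to the HostName set in its block."""
    hosts, aliases = {}, []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        if parts[0].lower() == "host":
            aliases = parts[1].split()
        elif parts[0].lower() == "hostname":
            hosts.update({alias: parts[1].strip() for alias in aliases})
    return hosts

def mismatches(config_text: str, ssh_mode: str, services: str) -> dict:
    """Return {alias: kind} for hosts that do not fit the scenario settings.
    Assumed mapping: ssh-over-lan -> LAN IPs; ssh-over-tor -> onion versions in `services`."""
    allowed = {"lan"} if ssh_mode == "ssh-over-lan" else set(services.split("+"))
    kinds = {a: classify_host(h) for a, h in parse_ssh_config(config_text).items()}
    return {a: k for a, k in kinds.items() if k not in allowed}

# Constructed sample: a checksum-valid v3 name built from arbitrary bytes, and a v2-length name.
SAMPLE = f"Host app\n  HostName {v3_address(bytes(range(32)))}\nHost mon\n  HostName abcdefghij234567.onion\n"

if __name__ == "__main__":
    print(mismatches(SAMPLE, "ssh-over-tor", "v3"))
```

A v3 name that was truncated or mistyped fails the checksum and is reported as `unknown` rather than `v3`.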
@emkll
Contributor

emkll commented Sep 12, 2019

Noting that ./securedrop-admin setup is required prior to enabling v3 on the admin workstation, to avoid the following error when generating v3 onion service secrets:

TASK [tor-hidden-services : Generate Onion v3 keys if required the Tails admin system] *************************
fatal: [app -> localhost]: FAILED! => {"changed": false, "cmd": ["python", "/home/amnesia/Persistent/securedrop/admin/securedrop_admin/__init__.py", "--root", "/home/amnesia/Persistent/securedrop", "generate_v3_keys"], "delta": "0:00:01.352706", "end": "2019-09-12 14:45:07.696140", "msg": "non-zero return code", "rc": 1, "start": "2019-09-12 14:45:06.343434", "stderr": "ERROR (run with -v for more): '_X25519PrivateKey' object has no attribute 'private_bytes'", "stderr_lines": ["ERROR (run with -v for more): '_X25519PrivateKey' object has no attribute 'private_bytes'"], "stdout": "", "stdout_lines": []}
fatal: [mon -> localhost]: FAILED! => {"changed": false, "cmd": ["python", "/home/amnesia/Persistent/securedrop/admin/securedrop_admin/__init__.py", "--root", "/home/amnesia/Persistent/securedrop", "generate_v3_keys"], "delta": "0:00:01.231543", "end": "2019-09-12 14:45:07.692414", "msg": "non-zero return code", "rc": 1, "start": "2019-09-12 14:45:06.460871", "stderr": "ERROR (run with -v for more): '_X25519PrivateKey' object has no attribute 'private_bytes'", "stderr_lines": ["ERROR (run with -v for more): '_X25519PrivateKey' object has no attribute 'private_bytes'"], "stdout": "", "stdout_lines": []}

@rocodes
Contributor

rocodes commented Sep 13, 2019

(I can't edit the above comment)

Scenario 12 (ssh-over-lan + v2 -> ssh-over-tor + v2/v3)

  • Desktop Shortcuts are generated for v3 Source Interface and Journalist Interface addresses (you were only expecting this set of shortcuts, not these and legacy ones, correct?)
  • ssh app and ssh mon work
  • all 4 values in ~/.ssh/config work

(Note: desktop shortcuts use old SD logo.)

@conorsch
Contributor

Scenario 5 complete (updated above), no problems, moving on to scenario 11.

@zenmonkeykstop
Contributor Author

Ye are scenario-demolishing machines! @kushaldas I can take #10, haven't done my share yet.

@conorsch
Contributor

Scenario 11 complete, no problems. Thanks for preparing the wonderfully clear test plan, @zenmonkeykstop!

@rocodes
Contributor

rocodes commented Sep 14, 2019

Scenario 13 pass, no problems. Thank you @zenmonkeykstop!

@zenmonkeykstop
Contributor Author

Scenario 7 done. Ran into a reproducible issue on second upgrade, but it wasn't related to the ssh-over-tor toggle, looked more like memory constraints on the VMs.

@zenmonkeykstop
Contributor Author

Scenario 10 done. Same issue on second upgrade.

@zenmonkeykstop
Contributor Author

Resolving - release is done, thanks all for your efforts!
