Configures Tails workstations via Ansible #1803
Conversation
Reuses validation logic from the `validate` role, because why not. Added some checks for the Persistence volume, since it's required, otherwise the custom config options will be lost. Includes dedicated playbook, intended for use after the `securedrop-prod.yml` playbook finishes. Works against both Admin and Journalist Workstations. Sets the playbook to be executable as with the others.
Porting over changes from the install.sh script.
Hurray for templates! Lost the SSH username handling, however, since we don't have a stable strategy for determining whether the YAML var `ssh_users` is a list or a string. Settle that in a separate issue.
Similar to the exit message in the old `install.sh` script, we'll provide informative output to state that the configuration run is complete. It's probably not necessary to provide explicit URLs, since we have desktop icons, but preserving the messages on the web interfaces just in case it's useful. Omitted the Onion URLs for the SSH addresses, since we have SSH alias configuration, as well as a dynamic inventory script incoming.
The bash setup logic has been replaced entirely with Ansible playbooks, which afford much better error handling, along with an idempotent setup. Updates the securedrop-admin script's `tailsconfig` subcommand to target the new playbook, rather than the old install.sh script. Activates the virtualenv prior to running the playbook, same as in the `install` subcommand, otherwise the ansible-playbook binary won't be found.
Should have been included in #1782, but was missed during QA (since testing in Tails is still difficult, but getting simpler fast). We're not using a straight tor-generated "hostname" file for reading; for better or for worse, the SecureDrop playbook formats the hostname files fetched back from the servers with the `HidServAuth` prefix, so we actually need the second field in the file, not the first. Exception handling is in place to catch any IndexErrors if for some reason the file is not formatted as expected. Also made a minor stylistic cleanup to move the return statement to the end of the function, to aid in readability.
|
Had some problems connecting to SSH over Tor post-provisioning during local testing. Might have screwed up my network settings though, so will need to try again. Also noticed that the desktop icons do not appear immediately—only after a reboot of Tails. That's different behavior than we saw in Tails 2, although I'm not sure what the root cause is yet. Note that there's a minor regression presented in the Ansible logic, in that the Admin SSH username is omitted from the SSH aliases. Opened #1796 to discuss separately, so not handling in this PR. |
|
|
||
| tails_config_deprecated_config_files: | ||
| - 70-tor-reload.sh | ||
| - 99-tor-reload.sh |
There was a problem hiding this comment.
Logic like these legacy cleanup tasks isn't strictly necessary, since we're requiring Admins to install Tails 3 on a fresh stick during upgrade to 0.4. Depending on how they copy the dotfiles over, though, it's conceivable something could be dangling, so I figured better safe than sorry. Also, we know have a dedicated task list for handling legacy cleanup tasks on Tails in the future.
| subprocess.check_call(['sudo', | ||
| os.path.join(SD_DIR, 'tails_files/install.sh')]) | ||
| activate_venv() | ||
| subprocess.check_call([os.path.join(ANSIBLE_PATH, 'securedrop-tails.yml'), |
There was a problem hiding this comment.
shouldn't there be an ['ansible'... before os.path.join ? Or is there some magic making the .yml executable ?
There was a problem hiding this comment.
There was a problem hiding this comment.
I'm actually not much of a fan of the executable playbook pragma, simply because it's not common in the Ansible community. Added it here to be consistent with the tooling changes as of #1781.
|
Burning through a local install on tails now |
|
Ohhh so I hit an interesting issue -- my securedrop is cloned to |
|
To clarify -- the issue is the script is breaking in certain areas at the tailsconfig where it is looking for the tor files to mix them in the system torrc. |
|
@msheiny The new validation checks should fail out if |
|
😆 okay i see --- i had a left over So I guess we need a ticket to cover the case |
|
This messaging is confusing because I forgot that we have to specify the username currently. Would recommend taking that from the config and dropping into the sshconfig file... yes i realize there is another ticket covering the user stuff ;) |
| path: "{{ item }}" | ||
| with_items: | ||
| - "{{ tails_config_amnesia_home }}/Desktop/document.desktop" | ||
| - "{{ tails_config_amnesia_home }}/.local/share/applications/document.desktop" |
There was a problem hiding this comment.
I would add that you should also remove Report_an_error.desktop and tails-documentation.desktop. These icons clutter the desktop and our users are likely hitting errors with SD --- if anything I would add a link to OUR website and OUR docs. That second part can be a new PR (up to you) but I think the removal of existing icons should go in this PR.
There was a problem hiding this comment.
Great idea. Will need to confirm that one-time removal sticks after rebooting. If that's the case, will push up changes.
| - name: Configuration complete. | ||
| debug: | ||
| msg: >- | ||
| Successfully configured Tor and set up desktop bookmarks for SecureDrop! |
There was a problem hiding this comment.
so one issue i hit was that my desktop icons didnt show up right away -- i know thats not a new issue and cant find a specific fix online (gnome's refresh alt+f2 --> r) didnt resolve it for me. rebooting did tho. so i dunno if we want to say hey if your icons arent showing up on desktop, please reboot
@conorsch responded in chat: i noticed that too mike, you can quote my observation when you comment on github. my gut tells me there's some handler we can run to refresh the desktop, bu ti don't know what it is
There was a problem hiding this comment.
This is a really solid set of changes @conorsch !! I have nothing to add on the script changes 🎩 My only comment I would consider would be the modification of the desktop icons (remove standard tails icons and add ours). This is not critical for passage of this PR but if you decide to pass on those action items let me know and I'll make a new ticket to cover em.
|
Unfortunately the Tails desktop icons are baked in. Removing them from Technically we could shoehorn some customization logic into the |
Status
Ready for review.
Description of Changes
Removes
tails_files/install.shbash script and ports all Tails configuration logic to Ansible. Updates thesecuredrop-admin tailsconfigcommand to trigger the dedicated Tails config playbook. Works for both Admin and Journalist Workstations. Does not require specification by Admin—if theapp-ssh-athsandmon-ssh-athsfiles are present in theinstall_files/ansible-basedirectory, then the SSH access is configured. If the Journalist Interface ATHS info is missing, configuration halts with an informative error message.Fixes #1793.
Testing
./securedrop-admin install../securedrop-admin tailsconfigto use the new Ansible-based Tails setup logic.Note that 2) is optional, since you may already have
-athsfiles locally. As long as those still refer to machines with active Tor interfaces (so you can test the interfaces), it's OK to reuse them, since the subject of this PR is the Tails config. Note that 1) is required!After running 3), confirm the following:
ansible all -m pingwithin theansible-basedirectory returns a green OK message for each host.Then reboot Tails, and confirm that 1-3 above are still true. Doing so will confirm that the persistence options were correctly configured.
Remember that use of prod VMs will cause failure due discrepancies in the AppArmor profile for Apache, caused by the Document -> Journalist Interface renaming (#1614). Edit the
/etc/apparmor.d/usr.sbin.apache2file on the Application Server and add an exemption for the journalist.conf file in sites-available, then bounce apparmor and apache.Deployment
Makes first-time setup of a new instance substantially easier for Admins. Should greatly reduce the opportunity for user error during the configuration and install process. Not as relevant for existing Admins, although the new
tailsconfiglogic will run if/when new Journalists are onboarded to an existing instance.Checklist
Relying on manual testing to validate Tails-based config.
If you made changes to documentation: