Qubes Integration Proof of Concept #437

Merged
merged 10 commits into from
Jun 21, 2023
37 changes: 31 additions & 6 deletions .circleci/config.yml
Expand Up @@ -42,8 +42,16 @@ aliases:
./install/linux/build-rpm.py
ls -lh dist/

- &calculate-cache-key
name: Caculating container cache key
command: |
mkdir -p /caches/
cd dangerzone/conversion/
cat common.py doc_to_pixels.py pixels_to_pdf.py | sha1sum | cut -d' ' -f1 > /caches/cache-id.txt
cd ../../

- &restore-cache
key: v1-{{ checksum "container/Dockerfile" }}-{{ checksum "container/dangerzone.py" }}
key: v1-{{ checksum "Dockerfile" }}-{{ checksum "/caches/cache-id.txt" }}
paths:
- /caches/container.tar.gz
- /caches/image-id.txt
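Review bot: In the `calculate-cache-key` alias the key is derived from only three files (`common.py`, `doc_to_pixels.py`, `pixels_to_pdf.py`), while the build step further down uses the whole `dangerzone/` directory as context, so a change to any other file the Dockerfile copies in would reuse a stale `/caches/container.tar.gz`. Consider hashing every path the Dockerfile copies, or add a comment next to the alias explaining why these three are sufficient. Two smaller points in the same alias: `cat ... | sha1sum` takes its exit status from `sha1sum`, so a renamed or missing module gives a key over partial input instead of a failed step unless the shell has pipefail set (an explicit file check would catch it), and the step name reads "Caculating".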
Expand Down Expand Up @@ -85,17 +93,18 @@ jobs:
- image: docker:dind
steps:
- checkout
- restore_cache:
keys:
- v1-{{ checksum "container/Dockerfile" }}-{{ checksum "container/dangerzone.py" }}
- run: *calculate-cache-key
- restore_cache: *restore-cache
- setup_remote_docker
- run:
name: Build Dangerzone image
command: |
if [ -f "/caches/container.tar.gz" ]; then
echo "Already cached, skipping"
else
docker build --cache-from=dangerzone.rocks/dangerzone --tag dangerzone.rocks/dangerzone container
docker build dangerzone/ -f Dockerfile \
--cache-from=dangerzone.rocks/dangerzone \
--tag dangerzone.rocks/dangerzone
fi
- run:
name: Save Dangerzone image and image-id.txt to cache
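Review bot: The `docker build` command keeps `--cache-from=dangerzone.rocks/dangerzone`, but none of the steps shown before it (`checkout`, the cache restore, `setup_remote_docker`) loads that image into the remote Docker daemon, and the build only runs when `/caches/container.tar.gz` is absent. If the option has no effect here, drop it; if it is meant to help, load a previous image first and say so in a comment.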
Expand All @@ -108,8 +117,9 @@ jobs:
gzip -f /caches/container.tar
docker image ls dangerzone.rocks/dangerzone | grep "dangerzone.rocks/dangerzone" | tr -s ' ' | cut -d' ' -f3 > /caches/image-id.txt
fi
- run: *calculate-cache-key
- save_cache:
key: v1-{{ checksum "container/Dockerfile" }}-{{ checksum "container/dangerzone.py" }}
key: v1-{{ checksum "Dockerfile" }}-{{ checksum "/caches/cache-id.txt" }}
paths:
- /caches/container.tar.gz
- /caches/image-id.txt
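Review bot: The second `- run: *calculate-cache-key`, just before `save_cache`, recomputes a file this job already wrote before `restore_cache`, from sources that have not changed in between. It is harmless, but either remove it or add a comment saying why it is needed. Also, `save_cache` spells the key out again instead of sharing it with the `restore-cache` alias, so the restore and save keys can drift apart on the next edit.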
Expand All @@ -136,6 +146,7 @@ jobs:
command: |
sudo mkdir -p /caches
sudo chown -R $USER:$USER /caches
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run:
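Review bot: `calculate-cache-key` does `cd dangerzone/conversion/`, so in this job it only works once the repository is checked out, and this hunk shows it directly after the `/caches` setup without showing `checkout`. Please confirm the order here and in the similar jobs below; the packaging jobs further down place it right after `checkout`.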
Expand All @@ -155,6 +166,7 @@ jobs:
command: |
sudo mkdir -p /caches
sudo chown -R $USER:$USER /caches
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image

Expand All @@ -181,6 +193,7 @@ jobs:
command: |
sudo mkdir -p /caches
sudo chown -R $USER:$USER /caches
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image

Expand All @@ -207,6 +220,7 @@ jobs:
command: |
sudo mkdir -p /caches
sudo chown -R $USER:$USER /caches
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image

Expand All @@ -233,6 +247,7 @@ jobs:
command: |
sudo mkdir -p /caches
sudo chown -R $USER:$USER /caches
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image

Expand All @@ -259,6 +274,7 @@ jobs:
command: |
sudo mkdir -p /caches
sudo chown -R $USER:$USER /caches
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image

Expand All @@ -285,6 +301,7 @@ jobs:
command: |
sudo mkdir -p /caches
sudo chown -R $USER:$USER /caches
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image

Expand Down Expand Up @@ -328,6 +345,7 @@ jobs:
command: |
sudo mkdir -p /caches
sudo chown -R $USER:$USER /caches
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image

Expand Down Expand Up @@ -365,6 +383,7 @@ jobs:
steps:
- run: *install-dependencies-deb
- checkout
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run: *build-deb
Expand All @@ -376,6 +395,7 @@ jobs:
steps:
- run: *install-dependencies-deb
- checkout
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run: *build-deb
Expand All @@ -388,6 +408,7 @@ jobs:
- run: *install-dependencies-deb
- run: *install-python-all
- checkout
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run: *build-deb
Expand All @@ -399,6 +420,7 @@ jobs:
steps:
- run: *install-dependencies-deb
- checkout
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run: *build-deb
Expand All @@ -410,6 +432,7 @@ jobs:
steps:
- run: *install-dependencies-deb
- checkout
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run: *build-deb
Expand All @@ -421,6 +444,7 @@ jobs:
steps:
- run: *install-dependencies-rpm
- checkout
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run: *build-rpm
Expand All @@ -432,6 +456,7 @@ jobs:
steps:
- run: *install-dependencies-rpm
- checkout
- run: *calculate-cache-key
- restore_cache: *restore-cache
- run: *copy-image
- run: *build-rpm
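Review bot: The same three steps (`calculate-cache-key`, `restore_cache`, `copy-image`) are now repeated in every job, and the order of the first two matters because the restore key reads `/caches/cache-id.txt`. Wrapping them in one reusable step (a CircleCI `commands:` entry, if the config version allows it) would keep a future job from being added with the key calculation left out.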
2 changes: 1 addition & 1 deletion .github/workflows/scan.yml
Expand Up @@ -13,7 +13,7 @@ jobs:
- name: Checkout
uses: actions/checkout@v3
- name: Build container image
run: docker build container --tag dangerzone.rocks/dangerzone:latest
run: docker build dangerzone/ -f Dockerfile --tag dangerzone.rocks/dangerzone:latest
# NOTE: Scan first without failing, else we won't be able to read the scan
# report.
- name: Scan container image (no fail)
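Review bot: The build invocation on the `run:` line now duplicates the one in `.circleci/config.yml` (context `dangerzone/`, `-f Dockerfile`). Since this workflow scans the container image, consider moving the build into one script that both CI systems call, so the scanned image cannot diverge from the one CircleCI builds when the command changes again.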
188 changes: 185 additions & 3 deletions BUILD.md
Expand Up @@ -102,11 +102,193 @@ Create a .rpm:
./install/linux/build-rpm.py
```

## QubesOS
## Qubes OS

Create a Debian- or Fedora-based standalone VM with at least 8GB of private storage space, and follow the relevant instructions above.
<details>
<summary><i>:memo: Expand this section if you want to use containers instead of disposable qubes.</i></summary>
</br>

Over time, you may need to increase disk space or prune outdated Docker images if you run into build issues on this VM.
Create a Debian or Fedora-based development standalone qube with at least
8GB of private storage space, and follow the relevant instructions above for
the respective template.

Remember to set the environment variable `DZ_USE_CONTAINERS=1`, before executing
Dangerzone.

Over time, you may need to increase disk space or prune outdated container
images if you run into build issues on this VM.
</details>

> :warning: Native Qubes support is in alpha stage, so the instructions below
> require switching between qubes, and are subject to change.

### Initial Setup

The following steps must be completed once. Make sure you run them in the
specified qubes.

#### In `dom0`

1. Create a new Fedora **template** (`fedora-37-dz`) for Dangerzone development:

```
qvm-clone fedora-37 fedora-37-dz
```

> :bulb: Alternatively, you can use your base Fedora 37 template in the
> following instructions. In that case, replace `fedora-37-dz` with
> `fedora-37` in the steps below.

2. Create a **disposable**, offline app qube (`dz-dvm`), based on the
`fedora-37-dz` template. This will be the qube where the documents will be
sanitized:

```
qvm-create --class AppVM --label red --template fedora-37-dz \
--prop netvm="" --prop template_for_dispvms=True \
dz-dvm
```

3. Create an **app** qube (`dz`) that will be used for Dangerzone development
and initiating the sanitization process:

```
qvm-create --class AppVM --label red --template fedora-37-dz dz
```

> :bulb: Alternatively, you can use a different app qube for Dangerzone
> development. In that case, replace `dz` with the qube of your choice in the
> steps below.

4. Add an RPC policy (`/etc/qubes/policy.d/50-dangerzone.policy`) that will
allow launching a disposable qube (`dz-dvm`) when Dangerzone converts a
document, with the following contents:

```
dz.Convert * @anyvm @dispvm:dz-dvm allow
dz.ConvertDev * @anyvm @dispvm:dz-dvm allow
```

#### In the `fedora-37-dz` template

1. Install dependencies:

```
sudo dnf install -y rpm-build pipx qt5-qtbase-gui libreoffice python3-magic \
tesseract*
```

2. Shutdown the `fedora-37-dz` template:

```
shutdown -h now
```

#### In the `dz` app qube

1. Clone the Dangerzone project:

```
git clone https://github.com/freedomofpress/dangerzone
```

2. Install Poetry using `pipx`:

```sh
pipx install poetry
```

3. Change to the `dangerzone` folder, and install the poetry dependencies:

```
poetry install
```

> **Note**: due to an issue with
> [poetry](https://github.com/python-poetry/poetry/issues/1917), if it
> prompts for your keyring, disable the keyring with `keyring --disable` and
> run the command again.

4. Change to the `dangerzone` folder and copy the Qubes RPC calls into the
template for the **disposable** qube that will be used for document
sanitization (`dz-dvm`):

```
qvm-copy-to-vm dz-dvm qubes/
```

#### In the `dz-dvm` template

1. Create the directory that will contain the Dangerzone RPC calls, if it does
not exist already:

```
sudo mkdir -p /rw/usrlocal/etc/qubes-rpc/
```

2. Move the files we copied in the previous step to their proper place:

```
sudo cp ~/QubesIncoming/dz/qubes/* /rw/usrlocal/etc/qubes-rpc/
```

3. Shutdown the `dz-dvm` template:

```
shutdown -h now
```

### Developing Dangerzone

From here on, developing Dangerzone is similar as in other Linux platforms. You
can run the following commands in the `dz` app qube:

```sh
# start a shell in the virtual environment
poetry shell

# run the CLI
./dev_scripts/dangerzone-cli --help

# run the GUI
./dev_scripts/dangerzone
```

Create a .rpm:

```sh
./install/linux/build-rpm.py --qubes
```

For changes in the server side components, you can simply edit them locally,
and they will be mirrored to the disposable qube through the `dz.ConvertDev`
RPC call.

The only reason to update the `fedora-37-dz` template from there on is if:
1. The project requires new server-side components.
2. The code for `dz.ConvertDev` needs to be updated. Copy the updated file
as we've shown in the steps above.

### Installing Dangerzone system-wide

If you want to test the .rpm you just created, you can do the following:

On the `dz` app cube, copy the built `dangerzone.rpm` to `fedora-37-dz`
template:

```
qvm-copy-to-vm fedora-37-dz dist/dangerzone*.noarch.rpm
```

On the `fedora-37-dz` template, install the copied .rpm:

```
sudo dnf install -y ~/QubesIncoming/dz/dangerzone-*.rpm
```

Shutdown the `fedora-37-dz` template and the `dz` app qube, and then you can
refresh the applications on the `dz` qube, find Dangerzone in the list, and use
it to convert a document.

## macOS

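Review bot: In the RPC policy in step 4 of the `dom0` setup, both rules use `@anyvm` as the source, so every qube on the machine may start `dz-dvm` disposables, including through `dz.ConvertDev`, which the "Developing Dangerzone" text describes as mirroring locally edited server-side components into the disposable qube. For a development setup the source could be narrowed to the `dz` qube, at least for `dz.ConvertDev`, or the document should say why `@anyvm` is wanted. Wording nits in the same hunk: "app cube" should be "app qube", "Shutdown the ..." should be "Shut down the ...", `</br>` is not a valid tag (`<br>`), "similar as in other Linux platforms" reads better as "similar to other Linux platforms", and `shutdown -h now` is shown without `sudo` while the other privileged commands use it.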
5 changes: 4 additions & 1 deletion CHANGELOG.md
Expand Up @@ -9,8 +9,11 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or

### Added

- Platform support: Alpha integration with Qubes OS ([issue #411](https://github.com/freedomofpress/dangerzone/issues/411))

### Removed
- Platform support: Drop Fedora 36, since it's end-of-life ([issues #420](https://github.com/freedomofpress/dangerzone/issues/420))

- Platform support: Drop Fedora 36, since it's end-of-life ([issue #420](https://github.com/freedomofpress/dangerzone/issues/420))

### Fixed
