diff --git a/Makefile b/Makefile index 6a992474..bb3d89ee 100644 --- a/Makefile +++ b/Makefile @@ -78,7 +78,7 @@ sd-app: prep-dev ## Provisions SD APP VM sd-whonix: prep-dev ## Provisions SD Whonix VM sudo qubesctl --show-output state.sls sd-whonix - sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-16,sd-whonix state.highstate + sudo qubesctl --show-output --skip-dom0 --targets whonix-gateway-17,sd-whonix state.highstate sd-viewer: prep-dev ## Provisions SD Submission Viewing VM sudo qubesctl --show-output state.sls sd-viewer diff --git a/dom0/sd-dom0-files.sls b/dom0/sd-dom0-files.sls index 4d961550..ba17e91c 100644 --- a/dom0/sd-dom0-files.sls +++ b/dom0/sd-dom0-files.sls @@ -94,18 +94,6 @@ dom0-securedrop-icon: - require: - file: dom0-securedrop-icons-directory -dom0-enabled-apparmor-on-whonix-gw-template: - qvm.vm: - - name: whonix-gw-16 - - prefs: - - kernelopts: "nopat apparmor=1 security=apparmor" - -dom0-enabled-apparmor-on-whonix-ws-template: - qvm.vm: - - name: whonix-ws-16 - - prefs: - - kernelopts: "nopat apparmor=1 security=apparmor" - dom0-create-opt-securedrop-directory: file.directory: - name: /opt/securedrop diff --git a/dom0/sd-sys-whonix-vms.sls b/dom0/sd-sys-whonix-vms.sls index 80da58ee..fcd3325a 100644 --- a/dom0/sd-sys-whonix-vms.sls +++ b/dom0/sd-sys-whonix-vms.sls 
@@ -1,9 +1,46 @@ # -*- coding: utf-8 -*- # vim: set syntax=yaml ts=2 sw=2 sts=2 et : +## +# Install latest Whonix template, configure apparmor on installed templates, +# and ensure sys-whonix and anon-whonix use latest version. +## + include: - sd-upgrade-templates +{% set sd_supported_whonix_version = '17' %} + +whonix-gateway-installed: + qvm.template_installed: + - name: whonix-gateway-{{ sd_supported_whonix_version }} + - fromrepo: qubes-templates-community + +whonix-workstation-installed: + qvm.template_installed: + - name: whonix-workstation-{{ sd_supported_whonix_version }} + - fromrepo: qubes-templates-community + +dom0-enabled-apparmor-on-whonix-gw-template: + qvm.vm: + - name: whonix-gateway-{{ sd_supported_whonix_version }} + - prefs: + - kernelopts: "nopat apparmor=1 security=apparmor" + - require: + - sls: sd-upgrade-templates + - qvm: whonix-gateway-installed + - qvm: whonix-workstation-installed + +dom0-enabled-apparmor-on-whonix-ws-template: + qvm.vm: + - name: whonix-workstation-{{ sd_supported_whonix_version }} + - prefs: + - kernelopts: "nopat apparmor=1 security=apparmor" + - require: + - sls: sd-upgrade-templates + - qvm: whonix-gateway-installed + - qvm: whonix-workstation-installed + # The Qubes logic is too polite about enforcing template # settings, using "present" rather than "prefs". Below # we force the template updates. @@ -11,12 +48,14 @@ sys-whonix-template-config: qvm.vm: - name: sys-whonix - prefs: - - template: whonix-gw-16 + - template: whonix-gateway-{{ sd_supported_whonix_version }} - require: - - sls: sd-upgrade-templates + - qvm: dom0-enabled-apparmor-on-whonix-gw-template anon-whonix-template-config: qvm.vm: - name: anon-whonix - prefs: - - template: whonix-ws-16 + - template: whonix-workstation-{{ sd_supported_whonix_version }} + - require: + - qvm: dom0-enabled-apparmor-on-whonix-ws-template diff --git a/dom0/sd-whonix.sls b/dom0/sd-whonix.sls index 9f9c09aa..b2f7152f 100644 --- a/dom0/sd-whonix.sls +++ b/dom0/sd-whonix.sls 
@@ -16,6 +16,7 @@ include: - sd-upgrade-templates + - sd-sys-whonix-vms sd-whonix: qvm.vm: @@ -24,7 +25,7 @@ sd-whonix: - label: purple - mem: 500 - prefs: - - template: whonix-gw-16 + - template: whonix-gateway-17 - provides-network: true - netvm: "sys-firewall" - autostart: true @@ -35,3 +36,4 @@ sd-whonix: - sd-{{ sdvars.distribution }} - require: - sls: sd-upgrade-templates + - sls: sd-sys-whonix-vms diff --git a/dom0/securedrop-handle-upgrade b/dom0/securedrop-handle-upgrade index 0026a347..127333c2 100755 --- a/dom0/securedrop-handle-upgrade +++ b/dom0/securedrop-handle-upgrade @@ -62,7 +62,7 @@ if [[ $TASK == "prepare" ]]; then # is not, we want to ensure a smooth upgrade. if qvm-check --quiet sd-whonix; then BASE_TEMPLATE=$(qvm-prefs sd-whonix template) - if [[ ! $BASE_TEMPLATE =~ "16" ]]; then + if [[ ! $BASE_TEMPLATE =~ "17" ]]; then qvm-shutdown --wait sd-proxy qvm-shutdown --wait sd-whonix fi @@ -71,7 +71,7 @@ if [[ $TASK == "prepare" ]]; then # Kill sys-whonix, to make sure connected clients don't prevent shutdown. if qvm-check --quiet sys-whonix; then BASE_TEMPLATE=$(qvm-prefs sys-whonix template) - if [[ ! $BASE_TEMPLATE =~ "16" ]]; then + if [[ ! $BASE_TEMPLATE =~ "17" ]]; then if qvm-check --quiet --running sys-whonix; then qvm-kill sys-whonix # Wait for machine to stop fully, since qvm-kill doesn't block diff --git a/launcher/sdw_updater_gui/Updater.py b/launcher/sdw_updater_gui/Updater.py index 6718958b..c42f0a79 100644 --- a/launcher/sdw_updater_gui/Updater.py +++ b/launcher/sdw_updater_gui/Updater.py @@ -46,7 +46,7 @@ "sd-log": "sd-small-{}-template".format(DEBIAN_VERSION), "sd-devices": "sd-large-{}-template".format(DEBIAN_VERSION), "sd-proxy": "sd-small-{}-template".format(DEBIAN_VERSION), - "sd-whonix": "whonix-gw-16", + "sd-whonix": "whonix-gateway-17", "sd-gpg": "sd-small-{}-template".format(DEBIAN_VERSION), } diff --git a/launcher/tests/test_updater.py b/launcher/tests/test_updater.py index 62bb1b96..2ce29bb1 100644 
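Review bot: `- template: whonix-gateway-17` repeats the version literal that sd-sys-whonix-vms.sls (now included and required by this state) already defines as `sd_supported_whonix_version`, so the two files can silently disagree on which gateway template sd-whonix uses. A Jinja `set` in an included sls is not visible here, so the fix is to move the value into a small jinja map file both states import and write `- template: whonix-gateway-{{ sd_supported_whonix_version }}` in this prefs list; at minimum add `# Must match sd_supported_whonix_version in sd-sys-whonix-vms.sls` above the line. The `sd-whonix` state body begins and ends outside the shown hunks.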
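Review bot: `[[ ! $BASE_TEMPLATE =~ "17" ]]` is a literal substring match (the right-hand side is quoted), so it is satisfied by any template name that contains "17" anywhere rather than by the whonix-gateway-17 template specifically, and the same loose test is repeated for sys-whonix in the second hunk. Since the intent of the `prepare` task is to shut the VMs down only when they are not yet on the supported template, an exact comparison states that directly: `if [[ "$BASE_TEMPLATE" != "whonix-gateway-17" ]]; then`, ideally against a single `SUPPORTED_WHONIX_GW="whonix-gateway-17"` variable shared by both checks so the next bump touches one line. Both hunks sit inside the `if [[ $TASK == "prepare" ]]` block, whose start and end are outside the diff.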
--- a/launcher/tests/test_updater.py +++ b/launcher/tests/test_updater.py @@ -495,7 +495,7 @@ def test_shutdown_and_start_vms( call("fedora-38"), call("sd-large-{}-template".format(DEBIAN_VERSION)), call("sd-small-{}-template".format(DEBIAN_VERSION)), - call("whonix-gw-16"), + call("whonix-gateway-17"), ] app_vm_calls = [ call("sd-app"), @@ -541,7 +541,7 @@ def test_shutdown_and_start_vms_sysvm_fail( call("fedora-38"), call("sd-large-{}-template".format(DEBIAN_VERSION)), call("sd-small-{}-template".format(DEBIAN_VERSION)), - call("whonix-gw-16"), + call("whonix-gateway-17"), ] error_calls = [ call("Error while killing system VM: sys-firewall"), diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec index 4d16545b..962edd92 100644 --- a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec +++ b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec @@ -125,7 +125,7 @@ find /srv/salt -maxdepth 1 -type f -iname '*.top' \ # Force full run of all Salt states - uncomment in release branch # mkdir -p /tmp/sdw-migrations -# touch /tmp/sdw-migrations/f38-update +# touch /tmp/sdw-migrations/whonix-17-update %changelog * Thu Nov 23 2023 SecureDrop Team - 0.9.0 diff --git a/tests/base.py b/tests/base.py index 9868c528..c0810c6c 100644 --- a/tests/base.py +++ b/tests/base.py @@ -9,7 +9,7 @@ WANTED_VMS = ["sd-gpg", "sd-log", "sd-proxy", "sd-app", "sd-viewer", "sd-whonix", "sd-devices"] CURRENT_FEDORA_VERSION = "38" CURRENT_FEDORA_TEMPLATE = "fedora-" + CURRENT_FEDORA_VERSION -CURRENT_WHONIX_VERSION = "16" +CURRENT_WHONIX_VERSION = "17" # Lifted from launcher/sdw_util/Util.py diff --git a/tests/test_vms_exist.py b/tests/test_vms_exist.py index 0b0cafa3..8bfd3ad2 100644 --- a/tests/test_vms_exist.py +++ b/tests/test_vms_exist.py 
@@ -51,7 +51,7 @@ def test_sd_whonix_config(self): self.assertTrue(nvm.name == "sys-firewall") wanted_kernelopts = "nopat apparmor=1 security=apparmor" self.assertEqual(vm.kernelopts, wanted_kernelopts) - self.assertTrue(vm.template == "whonix-gw-16") + self.assertTrue(vm.template == "whonix-gateway-17") self.assertTrue(vm.provides_network) self.assertTrue(vm.autostart is True) self.assertFalse(vm.template_for_dispvms) diff --git a/tests/test_vms_platform.py b/tests/test_vms_platform.py index 60d74846..a9fe86e0 100644 --- a/tests/test_vms_platform.py +++ b/tests/test_vms_platform.py @@ -7,9 +7,10 @@ BULLSEYE_STRING = "Debian GNU/Linux 11 (bullseye)" +BOOKWORM_STRING = "Debian GNU/Linux 12 (bookworm)" SUPPORTED_SD_DEBIAN_DIST = "bullseye" -SUPPORTED_WHONIX_PLATFORMS = [BULLSEYE_STRING] +SUPPORTED_WHONIX_PLATFORMS = [BOOKWORM_STRING] apt_url = ""