From 14b0c56e9a10031e370031f4dc3cc360b505785b Mon Sep 17 00:00:00 2001 From: Kevin O'Gorman Date: Thu, 23 Nov 2023 11:37:31 -0500 Subject: [PATCH 1/6] Adding migration flag --- rpm-build/SPECS/securedrop-workstation-dom0-config.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec index 4d16545b..98d69acf 100644 --- a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec +++ b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec @@ -123,9 +123,9 @@ find /srv/salt -maxdepth 1 -type f -iname '*.top' \ | sed -e 's/\.top$$//g' \ | xargs qubesctl top.enable > /dev/null -# Force full run of all Salt states - uncomment in release branch -# mkdir -p /tmp/sdw-migrations -# touch /tmp/sdw-migrations/f38-update +# Force full run of all Salt states +mkdir -p /tmp/sdw-migrations +touch /tmp/sdw-migrations/f38-update %changelog * Thu Nov 23 2023 SecureDrop Team - 0.9.0 From a358c2bba16996dfb618ab5e7e8df8cd2bf7b49e Mon Sep 17 00:00:00 2001 From: Kevin O'Gorman Date: Thu, 23 Nov 2023 15:27:45 -0500 Subject: [PATCH 2/6] fix up version updater to set RPM spec Version: field correctly --- rpm-build/SPECS/securedrop-workstation-dom0-config.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec index 98d69acf..1789f342 100644 --- a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec +++ b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec 
@@ -23,8 +23,7 @@ Summary: SecureDrop Workstation License: AGPLv3 URL: https://github.com/freedomofpress/securedrop-workstation -# See: https://docs.fedoraproject.org/en-US/packaging-guidelines/SourceURL/#_troublesome_urls -Source: %{url}/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz +Source0: securedrop-workstation-dom0-config-0.8.1.tar.gz BuildArch: noarch BuildRequires: python3-devel From 97b7c7fecf1a9396476608e578c7b32941599575 Mon Sep 17 00:00:00 2001 From: Kevin O'Gorman Date: Thu, 23 Nov 2023 17:34:20 -0500 Subject: [PATCH 3/6] updated version to 0.9.0-rc1 --- rpm-build/SPECS/securedrop-workstation-dom0-config.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec index 1789f342..ce24386c 100644 --- a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec +++ b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec @@ -23,7 +23,7 @@ Summary: SecureDrop Workstation License: AGPLv3 URL: https://github.com/freedomofpress/securedrop-workstation -Source0: securedrop-workstation-dom0-config-0.8.1.tar.gz +Source0: securedrop-workstation-dom0-config-0.9.0rc1.tar.gz BuildArch: noarch BuildRequires: python3-devel @@ -43,7 +43,7 @@ configuration over time. %prep -%setup -q -n %{name}-%{version} +%setup -q -n securedrop-workstation-dom0-config-0.9.0rc1 %build @@ -103,7 +103,7 @@ install -m 644 files/config.json.example %{buildroot}/%{_datadir}/%{name}/ %attr(755, root, root) %{_datadir}/%{name}/scripts/validate_config.py %attr(755, root, root) %{_bindir}/sdw-admin # The name of the dist-info dir uses _ instead of -, so we use wildcards -%{python3_sitelib}/*%{version}.dist-info/* +%{python3_sitelib}/*0.9.0rc1.dist-info/* %{_datadir}/%{name}/config.json.example /opt/securedrop/launcher/**/*.py /srv/salt/sd* From 181d7960cc75ba41f2bcf2744550cd7dc9e72d9e Mon Sep 17 00:00:00 2001 
From: Kevin O'Gorman Date: Mon, 27 Nov 2023 17:47:54 -0500 Subject: [PATCH 4/6] Updated spec file to reflect versioning fix in #922 --- rpm-build/SPECS/securedrop-workstation-dom0-config.spec | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec index ce24386c..a1192a4b 100644 --- a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec +++ b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec @@ -23,7 +23,8 @@ Summary: SecureDrop Workstation License: AGPLv3 URL: https://github.com/freedomofpress/securedrop-workstation -Source0: securedrop-workstation-dom0-config-0.9.0rc1.tar.gz +# See: https://docs.fedoraproject.org/en-US/packaging-guidelines/SourceURL/#_troublesome_urls +Source: %{url}/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz BuildArch: noarch BuildRequires: python3-devel @@ -43,7 +44,7 @@ configuration over time. %prep -%setup -q -n securedrop-workstation-dom0-config-0.9.0rc1 +%setup -q -n %{name}-%{version} %build @@ -103,7 +104,7 @@ install -m 644 files/config.json.example %{buildroot}/%{_datadir}/%{name}/ %attr(755, root, root) %{_datadir}/%{name}/scripts/validate_config.py %attr(755, root, root) %{_bindir}/sdw-admin # The name of the dist-info dir uses _ instead of -, so we use wildcards -%{python3_sitelib}/*0.9.0rc1.dist-info/* +%{python3_sitelib}/*%{version}.dist-info/* %{_datadir}/%{name}/config.json.example /opt/securedrop/launcher/**/*.py /srv/salt/sd* @@ -122,7 +123,7 @@ find /srv/salt -maxdepth 1 -type f -iname '*.top' \ | sed -e 's/\.top$$//g' \ | xargs qubesctl top.enable > /dev/null -# Force full run of all Salt states +# Force full run of all Salt states - uncomment in release branch mkdir -p /tmp/sdw-migrations touch /tmp/sdw-migrations/f38-update From ac9eb2f34baccc303eae5a4633f02b9257b0a474 Mon Sep 17 00:00:00 2001 
From: Ro Date: Fri, 19 Jan 2024 10:36:15 -0500 Subject: [PATCH 5/6] Support Whonix 17. Specify whonix template version and use qvm.template_installed to ensure it is present. Update migration flag and vm_tests. --- Makefile | 2 +- dom0/sd-dom0-files.sls | 12 ----- dom0/sd-sys-whonix-vms.sls | 45 +++++++++++++++++-- dom0/sd-whonix.sls | 4 +- dom0/securedrop-handle-upgrade | 4 +- launcher/sdw_updater_gui/Updater.py | 2 +- launcher/tests/test_updater.py | 4 +- .../securedrop-workstation-dom0-config.spec | 2 +- tests/base.py | 2 +- tests/test_vms_exist.py | 2 +- tests/test_vms_platform.py | 3 +- 11 files changed, 56 insertions(+), 26 deletions(-) diff --git a/Makefile b/Makefile index 6a992474..bb3d89ee 100644 --- a/Makefile +++ b/Makefile @@ -78,7 +78,7 @@ sd-app: prep-dev ## Provisions SD APP VM sd-whonix: prep-dev ## Provisions SD Whonix VM sudo qubesctl --show-output state.sls sd-whonix - sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-16,sd-whonix state.highstate + sudo qubesctl --show-output --skip-dom0 --targets whonix-gateway-17,sd-whonix state.highstate sd-viewer: prep-dev ## Provisions SD Submission Viewing VM sudo qubesctl --show-output state.sls sd-viewer diff --git a/dom0/sd-dom0-files.sls b/dom0/sd-dom0-files.sls index 4d961550..ba17e91c 100644 --- a/dom0/sd-dom0-files.sls +++ b/dom0/sd-dom0-files.sls @@ -94,18 +94,6 @@ dom0-securedrop-icon: - require: - file: dom0-securedrop-icons-directory -dom0-enabled-apparmor-on-whonix-gw-template: - qvm.vm: - - name: whonix-gw-16 - - prefs: - - kernelopts: "nopat apparmor=1 security=apparmor" - -dom0-enabled-apparmor-on-whonix-ws-template: - qvm.vm: - - name: whonix-ws-16 - - prefs: - - kernelopts: "nopat apparmor=1 security=apparmor" - dom0-create-opt-securedrop-directory: file.directory: - name: /opt/securedrop diff --git a/dom0/sd-sys-whonix-vms.sls b/dom0/sd-sys-whonix-vms.sls index 80da58ee..fcd3325a 100644 --- a/dom0/sd-sys-whonix-vms.sls +++ b/dom0/sd-sys-whonix-vms.sls 
@@ -1,9 +1,46 @@ # -*- coding: utf-8 -*- # vim: set syntax=yaml ts=2 sw=2 sts=2 et : +## +# Install latest Whonix template, configure apparmor on installed templates, +# and ensure sys-whonix and anon-whonix use latest version. +## + include: - sd-upgrade-templates +{% set sd_supported_whonix_version = '17' %} + +whonix-gateway-installed: + qvm.template_installed: + - name: whonix-gateway-{{ sd_supported_whonix_version }} + - fromrepo: qubes-templates-community + +whonix-workstation-installed: + qvm.template_installed: + - name: whonix-workstation-{{ sd_supported_whonix_version }} + - fromrepo: qubes-templates-community + +dom0-enabled-apparmor-on-whonix-gw-template: + qvm.vm: + - name: whonix-gateway-{{ sd_supported_whonix_version }} + - prefs: + - kernelopts: "nopat apparmor=1 security=apparmor" + - require: + - sls: sd-upgrade-templates + - qvm: whonix-gateway-installed + - qvm: whonix-workstation-installed + +dom0-enabled-apparmor-on-whonix-ws-template: + qvm.vm: + - name: whonix-workstation-{{ sd_supported_whonix_version }} + - prefs: + - kernelopts: "nopat apparmor=1 security=apparmor" + - require: + - sls: sd-upgrade-templates + - qvm: whonix-gateway-installed + - qvm: whonix-workstation-installed + # The Qubes logic is too polite about enforcing template # settings, using "present" rather than "prefs". Below # we force the template updates. @@ -11,12 +48,14 @@ sys-whonix-template-config: qvm.vm: - name: sys-whonix - prefs: - - template: whonix-gw-16 + - template: whonix-gateway-{{ sd_supported_whonix_version }} - require: - - sls: sd-upgrade-templates + - qvm: dom0-enabled-apparmor-on-whonix-gw-template anon-whonix-template-config: qvm.vm: - name: anon-whonix - prefs: - - template: whonix-ws-16 + - template: whonix-workstation-{{ sd_supported_whonix_version }} + - require: + - qvm: dom0-enabled-apparmor-on-whonix-ws-template diff --git a/dom0/sd-whonix.sls b/dom0/sd-whonix.sls index 9f9c09aa..b2f7152f 100644 --- a/dom0/sd-whonix.sls +++ b/dom0/sd-whonix.sls 
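Review bot: The `{% set sd_supported_whonix_version = '17' %}` line factors the Whonix release out of the state names here, but the same series hardcodes it again as `whonix-gateway-17` in dom0/sd-whonix.sls (which now includes this sls) and launcher/sdw_updater_gui/Updater.py, as the bare string "17" in dom0/securedrop-handle-upgrade, and as `CURRENT_WHONIX_VERSION = "17"` in tests/base.py, so the next bump has to be repeated in each place. sd-whonix.sls already reads `sdvars` from some shared source; defining the supported version there (or importing this variable with a Jinja `from ... import`) would keep the Salt side to one definition, and until then a comment on the set line such as `# Keep in sync with sd-whonix.sls, Updater.py, securedrop-handle-upgrade and tests/base.py` would make the coupling visible. Each apparmor state requires both template installs, so a failed workstation download also blocks the gateway kernelopts and, through the new require chain, the sys-whonix template switch; requiring only the matching template (`- qvm: whonix-gateway-installed` for the gw state, `- qvm: whonix-workstation-installed` for the ws state) would decouple them. `qvm.template_installed` with `fromrepo: qubes-templates-community` appears to install whatever that repo currently serves, so the resulting template version presumably depends on dom0's repo configuration rather than on anything pinned in this file; a short comment stating that this is intended would help the next reader.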
@@ -16,6 +16,7 @@ include: - sd-upgrade-templates + - sd-sys-whonix-vms sd-whonix: qvm.vm: @@ -24,7 +25,7 @@ sd-whonix: - label: purple - mem: 500 - prefs: - - template: whonix-gw-16 + - template: whonix-gateway-17 - provides-network: true - netvm: "sys-firewall" - autostart: true @@ -35,3 +36,4 @@ sd-whonix: - sd-{{ sdvars.distribution }} - require: - sls: sd-upgrade-templates + - sls: sd-sys-whonix-vms diff --git a/dom0/securedrop-handle-upgrade b/dom0/securedrop-handle-upgrade index 0026a347..127333c2 100755 --- a/dom0/securedrop-handle-upgrade +++ b/dom0/securedrop-handle-upgrade @@ -62,7 +62,7 @@ if [[ $TASK == "prepare" ]]; then # is not, we want to ensure a smooth upgrade. if qvm-check --quiet sd-whonix; then BASE_TEMPLATE=$(qvm-prefs sd-whonix template) - if [[ ! $BASE_TEMPLATE =~ "16" ]]; then + if [[ ! $BASE_TEMPLATE =~ "17" ]]; then qvm-shutdown --wait sd-proxy qvm-shutdown --wait sd-whonix fi @@ -71,7 +71,7 @@ if [[ $TASK == "prepare" ]]; then # Kill sys-whonix, to make sure connected clients don't prevent shutdown. if qvm-check --quiet sys-whonix; then BASE_TEMPLATE=$(qvm-prefs sys-whonix template) - if [[ ! $BASE_TEMPLATE =~ "16" ]]; then + if [[ ! $BASE_TEMPLATE =~ "17" ]]; then if qvm-check --quiet --running sys-whonix; then qvm-kill sys-whonix # Wait for machine to stop fully, since qvm-kill doesn't block diff --git a/launcher/sdw_updater_gui/Updater.py b/launcher/sdw_updater_gui/Updater.py index 6718958b..c42f0a79 100644 --- a/launcher/sdw_updater_gui/Updater.py +++ b/launcher/sdw_updater_gui/Updater.py @@ -46,7 +46,7 @@ "sd-log": "sd-small-{}-template".format(DEBIAN_VERSION), "sd-devices": "sd-large-{}-template".format(DEBIAN_VERSION), "sd-proxy": "sd-small-{}-template".format(DEBIAN_VERSION), - "sd-whonix": "whonix-gw-16", + "sd-whonix": "whonix-gateway-17", "sd-gpg": "sd-small-{}-template".format(DEBIAN_VERSION), } diff --git a/launcher/tests/test_updater.py b/launcher/tests/test_updater.py index 62bb1b96..2ce29bb1 100644 
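Review bot: `if [[ ! $BASE_TEMPLATE =~ "17" ]]; then` in the two dom0/securedrop-handle-upgrade hunks is an unanchored substring match, so any template whose name contains the digits 17 anywhere, not only `whonix-gateway-17`, is treated as already migrated and sd-whonix or sys-whonix is left running on its old template. Anchoring the pattern to the version suffix, `if [[ ! $BASE_TEMPLATE =~ -17$ ]]; then` at both sites, keeps the intent while rejecting such false matches; comparing against the exact expected name would be stricter still if custom template names are not meant to be supported. The enclosing `if [[ $TASK == "prepare" ]]` block starts and ends outside these hunks.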
--- a/launcher/tests/test_updater.py +++ b/launcher/tests/test_updater.py @@ -495,7 +495,7 @@ def test_shutdown_and_start_vms( call("fedora-38"), call("sd-large-{}-template".format(DEBIAN_VERSION)), call("sd-small-{}-template".format(DEBIAN_VERSION)), - call("whonix-gw-16"), + call("whonix-gateway-17"), ] app_vm_calls = [ call("sd-app"), @@ -541,7 +541,7 @@ def test_shutdown_and_start_vms_sysvm_fail( call("fedora-38"), call("sd-large-{}-template".format(DEBIAN_VERSION)), call("sd-small-{}-template".format(DEBIAN_VERSION)), - call("whonix-gw-16"), + call("whonix-gateway-17"), ] error_calls = [ call("Error while killing system VM: sys-firewall"), diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec index a1192a4b..e652b0c5 100644 --- a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec +++ b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec @@ -125,7 +125,7 @@ find /srv/salt -maxdepth 1 -type f -iname '*.top' \ # Force full run of all Salt states - uncomment in release branch mkdir -p /tmp/sdw-migrations -touch /tmp/sdw-migrations/f38-update +touch /tmp/sdw-migrations/whonix-17-update %changelog * Thu Nov 23 2023 SecureDrop Team - 0.9.0 diff --git a/tests/base.py b/tests/base.py index 9868c528..c0810c6c 100644 --- a/tests/base.py +++ b/tests/base.py @@ -9,7 +9,7 @@ WANTED_VMS = ["sd-gpg", "sd-log", "sd-proxy", "sd-app", "sd-viewer", "sd-whonix", "sd-devices"] CURRENT_FEDORA_VERSION = "38" CURRENT_FEDORA_TEMPLATE = "fedora-" + CURRENT_FEDORA_VERSION -CURRENT_WHONIX_VERSION = "16" +CURRENT_WHONIX_VERSION = "17" # Lifted from launcher/sdw_util/Util.py diff --git a/tests/test_vms_exist.py b/tests/test_vms_exist.py index 0b0cafa3..8bfd3ad2 100644 --- a/tests/test_vms_exist.py +++ b/tests/test_vms_exist.py 
@@ -51,7 +51,7 @@ def test_sd_whonix_config(self): self.assertTrue(nvm.name == "sys-firewall") wanted_kernelopts = "nopat apparmor=1 security=apparmor" self.assertEqual(vm.kernelopts, wanted_kernelopts) - self.assertTrue(vm.template == "whonix-gw-16") + self.assertTrue(vm.template == "whonix-gateway-17") self.assertTrue(vm.provides_network) self.assertTrue(vm.autostart is True) self.assertFalse(vm.template_for_dispvms) diff --git a/tests/test_vms_platform.py b/tests/test_vms_platform.py index 60d74846..a9fe86e0 100644 --- a/tests/test_vms_platform.py +++ b/tests/test_vms_platform.py @@ -7,9 +7,10 @@ BULLSEYE_STRING = "Debian GNU/Linux 11 (bullseye)" +BOOKWORM_STRING = "Debian GNU/Linux 12 (bookworm)" SUPPORTED_SD_DEBIAN_DIST = "bullseye" -SUPPORTED_WHONIX_PLATFORMS = [BULLSEYE_STRING] +SUPPORTED_WHONIX_PLATFORMS = [BOOKWORM_STRING] apt_url = "" From 66b737bfa06bb628f5a887e07aa58ea8af94fc96 Mon Sep 17 00:00:00 2001 From: Kevin O'Gorman Date: Tue, 6 Feb 2024 15:03:16 -0500 Subject: [PATCH 6/6] commenting out migration flag for main merge --- rpm-build/SPECS/securedrop-workstation-dom0-config.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec index e652b0c5..962edd92 100644 --- a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec +++ b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec @@ -124,8 +124,8 @@ find /srv/salt -maxdepth 1 -type f -iname '*.top' \ | xargs qubesctl top.enable > /dev/null # Force full run of all Salt states - uncomment in release branch -mkdir -p /tmp/sdw-migrations -touch /tmp/sdw-migrations/whonix-17-update +# mkdir -p /tmp/sdw-migrations +# touch /tmp/sdw-migrations/whonix-17-update %changelog * Thu Nov 23 2023 SecureDrop Team - 0.9.0