Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Discussion: can we deprecate or simplify securedrop-handle-upgrade? #1225

Open
1 task done
rocodes opened this issue Jan 2, 2025 · 1 comment
Open
1 task done

Discussion: can we deprecate or simplify securedrop-handle-upgrade? #1225

rocodes opened this issue Jan 2, 2025 · 1 comment

Comments

@rocodes
Copy link
Contributor

rocodes commented Jan 2, 2025
edited
Loading

  • I have searched for duplicates or related issues

Description

We have a script, securedrop-handle-upgrade, that is invoked via Salt in sd-upgrade-templates.sls. Its main purpose is to make sure that base templates for vms (debian, whonix) are correctly up to date for a given VM (for example, migrating a major OS version and switching templates). Its secondary purpose, via remove, is to clean up old sd templates after an upgrade.

As the script mentions, to update an appvm's template, the vm must be a) powered off, and b) not be appvm template for a disposable VM that is either the default disposable or the system disposable.

The downsides of this approach are:

  • it's convoluted (Salt requsite -> salt state that invokes a script with a defined arg -> script shells out to "qvm" commands, but we're already in the middle of a salt run...)
  • it is applied both in the dom0 top file, but also (inconsistently) as a requisite in some but not all appvms (eg: it's a requisite in sd-gpg.sls but not sd-app.sls or sd-viewer.sls).

It might be better to move this out of a script and into the individual vm configuration. Afaict we can use qvm.vm to ensure that the VM's state is "powered off" (goal 1), and use "prefs" for the VM to ensure that it has the correct template (goal 2).

The original goal of the script was that if a user missed a dom0 update where the template migration took place, they could still successfully upgrade (particularly during template consolidation). But I think we can deprecate this, at least at the individual vm level. Would like a second opinion though (@deeplow @legoktm maybe ?)

How will this impact SecureDrop/SecureDrop Workstation users?

Should be no-op; potentially faster provisioning

How would this affect the SecureDrop Workstation threat model?

Should be no-op

User Stories

(n/a - developer quality of life/ease of maintenance)
This was referenced Jan 2, 2025
Open
Open
@legoktm
Copy link
Member

legoktm commented Jan 3, 2025

It's been a while since I looked at that script, I have no attachment to it and would go on my normal spiel about how that complex logic doesn't belong in bash scripts, etc. :), so I'm down to move it to salt.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@legoktm @rocodes