Use qvm.anon-whonix, deprecate securedrop-handle-upgrade for sys-whonix #1227

Open: wants to merge 1 commit into base: main

@rocodes (Contributor) commented Jan 2, 2025

Status

Ready for Review

Description of Changes

Refs #1060
Refs #1225
Refs / (possible fix) freedomofpress/securedrop-workstation-ci#68

Changes proposed in this pull request:

  • Use qvm.anon-whonix state as requisite for whonix template config + preferred way to download whonix templates and create anon-whonix VM.
  • Use Salt instead of securedrop-handle-upgrade to force shutdown sys-whonix in order to apply changes.

Testing

  • Visual review
  • CI
  • Manual upgrade testing (see below)

Manual upgrade testing (existing SDW install)

  • Start with Qubes 4.2 SDW.
  • On your system, change the template of sys-whonix and anon-whonix to any other template, or make changes to the existing template such as disabling apparmor. (Don't run/use these VMs while you are making a mess, of course. This is basically to simulate a template upgrade/template change.)
  • Build rpm from the tip of this branch and run apply.
  • Provisioning is successful
  • sys-whonix and anon-whonix have correct whonix 17 gw and ws templates, respectively, have apparmor configured, and sys-whonix has the anon-gateway tag.
  • sd-whonix has the anon-gateway tag.

Deployment

Any special considerations for deployment? Consider both:

  1. Upgrading existing pilot instances
  2. New installs

n/a.

Upgrading: todo. On existing installs, sd-whonix will be missing the tags that it should have inherited from whonix-gateway-17. Since sd-whonix is based on the sys-whonix template, and not cloned, it should have the anon-gateway tag after a successful Salt run.

Checklist

If you have made changes to the provisioning logic

  • All tests (make test) pass in dom0

If you have added or removed files

  • I have updated MANIFEST.in and rpm-build/SPECS/securedrop-workstation-dom0-config.spec

If documentation is required

  • I have opened a PR in the docs repo for these changes, or will do so later
  • I would appreciate help with the documentation

@rocodes rocodes force-pushed the 1060-qvm-whonix-state branch 2 times, most recently from b428544 to a53d4f3 Compare January 3, 2025 14:38
@rocodes rocodes force-pushed the 1060-qvm-whonix-state branch from a53d4f3 to 0def809 Compare January 10, 2025 16:36
@rocodes rocodes marked this pull request as ready for review January 10, 2025 16:48
@rocodes rocodes requested a review from a team January 10, 2025 16:58
…ff sys-whonix instead of securedrop-handle-upgrade script.
@rocodes rocodes force-pushed the 1060-qvm-whonix-state branch from 0def809 to 6d4149d Compare January 10, 2025 18:22
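
A dom0 check for the end state that the manual upgrade test in the description expects, as an added example that is not part of the PR or the project's code. The VM names and the `anon-gateway` tag come from the description; the workstation template name `whonix-workstation-17` and the overridable `QVM_PREFS`/`QVM_TAGS` variables are assumptions.

```shell
#!/bin/sh
# Added example (not project code): verify Whonix VM templates and tags
# after provisioning. Intended to be run in dom0 with "--run".

# Command names are overridable so the logic can be exercised off-Qubes.
QVM_PREFS="${QVM_PREFS:-qvm-prefs}"
QVM_TAGS="${QVM_TAGS:-qvm-tags}"

GW_TEMPLATE="whonix-gateway-17"      # named in the PR description
WS_TEMPLATE="whonix-workstation-17"  # assumption: the "whonix 17 ws" template

# check_template VM EXPECTED: succeeds if the VM's template property matches.
check_template() {
    actual=$("$QVM_PREFS" "$1" template 2>/dev/null) || actual="<unreadable>"
    if [ "$actual" = "$2" ]; then
        echo "ok:   $1 template is $2"
    else
        echo "FAIL: $1 template is $actual, expected $2"
        return 1
    fi
}

# check_tag VM TAG: succeeds if TAG is a whole line of the VM's tag list
# (assumes one tag per line, so a substring of another tag does not count).
check_tag() {
    if "$QVM_TAGS" "$1" list 2>/dev/null | grep -qxF -- "$2"; then
        echo "ok:   $1 has tag $2"
    else
        echo "FAIL: $1 is missing tag $2"
        return 1
    fi
}

# Run every check without short-circuiting; return the number of failures.
check_all() {
    failures=0
    check_template sys-whonix  "$GW_TEMPLATE" || failures=$((failures + 1))
    check_template anon-whonix "$WS_TEMPLATE" || failures=$((failures + 1))
    check_tag sys-whonix anon-gateway || failures=$((failures + 1))
    check_tag sd-whonix  anon-gateway || failures=$((failures + 1))
    return "$failures"
}

if [ "${1:-}" = "--run" ]; then check_all; fi
```

A nonzero exit status is the count of failed checks, so the script can gate a follow-up step after a Salt run.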
@rocodes rocodes mentioned this pull request Jan 10, 2025