Remove special casing for sd-whonix #618
Conversation
eloquence
force-pushed
the
583-host-to-ghost
branch
from
4c22e73 to
07c877f
Compare
| - source: "salt://sdlog.conf" | ||
|
|
||
| # Because whonix-gw-15 template is not allowing to create the config file on | ||
| # package install time, we do it via rc.local call. |
There was a problem hiding this comment.
For the record, this was added in 232c56f. @kushaldas, can you elaborate on what you meant at the time with "whonix-gw-15 template is not allowing to create the config file on package install time"? As far as I can tell, the config file /etc/rsyslog.d/sdlog.conf is installed just fine from the securedrop-log package, and I've not observed any behavior specific to whonix-gw-15 that would prevent this from being the case.
There was a problem hiding this comment.
#447 this is the PR and as I can see in my logs, the file was still missing even after the package was installed.
Here is my note from that work:
* https://github.com/freedomofpress/securedrop-workstation/pull/447 howt to remove the files?
- how to remove gpg key? sudo apt-key del KEY_ID
- `make clean`
- remove works properly
- `make all` agagin.
- most of the vms decided not to reply to Qubes calls :(
- cleaned, and `make all` again
- Someday Qubes and Salt will play nicely together. Question is in which year?
- this try, the package is there, but, no logs.
- because the sdlog.conf file is missing, WHY WHY WHY
- I this before, i commented on the issue, dpkg did not create the sdlog.conf file at all on the system.
- one idea, if the file is missing, just copy it over via rc.local file
- testing again
- testing again, adding sdlog.conf only for sd-whonix if missing.
- testing once more, things look better now
- meeting with Mickael
- need to test some more changes
- make clean and make all again at super late night :)
There was a problem hiding this comment.
Hi @kushaldas, I experienced this once during testing with dpkg, and in my experience it happens when you've previously removed the file by hand and uninstalled (rather than purged) the package - regardless of the order of the two operations. It's not specific to Whonix, and is just how Debian handles configuration files. Because we purge the file correctly with our uninstall logic, I don't believe it should be an issue on production systems.
| @@ -14,7 +14,6 @@ remove-securedrop-log-package-from-whonix: | |||
| sd-cleanup-whonix-gw-15: | |||
| cmd.run: | |||
| - names: | |||
| - sudo rm -f /etc/rsyslog.d/sdlog.conf | |||
There was a problem hiding this comment.
Note that we use pkg.purged to remove the securedrop-log package, which removes config files:
Verify that a package is not installed, calling pkg.purge if necessary to purge the package. All configuration files are also removed.
Removing a configuration file on a Debian system by other means can have unpredictable consequences: the package manager will not reinstate it , because it will assume that the user removed it intentionally. For this reason, I think it's best to rely on pkg.purged alone here.
|
I've added a test plan. I would recommend the following order of operations:
|
|
See comment in freedomofpress/securedrop-log#18 (review): we must also update the |
Roger that, will update the tests on Tuesday and then promote to ready. :) |
|
This is ready for review, but to take it for a spin with the associated securedrop-log changes, it would IMO be best to kick off a nightly build of that package; nightlies seem to have gotten stuck around October 5. |
| @@ -54,9 +54,6 @@ def test_sd_whonix_repo_enabled(self): | |||
| """ | |||
| assert self._fileExists(self.whonix_apt_list) | |||
|
|
|||
| def test_logging_configured(self): | |||
| self.logging_configured(vmname=True) | |||
|
|
|||
There was a problem hiding this comment.
The test_logging_configured shouldn't be removed, it should just have its call updated to pass no args (matching the modified test logic).
There was a problem hiding this comment.
Fixed (I misread the inheritance logic).
You're right! Resolved out of band. Latest version of Started, but did not finish review. Left one comment about the test logic—to any future reviewers, e.g. @zenmonkeykstop, please tack on a test if you agree. Also make sure to run |
We now handle this in the logger by avoiding reliance on gethostname(). Enforce removal of sd-whonix configuration in /rw/config/rc.local and ensure that /rw/config/sdlog.conf is absent. Don't rm a file that's already being purged as part of package removal.
eloquence
force-pushed
the
583-host-to-ghost
branch
from
8bd155e to
c81c29b
Compare
|
Reviewing now! |
There was a problem hiding this comment.
👍 Ran through the test plan, and other than sd-app not being started by make staging, the changes specific to this PR look good and worked.
- Remove
~/QubesIncomingLogs/hostdirectory onsd-logif it exists from previous runs make clonefrom this branch.make stagingwith a valid config. This will apply the Salt states from this PR.- Ensure the
sd-whonixVM, thesd-appVM, and thesd-logVM are all booted.
sd-app was not booted after make staging completed.
- On
sd-whonix: Observe that/rw/config/rc.localno longer contains any customizations - On
sd-whonix: Observe that/rw/config/sdlog.confno longer exists. - On
sd-log: Observe that no files exist underhostin~/QubesIncomingLogs - On
sd-log: Observe that logs are correctly ingested undersd-whonix. - On
sd-log: Observe that logs are correctly ingested undersd-app.
make cleanindom0.
- On
whonix-gw-15: Observe that/etc/rsyslog.d/sdlog.confhas been removed
That makes sense: we don't actually enforce that state (although we should). So, my read of the test plan is "manually start those VMs before you proceed to the next step." |
Part of #583
Description
Removes Salt logic for custom handling of
whonix-gw-15integration withsd-logand instead treats it like any other TemplateVM.Removes the
vmnametesting fromdom0tests. The functionality remains insecuredrop-log, but is only likely to be used during development.Status
Ready for review.
Test plan
Prerequisites
mainofsecuredrop-workstation.Instructions
~/QubesIncomingLogs/hostdirectory onsd-logif it exists from previous runsmake clonefrom this branch.make stagingwith a valid config. This will apply the Salt states from this PR.sd-whonixVM, thesd-appVM, and thesd-logVM are all booted.sd-whonix: Observe that/rw/config/rc.localno longer contains any customizationssd-whonix: Observe that/rw/config/sdlog.confno longer exists.sd-log: Observe that no files exist underhostin~/QubesIncomingLogssd-log: Observe that logs are correctly ingested undersd-whonix.sd-log: Observe that logs are correctly ingested undersd-app.make cleanindom0.whonix-gw-15: Observe that/etc/rsyslog.d/sdlog.confhas been removed