freedomofpress / securedrop-workstation

Qubes-based SecureDrop Journalist Workstation environment for submission handling
GNU Affero General Public License v3.0

Call qubesctl from securedrop-admin Python code #539

Open conorsch opened 4 years ago

conorsch commented 4 years ago

We currently use the "provision-all" bash script to serialize calls to qubesctl to configure the SDW VMs. In dev contexts, provision-all is invoked directly. In prod, however, provision-all is called from the securedrop-admin Python script. If an error occurs somewhere in provision-all, the Python subprocess call will swallow that specific error, and report a generalized failure of a non-zero exit code for the script.

Let's move the qubesctl calls into a def within the Python script, so that we'll at least know which specific qubesctl call failed in the event of an error. Note that we cannot (yet) invoke the salt management commands via a Python interface: the qubessalt code is still python2, so we must use subprocess.
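
The change proposed in this issue, sketched as an added example (not code from the issue or from securedrop-admin): each command runs through its own subprocess call, and a failure raises an error that names the step and carries the tool's output. The names `run_steps`, `ProvisionStepError` and `SAMPLE_STEPS` are hypothetical, and the sample steps are constructed stand-ins rather than real qubesctl command lines.

```python
import subprocess
import sys


class ProvisionStepError(Exception):
    """Raised when one provisioning command exits non-zero."""

    def __init__(self, name, argv, returncode, output):
        self.name, self.argv = name, argv
        self.returncode, self.output = returncode, output
        super().__init__(
            f"step {name!r} failed with exit code {returncode}: {' '.join(argv)}"
        )


def run_steps(steps):
    """Run (name, argv) pairs in order and stop at the first failure.

    Returns the names of the steps that completed. Each argv is a list, so
    no shell is involved and arguments are never re-parsed.
    """
    completed = []
    for name, argv in steps:
        proc = subprocess.run(
            argv,
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT,  # keep the tool's own error text
            text=True,
            check=False,  # inspect the exit code ourselves
        )
        if proc.returncode != 0:
            raise ProvisionStepError(name, argv, proc.returncode, proc.stdout)
        completed.append(name)
    return completed


# Constructed stand-ins so the example runs anywhere; in dom0 each argv
# would be one qubesctl command line (assumption, not taken from the repo).
SAMPLE_STEPS = [
    ("first", [sys.executable, "-c", "print('ok')"]),
    ("second", [sys.executable, "-c", "import sys; print('state failed'); sys.exit(20)"]),
    ("third", [sys.executable, "-c", "print('never reached')"]),
]

if __name__ == "__main__":
    try:
        run_steps(SAMPLE_STEPS)
    except ProvisionStepError as err:
        print(err)
        print(err.output, end="")
```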

zenmonkeykstop commented 1 year ago

Keeping open; this matches the intended direction for provisioning.

zenmonkeykstop commented 1 month ago

Should be an easy fix that would vastly improve troubleshooting. Let's do it!