We currently use the "provision-all" bash script to serialize calls to qubesctl to configure the SDW VMs. In dev contexts, provision-all is invoked directly. In prod, however, provision-all is called from the securedrop-admin Python script. If an error occurs somewhere in provision-all, the Python subprocess call will swallow that specific error, and report a generalized failure of a non-zero exit code for the script.
Let's move the qubesctl calls into a def within the python script, so that we'll at least know which specific qubesctl call failed in the event of an error. Note that we cannot (yet) invoke the salt management commands via a python interface: the qubessalt code is still python2, so we must use subprocess.
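One way to structure the function proposed above, as an added example that is not code from the securedrop-admin script: each command runs as its own subprocess, and the first failure is reported with its position, argv, exit code and stderr. The names `run_steps`, `ProvisionError` and `SAMPLE_STEPS` are hypothetical, and the sample steps are constructed stand-ins for the real qubesctl invocations, which are not listed here.

```python
import subprocess
import sys


class ProvisionError(Exception):
    """Raised when one step of the serialized run fails."""

    def __init__(self, index, cmd, returncode, stderr):
        self.index = index            # 1-based position of the failed step
        self.cmd = cmd                # argv of the failed step
        self.returncode = returncode  # None if the binary could not be started
        self.stderr = stderr
        super().__init__(
            "step {} exited {}: {}".format(index, returncode, " ".join(cmd))
        )


def run_steps(steps):
    """Run each argv list in order; stop at the first failure and name it."""
    completed = []
    for index, cmd in enumerate(steps, start=1):
        # argv is passed as a list (no shell=True), so nothing is re-parsed
        # by a shell and every step has its own exit status.
        try:
            proc = subprocess.run(
                cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                universal_newlines=True,
            )
        except OSError as exc:  # binary missing or not executable
            raise ProvisionError(index, cmd, None, str(exc))
        if proc.returncode != 0:
            raise ProvisionError(index, cmd, proc.returncode, proc.stderr.strip())
        completed.append(cmd)
    return completed


# Constructed sample: Python one-liners standing in for the qubesctl calls.
SAMPLE_STEPS = [
    [sys.executable, "-c", "print('step one ok')"],
    [sys.executable, "-c", "import sys; sys.stderr.write('state failed\\n'); sys.exit(20)"],
    [sys.executable, "-c", "print('never reached')"],
]

if __name__ == "__main__":
    try:
        run_steps(SAMPLE_STEPS)
    except ProvisionError as err:
        print("{}\n{}".format(err, err.stderr), file=sys.stderr)
        sys.exit(1)
```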