Test install process, workstation functionality against Qubes 4.0.4

freedomofpress / securedrop-workstation

Qubes-based SecureDrop Journalist Workstation environment for submission handling

GNU Affero General Public License v3.0

141 stars 43 forks source link

Test install process, workstation functionality against Qubes 4.0.4 #640

Closed zenmonkeykstop closed 3 years ago

zenmonkeykstop commented 4 years ago

The Qubes 4.0.4 RC1 iso is now available: https://www.qubes-os.org/news/2020/11/05/qubes-4-0-4-rc1/

Probably the most relevant change is the update to Fedora version from 30 (in 4.0.3) to 32. The workstation installation currently involves installing F31 after the Qubes install, so this would simplify the process.

Testing should involve:

[ ] verifying that the SDW docs correctly describe the Qubes installer process
[ ] verifying that an installation can be completed successfully without installing F31 and with F32 used for sys- VMs
[ ] verifying client functionality after install.

zenmonkeykstop commented 4 years ago

Tried naively installing on 4.0.4-rc1, ignoring the fedora31 setup step (because fedora32, right?)

Installation proceeds happily including installation of fedora31 template until first attempt to update a fedora31-based VM (sys-firewall), which fails due to the upstream issue https://github.com/QubesOS/qubes-issues/issues/6188 . Applying the fix described there (using Qubestesting repo) resolves, and installation completes without error on a second run of sdw-admin --apply.

eloquence commented 4 years ago

Thanks for the report @zenmonkeykstop, that's great news. I've pulled this into the current sprint for visibility, but if the release stars align, we can do the final testing as part of QA for 0.5.1 (#643).

eloquence commented 3 years ago

Qubes 4.0.4 is still not out yet; we'll want to re-test a fresh install once it it is but moving to near-term backlog for now.

eloquence commented 3 years ago

4.0.4~RC2 is out; plan of record is to re-test once the final 4.0.4 is out.

eloquence commented 3 years ago

Just noting that 4.0.4. was in fact released yesterday. According to the release announcement, any updated Qubes 4 system is functionally identical to a 4.0.4 install.

I re-ran sdw-admin --apply on my updates Qubes machine without issues; SecureDrop Client also seems happy. In make test in dom0 I am noticing Whonix policy lines that cause test failures on my machine. I'm not sure when exactly those were added, may have been well before 4.0.4 but I do believe it must have been through some update:

Policy for qubes.VMRootShell is:
disp-mgmt-whonix-gw-15 whonix-gw-15 allow,user=root
### BEGIN securedrop-workstation ###

Policy for qubes.Filecopy is:
disp-mgmt-whonix-gw-15 whonix-gw-15 allow,user=root
### BEGIN securedrop-workstation ###

conorsch commented 3 years ago

Those RPC policies changes appear incidental, they are automatically created by dom0 during updates to a given VM. So, while updating whonix-gw-15 via Salt, dom0 will add a grant for disp-mgmt-whonix-gw-15 to talk to it. Those should be cleaned up automatically after a successful run, but if the updates failed, they'll hang around again. See https://github.com/freedomofpress/securedrop-workstation/pull/351#discussion_r352716217 for reference.

In other words, those changes do not appear to be related to 4.0.4. Thanks for the install report, great to hear it's working well! We'll need to update the docs to match.

eloquence commented 3 years ago

We've been using Qubes 4.0.4 without issue for a while, so closing.