Virtualize Tails for debugging - Githubissues

freedomofpress / securedrop

GitHub repository for the SecureDrop whistleblower platform. Do not submit tips here!

https://securedrop.org/

Other

3.62k stars 687 forks source link

Virtualize Tails for debugging #1767

Closed msheiny closed 6 years ago

msheiny commented 7 years ago

Part of the march to improving the developer experience is that we need to virtualize tails and get local file sharing wired-up.

I anticipate we may need to maintain a slight fork of tails packed in a vagrant box so it plays nicely with vagrant. In particular, we'll need things like:

ssh enabled and pre-configured
vagrant user dropped in
might want some other pre-installed packages (not sure what yet)

depending on how this effort goes, we could pivot to provide a solution to #1532

ghost commented 7 years ago

Learning how to customize tails with https://tails.boum.org/contribute/customize/

ghost commented 7 years ago

Configuring a debian-live system to run as a virtualbox guest. The required packages are included in tails virtualbox-guest-dkms and virtualbox-guest-x11

ghost commented 7 years ago

Instructionsto rebuild tails-3.0 from a pristine debian 9

$ git clone -b stable https://git-tails.immerda.ch/tails
$ cd tails
$ cat | sudo tee /etc/apt/preferences.d/00-builder-jessie-pinning <<EOF
Package: *
Pin: release o=Debian,a=stable
Pin-Priority: 700

Package: *
Pin: origin deb.tails.boum.org
Pin-Priority: 800
EOF
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository 'deb http://deb.tails.boum.org/ builder-jessie main'
$ sudo apt-key adv --receive-keys C7988EA7A358D82E 
$ sudo apt-get update
$ apt-get install \
  dpkg-dev \
  gettext \
  intltool \
  libfile-slurp-perl \
  liblist-moreutils-perl \
  libyaml-libyaml-perl \
  libyaml-perl \
  libyaml-syck-perl \
  perlmagick \
  po4a \
  syslinux-utils \
  time \
  whois
$ sudo apt-get install bind9
$ sudo systemctl start bind9 # because lb build sets /etc/resolv.conf to 127.0.0.1 in chroot
$ sudo apt-get install ikiwiki
...
Get:6 http://deb.tails.boum.org builder-jessie/main amd64 libmarkdown2 amd64 2.2.1-1~bpo8+1~0.tails1 [35.0 kB]
Get:7 http://deb.tails.boum.org builder-jessie/main amd64 ikiwiki all 3.20160905.0tails1 [1,413 kB]
...
$ sudo apt-get install debootstrap=1.0.89 # because --no-merge-usr is not in builder-jessie debootstrap
$ sudo lb clean --all
$ sudo lb config
$ sudo lb build

ghost commented 7 years ago

Automated tests and remote shell access to tails : https://tails.boum.org/contribute/release_process/test/automated_tests/. But trying to run them fails:

https://labs.riseup.net/code/issues/12731
tails/config/chroot_local-includes/lib/systemd/system/tails-autotest-remote-shell.service activates the ttyS0 remote shell access
additional software tails/config/chroot_local-includes/usr/local/sbin/tails-additional-software

ghost commented 7 years ago

https://tails.boum.org/contribute/build/vagrant-setup/ are instructions to use vagrant to build tails (not to run or test a given build). It is essentially another way to do http://dachary.org/?p=4116

ghost commented 7 years ago

maybe we could patch the https://git-tails.immerda.ch/tails repository to:

install openssh-server

diff --git a/config/chroot_local-packageslists/tails-common.list b/config/chroot_local-packageslists/tails-common.list
index e75f209ff6..081e52bfff 100644
--- a/config/chroot_local-packageslists/tails-common.list
+++ b/config/chroot_local-packageslists/tails-common.list
@@ -183,6 +183,7 @@ libreoffice-l10n-zh-cn
onioncircuits
openpgp-applet
openssh-client
+openssh-server
paperkey
parted
patch

modify the firewall to allow connecting to port 22 ( config/chroot_local-includes/etc/ferm/ferm.conf )

customize the tails greeter to autologin ( https://wiki.debian.org/GDM )

diff --git a/config/chroot_local-hooks/30-autologin-gdm b/config/chroot_local-hooks/30-autologin-gdm
new file mode 100755
index 0000000000..85ad68c73f
--- /dev/null
+++ b/config/chroot_local-hooks/30-autologin-gdm
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+set -u
+echo "Autologin GDM"
+sed --in-place --regexp-extended \

's/^# Automatic/Automatic/' /etc/gdm3/daemon.conf +sed --in-place --regexp-extended \
's/^AutomaticLogin.*/AutomaticLogin = amnesia/' /etc/gdm3/daemon.conf
add the public key matching ~/.vagrant.d/insecure_private_key or another public key designed for testing in /root/.ssh/authorized_keys

Then we:

build the iso image (http://dachary.org/?p=4116)
run the iso with kvm ( http://dachary.org/?p=4091 ) with -net nic -net user,hostfwd=tcp::4022-:22
run ansible on 127.0.0.1:4022
run testinfra with127.0.0.1:4022 the tails image

I manually tested the above to work (i.e. I was able to ssh from the host to tails). What do you think ? I realize running kvm/qemu on travis etc. is not going to be possible... but it may be a better option than testing manually

conorsch commented 7 years ago

At least @msheiny and I have been using Tails via libvirt on Linux for months now, to perform QA of the Admin and Journalist Workstation environments. We should add instructions to the developer docs to replicate the workflow—which is only necessary in the staging and prod environments, not for the development VM.

More important, however, is getting the Tails environment into CI so that we can write testing scenarios for bootstrapping the devices and running tasks that contact the servers. That will take a substantial amount of work, but would definitely minimize bugs like the one that required cutting 0.4.1.

conorsch commented 6 years ago

We now have instructions on how to virtualize Tails as part of the developer docs: https://docs.securedrop.org/en/stable/development/virtualizing_tails.html Those changes landed via #2219 and #2607.

ghost commented 6 years ago

Yessss :-)