Enforce dom0 salt state as part of preflight updates #427

Closed
eloquence opened this issue Jan 23, 2020 · 2 comments · Fixed by #458


eloquence commented Jan 23, 2020

Some urgent security updates on deployed workstations (e.g., RPC policy changes) may need to be applied via provisioning logic that is managed via Salt. As an interim solution, we've agreed that it makes sense to enforce the dom0 salt state as part of the preflight updater merged in #396. This will add some time to the preflight update process; as a before/after comparison, it would be good to stopwatch this added time as part of the review process.

@conorsch
Contributor

See previous discussion in #412 (comment). Specifically, it's `qubesctl state.highstate` that we want to make sure runs as part of the preflight updater. The drawback to targeting only dom0 is that state inside domUs can only be updated via deb packages, but we can reevaluate that strategy down the road if it proves insufficient. For the purposes of the pilot, we'll make sure there's a one-shot action to apply all state ad-hoc, exposed to Admins, for the purposes of support—that's tracked as a subtask of #406.

eloquence added this to the 0.2.0beta milestone Jan 27, 2020

emkll commented Feb 5, 2020

Noting for the implementer that the order of operations is important: we should apply the dom0 configuration before rebooting the AppVMs, to ensure changes to the templates are applied, in the event a reboot is not required.

In #432, we introduced a `securedrop-admin` command. We should call it with `--validate` to validate the config (fail accordingly), and then `--apply` to apply the configuration (also fail accordingly).
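
Added example, not code from the SecureDrop Workstation project: one way to implement the ordering described in this thread (validate, then apply, then reboot AppVMs, stopping at the first failure), with per-step timing for the before/after comparison requested in the issue. The bare `securedrop-admin` invocation, the `reboot_appvms` callback and the injectable `runner` and `clock` parameters are assumptions for illustration.

```python
import subprocess
import time

# The --validate and --apply flags are the ones named in the thread; the bare
# command name (no path, no sudo) is an assumption for illustration.
STEPS = [
    ("validate", ["securedrop-admin", "--validate"]),
    ("apply", ["securedrop-admin", "--apply"]),
]


def run_command(argv):
    """Default runner: execute argv and return its exit code."""
    return subprocess.run(argv, check=False).returncode


def preflight(reboot_appvms, runner=run_command, clock=time.monotonic):
    """Validate, then apply, then reboot AppVMs; stop at the first failure.

    reboot_appvms is a hypothetical callback standing in for the updater's
    own reboot logic. Returns (ok, report), where report lists
    (step, exit_code, seconds) for every step that actually ran.
    """
    report = []
    for name, argv in STEPS:
        start = clock()
        code = runner(argv)
        report.append((name, code, clock() - start))
        if code != 0:
            # Fail closed: never apply an invalid config, and never reboot
            # AppVMs on top of a dom0 state that failed to apply.
            return False, report
    start = clock()
    reboot_appvms()
    report.append(("reboot", 0, clock() - start))
    return True, report


if __name__ == "__main__":
    # Constructed dry run: a fake runner in which validation fails.
    fake = lambda argv: 1 if "--validate" in argv else 0
    ok, report = preflight(lambda: print("rebooting AppVMs"), runner=fake)
    print(ok, [(step, code) for step, code, _ in report])
```
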
