-
Notifications
You must be signed in to change notification settings - Fork 39
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Build and test Workstation base template RPM with updated securedrop-keyring package #887
Comments
first steps:
|
Initial update: Building using our qubes-template-securedrop-workstation convenience script does not quite work; the build gets stuck and errors out at the create chroot stage, and following the suggested steps to fix does not resolve the issue while using our script. (The error that appears is also an older error, first noticed in 2020 and ostensibly remedied in the qubes-builder repo already..) log
I was able to make more progress however by continuing with the qubes-builder (v1) repo directly, since by this point our configuration files had already been put in place. I did the following:
I am still running into issues with the log
I also looked at porting the buillder.conf file to the qubes builderv2 yaml format to test the builderv2 repo if these issues aren't resolvable (although it seems they should be). That is still in progress. |
This upstream issue gives us the biggest clue: QubesOS/qubes-issues#5263 (comment) Even though there is a |
I was not able to successfully build a template, still running into permissions issues that look to be chroot-related. @eaon has latest updates from last week. |
After having had repeated mount related trouble in upstream dependencies, we pivoted by coming up with a non-standard procedure that for all intents and purposes should not be any different than a template that was updated in-flight. Instead of building a new template from the ground up, we instead did the following:
Since this wasn't scripted but a series of commands, it doesn't really fit anywhere, so I created a gist describing what's being done and why. Details of the actual build by @rocodes can be found in freedomofpress/build-logs@a3539dc As I pointed out in my comment in freedomofpress/securedrop-yum-test#48, the installed packages for an updated in-flight template are exactly the same as what's contained in the package. |
Thank you so much for testing and instruction @eaon :) Just a heads up that when I tried to install the template on my machine, I ran into this upstream issue: Won't affect vanilla SDW installs but for folks installing lots of other templates we should keep up with this issue from a support perspective. |
Left a note in the issue you referenced so that the whole community may benefit from our new insights 🙂 |
Here are some instructions for anyone testing the rpm, which is now on yum-test.securedrop.org Test PlanHardware:
Testing
|
I removed @nathandyer's assignment since there was actually one step missing from the test plan (manually edit Test plan
|
@rocodes Thanks! I'm happy to step through another reinstall with the edited test plan if that's at all helpful - it's not too far out of the way for me to leave things cooking in the background while I'm doing other things. Just let me know if that's of interest! |
@nathandyer Thanks for your offer, no need at present time - but don't worry, we'll make use of your prod setup for the dom0 config package update coming soon. I would never let a good prod workstation go to waste. ;) |
Now that freedomofpress/securedrop-yum-prod#43 is up, we will close this issue in favour of the release tracking issue: |
Once the Bullseye version of securedrop-keyring is available as per freedomofpress/securedrop-builder#443, a new base template should be built and tested containing it.
The text was updated successfully, but these errors were encountered: