Remove special casing for sd-whonix #618
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -62,41 +62,33 @@ sd-gpg-remove-rsyslog-qubes-plugin: | |
- require: | ||
- file: sd-gpg-remove-rsyslog-qubes-plugin | ||
|
||
{% elif grains['id'] == "sd-whonix" %} | ||
# We can not place the file on the template under /etc/rsyslog.d/ because of whonix | ||
# template. This sdlog.conf file is the same from the securedrop-log package, to | ||
# make sure that rsyslogd use our logging plugin. | ||
sd-rsyslog-sdlog-conf-for-sd-whonix: | ||
file.managed: | ||
- name: /rw/config/sdlog.conf | ||
- source: "salt://sdlog.conf" | ||
|
||
# Because whonix-gw-15 template is not allowing to create the config file on | ||
# package install time, we do it via rc.local call. | ||
For the record, this was added in 232c56f. @kushaldas, can you elaborate on what you meant at the time with "whonix-gw-15 template is not allowing to create the config file on package install time"? As far as I can tell, the config file

#447 this is the PR and as I can see in my logs, the file was still missing even after the package was installed. Here is my note from that work:

Hi @kushaldas, I experienced this once during testing with
||
sd-rc-enable-logging-for-sd-whonix: | ||
file.blockreplace: | ||
- name: /rw/config/rc.local | ||
- append_if_not_found: True | ||
- marker_start: "### BEGIN securedrop-workstation ###" | ||
- marker_end: "### END securedrop-workstation ###" | ||
- content: | | ||
# Add sd-rsyslog.conf file for syslog | ||
ln -sf /rw/config/sdlog.conf /etc/rsyslog.d/sdlog.conf | ||
cat <<EOF > /etc/sd-rsyslog.conf | ||
[sd-rsyslog] | ||
remotevm = sd-log | ||
localvm = {{ grains['id'] }} | ||
EOF | ||
systemctl restart rsyslog | ||
cmd.run: | ||
- name: /rw/config/rc.local | ||
- require: | ||
- file: sd-rc-enable-logging-for-sd-whonix | ||
|
||
{% else %} | ||
# For all other VMs, configure to send to sd-log | ||
configure-rsyslog-for-sd: | ||
file.managed: | ||
- name: /etc/sd-rsyslog.conf | ||
- source: "salt://sd-rsyslog.conf.j2" | ||
{% endif %} | ||
|
||
# Remove outdated configuration that was previously used to configure the | ||
# sd-whonix VM name for logging purposes, see: | ||
# https://github.com/freedomofpress/securedrop-workstation/issues/583 | ||
# | ||
# Can be removed in a future release once all production workstations have | ||
# been updated. | ||
{% if grains['id'] == "sd-whonix" %} | ||
sd-whonix-cleanup-rc-local: | ||
file.replace: | ||
- names: | ||
- /rw/config/rc.local | ||
- pattern: '### BEGIN securedrop-workstation ###.*### END securedrop-workstation ###\s*' | ||
- flags: | ||
- MULTILINE | ||
- DOTALL | ||
- repl: '' | ||
- backup: no | ||
|
||
sd-whonix-cleanup-sdlog-conf: | ||
file.absent: | ||
- name: /rw/config/sdlog.conf | ||
{% endif %} |
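Review bot: The pattern in sd-whonix-cleanup-rc-local uses a greedy ".*" together with DOTALL, so if /rw/config/rc.local ever contains more than one "### BEGIN securedrop-workstation ###" / "### END securedrop-workstation ###" pair, the match runs from the first BEGIN to the last END and deletes everything between the blocks, including lines that were never managed by this state. A non-greedy ".*?" limits each match to a single managed block. Because the state also sets "backup: no", there is no copy of rc.local to recover from if the match is wider than intended. Separately, the removed rc.local block also created the /etc/rsyslog.d/sdlog.conf symlink and wrote /etc/sd-rsyslog.conf, while the cleanup here only covers /rw/config/rc.local and /rw/config/sdlog.conf; the comment above the cleanup states could say where those two paths are handled.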
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -55,7 +55,7 @@ def test_sd_whonix_repo_enabled(self): | |
assert self._fileExists(self.whonix_apt_list) | ||
|
||
def test_logging_configured(self): | ||
self.logging_configured(vmname=True) | ||
self.logging_configured() | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Fixed (I misread the inheritance logic). |
||
def test_sd_whonix_verify_tor_config(self): | ||
# User must be debian-tor for v3 Onion, due to restrictive | ||
|
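Review bot: test_logging_configured now calls self.logging_configured() without vmname=True, but nothing in this hunk checks the cleanup that the Salt change introduces for sd-whonix. Consider adding assertions that /rw/config/sdlog.conf no longer exists (the _fileExists helper used in test_sd_whonix_repo_enabled looks suitable) and that /rw/config/rc.local no longer contains the "### BEGIN securedrop-workstation ###" marker, so that a regression in the file.replace pattern or the file.absent state shows up in the test run.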
Note that we use `pkg.purged` to remove the `securedrop-log` package, which removes config files:

Removing a configuration file on a Debian system by other means can have unpredictable consequences: the package manager will not reinstate it, because it will assume that the user removed it intentionally. For this reason, I think it's best to rely on `pkg.purged` alone here.