Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fully power off workstation after lid close #473

Merged
merged 2 commits into from
Mar 2, 2020
Merged

Fully power off workstation after lid close #473

merged 2 commits into from
Mar 2, 2020

Conversation

eloquence
Copy link
Member

@eloquence eloquence commented Feb 28, 2020
edited by kushaldas
Loading

Description

In production or staging environment, fully powers off the workstation instead of merely suspending to disk if the laptop lid is closed, in order to protect full-disk encryption key.

Status

Ready for review. Towards #178, but does not resolve as "suspend" is still an option in the logout menu.

Test plan

Since we've not issued a new prod release yet, I suggest testing this PR by running the Salt state on its own.

Testing production config

  1. make clone this branch into dom0
  2. Ensure you have a valid config.json. Run scripts/configure-environment --environment prod to switch it to production. (Note: That script currently messes up JSON formatting, make sure you have a copy if you care about that.)
  3. make prep-salt to deploy salt config in dom0
  4. Open a new dom0 terminal and follow the logind logs with journalctl -f -u systemd-logind
  5. In the original terminal, deploy the salt state added in this PR with sudo qubesctl --show-output --targets dom0 state.sls sd-dom0-systemd
    • Observe in the journal that systemd-logind was restarted
    • Observe that /etc/systemd/logind.conf now contains the HandleLidSwitch=poweroff directive.
  8. Detach any external displays.
    • Close the laptop lid and observe that the system is ultimately powered off (this can take up to a minute or so).
  10. Reboot (sorry!).

Testing cleanup

  1. Follow the logind logs again in a separate terminal.
  2. In a dom0 terminal, run sudo qubesctl --show-output --targets dom0 state.sls sd-clean-all to undo the changes from the previous run. (Note: This will remove other files in dom0 and force you to re-run make all for a working environment.)
    • Observe in the journal that systemd-logind is restarted.
    • Observe that /etc/systemd/logind.conf no longer contains the line in question.
  5. Close your laptop lid.
    • Observe that the system is again suspended, if that was your previous configuration.

Testing that change has no impact in dev env

  1. Set your config.json to dev using the same method as before.
  2. Re-deploy it with make prep-salt.
  3. Re-run the salt state sd-dom0-systemd as before.
    • Observe that /etc/systemd/logind.conf has not been modified and systemd-logind has not been restarted.

Checklist

  • Linter (make flake8) passes
  • make test not re-run yet
  • Adds files to RPM contents implicitly through existing wildcard rules
  • Does not bump RPM version

@eloquence
Copy link
Member Author

eloquence commented Feb 28, 2020
edited
Loading

There is in fact an easy way to disable the UI options as well, using xfconf-query (see here); haven't verified if it's sticky yet. Moving this back to development for a bit. Might indeed be best to use the xfce4-settings for all of this, since its power manager offers additional options (e.g., changing the behavior of the power button).

@eloquence
Copy link
Member Author

eloquence commented Feb 29, 2020
edited
Loading

Unfortunately there's no way to force a shutdown on lid close using xfce's power management settings, so we're back to the logind method. But we can hide the options we don't want. I'll make that part of a separate PR to tweak misc. XFCE settings, including the default icon size. We can land this PR if it looks good, marking as ready for review.

@eloquence eloquence mentioned this pull request Feb 29, 2020
Merged
6 tasks
@kushaldas
Copy link
Contributor

Updated the clean-up test command step.

@kushaldas kushaldas self-assigned this Mar 2, 2020
kushaldas
kushaldas approved these changes Mar 2, 2020
View reviewed changes
Copy link
Contributor

@kushaldas kushaldas left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Testing production config

  1. make clone this branch into dom0
  2. Ensure you have a valid config.json. Run scripts/configure-environment --environment prod to switch it to production. (Note: That script currently messes up JSON formatting, make sure you have a copy if you care about that.)
  3. make prep-salt to deploy salt config in dom0
  4. Open a new dom0 terminal and follow the logind logs with journalctl -f -u systemd-logind
  5. In the original terminal, deploy the salt state added in this PR with sudo qubesctl --show-output --targets dom0 state.sls sd-dom0-systemd
    • Observe in the journal that systemd-logind was restarted
    • Observe that /etc/systemd/logind.conf now contains the HandleLidSwitch=poweroff directive.
  8. Detach any external displays.
    • Close the laptop lid and observe that the system is ultimately powered off (this can take up to a minute or so).
  10. Reboot (sorry!).

Testing cleanup

  1. Follow the logind logs again in a separate terminal.
  2. In a dom0 terminal, run sudo qubesctl --show-output --targets dom0 state.sls sd-clean-all to undo the changes from the previous run. (Note: This will remove other files in dom0 and force you to re-run make all for a working environment.)
    • Observe in the journal that systemd-logind is restarted.
    • Observe that /etc/systemd/logind.conf no longer contains the line in question.
  5. Close your laptop lid.
    • Observe that the system is again suspended, if that was your previous configuration.

Testing that change has no impact in dev env

  1. Set your config.json to dev using the same method as before.
  2. Re-deploy it with make prep-salt.
  3. Re-run the salt state sd-dom0-systemd as before.
    • Observe that /etc/systemd/logind.conf has not been modified and systemd-logind has not been restarted.

Everything worked as excepted. Approving.

@kushaldas kushaldas merged commit c54d5dd into master Mar 2, 2020
@kushaldas kushaldas deleted the poweroff-on-lid-close branch March 2, 2020 11:38
@emkll emkll mentioned this pull request Mar 5, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kushaldas kushaldas kushaldas approved these changes

Assignees

@kushaldas kushaldas

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@eloquence @kushaldas