-
Notifications
You must be signed in to change notification settings - Fork 46
Developer Tips & Tricks
This page contains various tips used by the securedrop-workstation
developers. Please add yours below.
- (skip if you don't need to run a clean install) In dom0:
sdw-admin --uninstall
to remove thequbes-template-securedrop-workstation-buster
RPM - In your dev VM (default name
sd-dev
): checkout the latestmain
or tag of the version you want to install - (skip if you already have a
securedrop-worksation
directory in dom0 from a previous install) In dom0:qvm-run --pass-io sd-dev "tar -c -C /home/user securedrop-workstation" | tar xvf -
(assuming defaultsd-dev
name and repo exists in/home/user
) ( Rest of the steps are in dom0) cd securedrop-workstation
- To make sure you are using the RPM built in the next step, first delete any existing rpm with the same name in
rpm-build/RPMS/noarch/
-
make clone
(this will runmake dom0-rpm
on your dev VM and copy it cover into therpm-build/RPMS/noarch/
directory sudo dnf install rpm-build/RPMS/noarch/securedrop-workstation-dom0-config-<version>.fc25.noarch.rpm
- Provision all VMs:
sdw-admin --apply
- Set
environment
todev
,staging
, orprod
and update server info in both config files:/usr/share/securedrop-workstation-dom0-config/config.json
-
/srv/salt/sd/config.json
(as root)
- Update all VMs:
sdw-admin --apply
dnf info securedrop-workstation-dom0-config
xl info
Run the following command in dom0:
qvm-volume info VM_NAME:root
qvm-volume resize VM_NAME:root SIZE
For example: qvm-volume resize sd-large-buster-template:root 15G
Open a terminal in the VM you want to free up space in and run sudo apt autoremove
and sudo apt clean
, then restart.
/opt/securedrop/launcher/sdw-launcher.py --skip-delta 0
The updater checks for network connectivity before attempting to update. If you want to run the updater regardless of network conditions (for example, outside of dom0) you may use the --skip-netcheck
flag:
/opt/securedrop/launcher/sdw-launcher.py --skip-netcheck
Note: The updater does not update all VMs. To run a full migration, run sdw-admin --apply
sudo qubesctl --show-output --skip-dom0 --targets VM_NAME state.highstate
To learn more, see https://github.com/freedomofpress/securedrop-workstation/blob/main/scripts/provision-all#L16.
In the login method at the Journalist
class in models.py
, you can add return user
as soon as you get the user object (instead of checking password/totp). This will allow the client to login with any 14+ password and 1 char totp.
# type: (str, str, str) -> Journalist
try:
user = Journalist.query.filter_by(username=username).one()
+ return user
except NoResultFound:
raise InvalidUsernameException(
"invalid username '{}'".format(username))
Copy individual files to /opt/venvs/securedrop-packagename/lib/python3.5/site-packages/
in the AppVM. When you reboot, you will get the clean VM back.
If you already have SecureDrop Workstation installed, this is easy. In dom0
, create a VM with Tor Browser that uses sd-whonix
as its NetVM, e.g.:
$ qvm-create sd-journalist --template whonix-ws-16 --label orange --property netvm=sd-whonix
The use of sd-whonix
ensures that the VM has access to the authentication token for the Journalist Interface hidden service. Note: You must temporarily change the NetVM, e.g., to sys-whonix
, before uninstalling SecureDrop Workstation or running make clean
; otherwise, the destruction of the sd-whonix
VM will fail due to it being in use.
Development machines only: To quickly test or preview changes to the client repo (for example, to review PRs), you may wish to make a few modifications to the sd-app
VM. Those include:
- (in
dom0
) editing the/etc/qubes-rpc/policy/qubes.ClipboardPaste
RPC policy to allow copy/paste in and out of the sd-app VM (optional, useful for development) - installing
git
andpython3-vev
in thesd-small-buster-template
(so you can use them persistently insd-app
), then adding a NetVM (e.g. sys-firewall) tosd-app
and cloning the client repo (useful for reviewing PRs or applying diffs that facilitate QA). See Step 8 of the Staging setup instructions
To see all recent qrexec failures, run in dom0:
sudo journalctl -a -b | grep -F qrexec:
You can add -f
to the journalctl
command and re-run the failing action to monitor results in real-time.
# list all grains (facts) for a given target
# this is the equivalent of calling .keys() on a python dict: you only get the names
qubesctl --target dom0 grains.ls
# display values for all grains
# this is the equivalent of calling .iter() on a python dict: you get keys and values
qubesctl --target dom0 grains.items
# look up a single grain
# this is the equivalent of calling .get() on a python dict: you get an answer, or nothing, but no error
qubesctl --target dom0 grains.item osrelease
# look up pillars (vars) for a given target
qubesctl --target dom0 pillar.ls