Conversation
deeplow
force-pushed
the
1245-qubes-4.3-compat
branch
6 times, most recently
from
5dfd030 to
3ecdfbb
Compare
deeplow
force-pushed
the
1245-qubes-4.3-compat
branch
2 times, most recently
from
cd02e0b to
8eeae1a
Compare
deeplow
force-pushed
the
1245-qubes-4.3-compat
branch
11 times, most recently
from
9d9303f to
e31a66b
Compare
|
This is now passing installation with a few hacks. It's only running into issues in the tests, but I haven't taken a look at those yet. |
deeplow
force-pushed
the
1245-qubes-4.3-compat
branch
from
e45451c to
66bceaa
Compare
deeplow
force-pushed
the
1245-qubes-4.3-compat
branch
from
66bceaa to
7fad531
Compare
deeplow
force-pushed
the
1245-qubes-4.3-compat
branch
2 times, most recently
from
ffef033 to
31a1e00
Compare
nathandyer
requested review from
legoktm
and removed request for
zenmonkeykstop
When running "sdw-admin --apply" "run-prep-upgrade-scripts" in "sd-upgrade-templates.sls" and "sd-remove-unused-templates" as it fails with the message: stdout: Please specify prepare or remove This indicated that the 'args' parameter is not being properly recognized. I looked at the saltstack documentation for the cmd module and nothing indicates an 'args' parameters change. I've checked with changelogs as well comparing the version in Qubes 4.2 with the one in Qubes 4.3. Instead of investigating how to get "cmd.script" this simply uses another way to call the command as a temporary fix. For a more permanent solution we need to fix this in all different places and if we choose to go the 'cmd.run' route, we should place the script in some place other than '/srv/salt/'. Fixes #1499
Preloaded qubes do not need to be configured as they automatically get restarted when its template is changed and saved to disk. These preloaded sd-viewer qubes were getting included for configuration due to the inheritance of the 'sd-workstation' tag. Fruthermore, this attempt at configuration was causing issues as preloaded qubes would time-out when ordered to shut down (See #1475). The implementation choice was to include this fix in configure() rather than pre-filtering out preloaded qubes from the list of targets before passing them on to the 'configure()' function. This was due to the fact that the calling function should not need to be aware that preloaded qubes do not (and should not) have configurations applied to them. Fixes #1475
Presence of preloaded qubes was interfering with the expected test results [1]. For the most part, preloaded qubes are background elements, whose management can be largely ignore.
Build the correct RPM for the dom0 Fedora version in dom0. If building
on Qubes 4.3, it'll internall call 'build-rpm' with 'FEDORA_VERSION=41'.
This is implemented in a way that should work also for future Qubes
versions (assuming dom0 is still Fedora, of course).
Implementation takes advantage of '%{fedora}' RPM macro, made available
by the qubes-release package [1].
[1]: https://github.com/QubesOS/qubes-qubes-release/blob/26f2a3c/qubes-release.spec.in#L97
Upon test failure, from an error message, it's not possible to easily understand what VM failed: > assert not policy_exists(vm, "sd-log", "securedrop.Log") E AssertionError: assert not True E + where True = policy_exists(<qubesadmin.vm.QubesVM object at 0x77effbba0d10>, 'sd-log', 'securedrop.Log') In the future, this will be made more apparent with the use of pytest fixture, but for the time being, this is already an improvement, without modifying much of test code (out of scope for this PR).
Used in strategy matrix to ensure there is one single place where the Qubes version needs to be updated.
legoktm
force-pushed
the
1245-qubes-4.3-compat
branch
from
575fc06 to
6473630
Compare
|
Rebased on main. Note that it said: dropping f79df8d Fix DeprecationWarning: The 'warn' method is deprec. -- patch contents already upstream |
legoktm
left a comment
legoktm
left a comment
There was a problem hiding this comment.
This is really great, the inline comments are very minor. I was able to provision with make dev, have make test pass, and then the App worked fine, plus export + print.
I want to flag one thing that I'm not sure if it's a regression or not. I had two sd-viewer dispVMs open and then ran make test, which failed with:
FAILED tests/test_vms_exist.py::test_all_sdw_vms_present - AssertionError: assert {<qubesadmin.vm.QubesVM object at 0x7830b8121d90>, <qubesadmin.vm.QubesVM object at 0x7830c0b05ba0>, <qubesadmin.vm.QubesVM object at 0x7830b8122810>, <qubesadmin.vm.QubesVM object at 0x7830b8122690>, <qubesadmin.vm.QubesVM object at 0x7830b81bf6c0>, <qubesadmin.vm.QubesVM object at 0x7830b8122990>, <qubesadmin.vm.QubesVM object at 0x7830b81c5250>, <qubesadmin.vm.QubesVM object at 0x7830b8122750>, <qubesadmin.vm.QubesVM object at 0x7830b81228d0>, <qubesadmin.vm.QubesVM object at 0x7830b8122a50>, <qubesadmin.vm.QubesVM object at 0x7830b81225d0>, <qubesadmin.vm.QubesVM object at 0x7830b81aaa50>, <qubesadmin.vm.QubesVM object at 0x7830b81aaeb0>} == {'sd-devices-dvm', 'sd-large-bookworm-template', 'sd-devices', 'sd-small-bookworm-template', 'sd-proxy', 'sd-proxy-dvm', 'sd-viewer', 'sd-log', 'sd-gpg', 'sd-app', 'sd-base-bookworm-template'}
Extra items in the left set:
<qubesadmin.vm.QubesVM object at 0x7830c0b05ba0>
<qubesadmin.vm.QubesVM object at 0x7830b81c5250>
Full diff:
{
- 'sd-app',
- 'sd-base-bookworm-template',
- 'sd-devices',
- 'sd-devices-dvm',
- 'sd-gpg',
- 'sd-large-bookworm-template',
- 'sd-log',
- 'sd-proxy',
- 'sd-proxy-dvm',
- 'sd-small-bookworm-template',
- 'sd-viewer',
+ <qubesadmin.vm.QubesVM object at 0x7830c0b05ba0>,
+ <qubesadmin.vm.QubesVM object at 0x7830b81c5250>,
+ <qubesadmin.vm.QubesVM object at 0x7830b81aaa50>,
+ <qubesadmin.vm.QubesVM object at 0x7830b81aaeb0>,
+ <qubesadmin.vm.QubesVM object at 0x7830b81bf6c0>,
+ <qubesadmin.vm.QubesVM object at 0x7830b8121d90>,
+ <qubesadmin.vm.QubesVM object at 0x7830b81225d0>,
+ <qubesadmin.vm.QubesVM object at 0x7830b8122690>,
+ <qubesadmin.vm.QubesVM object at 0x7830b8122750>,
+ <qubesadmin.vm.QubesVM object at 0x7830b8122810>,
+ <qubesadmin.vm.QubesVM object at 0x7830b81228d0>,
+ <qubesadmin.vm.QubesVM object at 0x7830b8122990>,
+ <qubesadmin.vm.QubesVM object at 0x7830b8122a50>,
}
I assume the two extra objects are the two dispVMs, which I suppose should be ignored, or we need to set something is a subset of another set. Also it would be good to compare strings with strings, instead of relying on the casting. But if this isn't a regression I can just file it as a separate issue and we can land this.
|
We also need to have infra update the CI labels, which we can ask them to do when this is approved and ready to land |
VM names were being compared to VM objects, which fails in newer python versions (as it should).
No need to keep updating this.
Being two, I'd guess as well that they are the preloaded ones, but supposedly the fixture |
legoktm
left a comment
legoktm
left a comment
There was a problem hiding this comment.
LGTM!! Nice work :)
Will file a task with infra to get the labels updated so this can land.
I have filed a follow-up issue on this #1571 |
4 participants
Description of Changes
Towards #1245. Base Qubes 4.3 compatibility. Opening so we can iterate on OpenQA.
NOTES:
Testing
Requirements:
Preparation:
Temporary: until the fixdebian-12-minimalin Qubes 4.3 has held broken Packages QubesOS/qubes-issues#10598 is in the stable repos, you need to enabledebian-12-minimal's testing repos:debian-12-minimaltemplate manuallydom0:qvm-run -u root debian-12-minimal xtermsudo apt update && sudo apt upgradesd-dev:poetry env use python3.13dom0:make clonemake devTesting:
make devsucceedsDeployment
Any special considerations for deployment? Consider both:
Checklist
If you have made changes to the provisioning logic
make test) pass indom0If you have added or removed files
MANIFEST.inandrpm-build/SPECS/securedrop-workstation-dom0-config.specIf documentation is required