Skip to content

Developer Tips & Tricks

Jump to bottom
Erik Moeller edited this page Jul 21, 2022 · 10 revisions

This page contains various tips used by the securedrop-workstation developers. Please add yours below.

Install securedrop-workstation

  1. (skip if you don't need to run a clean install) In dom0: sdw-admin --uninstall to remove the qubes-template-securedrop-workstation-buster RPM
  2. In your dev VM (default name sd-dev): checkout the latest main or tag of the version you want to install
  3. (skip if you already have a securedrop-worksation directory in dom0 from a previous install) In dom0: qvm-run --pass-io sd-dev "tar -c -C /home/user securedrop-workstation" | tar xvf - (assuming default sd-dev name and repo exists in /home/user) ( Rest of the steps are in dom0)
  4. cd securedrop-workstation
  5. To make sure you are using the RPM built in the next step, first delete any existing rpm with the same name in rpm-build/RPMS/noarch/
  6. make clone (this will run make dom0-rpm on your dev VM and copy it cover into the rpm-build/RPMS/noarch/ directory
  7. sudo dnf install rpm-build/RPMS/noarch/securedrop-workstation-dom0-config-<version>.fc25.noarch.rpm
  8. Provision all VMs: sdw-admin --apply

Switch between dev, staging, and prod

  1. Set environment to dev, staging, or prod and update server info in both config files:
    • /usr/share/securedrop-workstation-dom0-config/config.json
    • /srv/salt/sd/config.json (as root)
  2. Update all VMs: sdw-admin --apply

Check securedrop-workstation version

dnf info securedrop-workstation-dom0-config

Check system info

xl info

Check VM disk space

Run the following command in dom0:

qvm-volume info VM_NAME:root

Increase VM disk space

qvm-volume resize VM_NAME:root SIZE

For example: qvm-volume resize sd-large-buster-template:root 15G

Free up space in a VM

Open a terminal in the VM you want to free up space in and run sudo apt autoremove and sudo apt clean, then restart.

Run the updater manually

/opt/securedrop/launcher/sdw-launcher.py --skip-delta 0

The updater checks for network connectivity before attempting to update. If you want to run the updater regardless of network conditions (for example, outside of dom0) you may use the --skip-netcheck flag:

/opt/securedrop/launcher/sdw-launcher.py --skip-netcheck

Note: The updater does not update all VMs. To run a full migration, run sdw-admin --apply

Run a highstate update for one VM

sudo qubesctl --show-output --skip-dom0 --targets VM_NAME state.highstate

To learn more, see https://github.com/freedomofpress/securedrop-workstation/blob/main/scripts/provision-all#L16.

Log into securedrop-client with any password+totp value

In the login method at the Journalist class in models.py, you can add return user as soon as you get the user object (instead of checking password/totp). This will allow the client to login with any 14+ password and 1 char totp.

         # type: (str, str, str) -> Journalist
         try:
             user = Journalist.query.filter_by(username=username).one()
+            return user
         except NoResultFound:
             raise InvalidUsernameException(
                 "invalid username '{}'".format(username))

Make temporary edits to an AppVM (without rebuilding and reinstalling a new deb)

Copy individual files to /opt/venvs/securedrop-packagename/lib/python3.5/site-packages/ in the AppVM. When you reboot, you will get the clean VM back.

Connect to the Journalist Interface in Qubes

If you already have SecureDrop Workstation installed, this is easy. In dom0, create a VM with Tor Browser that uses sd-whonix as its NetVM, e.g.:

$ qvm-create sd-journalist --template whonix-ws-16 --label orange --property netvm=sd-whonix

The use of sd-whonix ensures that the VM has access to the authentication token for the Journalist Interface hidden service. Note: You must temporarily change the NetVM, e.g., to sys-whonix, before uninstalling SecureDrop Workstation or running make clean; otherwise, the destruction of the sd-whonix VM will fail due to it being in use.

Testing of client changes in sd-app

Development machines only: To quickly test or preview changes to the client repo (for example, to review PRs), you may wish to make a few modifications to the sd-app VM. Those include:

  • (in dom0) editing the /etc/qubes-rpc/policy/qubes.ClipboardPaste RPC policy to allow copy/paste in and out of the sd-app VM (optional, useful for development)
  • installing git and python3-vev in the sd-small-buster-template (so you can use them persistently in sd-app), then adding a NetVM (e.g. sys-firewall) to sd-app and cloning the client repo (useful for reviewing PRs or applying diffs that facilitate QA). See Step 8 of the Staging setup instructions

Debugging RPC failures

To see all recent qrexec failures, run in dom0:

sudo journalctl -a -b | grep -F qrexec:

You can add -f to the journalctl command and re-run the failing action to monitor results in real-time.

Qubes Salt cheatsheet

# list all grains (facts) for a given target 
# this is the equivalent of calling .keys() on a python dict: you only get the names
qubesctl --target dom0 grains.ls

# display values for all grains
# this is the equivalent of calling .iter() on a python dict: you get keys and values
qubesctl --target dom0 grains.items

# look up a single grain 
# this is the equivalent of calling .get() on a python dict: you get an answer, or nothing, but no error
qubesctl --target dom0 grains.item osrelease

# look up pillars (vars) for a given target
qubesctl --target dom0 pillar.ls
Clone this wiki locally