Bug #12211

Adapt GnuPG automated tests after switching to an Onion keyserver

Added by anonym 2017-02-03 12:29:39 . Updated 2017-04-20 06:27:11 .

Status: Resolved
Priority: Elevated
Assignee:
Category: Test suite
Target version:
Start date: 2017-02-03
Due date:
% Done: 100%
Feature Branch: test/12211-local-keyserver-onion
Type of work: Code
Blueprint:
Starter:
Affected tool:
Deliverable for:
Description

Our use of Chutney prevents us from accessing the configured keyserver, since its onion lives on the real Tor network.


Related issues

Related to Tails - Bug #12202: GnuPG can't talk to keyservers on Stretch Resolved 2017-01-31
Related to Tails - Bug #12068: The "GnuPG uses the configured keyserver" step needs to be adjusted for Stretch Resolved 2016-12-23
Related to Tails - Bug #14770: "Fetching OpenPGP keys" scenarios are fragile: communication failure with keyserver Resolved 2017-10-04
Related to Tails - Feature #9519: Make the test suite more deterministic through network simulation In Progress 2015-06-02

History

#1 Updated by anonym 2017-02-03 12:43:50

Me and intrigeri discussed this briefly:

We have essentially these options:

  • a) Introduce a @real_tor_network cucumber tag which makes tagged scenarios use the real Tor network. This re-introduces the robustness issues we solved by moving to Chutney.
  • b1) Run a local reverse proxy onion service in our Tor network that proxies to the real keyserver onion. This also reintroduces robustness issues.
  • b2) Same as (b1), but point our onion service to the clearnet keyserver. This prevents the robustness issues (at least it should be no worse than using Chutney)
  • c1) Run a local mock keyserver onion. This doesn’t depend on the Internet => potentially 100% robust.
  • c2) Run a local real keyserver onion. Same as (c1), and we don’t have to write mock code, but we might have to deal with complex configuration and orchestration instead.
  • d) Revert to a clearnet keyserver in Tails and make sure we can enable IPv6 (see Bug #12202). This way we lose end-to-end encryption and authentication with the keyserver; i.e. a limitation of the automated test suite makes us downgrade Tails into something worse (!).

We agreed that (c1) was the best approach (but I think a brief investigation of (c2) should be done first; maybe it turns out to be easier?), and an incremental step towards Feature #9519. intrigeri volunteered to write the mock code, anonym will do the integration into the test suite.
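
Option (c1) above, sketched as an added example that is not part of the ticket or of the Tails test suite: a mock keyserver answering the HKP `op=get` lookup that `gpg --recv-key` issues, with no dependency on the Internet. The helper names and the placeholder key body are assumptions; a real fixture would hold the armored public key for the key ID the scenarios fetch (`10CC5BC7` in the log quoted later in this ticket).

```python
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlparse, parse_qs

# Constructed placeholder, not a real key: a real fixture would hold the
# ASCII-armored public key the scenario expects gpg to import.
MOCK_KEYS = {
    "10CC5BC7": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
                "(placeholder key material)\n"
                "-----END PGP PUBLIC KEY BLOCK-----\n",
}

def normalize_key_id(search):
    """Turn an HKP search term such as '0x10cc5bc7' into '10CC5BC7', else None."""
    term = search[2:] if search.lower().startswith("0x") else search
    hexdigits = "0123456789abcdefABCDEF"
    if len(term) in (8, 16, 40) and all(c in hexdigits for c in term):
        return term.upper()
    return None

class MockHKPHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        query = parse_qs(url.query)
        key_id = normalize_key_id(query.get("search", [""])[0])
        if url.path != "/pks/lookup" or query.get("op") != ["get"] or key_id is None:
            return self._reply(400, "text/plain", "Bad request\n")
        # Compare trailing hex digits so long key IDs and fingerprints match too.
        for known, armored in MOCK_KEYS.items():
            if key_id.endswith(known):
                return self._reply(200, "application/pgp-keys", armored)
        self._reply(404, "text/plain", "No results found\n")

    def _reply(self, status, ctype, body):
        data = body.encode("ascii")
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep test-suite output quiet

def start_mock_keyserver(port=0):
    """Serve on 127.0.0.1 in a background thread; port 0 picks a free port."""
    server = ThreadingHTTPServer(("127.0.0.1", port), MockHKPHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```

Because the listener binds only to 127.0.0.1, it is reachable from the simulated Tor network only through an onion service pointed at its port.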

#2 Updated by anonym 2017-02-04 14:34:22

  • related to Bug #12202: GnuPG can't talk to keyservers on Stretch added

#3 Updated by anonym 2017-02-04 14:38:27

  • Feature Branch set to test/12211-local-keyserver-onion

I marked the affected tests as @fragile for now, and reverted it in the feature branch.

#4 Updated by intrigeri 2017-02-08 11:30:13

  • Priority changed from Normal to Elevated

(This prevents us from automatically testing important features of Tails.)

#5 Updated by intrigeri 2017-03-03 14:55:50

  • Subject changed from Adapt the automated tests of gnupg after switching to an onion keyserver to Adapt GnuPG automated tests after switching to an Onion keyserver

#6 Updated by intrigeri 2017-03-17 09:01:37

  • related to Bug #12068: The "GnuPG uses the configured keyserver" step needs to be adjusted for Stretch added

#7 Updated by bertagaz 2017-03-17 09:36:54

  • Assignee set to intrigeri

anonym wrote:
> intrigeri volunteered to write the mock code, anonym will do the integration into the test suite.

Then I guess the ticket state should reflect this.

#8 Updated by intrigeri 2017-03-17 12:10:37

  • Assignee changed from intrigeri to anonym

I believe you’ve missed the “but I think a brief investigation of (c2) should be done first” part.

#9 Updated by anonym 2017-03-18 01:00:28

While I still agree that c1 (or c2) should be the long-term solution, I think I still would like to try a cheap implementation of b2. We run

redir -n 127.0.0.1:11371 pool.sks-keyservers.net:11371


in a subprocess, and tell Chutney to start a hidden service on port 11371, and that should be it.

[Let’s do the domain resolution ourselves and pick a random member + restart redir to force a retry.]

#10 Updated by anonym 2017-03-18 16:08:14

  • QA Check set to Ready for QA

b2 is implemented on the feature/stretch branch as of commit:95d1ac0e12c249c07cdbac095c851612699675c4 and I’ve removed the @fragile tags to re-enable the tests. I’ll keep an eye on how robust it is on Jenkins.

#11 Updated by anonym 2017-03-18 17:18:40

  • Status changed from Confirmed to In Progress

Applied in changeset commit:90c5e159f3e295e3c6864bd0571707603a713973.

#12 Updated by intrigeri 2017-03-19 21:44:27

It seems that a new dependency (redir) is not documented. We’ll also need it on our infra.

#13 Updated by intrigeri 2017-04-05 06:26:09

FWIW a number of test cases that fetch OpenPGP keys fail quite consistently on Jenkins.

#14 Updated by anonym 2017-04-06 09:42:48

  • Assignee changed from anonym to intrigeri
  • QA Check changed from Ready for QA to Info Needed

FTR, these tests work perfectly fine for me locally. But, indeed, it seems they never worked on Jenkins. Run 268 (commit:ed83c682b867a1752d487c08f069ced545bd0fc9) was the first one when redir had been installed on the isotesters, and each scenario fails. Given how fast the failures happen:

02:37:00.973768495: calling as amnesia: timeout 120 gpg --batch --recv-key '10CC5BC7'
02:37:01.401249320: call returned: [2, "", "gpg: keyserver receive failed: No keyserver available\n"] 


(i.e. in < 0.5 s) I suspect something is wrong with the hidden service. Is there some “interesting” firewall configuration on Jenkins that could prevent the onion service to redir to the clearnet?

Also, could you try to reproduce locally, on sib’s Jenkins setup?


nickm had an interesting suggestion for how we could keep the real world onions we use configured, and tell Tor to redirect them appropriately:

MapAddress <real-onion> <chutney-onion>


Not sure how useful this is, i.e. how much it influences what we actually want to test. I’m sure Tor takes quite some different code path when this happens.

#15 Updated by intrigeri 2017-04-06 10:12:23

  • Assignee changed from intrigeri to anonym
  • QA Check changed from Info Needed to Dev Needed

> But, indeed, it seems they never worked on Jenkins.

See https://jenkins.tails.boum.org/view/RM/job/test_Tails_ISO_feature-stretch/292/consoleFull around 18:33:29: redir fails to start and displays usage information. I think that the code you wrote relies on invocation syntax that’s only supported in the testing/sid version of redir.

> Is there some “interesting” firewall configuration on Jenkins that could prevent the onion service to redir to the clearnet?

Our isotesters only have the firewall set up by libvirt.

#16 Updated by anonym 2017-04-06 11:21:11

  • % Done changed from 0 to 20
  • QA Check changed from Dev Needed to Ready for QA

intrigeri wrote:
> > But, indeed, it seems they never worked on Jenkins.
>
> See https://jenkins.tails.boum.org/view/RM/job/test_Tails_ISO_feature-stretch/292/consoleFull around 18:33:29: redir fails to start and displays usage information. I think that the code you wrote relies on invocation syntax that’s only supported in the testing/sid version of redir.

WTF… sorry for missing this. Both versions should be supported as of commit:f0a1b1eecded6bee7eb3864b9384b01531f73564. Let’s see what Jenkins thinks.

#17 Updated by anonym 2017-04-18 14:37:18

  • Status changed from In Progress to Fix committed
  • Assignee deleted (anonym)
  • % Done changed from 20 to 100
  • QA Check changed from Ready for QA to Pass

Now Jenkins runs these tests just fine on feature/stretch => closing.

#18 Updated by intrigeri 2017-04-20 06:27:11

  • Status changed from Fix committed to Resolved

#19 Updated by intrigeri 2017-10-04 08:21:57

  • related to Bug #14770: "Fetching OpenPGP keys" scenarios are fragile: communication failure with keyserver added

#20 Updated by intrigeri 2017-12-03 21:06:09

  • related to Feature #9519: Make the test suite more deterministic through network simulation added