Feature #16664: Simplify "Tor has bootstrapped" status check

Feature #16664

Simplify "Tor has bootstrapped" status check

Added by segfault 2019-04-19 16:14:08 . Updated 2019-10-06 03:30:58 .

Status:

Resolved

Priority:

Normal

Assignee:

intrigeri

Category:

Target version:

Tails_4.0

Start date:

Due date:

% Done:

100%

Feature Branch:

feature/16664-simplify-tor-has-bootstrapped+force-all-tests

Type of work:

Code

Blueprint:

Starter:

Affected tool:

Deliverable for:

Description

intrigeri and I started discussing this in ~~Bug #16169#note-14~~ and following.

Subtasks

Related issues

Blocks Tails - ~~Feature #16903~~: Refactor tails-documentation	Resolved
Blocked by Tails - ~~Feature #16935~~: Move tailslib to main repo	Resolved

History

#1 Updated by segfault 2019-04-19 16:57:49

Description updated

In reply to ~~Bug #16169#note-18~~:
intrigeri wrote:
> > intrigeri wrote:
> >> Actually, I don’t understand why it has to check the status of tor\default.service. IIRC we correctly stop tails-tor-has-bootstrapped.target@ whenever we stop tor. Perhaps this wrapper is erring on the safe side, which makes some sense.
>
> > No, if I run systemctl stop tor\default.service@ after it has bootstrapped, the current tails-tor-has-bootstrapped.target is still active (because it doesn’t use BindsTo). I think that’s why we currently also check the status of tor\default.service. > > Sorry I was unclear! My claim/guess/assumption was about what happens automatically, i.e.: > > * whenever _Tails_ stopstor\default.service, it also stops tails-tor-has-bootstrapped.target
> * we restart tails-tor-has-bootstrapped.target conservatively every time the network goes up or back up
>
> IMHO we should not worry about the case when a user manually stops tor\default.service@ here, and thus checking tails-tor-has-bootstrapped.target should be enough. Anyway, I’m kinda diverging off topic here :)

BindsTo doesn’t only take care about the case that tor\default.service@ is stopped manually, but also that it stops unexpectedly.

> >> On the one hand, one less unit decreases complexity. OTOH, a target — a “well-known synchronization point” — feels like the exact semantics we want here.
> >> Note that the reason we introduced a target in commit:c195ff18add2ef18be45e133678b5895d8dce255 was ~~Bug #9393~~.
>
> > The way I understand it, a systemd service can be used in exactly the same way as a systemd target. Both are units, and a target is just a unit without any special properties, see https://www.freedesktop.org/software/systemd/man/systemd.target.html. So we should still be able to use it as a well-known synchronization point.
>
> Sure, technically a service will work just the same, at least in the current state of systemd. It’s just that it’s not meant to be used this way, as per the doc:
>
> * A unit configuration file whose name ends in “.service” encodes information about a process controlled and supervised by systemd
> * A unit configuration file whose name ends in “.target” encodes information about a target unit of systemd, which is used for grouping units and as well-known synchronization points during start-up.
>
> So using a service to provide a well-known synchronization point can be somewhat confusing. But that’s certainly not a blocker IMO!

OK, so it does boil down to the trade-of “one less unit to decrease complexity” vs “the unit type conveys that this is a well-known synchronization point”. I still prefer the “one less unit”, but I would also be OK with having an additional tails-tor-has-bootstrapped.target like this (assuming that we then name the service tails-wait-until-tor-has-bootstrapped.service):

[Unit]
Description=Tor has Bootstrapped
Documentation=https://tails.boum.org/contribute/design/
After=tails-wait-until-tor-has-bootstrapped.service
BindsTo=tails-wait-until-tor-has-bootstrapped.service

[Install]
WantedBy=tails-wait-until-tor-has-bootstrapped.service

I didn’t test this yet, but I assume that this is automatically started/stopped whenever the tails-wait-until-tor-has-bootstrapped.service turns active/inactive.

> > I don’t think we would have to change any existing AppArmor profiles. None of the other scripts which use /usr/local/sbin/tor-has-bootstrapped seem to be confined by AppArmor. I also tested that tails-documentation is also allowed to execute systemctl is-active (even though I couldn’t find an AppArmor for it, so I guess it’s not confined at all).
>
> How does that work for opening links from Evince, Pidgin, and Totem? I don’t know if they’re all allowed to execute systemctl (with any argument).

Evince can’t start Tor Browser at all currently, because it’s not allowed to execute /usr/local/bin/tor-browser (I tested this by downloading and opening http://gahp.net/wp-content/uploads/2017/09/sample.pdf and clicking on the reference example, which shows “Unable to open external link” in evince).
Pidgin is allowed to execute systemctl
I couldn’t find a way to open a link via Totem

> >> right now… and every time we change the implementation details again in the future. (Yeah, I’d love this one to be the list time but assuming it’ll be feels a tad presumptuous given the tortuous history of this topic in Tails.)
>
> > OK, I see that it could be a valid concern that the above systemd service might not be sufficient to tell if tor has bootstrapped if tor breaks it’s behavior on that part. But I think the chances that even in that case there are good chances that we will be able to adapt the service so still work as expected.
>
> OK, you’ve convinced me that from a design perspective at least, the status of that service can plausibly serve as a LTS API entry point, whose implementation details we can change without affecting its consumers. At least I’m OK to try it :)

Cool :)

#2 Updated by segfault 2019-07-20 20:24:38

Status changed from Confirmed to In Progress

Applied in changeset commit:tails|d9ae8bf8ad2109b7032383dc25e31cfcad92e08c.

#3 Updated by segfault 2019-07-21 17:52:28

blocks ~~Feature #16903~~: Refactor tails-documentation added

#4 Updated by segfault 2019-07-25 07:06:15

Status changed from In Progress to Needs Validation
Assignee deleted (~~segfault~~)

Tests pass on Jenkins

#5 Updated by intrigeri 2019-07-31 00:31:49

Feature Branch set to feature/16664-simplify-tor-has-bootstrapped+run-all-tests

#6 Updated by intrigeri 2019-07-31 00:32:42

Target version set to Tails_3.17

(Too invasive for a bugfix release IMO.)

#7 Updated by intrigeri 2019-08-07 12:01:49

Target version changed from Tails_3.17 to Tails_4.0

If 3.17 is released, it’ll be a bugfix release.

#8 Updated by intrigeri 2019-08-29 17:09:56

Assignee set to intrigeri

I’ve merged current devel into the branch and solved the submodule conflict, so the branch builds again on Jenkins. All this, in the hope I manage to review this branch in time for 4.0~beta2 (although it’s already too late, if I ask segfault to do some changes; sorry about that).

#9 Updated by intrigeri 2019-09-09 06:32:35

intrigeri wrote:
> I’ve merged current devel into the branch and solved the submodule conflict, so the branch builds again on Jenkins. All this, in the hope I manage to review this branch in time for 4.0~beta2

Ditto, modulo s/beta2/rc1/.

#10 Updated by intrigeri 2019-09-10 06:03:31

Feature Branch changed from feature/16664-simplify-tor-has-bootstrapped+run-all-tests to feature/16664-simplify-tor-has-bootstrapped+force-all-tests

(Renamed the branch so Jenkins actually runs all tests.)

#11 Updated by intrigeri 2019-09-13 05:01:11

blocked by ~~Feature #16935~~: Move tailslib to main repo added

#12 Updated by intrigeri 2019-09-13 05:02:59

Status changed from Needs Validation to In Progress
Assignee changed from intrigeri to segfault

> Blocked by Feature ~~Feature #16935~~: Move tailslib to main repo added

I’d rather merge ~~Feature #16935~~ first, then you can transplant your tailslib changes done here to tails.git. OK?
Feel free to adjust the target version as you see fit.

#13 Updated by segfault 2019-09-16 21:55:45

I merged devel and tested that everything still works as expected. One test failed in Jenkins, which I expect is unrelated (“Scenario Booting Tails from a USB drive upgraded from DVD with persistence enabled”), but I’ll wait for the next Jenkins test results before setting the status to “Needs Validation”.

#14 Updated by segfault 2019-09-20 14:30:50

Status changed from In Progress to Needs Validation
Assignee deleted (~~segfault~~)

segfault wrote:
> I merged devel and tested that everything still works as expected. One test failed in Jenkins, which I expect is unrelated (“Scenario Booting Tails from a USB drive upgraded from DVD with persistence enabled”), but I’ll wait for the next Jenkins test results before setting the status to “Needs Validation”.

In the meantime, there was one test run without failures (https://jenkins.tails.boum.org/job/test_Tails_ISO_feature-16664-simplify-tor-has-bootstrapped-force-all-tests/8/) and a few ones with a few failures. I assume that those tests were fragile before and the failures are unrelated to this change. @intrigeri, please tell me if you think that’s not the case.

#15 Updated by intrigeri 2019-10-05 15:17:20

Assignee set to intrigeri

I’d really like to keep our amount of WIP under control, so even though segfault and I agree this is not particularly urgent, I’ll do this review now, in the hope this can make it into 4.0~rc1.

#16 Updated by intrigeri 2019-10-05 16:05:33

I’ve re-read our past discussion, thought about the systemd implementation details a bit more, and tested various corner cases manually (e.g. offline mode, 1st tor bootstrap succeeds but then after switching networks tor fails to bootstrap). Conclusion: I like the current proposed implementation and I’m reasonably convinced it should not break stuff (famous last words :)

I’ve merged current devel into this branch so it builds again; I’m running the full test suite on it locally. I’ll merge this branch if the test suite is happy!

One note in passing regarding a potential future problem, just so that I’m not the only one who can take this info into account. IIRC, systemctl talks with systemd over DBus. Currently, AppArmor mediation of DBus stuff is not upstream so we don’t have it. Once AppArmor DBus mediation lands in Linux mainline (eventually…), we’ll have to choose between:

Give various apps permission to do whatever DBus operations that systemctl is-active needs.
Re-introduce a wrapper script, that those apps are allowed to start unmediated; that is, reintroduce essentially /usr/local/sbin/tor-has-bootstrapped, that this branch gets rid of for the sake of simplicity.

But that’s not a blocker at all, and as your tests showed wrt. Evince, Pidgin, and Totem, in the end “various apps” might be just 1 or 2, so yeah, whatever.
And well, worst case, we’ll reintroduce the wrapper, and so be it. It’s not a sufficient reason to keep the complexity now, just in case we might need it again later!

#17 Updated by intrigeri 2019-10-06 03:30:58

Status changed from Needs Validation to Resolved
% Done changed from 0 to 100

Applied in changeset commit:tails|34e4e3f2f6ab767d64c03304b8bef8b6167faa45.