Bug #10092

Use di-netboot-assistant in a safer way

Added by intrigeri over 4 years ago. Updated almost 3 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Infrastructure
Target version:
Start date: 08/25/2015
Due date:
% Done: 100%
Feature Branch:
Type of work: Sysadmin
Blueprint:
Starter:
Affected tool:

Description

As discussed on #8507, our current usage is not super safe. With di-netboot-assistant 0.39 we could do better, as its changelog reads:

  • Implement the inclusion of debian-installer packages. Add
    instructions to the README and a warning when installing insecurely.

Let's try that!


Related issues

Related to Tails - Feature #8507: Evaluate how safe our usage of di-netboot-assistant is Resolved 01/01/2015

History

#1 Updated by intrigeri over 4 years ago

  • Related to Feature #8507: Evaluate how safe our usage of di-netboot-assistant is added

#2 Updated by intrigeri about 4 years ago

  • Target version changed from Tails_1.7 to 2016

#3 Updated by intrigeri over 3 years ago

  • Target version deleted (2016)

#4 Updated by intrigeri about 3 years ago

  • Description updated (diff)

#5 Updated by intrigeri about 3 years ago

  • Status changed from Confirmed to In Progress
  • Assignee changed from intrigeri to bertagaz
  • Target version set to Tails_2.7
  • % Done changed from 0 to 50
  • QA Check set to Ready for QA

Done (mostly in puppet-libvirt), applied.

#11 Updated by bertagaz about 3 years ago

  • Assignee changed from bertagaz to intrigeri
  • QA Check changed from Ready for QA to Info Needed

Had a look and I like it, except I have one question:

Lines 12-20 in puppet-libvirt:manifests/host/di_netboot_assistant.pp:

  apt::preferences_snippet { 'di-netboot-assistant':
    ensure   => $di_netboot_assistant_pinning_ensure,
    pin      => 'release o=Debian,n=stretch',
    priority => '991',
  } 
  package { ['di-netboot-assistant', 'syslinux']:
    ensure  => installed,
    require => Apt::Preferences_snippet['di-netboot-assistant'],
  }

If $di_netboot_assistant_pinning_ensure is absent, won't we have a missing dependency for the packages, as the apt::preferences_snippet resource won't be installed?

#12 Updated by intrigeri about 3 years ago

  • Assignee changed from intrigeri to bertagaz
  • QA Check changed from Info Needed to Ready for QA

> Had a look and I like it,

:)

> except I have one question:
>
> Lines 12-20 in puppet-libvirt:manifests/host/di_netboot_assistant.pp:

>   apt::preferences_snippet { 'di-netboot-assistant':
>     ensure   => $di_netboot_assistant_pinning_ensure,
>     pin      => 'release o=Debian,n=stretch',
>     priority => '991',
>   } 
>   package { ['di-netboot-assistant', 'syslinux']:
>     ensure  => installed,
>     require => Apt::Preferences_snippet['di-netboot-assistant'],
>   }
> 

> If $di_netboot_assistant_pinning_ensure is absent, won't we have a missing dependency for the packages, as the apt::preferences_snippet resource won't be installed?

Either I'm misunderstanding what you mean with "missing dependency", or you're confused wrt. how Puppet resources work, or I am myself :)

In my book, Apt::Preferences_snippet['di-netboot-assistant'] will be applied regardless of its ensure parameter: if that parameter is 'present', then the resource will ensure that the APT preferences snippet is there; else, it will ensure it's not there. In both cases, require => Apt::Preferences_snippet['di-netboot-assistant'] ensures that package { ['di-netboot-assistant', 'syslinux'] is applied only after Apt::Preferences_snippet['di-netboot-assistant'] is itself applied.
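
The distinction discussed in comment #12, as an added example that is not part of the thread or of puppet-libvirt: a resource declared with an "absent" ensure value is still in the catalog, so a `require` on it resolves and only orders the run. The built-in `file` type stands in for `apt::preferences_snippet`, and the path and variable name are constructed for illustration.

```puppet
# Added example, not taken from puppet-libvirt.
# Try it with: puppet apply --noop example.pp
$pinning_ensure = 'absent'   # set to 'file' to create the snippet instead

# Declared in the catalog whatever $pinning_ensure is:
#   'file'   => Puppet writes the preferences snippet
#   'absent' => Puppet removes it if it exists
# Either way the resource is managed and "applied".
file { '/tmp/di-netboot-assistant.pref.example':
  ensure  => $pinning_ensure,
  content => "Package: di-netboot-assistant\nPin: release o=Debian,n=stretch\nPin-Priority: 991\n",
}

# The reference resolves in both cases, so this resource is simply
# evaluated after the file resource has reached its desired state.
notify { 'pinning state settled':
  message => "snippet ensure=${pinning_ensure}; dependent resource runs now",
  require => File['/tmp/di-netboot-assistant.pref.example'],
}

# Contrast: the case that really breaks a dependency is when the
# resource is not declared at all. If the declaration above were wrapped
# like this, then with $pinning_ensure = 'absent' the File[...] reference
# in the notify would point at nothing and the catalog would fail:
#
# if $pinning_ensure != 'absent' {
#   file { '/tmp/di-netboot-assistant.pref.example':
#     ensure => file,
#   }
# }
```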

#13 Updated by bertagaz about 3 years ago

  • Target version changed from Tails_2.7 to Tails_2.9.1

#14 Updated by anonym almost 3 years ago

  • Target version changed from Tails_2.9.1 to Tails 2.10

#15 Updated by anonym almost 3 years ago

  • Target version changed from Tails 2.10 to Tails_2.11

#16 Updated by bertagaz almost 3 years ago

  • Status changed from In Progress to Resolved
  • Assignee deleted (bertagaz)
  • % Done changed from 50 to 100
  • QA Check deleted (Ready for QA)

intrigeri wrote:

> Either I'm misunderstanding what you mean with "missing dependency", or you're confused wrt. how Puppet resources work, or I am myself :)
>
> In my book, Apt::Preferences_snippet['di-netboot-assistant'] will be applied regardless of its ensure parameter: if that parameter is 'present', then the resource will ensure that the APT preferences snippet is there; else, it will ensure it's not there. In both cases, require => Apt::Preferences_snippet['di-netboot-assistant'] ensures that package { ['di-netboot-assistant', 'syslinux'] is applied only after Apt::Preferences_snippet['di-netboot-assistant'] is itself applied.

Right, I must have been confused when writing this, don't know where it comes from.

Anyway, I've looked again as I needed to re-install isobuilder1 and wanted the Stretch installer. So I added this codename support to the libvirt module in passing, and it works well (except a Stretch installer/Debian archive kernel mismatch). So I guess it means this ticket is good to close! Sorry for the delay.

#17 Updated by intrigeri almost 3 years ago

Thank you!
