Bug #12211

Feature #12210: Deal with automated tests of onion services vs Chutney

Adapt GnuPG automated tests after switching to an Onion keyserver

Added by anonym over 2 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Elevated
Assignee: -
Category: Test suite
Target version:
Start date: 02/03/2017
Due date:
% Done: 100%
Feature Branch: test/12211-local-keyserver-onion
Type of work: Code
Blueprint:
Starter:
Affected tool:

Description

Our use of Chutney prevents us from accessing the configured keyserver, since its onion lives on the real Tor network.


Related issues

Related to Tails - Bug #12202: GnuPG can't talk to keyservers on Stretch Resolved 01/31/2017
Related to Tails - Bug #12068: The "GnuPG uses the configured keyserver" step needs to be adjusted for Stretch Resolved 12/23/2016
Related to Tails - Bug #14770: "Fetching OpenPGP keys" scenarios are fragile: communication failure with keyserver In Progress 10/04/2017
Related to Tails - Feature #9519: Make the test suite more deterministic through network simulation In Progress 06/02/2015

Associated revisions

Revision b0874d96 (diff)
Added by anonym over 2 years ago

Test suite: mark most of torified_gnupg as @fragile.

Actually these are completely broken since we cannot access the
keyserver onion Tails is configured to use due to Chutney.

Refs: #12211

Revision 90c5e159 (diff)
Added by anonym over 2 years ago

Test suite: enable GnuPG keyserver tests again.

We replace the onion keyserver we actually use in Tails with an onion
server we run on Chutney, that redirects all TCP traffic to a clearnet
keyserver.

Will-fix: #12211

Revision 3445e328 (diff)
Added by anonym over 2 years ago

Add the 'redir' package to the test suite dependencies.

Fixup on commit:

commit 859acd753d35d9f8f2a58181f185497c71926372
Author: anonym <>
Date: Sat Mar 18 14:58:03 2017 +0100
Test suite: run a redir:ectable onion service on Chutney.
It can be reconfigured to point to any clearnet TCP host and port.

Refs: #12211

History

#1 Updated by anonym over 2 years ago

Me and intrigeri discussed this briefly:

We have essentially these options:

  • a) Introduce a @real_tor_network cucumber tag which makes tagged scenarios use the real Tor network. This re-introduces the robustness issues we solved by moving to Chutney.
  • b1) Run a local reverse proxy onion service in our Tor network that proxies to the real keyserver onion. This also reintroduces robustness issues.
  • b2) Same as (b1), but point our onion service to the clearnet keyserver. This prevents the robustness issues (at least it should be no worse than using Chutney)
  • c1) Run a local mock keyserver onion. This doesn't depend on the Internet => potentially 100% robust.
  • c2) Run a local real keyserver onion. Same as (c1), and we don't have to write mock code, but we might have to deal with complex configuration and orchestration instead.
  • d) Revert to a clearnet keyserver in Tails and make sure we can enable IPv6 (see #12202). This way we lose end-to-end encryption and authentication with the keyserver; i.e. a limitation of the automated test suite makes us downgrade Tails into something worse (!).

We agreed that (c1) was the best approach (but I think a brief investigation of (c2) should be done first; maybe it turns out to be easier?), and an incremental step towards #9519. intrigeri volunteered to write the mock code, anonym will do the integration into the test suite.

#2 Updated by anonym over 2 years ago

  • Related to Bug #12202: GnuPG can't talk to keyservers on Stretch added

#3 Updated by anonym over 2 years ago

  • Feature Branch set to test/12211-local-keyserver-onion

I marked the affected tests as @fragile for now, and reverted it in the feature branch.

#4 Updated by intrigeri over 2 years ago

  • Priority changed from Normal to Elevated

(This prevents us from automatically testing important features of Tails.)

#5 Updated by intrigeri over 2 years ago

  • Subject changed from Adapt the automated tests of gnupg after switching to an onion keyserver to Adapt GnuPG automated tests after switching to an Onion keyserver

#6 Updated by intrigeri over 2 years ago

  • Related to Bug #12068: The "GnuPG uses the configured keyserver" step needs to be adjusted for Stretch added

#7 Updated by bertagaz over 2 years ago

  • Assignee set to intrigeri

anonym wrote:

> intrigeri volunteered to write the mock code, anonym will do the integration into the test suite.

Then I guess the ticket state should reflect this.

#8 Updated by intrigeri over 2 years ago

  • Assignee changed from intrigeri to anonym

I believe you've missed the "but I think a brief investigation of (c2) should be done first" part.

#9 Updated by anonym over 2 years ago

While I still agree that c1 (or c2) should be the long-term solution, I think I still would like to try a cheap implementation of b2. We run

redir -n 127.0.0.1:11371 pool.sks-keyservers.net:11371

in a subprocess, and tell Chutney to start a hidden service on port 11371, and that should be it.

[Let's do the domain resolution ourselves and pick a random member + restart redir to force a retry.]

#10 Updated by anonym over 2 years ago

  • QA Check set to Ready for QA

b2 is implemented on the feature/stretch branch as of 95d1ac0e12c249c07cdbac095c851612699675c4 and I've removed the @fragile tags to re-enable the tests. I'll keep an eye on how robust it is on Jenkins.

#11 Updated by anonym over 2 years ago

  • Status changed from Confirmed to In Progress

#12 Updated by intrigeri over 2 years ago

It seems that a new dependency (redir) is not documented. We'll also need it on our infra.

#13 Updated by intrigeri over 2 years ago

FWIW a number of test cases that fetch OpenPGP keys fail quite consistently on Jenkins.

#14 Updated by anonym over 2 years ago

  • Assignee changed from anonym to intrigeri
  • QA Check changed from Ready for QA to Info Needed

FTR, these tests work perfectly fine for me locally. But, indeed, it seems they never worked on Jenkins. Run 268 (ed83c682b867a1752d487c08f069ced545bd0fc9) was the first one when redir had been installed on the isotesters, and each scenario fails. Given how fast the failures happen:

02:37:00.973768495: calling as amnesia: timeout 120 gpg --batch --recv-key '10CC5BC7'
02:37:01.401249320: call returned: [2, "", "gpg: keyserver receive failed: No keyserver available\n"] 

(i.e. in < 0.5 s) I suspect something is wrong with the hidden service. Is there some "interesting" firewall configuration on Jenkins that could prevent the onion service to redir to the clearnet?

Also, could you try to reproduce locally, on sib's Jenkins setup?


nickm had an interesting suggestion for how we could keep the real world onions we use configured, and tell Tor to redirect them appropriately:

MapAddress <real-onion> <chutney-onion>

Not sure how useful this is, i.e. how much it influences what we actually want to test. I'm sure Tor takes quite some different code path when this happens.

#15 Updated by intrigeri over 2 years ago

  • Assignee changed from intrigeri to anonym
  • QA Check changed from Info Needed to Dev Needed

> But, indeed, it seems they never worked on Jenkins.

See https://jenkins.tails.boum.org/view/RM/job/test_Tails_ISO_feature-stretch/292/consoleFull around 18:33:29: redir fails to start and displays usage information. I think that the code you wrote relies on invocation syntax that's only supported in the testing/sid version of redir.

> Is there some "interesting" firewall configuration on Jenkins that could prevent the onion service to redir to the clearnet?

Our isotesters only have the firewall set up by libvirt.

#16 Updated by anonym over 2 years ago

  • % Done changed from 0 to 20
  • QA Check changed from Dev Needed to Ready for QA

intrigeri wrote:

> > But, indeed, it seems they never worked on Jenkins.
>
> See https://jenkins.tails.boum.org/view/RM/job/test_Tails_ISO_feature-stretch/292/consoleFull around 18:33:29: redir fails to start and displays usage information. I think that the code you wrote relies on invocation syntax that's only supported in the testing/sid version of redir.

WTF... sorry for missing this. Both versions should be supported as of f0a1b1eecded6bee7eb3864b9384b01531f73564. Let's see what Jenkins thinks.
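An added sketch (not code from the Tails test suite) of the approach discussed in comments #9 and #15-#16: resolve the keyserver pool ourselves, pick a random member, and build the redir command line in either invocation syntax. The function names, the IPv4-only filter and the use of redir 2.x long options for the older syntax are assumptions of this example.

```ruby
require 'resolv'

KEYSERVER_POOL = 'pool.sks-keyservers.net' # hostname quoted in the ticket
KEYSERVER_PORT = 11371                     # port quoted in the ticket

# Resolve the pool ourselves instead of handing the name to redir.
# Assumption: keep IPv4 only so that ADDRESS:PORT stays unambiguous.
# Typical call: members = pool_members(KEYSERVER_POOL)
def pool_members(hostname, resolver: Resolv)
  resolver.getaddresses(hostname).grep(Resolv::IPv4::Regex).uniq.sort
end

# Pick a random member, skipping the one that just failed when possible.
def pick_member(members, failed: nil, rng: Random.new)
  raise ArgumentError, 'keyserver pool resolved to no addresses' if members.empty?
  candidates = members - [failed]
  candidates = members if candidates.empty? # single-member pool: retry it
  candidates.sample(random: rng)
end

# Build the redir argv. legacy: true uses the long options of the
# redir 2.x series (assumed here to be the "older" syntax in the ticket);
# otherwise the SRC:PORT DST:PORT form shown in comment #9 is used.
def redir_argv(target_ip, port: KEYSERVER_PORT, legacy: false)
  if legacy
    ['redir', '--laddr=127.0.0.1', "--lport=#{port}",
     "--caddr=#{target_ip}", "--cport=#{port}"]
  else
    ['redir', '-n', "127.0.0.1:#{port}", "#{target_ip}:#{port}"]
  end
end

# Stop a running redir (if any) and start one pointing at another member,
# which forces the next keyserver request to retry against a new host.
# Returns [target_ip, pid]. Needs the redir binary on PATH.
def restart_redir(members, old_pid: nil, failed: nil, legacy: false)
  if old_pid
    Process.kill('TERM', old_pid)
    Process.wait(old_pid)
  end
  target = pick_member(members, failed: failed)
  [target, Process.spawn(*redir_argv(target, legacy: legacy))]
end
```

The onion service on the Chutney network then only needs to forward its port 11371 to 127.0.0.1:11371, whichever pool member redir currently targets.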

#17 Updated by anonym over 2 years ago

  • Status changed from In Progress to Fix committed
  • Assignee deleted (anonym)
  • % Done changed from 20 to 100
  • QA Check changed from Ready for QA to Pass

Now Jenkins runs these tests just fine on feature/stretch => closing.

#18 Updated by intrigeri over 2 years ago

  • Status changed from Fix committed to Resolved

#19 Updated by intrigeri almost 2 years ago

  • Related to Bug #14770: "Fetching OpenPGP keys" scenarios are fragile: communication failure with keyserver added

#20 Updated by intrigeri almost 2 years ago

  • Related to Feature #9519: Make the test suite more deterministic through network simulation added
