Project

General

Profile

Feature #16664

Simplify "Tor has bootstrapped" status check

Added by segfault 3 months ago. Updated 1 day ago.

Status:
In Progress
Priority:
Normal
Assignee:
Category:
-
Target version:
-
Start date:
Due date:
% Done:

0%

Feature Branch:
Type of work:
Code
Blueprint:
Starter:
Affected tool:

Description

intrigeri and I started discussing this in #16169#note-14 and following.


Related issues

Blocks Tails - Feature #16903: Refactor tails-documentation In Progress

Associated revisions

Revision d9ae8bf8 (diff)
Added by segfault 1 day ago

Use BindsTo= and After= in tor-has-bootstrapped systemd units (refs: #16664)

Currently, if stops for some reason (either stopped
manually or unexpectedly), tails-tor-has-boostrapped.target is still
active.

Using BindsTo= in conjunction with After= ensures that the unit is
always stopped if the other unit () is stopped.
See https://www.freedesktop.org/software/systemd/man/systemd.unit.html#BindsTo=

This allows us to simplify config/chroot_local-includes/usr/local/sbin/tor-has-bootstrapped,
which would only have to check if tails-tor-has-bootstrapped.target is active.
Or, we could get rid of this script altogether, because instead of
calling the script, applications can just run

/bin/systemctl --quiet is-active tails-tor-has-bootstrapped.target

themselves.

Revision 7f7757cd (diff)
Added by segfault 1 day ago

Remove tor-has-bootstrapped script (refs: #16664)

Replace all calls to config/chroot_local-includes/usr/local/sbin/tor-has-bootstrapped
with `/bin/systemctl --quiet is-active tails-tor-has-bootstrapped.target`.

Revision 3cdb6d5a (diff)
Added by segfault 1 day ago

Remove obsolete manual stops of tails-tor-has-bootstrapped.target (refs: #16664)

is stopped above the removed lines, which now
automatically stops tails-tor-has-bootstrapped.target.

History

#1 Updated by segfault 3 months ago

  • Description updated (diff)

In reply to #16169#note-18:
intrigeri wrote:

intrigeri wrote:

Actually, I don't understand why it has to check the status of tor\@default.service. IIRC we correctly stop tails-tor-has-bootstrapped.target whenever we stop tor. Perhaps this wrapper is erring on the safe side, which makes some sense.

No, if I run systemctl stop tor\@default.service after it has bootstrapped, the current tails-tor-has-bootstrapped.target is still active (because it doesn't use BindsTo). I think that's why we currently also check the status of tor\@default.service.

Sorry I was unclear! My claim/guess/assumption was about what happens automatically, i.e.:

  • whenever Tails stops tor\@default.service, it also stops tails-tor-has-bootstrapped.target
  • we restart tails-tor-has-bootstrapped.target conservatively every time the network goes up or back up

IMHO we should not worry about the case when a user manually stops tor\@default.service here, and thus checking tails-tor-has-bootstrapped.target should be enough. Anyway, I'm kinda diverging off topic here :)

BindsTo doesn't only take care about the case that tor\@default.service is stopped manually, but also that it stops unexpectedly.

On the one hand, one less unit decreases complexity. OTOH, a target — a "well-known synchronization point" — feels like the exact semantics we want here.
Note that the reason we introduced a target in c195ff18add2ef18be45e133678b5895d8dce255 was #9393.

The way I understand it, a systemd service can be used in exactly the same way as a systemd target. Both are units, and a target is just a unit without any special properties, see https://www.freedesktop.org/software/systemd/man/systemd.target.html. So we should still be able to use it as a well-known synchronization point.

Sure, technically a service will work just the same, at least in the current state of systemd. It's just that it's not meant to be used this way, as per the doc:

  • A unit configuration file whose name ends in ".service" encodes information about a process controlled and supervised by systemd
  • A unit configuration file whose name ends in ".target" encodes information about a target unit of systemd, which is used for grouping units and as well-known synchronization points during start-up.

So using a service to provide a well-known synchronization point can be somewhat confusing. But that's certainly not a blocker IMO!

OK, so it does boil down to the trade-of "one less unit to decrease complexity" vs "the unit type conveys that this is a well-known synchronization point". I still prefer the "one less unit", but I would also be OK with having an additional tails-tor-has-bootstrapped.target like this (assuming that we then name the service tails-wait-until-tor-has-bootstrapped.service):

[Unit]
Description=Tor has Bootstrapped
Documentation=https://tails.boum.org/contribute/design/
After=tails-wait-until-tor-has-bootstrapped.service
BindsTo=tails-wait-until-tor-has-bootstrapped.service

[Install]
WantedBy=tails-wait-until-tor-has-bootstrapped.service

I didn't test this yet, but I assume that this is automatically started/stopped whenever the tails-wait-until-tor-has-bootstrapped.service turns active/inactive.

I don't think we would have to change any existing AppArmor profiles. None of the other scripts which use /usr/local/sbin/tor-has-bootstrapped seem to be confined by AppArmor. I also tested that tails-documentation is also allowed to execute systemctl is-active (even though I couldn't find an AppArmor for it, so I guess it's not confined at all).

How does that work for opening links from Evince, Pidgin, and Totem? I don't know if they're all allowed to execute systemctl (with any argument).

  • Evince can't start Tor Browser at all currently, because it's not allowed to execute /usr/local/bin/tor-browser (I tested this by downloading and opening http://gahp.net/wp-content/uploads/2017/09/sample.pdf and clicking on the reference example, which shows "Unable to open external link" in evince).
  • Pidgin is allowed to execute systemctl
  • I couldn't find a way to open a link via Totem

right now… and every time we change the implementation details again in the future. (Yeah, I'd love this one to be the list time but assuming it'll be feels a tad presumptuous given the tortuous history of this topic in Tails.)

OK, I see that it could be a valid concern that the above systemd service might not be sufficient to tell if tor has bootstrapped if tor breaks it's behavior on that part. But I think the chances that even in that case there are good chances that we will be able to adapt the service so still work as expected.

OK, you've convinced me that from a design perspective at least, the status of that service can plausibly serve as a LTS API entry point, whose implementation details we can change without affecting its consumers. At least I'm OK to try it :)

Cool :)

#2 Updated by segfault 1 day ago

  • Status changed from Confirmed to In Progress

#3 Updated by segfault about 19 hours ago

Also available in: Atom PDF