Fixes #348 resizes private volume sises of sd-svs sd-log

The config.json now must have sizes defined for sd-svs and sd-log private volumes. "vmsizes": { "sd_svs": 10, "sd_log": 5 }, The values must be an integer. The Makefile prep-salt target will also run the validate-config check to make sure that size checks are done in case of: make sd-app make sd-log The validate-config will fail in case the given size is smaller than the current size of the private volumes in the existsing VMs.
freedomofpress · Jan 23, 2020 · 3e39647 · 3e39647
1 parent 08a064e
commit 3e39647
Show file tree

Hide file tree

Showing 6 changed files with 70 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -61,6 +61,7 @@ clean-salt: assert-dom0 ## Purges SD Salt configuration from dom0
 
 prep-salt: assert-dom0 ## Configures Salt layout for SD workstation VMs
 	@./scripts/prep-salt
+	@./scripts/validate-config
 
 remove-sd-whonix: assert-dom0 ## Destroys SD Whonix VM
 	@./scripts/destroy-vm sd-whonix

diff --git a/config.json.example b/config.json.example
@@ -3,5 +3,9 @@
   "hidserv": {
     "hostname": "avgfxawdn6c3coe3.onion",
     "key": "Il8Xas7uf6rjtc0LxYwhrx"
-  }
+  },
+  "vmsizes": {
+        "sd_app": 10,
+        "sd_log": 5
+      }
 }
diff --git a/dom0/sd-app.sls b/dom0/sd-app.sls
@@ -45,6 +45,16 @@ sd-app:
     - require:
       - qvm: sd-app-buster-template
 
+{% import_json "sd/config.json" as d %}
+
+# The private volume size should be defined in the config.json
+sd-app-private-volume-size:
+  cmd.run:
+    - name: >
+        qvm-volume resize sd-app:private {{ d.vmsizes.sd_app }}GiB
+    - require:
+      - qvm: sd-app
+
 # Ensure the Qubes menu is populated with relevant app entries,
 # so that Nautilus/Files can be started via GUI interactions.
 sd-app-template-sync-appmenus:

diff --git a/dom0/sd-log.sls b/dom0/sd-log.sls
@@ -47,3 +47,13 @@ sd-log-dom0-securedrop.Log:
     - text: |
         @tag:sd-workstation sd-log allow
         @anyvm @anyvm deny
+
+{% import_json "sd/config.json" as d %}
+
+# The private volume size should be set in config.json
+sd-log-private-volume-size:
+  cmd.run:
+    - name: >
+        qvm-volume resize sd-log:private {{ d.vmsizes.sd_log }}GiB
+    - require:
+      - qvm: sd-log
diff --git a/scripts/validate-config b/scripts/validate-config
@@ -7,6 +7,7 @@ import json
 import re
 import os
 import subprocess
+from qubesadmin import Qubes
 
 
 TOR_V3_HOSTNAME_REGEX = r'^[a-z2-7]{56}\.onion$'
@@ -31,6 +32,7 @@ class SDWConfigValidator(object):
         self.confirm_onion_config_valid()
         self.confirm_submission_privkey_file()
         self.confirm_submission_privkey_fingerprint()
+        self.validate_existing_size()
 
     def confirm_config_file_exists(self):
         try:
@@ -88,6 +90,33 @@ class SDWConfigValidator(object):
             j = json.load(f)
         return j
 
+    def validate_existing_size(self):
+        """This method checks for existing private volume size and new
+        values in the config.json"""
+        assert "vmsizes" in self.config
+        assert "sd_app" in self.config["vmsizes"]
+        assert "sd_log" in self.config["vmsizes"]
+
+        assert isinstance(self.config["vmsizes"]["sd_app"], int), \
+            "Private volume size of sd-app must be an integer value."
+        assert isinstance(self.config["vmsizes"]["sd_log"], int), \
+            "Private volume size of sd-log must be an integer value."
+
+        app = Qubes()
+        if "sd-app" in app.domains:
+            vm = app.domains["sd-app"]
+            vol = vm.volumes["private"]
+            assert (
+                vol.size <= self.config["vmsizes"]["sd_app"] * 1024 * 1024 * 1024
+            ), "sd-app private volume is already bigger than configuration."
+
+        if "sd-log" in app.domains:
+            vm = app.domains["sd-log"]
+            vol = vm.volumes["private"]
+            assert (
+                vol.size <= self.config["vmsizes"]["sd_log"] * 1024 * 1024 * 1024
+            ), "sd-log private volume is already bigger than configuration."
+
 
 if __name__ == "__main__":
     validator = SDWConfigValidator()
diff --git a/tests/test_vms_exist.py b/tests/test_vms_exist.py
@@ -1,4 +1,5 @@
 import unittest
+import json
 
 from qubesadmin import Qubes
 from base import WANTED_VMS
@@ -10,6 +11,8 @@
 class SD_VM_Tests(unittest.TestCase):
     def setUp(self):
         self.app = Qubes()
+        with open("config.json") as c:
+            self.config = json.load(c)
 
     def tearDown(self):
         pass
@@ -78,6 +81,12 @@ def test_sd_app_config(self):
         self._check_service_running(vm, "paxctld")
         self.assertTrue('sd-workstation' in vm.tags)
         self.assertTrue('sd-client' in vm.tags)
+        # Check the size of the private volume
+        # Should be 10GB
+        # >>> 1024 * 1024 * 10 * 1024
+        size = self.config["vmsizes"]["sd_app"]
+        vol = vm.volumes["private"]
+        self.assertEqual(vol.size, size * 1024 * 1024 * 1024)
 
     def test_sd_viewer_config(self):
         vm = self.app.domains["sd-viewer"]
@@ -114,6 +123,12 @@ def test_sd_log_config(self):
         self._check_service_running(vm, "paxctld")
         self.assertFalse(vm.template_for_dispvms)
         self.assertTrue('sd-workstation' in vm.tags)
+        # Check the size of the private volume
+        # Should be same of config.json
+        # >>> 1024 * 1024 * 5 * 1024
+        size = self.config["vmsizes"]["sd_log"]
+        vol = vm.volumes["private"]
+        self.assertEqual(vol.size, size * 1024 * 1024 * 1024)
 
     def test_sd_workstation_template(self):
         vm = self.app.domains["securedrop-workstation-buster"]