- In create/edit network connection form, if the accordion is closed for
'General' section, Network Interface has not be selected yet and Submit button
is pressed, 'General' section should be expanded and focus should go to Network
Interface field. This is not working as expected as the code to expand
accordions didn't match 'select' type input fields properly. Fix this.
- Declare a common class name for both create and edit forms to make writing
queries easier.
- Drop console logs that where meant for debugging.
Tests:
- On both create and edit connection forms, set the value of network interface
to '--select--' and collapse the 'General' section. Press submit. The 'General'
section is expanded, Network Interface field is focus and scrolled into view.
- Do the same check for another field such as Connection Name and that works
too.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
This improves the user experience in many ways:
- Help user understand if DNSSEC is being used on the current DNS server in case
'allow-fallback' is supported.
- Nudges the user to explore enabling DNS-over-TLS and DNSSEC.
- Help user understand how global vs. link specific configuration works. Help
user understand if a global DNS is being used.
- Show the list of fallback DNS servers being used (as this poses privacy
concerns).
Also helps with debugging in problematic situations:
- Find out which DNS server is being used (and leading to problems) and show the
cycling mechanism.
Tests:
- Enable/disable fallback DNS server in privacy app. See that fallback servers
line is only shown when enabled.
- Set various global values of DNS-over-TLS and DNSSEC and see the status
changes.
- Set various values of DNS-over-TLS in the network connection settings and see
the changes in status.
- Set DNSSEC to allow-fallback. Perform a query and see that the value of
supported/unsupported changes.
- Set DNS servers with special configuration file in
/etc/systemd/resolved.conf.d/test.conf and restart systemd-resolved. See change
in status page. Notice that if connection specific DNS server is set to an
invalid server, global section has a current DNS server.
- Set SNI domain name and port for the an IPv4 DNS and an IPv6 DNS. See that the
display is as expected.
- Raise an exception in get_status() and notice that an error alert is show
properly.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewd-by: Veiko Aasa <veiko17@disroot.org>
Pass remaining failed checks to super.
Tests:
- Remove /etc/letsencrypt/renewal-hooks/deploy/50-freedombox so that
the diagnostic fails. Running repair causes the file to be
re-created.
- Set domain name to non-existing domain so that the diagnostic
fails. Running repair attempts to obtain the certificate.
- Have both diagnostics failing. Running repair will attempt to repair
both.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
So that when users select 'Default' they understand what value applies and how
to change it.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- Reloading systemd-resolved does not seem to apply the DNS-over-TLS changes
fully. Although resolvectl shows the new status after a reload, systemd-resolved
seems to be using incorrect DNS-over-TLS setting.
Tests:
- Without the patch, set DNS server that does not support DNS-over-TLS such as
dnsmasq in Network Manager's 'shared' connection. Then enable DNS-over-TLS.
resolvectl shows that DNSOverTLS flag correctly. But name resolutions still
work.
- With the patch, repeat the above and notice that resolution does not work.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- Use deb.debian.org because it is already contacted regularly for
checking/downloading packages and updates.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Tests:
- Visit the names app. New 'Domains' heading and configuration section appear.
- DNS-over-TLS configuration option is as expected.
- When the configuration file does not exist, the option selected is 'no'.
- When the configuration option is changed, 'resolvectl' shows the newly set
configuration. Using 'resolvectl query {domain}' does not work when DoT is on
and server does not support DoT. 'opportunistic' and 'no' work on those cases.
- When a DNS server supporting DoT (such as 1.1.1.1) is manually set, resolution
with all three settings works.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- Without selecting an option, trying to submit the form leads to an error.
Tests:
- Go to the new connection form, notice that the 'auto' method is selected by
default.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- If an existing network manager connection with the missing values is ever
edited, it leads an awkward interface.
- So, complete the setting by allowing values supported by Network Manager.
Tests:
- Create new connections with the new values 'link-local' and 'disabled'.
Connection creation succeeds.
- Editing connection to these values works too.
- When 'link-local' or 'disabled' values are selected, primary and secondary DNS
fields are disabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- Expose Network Manager per-connection setting for DNS-over-TLS. Support all
four values: default, no, opportunistic, and yes.
- Create a new collapsible section all 'Privacy' for this setting the connection
create/edit form. Strictly speaking this is related to security and censorship
resistance too.
- Don't show the DoT field for PPPoE connection types are DNS servers are not
relevant.
- Show the status of DoT for a connection in the connection status page.
Tests:
- In all Add New Connection forms except PPPoE form, the privacy
section shows up as expected.
- For each value for DoT, create a new connection and set the value for DoT to the
desired value and observe that the connection status page shows DoT to the set
value.
- For each value for DoT, edit an existing connection and set the value for the
DoT to the desired value and observe that the connection status page shows DoT
to the set value.
- Connection status page shows the values for DoT as expected.
- Update the primary Internet connection for the machine. Set the value to 'yes'
and notice that DNS resolutions fail. Set the value to 'opportunistic' or 'no'
and the DNS resolutions pass. In each case, 'resolvectl' shows the correct DoT
value for the connection. When 1.1.1.1 is set as DNS server, all values of DoT
in the connection succeed.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Package holds are only expected when apps are being installed or
uninstalled, or during distribution upgrade process. At any other
time, package holds are not expected and should be released.
Tests:
- Place a hold on one package. Run the upgrades diagnostics, which
will have a failure. Try to repair the failure, and confirm that the
package is no longer held.
- Repeat with two or three packages being held.
[sunil]
- When the package 'needsrestart' is outdated and another package is held,
running repair unholds the package as well as runs setup() on the upgrades app
leading to 'needsrestart' package getting upgrade.
- When only failed diagnostic is for package holds. Running repair unholds the
packages but does not rung setup().
Helps: #2347
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Fixes: #2432
Tests:
- Without patch install MediaWiki. phpinfo() shows max execution time for 30
seconds. Apply patch, run 'make install' and restart service. Mediawiki app is
updated. Apache2 is reloaded. phpinfo() shows max execution time for 100
seconds.
- Create a script to 100% utilize the CPU for 90 seconds. It works.
- Create a script to 100% utilize the CPU for 110 seconds. It fails and get
killed after about 100 seconds.
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
Tested-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- If provision fails and the container is in running state, then running
'./container up' does not lead to re-run of provisioning script. Fix this.
Tests:
- Without patch, insert 'exit 1' in provisioning script. Run './container
destroy; ./container up'. Provision script will fail. Re-run './container up'.
Provision script is not run and message that container is already running is
printed.
- With patch, insert 'exit 1' in provisioning script. Run './container destroy;
./container up'. Provision script will fail. Re-run './container up'. Provision
script is not run and message that container is already running is printed.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Closes: #1196.
- systemd-resolved always contains the current list of known DNS servers taken
from systemd-networkd, network-manager, or by other means. It also has fallback
DNS servers. Forwarding requests to it allows correct and failsafe way to reach
external DNS servers.
Tests:
- Freshly install bind and notice that the fowarders list is set to 127.0.0.53.
- Install without the patch. Apply patch. Restart service. bind is upgraded to
new version and forwarder is set to 127.0.0.53 if it is blank. Otherwise, it
remains as is.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Tests:
- Without patch, disable bind. Incrementing the app's version number results in
bind getting started.
- With patch, disable bind. Incrementing the app's version number does not
result in bind getting started.
- Without patch, disable bind. Update forwarders. Bind is running again.
- With patch, disable bind. Update forwarders. Bind is not running again.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- Before this change, when bind is disabled, dns port is removed from firewall
causing all 'shared' connection to not be able to resolve domains. This was
because no other application was declaring a need for 'dns' port to be kept
open. Declare a firewall component in the networks app needing 'dns' and 'dhcp'
services on the internal networks.
Tests:
- Without the patch, install and disable bind. 'dns' port is removed from
'internal' zone of the firewall.
- Install and disable bind. 'dns' port is not removed from 'internal' zone of
the firewall.
- On a fresh Debian machine. Install the freedombox package. 'http', 'https',
'dns' and 'dhcp' port are opened on the firewall as expected.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- To complete the provisioning process with container script and vagrant.
Tests:
- Start a fresh testing container, it should succeed. systemd-resolved is
running and resolving queries.
- Start a fresh stable container, it should succeed. systemd-resolved is running
and resolving queries.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Tests:
- Without the patch, start the service and dismiss the privacy notification.
With the patch, the restart the service. Privacy app is updated and privacy
notification is shown again. Incrementing the version number of the privacy app
does not result in showing of the notification again.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- Using public DNS servers leads to user's domain queries being known to the
servers, violating privacy. However, it is necessary to address many corner
cases when DNS servers are not known to systemd-resolved but internet
connectivity is working. Allow users to disable fallback DNS servers.
Tests:
- After upgrade to latest version of FreedomBox, the setting is on by default.
- Disabling removes the /etc configuration file and resolvectl shows no fallback
DNS entries.
- Enabling add the /etc configuration file and resolvectl shows fallback
entries. After removing existing DNS servers using resolvectl, one can still
query using fallback servers.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- This avoids using fallback DNS servers in systemd-resolved soon after
systemd-resolved takes over /etc/resolv.conf and if network-manager knows some
DNS servers from the connections it has established.
- Version for the names app has already been incremented in this patch series.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- Disable mDNS resolution. While we can migrate our DNS-SD service definition
files to systemd-resolved and switch from using avahi to systemd-resolved, many
programs still solely depend on avahi-daemon. Examples include cups and GNOME.
It is not clear if they will work any mDNS daemon or if they interact with
avahi-daemon in other ways that the mDNS protocol. So, for now, disable mDNS in
systemd-resolved and continue to use avahi-daemon for it. This is also Fedora's
default.
- Re-introduce Fallback DNS servers with the value same as the upstream systemd
project. Debian removes the default fallback DNS servers likely because they
could be considered a privacy violation. However, when systemd-resolved package
is first installed, the post install script recommends a reboot instead of
feeding the currently configured nameservers from /etc/resolve.conf into
systemd-resolved. Immediately, this causes the system not be able to connect to
any external servers. While this may be acceptable solution for interactive
systems and pre-built images, FreedomBox has to a) be available for remote
access b) perform upgrades without user intervention (and without reboot until a
day). To mitigate privacy concerns, an option to disable these fallback servers
will be provided in the UI.
- systemd-resolved's stub resolver runs on 127.0.0.53%lo:53 and 127.0.0.54. This
does not conflict either with shared connections which listen on 10.42.x.1 or
with bind which listens on 127.0.0.1 (and other IP addresses). This MR does not
address the existing conflict between bind and shared network connections.
However, it does not cause any further conflicts.
Tests:
* mDNS
- Avahi diagnostics works. daemon is running. mdns port is exposed in the
firewall.
- systemd-resolved does not listen on mDNS ports.
- Running avahi-browse shows freedombox on local network.
- Running avahi-browse shows the services ssh, sftp-ssh, http and ejabberd.
- Machine can be discovered in Gnome Files.
* NetworkManager shared connections
- After install/upgrade to systemd-resolved, 'shared' connections can be
created.
- With a 'shared' connection configured and active, it is possible to upgrade to
using systemd-resolved.
- Resolving domains from a machine on shared network goes via systemd-resolved
on FreedomBox.
* Bind
- Installing, running tests on bind works.
- Programs connecting from outside network can connect to bind as expected.
- Programs connecting from local machine can connect to bind as expected.
* Upgrading works
- Upgrading to new FreedomBox package works
- systemd-resolved is installed and running. 'resolvectl' shows a proper name
server (or fallback nameserver like 1.1.1.1).
- libnss-resolve is installed and configured in /etc/nsswitch.conf
- /etc/resolv.conf has proper link to /run/systemd/resolve/stub-resolv.conf.
- Programs using /etc/resolv.conf directly work. Install python3-pycares.
python3 -m pycares freedombox.org.
- NetworkManager has passed on proper DNS entries. In logs dns=systemd-resolved,
rc-manager=unmanaged, plugin=systemd-resolved
- DNS resolution works after first setup. Installing packages works.
- 'resolvectl query' resolution works.
- Programs using glibc API resolution such as 'ping' work.
* Fresh image
- Building an image with new freedombox package works without error.
- Booting from fresh images works.
- systemd-resolved is installed and running. 'resolvectl' show proper name
server.
- libnss-resolve is installed and configured in /etc/nsswitch.conf
- /etc/resolv.conf has proper link to /run/systemd/resolve/stub-resolv.conf
- Programs using /etc/resolv.conf directly work. Install python3-pycares.
python3 -m pycares wikipedia.org
- NetworkManager has passed on proper DNS entries. In logs dns=systemd-resolved,
rc-manager=unmanaged, plugin=systemd-resolved
- DNS resolution works after first setup. Installing packages works.
* Installing package on Debian
- Installing new freedombox package in Debian machine works.
- systemd-resolved is installed and running.
- libnss-resolve is installed and configured.
- /etc/resolv.conf has proper link to /run
- NetworkManager has passed on proper DNS entries to systemd-resolved using
'nmcli reload dns-rc'.
- Resolution works with fallback DNS servers when network interfaces are
configured with /etc/network/interfaces
* OpenVPNs works
- As a server, we don't push DNS servers to the client. So, a client continues
to use its old DNS servers. With systemd-resolved running on server, the client
is able to connect to OpenVPN server, route traffic to the internet, and resolve
DNS queries.
* WireGuard works
- As a server, we can't push DNS servers to the client. So, a client continues
to use its old DNS servers. With systemd-resolved running on server, the client
is able to connect to WireGuard server, route traffic to the internet, and
resolve DNS queries.
- As a client, server does not push DNS servers to the client. So, a client
continues to use its old DNS servers. With systemd-resolved running on the
client, the client is able to connect to WireGuard server, route traffic to the
internet, and resolve DNS queries.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
On systems where the grub-pc package is not available (e.g. ARM),
dpkg-query will have an exit status of 1. Handle the error that is
raised in this case.
Tests:
- Added unit tests for storage._diagnose_grub_configured.
- Tested on Raspberry Pi 4.
Closes: #2441
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Closes: #2405.
- When Django module is mocked, there are some cases where modules using django
can't be imported due to errors.
- To fix that, don't mock the django module and require django and related
Debian packages to be installed on the system generate developer documentation.
- Initialize django in Sphinx configuration to allow django modules to be
imported without errors.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Fixes#2420.
Tests performed using Debian stable:
- Set user language to espanol. Install, repair and remove gitweb app.
Check that all app operation messages are in spanish.
- All unit tests pass.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Closes: Debian bug #1069240
Closes: Debian bug #877935
- libnss-gw-name resolves 'gateway.localhost' to the ip address currently
configured as default route. This has been abandoned upstream[2], deprecated in
Debian[1]. Using libnss-myhostname (part of systemd) instead is recommended[2].
- libnss-gw-name has been removed from testing and unstable. Installing
freedombox package in these distributions no longer installs the libnss-gw-name
package but freedombox installation succeeds as this is only a recommends.
Latest images don't contain the libnss-gw-name package either.
- We already recommend libnss-myhostname and this package is typically installed
along with freedombox package.
- libnss-myhostname resolves '_gateway' where as libnss-gw-name resolves
'gateway.localhost'. This is technically a breaking change. However, we have
neither used nor documented gateway resolution on FreedomBox machines. So, any
disruption is likely minimal.
Tests:
- On a FreedomBox container, running 'ping _gateway' shows that it resolves to
the same IP address as default route shown in 'ip route'.
Links:
1) https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#deprecated-components
2) https://github.com/nomeata/libnss-gw-name
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Add a new diagnostic check result for skipped tests.
Tests:
- Put a hold on a package. The diagnostic is failed.
- Remove the hold from the package. The diagnostic is passed.
- Start installing an app, then immediately run the upgrades
diagnostics. The diagnostic is skipped.
Helps: #2347
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
[sunil: Allow i18n for new state 'skipped']
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Closes: Debian bug #961733.
- The version of Linux kernel supported in FreedomBox is from Debian Bookworm
and that is 6.1, released on Sun, 11 Dec 2022[4][5].
- Around 2014, in Linux kernel version 5.4, a way to extract entropy from CPU
execution jitter every second was implemented. This is similar to
HAVAGE/havaged's approach[1][2]. This ensures that user space applications never
hang indefinitely when entropy is not available.
- Since 2020, /dev/random only blocks until it is initialized and after that
never blocks. It provides cryptographically secure psuedo-random numbers after
initialization (which is believed to be as good as blocking pool even for
security sensitive applications). This the same behavior as getrandom() call[6].
This means that even on embedded systems, haveged is not necessary once the
initialization of the random pool has been completed.
- Since Feb/Mar 2022, /dev/urandom no longer provides insecure random
numbers[3]. Earlier, if it was used before full initialization, it provided
insecure random numbers. Now it blocks the caller until initialization and then
provides cryptographically secure pseudo-random numbers. The initialization
itself won't take too much time due to the "Jitter Dance" technique of
extracting entropy from CPU execution jitter. The only way to request for
insecure random number (without even blocking for 1 second) is to use
getrandom(GRND_INSECURE) which systemd uses to initialize hash tables. This
change was reverted because Jitter Dance did not work on several architectures
including arm[3]. Later it was added back as an opportunistic approach, where
secure random numbers would be provided by urandom if Jitter Dance worked.
- Git repository for haveged mentions that it is less relevant now[7]. It also
lists circumstances where haveged might still help (old kernels, user-space RNG,
additional source of entry and early boot). Of these, only early boot scenario is
of interest for us.
- In summary, the understanding of relevance of haveged is as follows:
Request Random Number
---------------------
Is this during initialization of the random pool?
No:
- Linux never blocks after initialization. It uses CSPRNG now instead of
blocking for entropy.
Yes:
Is this for secure purposes?
No:
- It does not block and provides insecure (or secure in most practical
cases) numbers with getrandom(GRND_INSECURE), used by systemd hash tables,
etc.
Yes:
Does the architecture provide hardware random numbers?
Yes:
- Use RDSEED (Intel/AMD) CPU instruction or HWRNG (SOCs) to initialize the
random pool.
- If on virtual machine, use virtio-rng, ACPI VM ID, etc. to initialize the
random pool.
No:
Is this on architectures with time stamp counter?
Yes:
- The system will block for 1-2 seconds and provide secure random numbers
using "Jitter Dance" (similar to haveged).
- ARMv7 (Allwinner A20, etc.) the lowest ARM architecture we support,
seems to have time stamp counters but we not sure kernel uses it and
implements "Jitter Dance".
No:
- On urandom, The system will not block and provide insecure random
numbers. This is as per the original definition of /dev/urandom.
- The system will block until entropy is available through interrupts,
etc.
- haveged will likely not help here because it also requires time stamp
counter provided by CPU.
Links:
1) https://lwn.net/Articles/802360/
2) https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=50ee7529ec45
3) https://www.zx2c4.com/projects/linux-rng-5.17-5.18/
4) https://lkml.org/lkml/2022/12/11/206
5) https://packages.debian.org/search?searchon=names&keywords=linux-image-6.1.0
6) https://lwn.net/Articles/808575/
7) https://github.com/jirka-h/haveged
Reviewed-by: Joseph Nuthalapati <njoseph@riseup.net>
