Ticket #410 (new enhancement)

Opened 12 years ago

Last modified 5 years ago

We need a public workstation verification script

Reported by: jdreed Owned by:
Priority: normal Milestone: Current Semester
Component: -- Keywords: hackathon
Cc: Fixed in version: debathena-verify 1.0
Upstream bug:

Description

As discussed some time ago, we need some sort of public workstation verification script, even with the login chroots. It should perhaps run debsums, and whitelist known false-positives. Determining the canonical set of installed packages and their versions may be difficult with our update mechanism -- one option is a VM that runs athena-auto-update with no desync and generates the canonical list. Another option is that if the script detects inconsistencies, it forces an update and then checks again.

Change History

comment:1 Changed 11 years ago by jdreed

  • Keywords hackathon added
  • Milestone changed from Summer 2010 (Lucid Deploy) to The Distant Future

comment:2 Changed 11 years ago by jdreed

  • Milestone changed from The Distant Future to Natty Alpha

Bumping this for Natty. We've been without such a script for almost 2 years, and I'm concerned we're growing too reliant on the chroot, which is a speed bump, not a locked door.

comment:3 follow-up: ↓ 4 Changed 11 years ago by jdreed

debsums on my 760 (2387 packages installed) took 4m49s to run, which is ... not entirely unreasonable. We could run it out of cron in the middle of the night, and if it fails, have it create a flag file which debathena-gdm-pieces-of-flair checks for, and disables logins if it finds it. Or it could just kick off /usr/sbin/athena-auto-upgrade, I guess. However, debsums only tells us if somebody has mucked with installed packages. It won't, for example, tell us if somebody has installed their own debathena-haxx0r-config (whose md5sums will verify correctly, I'm sure). Is there a way to say "Show me everything that's installed that didn't come from an APT repo?" Which of course assumes that apt{-get,itude} haven't been compromised, but it's a decent start.

comment:4 in reply to: ↑ 3 Changed 11 years ago by amu

Replying to jdreed:

Is there a way to say "Show me everything that's installed that didn't come from an APT repo?"

aptitude search '~o'

comment:5 follow-up: ↓ 6 Changed 11 years ago by jdreed

aptitude search '~o'

As far as I can tell, that will only show me packages that can't be downloaded, but won't tell me if, for example, someone built their own debathena-workstation and installed it with dpkg -i.

I wonder if we should just go back to control files, because it's not like the package-list code doesn't already essentially generate that data for us.

comment:6 in reply to: ↑ 5 Changed 11 years ago by amu

Replying to jdreed:

As far as I can tell, that will only show me packages that can't be downloaded, but won't tell me if, for example, someone built their own debathena-workstation and installed it with dpkg -i.

Right, I'd missed the bit about versions. :-/ To cover that angle, you could search for ~S~i!(~Odebian|~Oubuntu|~Odebathena); that will also list out-of-date packages unless you throw in !~U, but you're probably interested in those anyway, particularly if newer versions include security fixes.

comment:7 Changed 10 years ago by jdreed

  • Milestone changed from Natty Alpha to Natty Release

Re-milestoning this, as it might end up being moot in a mokafive world.

comment:8 follow-up: ↓ 9 Changed 10 years ago by geofft

  • Status changed from new to accepted
  • Owner set to geofft

We're not doing mokafive. :( For a first-order verification script, we can:

  • Make sure every package on the system is a recursive dependency of ubuntu-desktop, debathena-cluster, or possibly at most a dozen other "root" packages (we have some special cases which we explicitly install, for instance)
  • Make sure the apt repos are what we expect
  • Make sure that apt-cache policy believes that the version of each package on the system is actually installable from the apt repos (to catch a too-new version of a package)
  • Run debsums
  • Make sure the list of untracked files matches some known whitelist

release-team (read jdreed) seems fine with just doing this in cron as opposed to on boot as we did on Athena 9, which had the annoying side effect of making boot take like ten minutes.

comment:9 in reply to: ↑ 8 Changed 10 years ago by jweiss

release-team (read jdreed) seems fine with just doing this in cron as opposed to on boot as we did on Athena 9, which had the annoying side effect of making boot take like ten minutes.

As long as it's properly desync'd I think running it out of cron is actually better than running it at boot time, since we know it will get run regularly, and we don't know how often a workstation will be rebooted.

comment:10 Changed 9 years ago by jdreed

  • Status changed from accepted to committed

A first order approximation of this (which does not do the "make sure every package is a recursive dependency" part, because aptitude search syntax hurts my brain) is checked in in r25637 as debathena-verify.

comment:11 Changed 9 years ago by jdreed

  • Status changed from committed to development
  • Fixed in version set to debathena-verify 1.0

I've gone ahead and built this to -development. Nothing pulls it in yet, so please test it. At the moment, I'm primarily interested in testing it on precise cluster machines.

comment:12 Changed 5 years ago by andersk

  • Status changed from development to proposed

comment:13 Changed 5 years ago by andersk

  • Owner geofft deleted
  • Status changed from proposed to new

debathena-verify 1.0 now exists in production, but nothing causes it to be installed or run, so I’m setting this back to new.

Note: See TracTickets for help on using tickets.