1. 13 May, 2020 1 commit
      Disable periodic APT operations (refs: #17278) · 575ae9eb
      intrigeri authored
      We have already masked apt-daily.timer (#12390), but apt-daily-upgrade.timer was
      left enabled. AFAICT it's a no-op by default, but better safe than sorry.
      
      Finally, drop masking of apt-daily.timer: APT::Periodic::Enable effectively
      makes apt-daily*.timer no-ops.
      Terminate GDM's GNOME session after the amnesia user logs in, in order to free... · 9e6df451
      intrigeri authored
      Terminate GDM's GNOME session after the amnesia user logs in, in order to free memory (refs: #12092)
      
      I've heard rumors that we can drop this hack when we switch to Wayland (#12213).
      We'll see :)
      
      We kill it as part of desktop.target, i.e. during the "Applications" phase of
      the initialization of the GNOME session. We cannot do this earlier reliably:
      
       - basic.target is started by "systemd --user" for almost every command run as
         the amnesia user and may thus be triggered too early, at a time when we still
         need GDM's processes.
      
       - If we do this as part of basic.target, it sometimes happens before amnesia's
         X.Org has started, and sometimes after that, which causes racy behaviour,
         weird bugs, and amnesia's $DISPLAY can be either :0 or :1, which breaks our
         code that relies on that value to be always the same.
      
      We're in no rush to kill GDM's GNOME session super early anyway.
      
      Note that we keep GDM running while we kill its GNOME session,
      otherwise, the amnesia user can't unlock the screen:
      
        Failed to open reauthentication channel: Gio:DBusError:
        GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name
        org.gnome.DisplayManager was not provided by any .service files
      
      Also, we ensure gdm-session-worker does not start new sessions once the amnesia
      user has logged in, which should hopefully prevent GDM from activating
      such a session while we want the amnesia user's session to remain active.
      Mount a dedicated tmpfs on /run/initramfs instead of trying to remount /run... · 290620df
      intrigeri authored
      Mount a dedicated tmpfs on /run/initramfs instead of trying to remount /run with the "exec" option (refs: #16097).
      
      My previous approach, i.e. "let's remount /run with the exec option via a unit
      file started as part of the shutdown procedure", worked just fine for clean
      shutdown. But it does not work for emergency shutdown, i.e. when the boot medium
      is physically removed: for some reason (possibly missing bits in the memlockd
      configuration), this service is not started, and then systemd-shutdown won't
      return to the initramfs because /run/initramfs/shutdown is not executable.
      
      So let's instead disregard /run and extract the initramfs into a dedicated
      tmpfs, that we mount on /run/initramfs (where systemd-shutdown will look for
      it), and that we mount without the "noexec" option.
      
      Also, remove manual calls to eject(1):
      
       - They increase chances that the shutdown process breaks due to missing
         files locked in memory by memlockd.
      
       - Their sole benefit is to ensure we physically eject the DVD. It's unclear if
         this code is still needed nowadays. Regardless, starting with Tails 3.12, the
         only supported use case for ISO and DVD is virtual machines, which are not
         targeted by the emergency shutdown feature, which is about removing the
         *physical* boot medium.
      Fix memory erasure on shutdown with systemd v239 (refs: #16097). · 634e5a6d
      intrigeri authored
      Remounting /run with the "exec" option in /lib/systemd/system-shutdown/tails
      does not work anymore with systemd v239, while it worked at least until systemd
      v237. I could not find out why by reading systemd's NEWS file.
      
      So let's instead do this there:
      
       - For clean shutdown: in a new, dedicated service, started immediately before
         final.target, which itself is a synchronization point that ensures this
         service is started before the transition to systemd-shutdown and in turn to
         the initramfs, where we finish the unmounting and other clean ups needed to
         erase the memory.
      
       - For emergency shutdown: in the udev watchdog script, before calling the
         unclean shutdown code, which bypasses final.target and thus won't run
         tails-remount-run-exec.service. Too bad we have to duplicate this mount
         command but it seems that both instances will become unnecessary quickly
         enough, once systemd DTRT. Another way would be to manually start
         tails-remount-run-exec.service from the udev watchdog script but I'm
         concerned it will be unreliable when the boot medium has been unplugged.
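      For readers who want to see what "a new, dedicated service, started immediately
      before final.target" looks like in systemd terms, here is an illustrative unit
      in that shape. It is an added example, not the unit Tails ships: the unit name
      tails-remount-run-exec.service is the one the message mentions, but the body
      below is my assumption of the pattern. Note also that the later commit
      (290620df, above) abandoned remounting /run in favour of a dedicated tmpfs
      on /run/initramfs, because this service is not started on emergency shutdown.

```ini
# Illustrative only; not the unit shipped by Tails.
# /etc/systemd/system/tails-remount-run-exec.service
#
# DefaultDependencies=no keeps systemd from adding the usual Conflicts= on
# shutdown.target, which would otherwise stop this unit during shutdown
# instead of starting it. WantedBy=final.target pulls it in late in the
# shutdown logic, after normal services are terminated and mounts are gone,
# and Before=final.target orders it ahead of the hand-over to systemd-shutdown,
# which only returns to the initramfs if /run/initramfs/shutdown is executable.
[Unit]
Description=Remount /run with the exec option before returning to the initramfs
DefaultDependencies=no
Before=final.target

[Service]
Type=oneshot
ExecStart=/bin/mount -o remount,exec /run

[Install]
WantedBy=final.target
```

      After `systemctl enable` the unit should show up under
      `systemctl list-dependencies final.target`; `systemd-analyze verify` on the
      file catches ordering typos. As the message itself points out, anything
      that bypasses final.target (the udev watchdog's unclean shutdown path) will
      not run this unit, so the same mount has to be issued there as well.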
      Disable live-tools.service (Closes: #16324) · 3ab1c609
      intrigeri authored
      This service is only useful to display the "Please remove the live-medium, close
      the tray (if any) and press ENTER to continue:" prompt on shutdown, that we
      don't want to display in Tails: shutdown and memory erasure should not require
      a confirmation once the user has triggered it. In Stretch this code was broken
      and we were relying on this. But the Buster upgrade of this code has repaired
      it, so I sometimes see that prompt. This might also explain some issues such
      as #16312.
      Drop our custom update-ca-certificates.service (refs: #14756) · 311845d2
      intrigeri authored
      It was meant to re-create /etc/ssl/certs/java/cacerts at boot time since we used
      to remove it at build time to make the build deterministic. We don't ship
      ca-certificates-java anymore, so we don't delete /etc/ssl/certs/java/cacerts
      anymore, so we don't need to re-create it.
  19. 18 May, 2017 3 commits
      Return to the initramfs (unpacked in /run/initramfs) on shutdown (refs:... · 888ccc5a
      intrigeri authored
      Return to the initramfs (unpacked in /run/initramfs) on shutdown (refs: #12428, #12354, Debian#778849).
      
      … otherwise the aufs read-write (tmpfs) branch, among possibly other things,
      can't be properly unmounted and its content remains in memory.
      
      Notes:
      
       * We have to handle some unmounting ourselves in initramfs-pre-shutdown-hook:
         systemd-shutdown doesn't manage to unmount the aufs read-write
         branch (/oldroot/lib/live/mount/overlay) as it is needed by the
         aufs (/oldroot) filesystem, and reciprocally it cannot unmount /oldroot as it
         is kept busy by /oldroot/lib/live/mount/*. So we disentangle this mess
         ourselves. And we have to manually empty the aufs read-write (tmpfs) branch,
         otherwise for some reason its content remains in memory. This code will of
         course need to be adapted for overlayfs some day.
      
       * We lock /bin/kill in memory: apparently systemd-exit.service needs it.
      
       * We remount /run on shutdown *before* dropping caches, just in case dropping
         caches removes what we've locked into memory.
      
       * We unpack the initramfs to /run/initramfs at *boot* time: sadly, I was not
         able to have it unpacked reliably in udev-watchdog-wrapper when the boot
         medium is ejected, so we'll use a little bit more RAM (instead of locking the
         compressed initramfs into memory, we're storing the uncompressed one there)
         and probably slow down the boot a bit, in order to make emergency shutdown
         robust. Note, however, that we save some of the RAM used by the uncompressed
         initramfs by deleting the worst offenders (kernel modules).
      
       * For now the whole procedure is quite noisy on the screen: the pre-shutdown
         hook runs under "set -x", doesn't run "clear", and spits out lots of
         debugging information. The goal is to enable users to provide useful
         debugging data if they have problems with emergency shutdown. Once we have
         shipped this code in a few releases and trust it's robust enough, we can
         surely reconsider and polish the UX by making the output less noisy.
      
       * We use absolute paths in many places to avoid $PATH lookup which might
         fail if the root filesystem is not there anymore.
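      To make the two initramfs-related changes concrete (unpacking the initramfs at
      boot time and dropping its kernel modules, as in this commit, and unpacking it
      into a dedicated exec-capable tmpfs on /run/initramfs, as in 290620df above),
      here is an added example of how such a boot-time step can be written. It is my
      own illustration, not Tails' code. Assumptions: the initramfs path is passed as
      an argument, the image is a single compressed (or plain) newc cpio stream, and
      the usual decompressors and GNU cpio are present. The function names are mine.

```shell
#!/bin/sh
# Added example, not Tails' code. Unpack an initramfs into a dedicated tmpfs on
# /run/initramfs so that systemd-shutdown can return to it. Absolute paths are
# used deliberately: at shutdown the root filesystem may already be gone.
set -eu

# Print the command that turns the initramfs image $1 into a plain cpio stream,
# decided from the file's magic bytes. Returns 1 for an unknown format.
initramfs_decompressor() {
    img_magic=$(/usr/bin/head -c 6 "$1" | /usr/bin/od -An -tx1 | /usr/bin/tr -d ' \n')
    case "$img_magic" in
        1f8b*)                      echo "gzip -dc"  ;;
        fd377a585a00)               echo "xz -dc"    ;;
        28b52ffd*)                  echo "zstd -dc"  ;;
        04224d18*)                  echo "lz4 -dc"   ;;
        425a68*)                    echo "bzip2 -dc" ;;
        303730373031|303730373032)  echo "cat"       ;;  # "070701"/"070702": uncompressed newc cpio
        *)                          return 1         ;;
    esac
}

# Mount a fresh tmpfs on $2 (default /run/initramfs) *without* noexec, extract
# the initramfs $1 into it, drop the kernel modules to save RAM, and check that
# the shutdown entry point is executable, which is what systemd-shutdown tests.
unpack_initramfs_to_tmpfs() {
    img=$1
    dest=${2:-/run/initramfs}
    dec=$(initramfs_decompressor "$img") || {
        echo "unknown initramfs format: $img" >&2
        return 1
    }
    /bin/mkdir -p "$dest"
    # A dedicated tmpfs, not a remount of /run: /run is mounted noexec by the
    # initramfs, and we want to leave it that way.
    /bin/mount -t tmpfs -o mode=0755,nosuid,nodev tmpfs "$dest"
    $dec "$img" | (cd "$dest" && /bin/cpio -id --quiet)
    # The shutdown hook needs no kernel modules; they are the biggest files.
    /bin/rm -rf "$dest/lib/modules" "$dest/usr/lib/modules"
    if ! [ -x "$dest/shutdown" ]; then
        echo "$dest/shutdown is missing or not executable" >&2
        return 1
    fi
}

# Usage at boot, as root: unpack_initramfs_to_tmpfs /initrd.img
if [ "$#" -gt 0 ]; then
    unpack_initramfs_to_tmpfs "$@"
fi
```

      Caveat: Debian's initramfs-tools can prepend an uncompressed cpio archive
      (CPU microcode) to the compressed payload; the magic check above only sees the
      first archive, so such images are better unpacked with unmkinitramfs(8) from
      initramfs-tools-core. Whatever unpacks the image, the memlockd configuration
      still has to cover every binary the shutdown hook calls, as the notes above say.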
      Drop kexec-based memory erasure feature (refs: #12354). · e2caab51
      intrigeri authored
      It's not reliable enough and provides poor UX. Linux memory poisoning
      works well enough to get rid of it.
      Fix buggy merge (refs: #12394). · f5b1daa6
      intrigeri authored
      Here we learn once more that waiting for build results from Jenkins before
      submitting for QA, and before merging, is actually useful :)