Marek Marczykowski-Górecki:
> Do you have some automated tests for Whonix gw/ws?
Yes, see below.
> In Qubes we have
> tests for some basic functionality - both dom0 and templates. I think it
> is a good idea to extend those tests to also include some Whonix
> specific cases.
Yes.
> Our tests are based on python unittest module, but actually those are
> integration tests. Example tests currently implemented:
> - create + start VM
> - start some GUI application (currently gnome-terminal), check if window appears
> - start Disposable VM, edit some file there
> - networking (ping), directly to netvm, through proxyvm etc.
> - making VM backups and restoring them - including compatibility with
> older backup formats
Awesome stuff.
ping and Whonix:
Whonix-Gateway has no system DNS on purpose. [6]
With default settings (there are options) only user clearnet is allowed
to use ping.
So if you want a ping test, use:
sudo -u clearnet ping ...
> This is just to give you an idea what type of tests are there.
>
> What do you think of preparing similar tests for Whonix VMs? I guess it
> would include things like:
> - checking tor connectivity
Covered by whonixcheck, see below.
> - checking time sync
Covered by timesync, see below.
> - simple leak tests
Covered by whonixcheck, see below.
> - VM configuration - especially if all Whonix specific things are set
> up (for example "host" as a hostname, UTC timezone, etc).
Hostname:
Covered by whonixcheck, see below.
Timezone:
Not checked yet.
TODO:
https://phabricator.whonix.org/T368
Patches welcome or I'll do it in time for Whonix 12.
Other stuff:
Might be covered by whonixcheck already. See:
https://www.whonix.org/wiki/Whonixcheck#Checks
Please see what stuff isn't covered. Feel free to mention here and/or
create tickets etc.
> Do you have something like that already done? If yes, I'd like to hook
> it into our test runner - to automatically call those tests when going
> through full test run. If not - can you provide some such tests? Or at
> least provide an idea what should be tested and _how_ (what command to
> execute and what should be expected result).
Yes. Done below. If something is missing, please say so.
TLDR:
Existing tests...
(1) general sanity checks (during / after build) [1]:
run as root:
/usr/lib/anon-dist/chroot-scripts-pre.d/20_sanity_checks
(2) check, that no non-free software has been installed (during / after
build) [2]:
run as root:
/usr/lib/anon-dist/chroot-scripts-post.d/75_vrms
(3) security and anonymity check (after VM start) [3] [4]:
run as user:
whonixcheck
Or.
whonixcheck --verbose
(4) For testing timesync, just try. Run.
timesync
Long timeout: 10 minutes. No reliable exit code yet when it fails (bug).
Output is correct. Rewrite in progress. [7] [8]
More:
All tests exit non-zero if major issues are found. For all scripts I am
working on, I have reliable exit codes in mind.
(1) and (2) are supposed to be run (primarily) during or after build.
In Whonix, general sanity checks (1) are run during build. In Qubes, for
some reason (nrgaway can tell), qubes-template-whonix, file
whonix-gateway/02_install_groups_pre.sh, uses '--sanity-tests false'. If
I remember right, because that speeds up the build. I don't like this as
default (it's okay for personal, occasional builds), but most of the
time it's better to keep those tests running.
If there are any issues with the tests in Qubes, the tests should be
fixed in Whonix, not disabled by qubes-template-whonix.
(3) whonixcheck is supposed to be run after a VM has been started. In a
Whonix-Gateway ProxyVM or Whonix-Workstation AppVM. Not in a TemplateVM.
I was wondering if I should modify whonixcheck to be able to run in
TemplateVMs also. With fewer tests perhaps.
whonixcheck runs basic leak tests already. Runs Socks- and TransPort in
Whonix-Workstation. SocksPort on Whonix-Gateway (has no transparent
proxying enabled by default).
Cheers,
Patrick
[1]
https://github.com/Whonix/anon-shared-build-sanity-checks/blob/master/usr/lib/anon-dist/chroot-scripts-pre.d/20_sanity_checks
[2]
https://github.com/Whonix/anon-shared-build-ban-nonfree/blob/master/usr/lib/anon-dist/chroot-scripts-post.d/75_vrms
[3]
https://github.com/Whonix/whonixcheck
[4]
https://www.whonix.org/wiki/Whonixcheck
[5]
https://github.com/nrgaway/qubes-template-whonix/blob/eb795b00eac7ed21810dda6ce978b5ed0b27681c/whonix-gateway/02_install_groups_pre.sh#L45
[6]
https://www.whonix.org/wiki/Whonix-Gateway_System_DNS
[7]
https://phabricator.whonix.org/T300
[8]
https://www.whonix.org/forum/index.php/topic,1301.0.html
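
The checks listed in the mail above, arranged as a small Python harness of the kind a unittest-based runner could call. This is an added example, not code from Whonix or Qubes. The context names, DEFAULT_TIMEOUT, running timesync in started VMs, and the use of `sudo -n` for the root-only scripts are assumptions; the commands, the 10 minute timesync timeout and its unreliable exit code come from the mail.

```python
import subprocess
from collections import namedtuple

Check = namedtuple("Check", "name argv root contexts timeout exit_reliable")

DEFAULT_TIMEOUT = 300  # assumption: the mail gives a timeout only for timesync
CHECKS = [
    Check("sanity_checks",
          ["/usr/lib/anon-dist/chroot-scripts-pre.d/20_sanity_checks"],
          True, {"build"}, DEFAULT_TIMEOUT, True),
    Check("vrms",
          ["/usr/lib/anon-dist/chroot-scripts-post.d/75_vrms"],
          True, {"build"}, DEFAULT_TIMEOUT, True),
    Check("whonixcheck", ["whonixcheck", "--verbose"],
          False, {"gateway", "workstation"}, DEFAULT_TIMEOUT, True),
    # 10 minutes, exit code unreliable on failure (mail); VM contexts assumed.
    Check("timesync", ["timesync"],
          False, {"gateway", "workstation"}, 600, False),
]

def checks_for(context):
    """Checks meant for 'build', 'gateway' or 'workstation' (not TemplateVMs)."""
    return [c for c in CHECKS if context in c.contexts]

def run_check(check, run=subprocess.run):
    """Run one check and return (verdict, output)."""
    # Assumption: the harness runs as a normal user and may use sudo.
    argv = (["sudo", "-n"] if check.root else []) + check.argv
    try:
        proc = run(argv, capture_output=True, text=True, timeout=check.timeout)
    except subprocess.TimeoutExpired:
        return "fail", "timed out after %d s" % check.timeout
    if proc.returncode != 0:
        return "fail", proc.stdout
    if not check.exit_reliable:
        # Exit 0 proves nothing here; the output has to be reviewed.
        return "inconclusive", proc.stdout
    return "pass", proc.stdout

def run_context(context, run=subprocess.run):
    """Map each applicable check name to its verdict."""
    return {c.name: run_check(c, run)[0] for c in checks_for(context)}
```

The `run` parameter exists so the harness can be exercised without a Whonix VM; a test runner would leave it at the default.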