Running ./securedrop-admin tailsconfig fails on the Tails 3 Admin Workstation.
./securedrop-admin tailsconfig script noted in the upgrade guide.
Successful playbook completion.
Playbook fails at task TASK [tails-config : Remove deprecated Document Interface desktop icons.] ******
document.desktop icon has been removed.
I'm concerned the playbook didn't finish all tasks, as I don't have install_files/ansible-base/group_vars/all/site-specific; I have install_files/ansible-base/group_vars/all/securedrop
Error in Terminal:
amnesia@amnesia:~/Persistent/securedrop$ ./securedrop-admin tailsconfig
INFO: Configuring Tails workstation environment
INFO: You'll be prompted for the temporary Tails admin password, which was set on Tails login screen
SUDO password:
[WARNING]: provided hosts list is empty, only localhost is available
PLAY [Configure Tails workstation.] ********************************************
TASK [setup] *******************************************************************
ok: [localhost]
TASK [tails-config : include] **************************************************
included: /home/amnesia/Persistent/securedrop/install_files/ansible-base/roles/validate/tasks/validate_tails_environment.yml for localhost
TASK [tails-config : Confirm host OS is Tails.] ********************************
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [tails-config : Check for persistence volume.] ****************************
ok: [localhost] => (item=/live/persistence/TailsData_unlocked/persistence.conf)
ok: [localhost] => (item=/live/persistence/TailsData_unlocked/openssh-client)
ok: [localhost] => (item=/home/amnesia/Persistent/securedrop)
TASK [tails-config : Confirm persistence volume is configured.] ****************
ok: [localhost] => (item={SNIP},
"msg": "All assertions passed"
}
ok: [localhost] => (item={SNIP},
"msg": "All assertions passed"
}
ok: [localhost] => (item={SNIP},
"msg": "All assertions passed"
}
TASK [tails-config : Remove deprecated network hook config files.] *************
ok: [localhost] => (item=[u'/live/persistence/TailsData_unlocked', u'70-tor-reload.sh'])
ok: [localhost] => (item=[u'/live/persistence/TailsData_unlocked', u'99-tor-reload.sh'])
ok: [localhost] => (item=[u'/home/amnesia/Persistent/.securedrop', u'70-tor-reload.sh'])
ok: [localhost] => (item=[u'/home/amnesia/Persistent/.securedrop', u'99-tor-reload.sh'])
ok: [localhost] => (item=[u'/etc/NetworkManager/dispatcher.d', u'70-tor-reload.sh'])
ok: [localhost] => (item=[u'/etc/NetworkManager/dispatcher.d', u'99-tor-reload.sh'])
ok: [localhost] => (item=[u'/etc/NetworkManager/dispatcher.d/custom-nm-hooks', u'70-tor-reload.sh'])
ok: [localhost] => (item=[u'/etc/NetworkManager/dispatcher.d/custom-nm-hooks', u'99-tor-reload.sh'])
TASK [tails-config : Remove deprecated xsessionrc file.] ***********************
ok: [localhost]
TASK [tails-config : Remove deprecated Document Interface desktop icons.] ******
changed: [localhost] => (item=/home/amnesia/Desktop/document.desktop)
ok: [localhost] => (item=/home/amnesia/.local/share/applications/document.desktop)
ok: [localhost] => (item=/home/amnesia/.securedrop/document.desktop)
ok: [localhost] => (item=/live/persistence/TailsData_unlocked/Desktop/document.desktop)
changed: [localhost] => (item=/live/persistence/TailsData_unlocked/dotfiles/Desktop/document.desktop)
ok: [localhost] => (item=/live/persistence/TailsData_unlocked/dotfiles/.local/share/applications/document.desktop)
failed: [localhost] (item=/live/persistence/TailsData_unlocked/Persistent/.securedrop/document.desktop) => {"failed": true, "gid": 0, "group": "root", "item": "/live/persistence/TailsData_unlocked/Persistent/.securedrop/document.desktop", "mode": "0600", "msg": "unlinking failed: [Errno 13] Permission denied: '/live/persistence/TailsData_unlocked/Persistent/.securedrop/document.desktop' ", "owner": "root", "path": "/live/persistence/TailsData_unlocked/Persistent/.securedrop/document.desktop", "size": 368, "state": "file", "uid": 0}
to retry, use: --limit @/home/amnesia/Persistent/securedrop/install_files/ansible-base/securedrop-tails.retry
PLAY RECAP *********************************************************************
localhost : ok=7 changed=0 unreachable=0 failed=1
TASK: tails-config : Remove deprecated network hook config files. ------- 3.72s
TASK: tails-config : Remove deprecated Document Interface desktop icons. --- 3.04s
TASK: setup ------------------------------------------------------------- 1.85s
TASK: tails-config : Check for persistence volume. ---------------------- 1.57s
TASK: tails-config : Remove deprecated xsessionrc file. ----------------- 0.49s
TASK: tails-config : include -------------------------------------------- 0.26s
TASK: tails-config : Confirm persistence volume is configured. ---------- 0.17s
TASK: tails-config : Confirm host OS is Tails. -------------------------- 0.10s
Playbook finished: Thu Jul 27 02:31:05 2017, 8 total tasks. 0:00:11 elapsed.
Traceback (most recent call last):
File "./securedrop-admin", line 311, in <module>
args.func(args)
File "./securedrop-admin", line 266, in run_tails_config
cwd=ANSIBLE_PATH)
File "/usr/lib/python2.7/subprocess.py", line 186, in check_call
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['/home/amnesia/Persistent/securedrop/./install_files/ansible-base/securedrop-tails.yml', '--ask-become-pass', '-i', '/dev/null']' returned non-zero exit status 2
amnesia@amnesia:~/Persistent/securedrop$
amnesia@amnesia:~/Desktop$ ls -alh
total 8.0K
drwx------ 2 amnesia amnesia 100 Jul 27 02:31 .
drwx------ 29 amnesia amnesia 760 Jul 27 02:36 ..
-rwx------ 1 amnesia amnesia 1.6K Jul 27 02:03 Report_an_error.desktop
lrwxrwxrwx 1 amnesia amnesia 78 Jul 27 02:04 source.desktop -> /lib/live/mount/persistence/TailsData_unlocked/dotfiles/Desktop/source.desktop
-rwx------ 1 amnesia amnesia 1.6K Jul 27 02:03 tails-documentation.desktop
amnesia@amnesia:~/Desktop$
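An added triage example, not part of the original report or SecureDrop's own code: it parses `failed:` loop-item lines in the format shown in the log above and flags "Permission denied" failures on files owned by another uid, the pattern that points to a task needing privilege escalation. `SAMPLE_LOG` is constructed (abbreviated from the log above), and `run_uid=1000` is an assumed uid for the unprivileged user.

```python
import json
import re

# Constructed sample: two result lines in the format Ansible printed above
# (the failed line is abbreviated; the paths are taken from the report).
SAMPLE_LOG = '''\
ok: [localhost] => (item=/home/amnesia/.securedrop/document.desktop)
failed: [localhost] (item=/live/persistence/TailsData_unlocked/Persistent/.securedrop/document.desktop) => {"failed": true, "gid": 0, "group": "root", "mode": "0600", "msg": "unlinking failed: [Errno 13] Permission denied: '/live/persistence/TailsData_unlocked/Persistent/.securedrop/document.desktop' ", "owner": "root", "uid": 0}
'''

FAILED_RE = re.compile(
    r"^failed: \[(?P<host>[^\]]+)\] \(item=(?P<item>.*?)\) => (?P<json>\{.*\})\s*$"
)

def failed_items(log_text):
    """Yield (host, item, result_dict) for every failed loop item."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        try:
            result = json.loads(m.group("json"))
        except ValueError:
            continue  # truncated or line-wrapped result; nothing to triage
        yield m.group("host"), m.group("item"), result

def needs_privilege(result, run_uid):
    """Heuristic: EACCES reported on a file owned by a different uid.

    Unlink permission is decided by the parent directory, so this is a
    triage hint, not proof; the module output only describes the file.
    """
    denied = "[Errno 13]" in result.get("msg", "")
    return denied and result.get("uid") not in (None, run_uid)

def triage(log_text, run_uid):
    """Summarise each failed item with its owner, mode and the hint above."""
    return [
        {"host": host, "path": item, "owner": res.get("owner"),
         "mode": res.get("mode"), "needs_privilege": needs_privilege(res, run_uid)}
        for host, item, res in failed_items(log_text)
    ]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, run_uid=1000):  # 1000: assumed unprivileged uid
        print(row)
```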
@sighmon Thanks for the detailed report! The changes in #2021 were designed to address the problem you describe.
Possibly enter a wrong passphrase the first run.. (not sure if this is relevant or not)
That very well could be affecting the behavior. Regardless, simply rerun ./securedrop-admin tailsconfig. That configuration flow is fully idempotent, so you won't risk breaking your workstation setup by running it again. (The previous tails_files/install.sh bash script was not nearly so friendly.)
Regardless, simply rerun
./securedrop-admin tailsconfig
I tried running it again, and also after a reboot, but still get the same error at unlink failed: [Errno 13] Permission denied: '/live/persistence/TailsData_unlocked/Persistent/.securedrop/document.desktop' even though that file doesn't exist now.
I also tried re-creating it by copying source.desktop and re-creating the symlink on the Desktop, but that doesn't work either.
Drat, thanks for reproducing. Try this patch:
diff --git a/install_files/ansible-base/roles/tails-config/tasks/cleanup_legacy_artifacts.yml b/install_files/ansible-base/roles/tails-config/tasks/cleanup_legacy_artifacts.yml
index aed5385c..6eba0ebd 100644
--- a/install_files/ansible-base/roles/tails-config/tasks/cleanup_legacy_artifacts.yml
+++ b/install_files/ansible-base/roles/tails-config/tasks/cleanup_legacy_artifacts.yml
@@ -17,6 +17,7 @@
state: absent
- name: Remove deprecated Document Interface desktop icons.
+ become: yes
file:
state: absent
path: "{{ item }}"
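Review bot: the `become: yes` on "Remove deprecated Document Interface desktop icons." has no comment explaining why root is needed, and it applies to every `{{ item }}` in the loop even though the reported failure was only on the root-owned copy under /live/persistence/TailsData_unlocked/Persistent/.securedrop/. Please add a comment above the task noting that legacy installs can leave root-owned files behind, and check whether the preceding cleanup task, whose `state: absent` is visible in the context lines, can hit the same root-owned leftovers and needs the same treatment.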
You can save that to a file called tails-workstation-document-icon-fix.patch, then run patch -p 1 < tails-workstation-document-icon-fix.patch inside the local securedrop git repository on the Tails workstation. Then try the ./securedrop-admin tailsconfig and see if that resolves the issue for you.
@conorsch Awesome thanks, that patch worked and let the playbook finish - and I have two icons after a reboot, Journalist & Source. 👍
Thanks for confirming, @sighmon! I'm reopening the issue to track implementation of this change into the prod config, so the same problem doesn't bite anyone else.
Closed by #2051
Thanks again for reporting this @sighmon. We made a release today to fix this for all SecureDrop admins: https://securedrop.org/news/securedrop-041-released