
Update test-bench machine setup #1149

Merged
andrewdavidwong merged 143 commits into QubesOS:master from deeplow:patch-17
Jun 26, 2021

Contributor

@deeplow deeplow commented Jun 2, 2021

Updates the developer documentation for remote test bench.

Spent some hours removing some dust off of this 7-year-old documentation.

<i class="fa fa-exclamation-triangle"></i>
<b>Notice:</b>
This setup intentionally weakens some security properties in the testing system. So make sure you understand the risks and use exclusively for testing.
</div>
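
Review bot: The notice sentence "This setup intentionally weakens some security properties in the testing system" does not say which properties are weakened; naming them in the notice would let readers judge the risk before following the steps. The closing sentence also lacks an object: "use exclusively for testing" would read better as "use it exclusively for testing".
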
Member

We should avoid using HTML in markdown files directly, it makes it harder to convert to other formats (like PDF) and also to translate. @andrewdavidwong do you remember an alternative for notes like this?

Member

> We should avoid using HTML in markdown files directly, it makes it harder to convert to other formats (like PDF) and also to translate. @andrewdavidwong do you remember an alternative for notes like this?

I also remember pointing out this problem and asking for a solution, but I don't recall anyone coming up with a solution.

Member

FWIW, I have also been using these alerts throughout the documentation, even though I also hate having HTML in Markdown files. My reasoning is that the value of clarity and preventing users from missing critical information outweighs the cost of having HTML in Markdown files.

Contributor Author

@deeplow deeplow Jun 2, 2021

Yes, I am aware. In doubt I decided to copy what was already on another page.

Is the following more acceptable? (block quote included)

> Notice:
> This setup intentionally weakens some security properties in the testing system. So make sure you understand the risks and use exclusively for testing.

Member

Oh, thanks for the link, @deeplow. I had partially forgotten about this. You actually did propose a solution, but it's still not clear to me whether we can implement it (i.e., whether it's compatible with GitHub Pages and such). Will discuss further on that issue.

Contributor Author

I believe I'm done with the proposed changes.

@deeplow deeplow changed the title [doc] update test-bench machine setup [WIP] [doc] update test-bench machine setup Jun 4, 2021
Contributor Author

deeplow commented Jun 4, 2021

After enabling internet access in dom0 `dnf install <PACKAGE>` stops being able to find packages in dom0. It just says they don't exist. And `qubes-dom0-update` is not useful because sys-net does not have the network card.

Is there any command parameter that can make it find the packages or is the best way to install packages just re-adding the network interface back to sys-net?

Member

marmarek commented Jun 4, 2021

> After enabling internet access in dom0 `dnf install <PACKAGE>` stops being able to find packages in dom0. It just says they don't exist.

Use `dnf --setopt=reposdir=/etc/yum.repos.d install <PACKAGE>`

> And `qubes-dom0-update` is not useful because sys-net does not have the network card.

In practice I keep one network interface (wifi one) in sys-net for this. But it's only a viable option if you have both wired and wireless network in the system.
There is another way: connect network to dom0 via sys-net. It isn't as reliable as direct connection (you can't for example restart sys-net), but it works (save as dom0-network-via-netvm and call via sudo):

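```sh
#!/bin/sh
# dom0-network-via-netvm: give dom0 a network connection through sys-net.
# Test systems only: stops the sys-net firewall and forwards SSH to dom0.

set -x
set -e
# Attach a virtual interface to dom0 (domain 0) with sys-net as the backend
xl network-attach 0 ip=10.137.99.1 script=/etc/xen/scripts/vif-route-qubes backend=sys-net
sleep 2
# Configure the new interface in dom0 and route all traffic through it
ip a a 10.137.99.1/24 dev eth0
ip l s eth0 up
ip r a default dev eth0
# printf instead of `echo -e`, which is not portable under /bin/sh
printf 'nameserver 10.139.1.1\nnameserver 10.139.1.2\n' > /etc/resolv.conf
# In sys-net: stop qubes-firewall, then forward incoming SSH (tcp/22) to dom0
qvm-run -p --no-gui -u root sys-net 'systemctl stop qubes-firewall'
sleep 2
qvm-run -p --no-gui -u root sys-net 'iptables -t nat -I PREROUTING -p tcp --dport 22 -j DNAT --to 10.137.99.1'
qvm-run -p --no-gui -u root sys-net 'iptables -I FORWARD -p tcp --dport 22 -d 10.137.99.1 -j ACCEPT'
# Start the SSH server in dom0
systemctl start sshd
```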

As with the other method, this is something suitable on a test system only.
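
A check for leftovers of this setup, as an added example that is not part of the original comment or of the Qubes documentation: it reads `iptables-save` output and lists the rules that DNAT to, or ACCEPT traffic for, the dom0 address used in the script above. The function names are hypothetical and the sample dump is constructed for illustration.

```shell
#!/bin/sh
# Added example: find sys-net rules that expose a dom0 address.
# Function names are hypothetical; the sample dump below is constructed.
DOM0_IP="${DOM0_IP:-10.137.99.1}"   # address used by the script above

# Read iptables-save output on stdin; print every rule that DNATs to $1
# or ACCEPTs traffic destined for $1, prefixed with its table name.
dom0_exposure_rules() {
    awk -v ip="$1" '
        /^\*/ { table = substr($0, 2); next }   # table header: *nat, *filter
        /^-[AI] / {
            dnat = 0; dst = 0; target = ""
            for (i = 1; i < NF; i++) {
                if ($i == "--to" || $i == "--to-destination") {
                    split($(i + 1), a, ":")     # strip optional :port
                    if (a[1] == ip) dnat = 1
                }
                if ($i == "-d") {
                    split($(i + 1), a, "/")     # strip optional /mask
                    if (a[1] == ip) dst = 1
                }
                if ($i == "-j") target = $(i + 1)
            }
            if (dnat || (dst && target == "ACCEPT")) print table ": " $0
        }'
}

# Constructed dump resembling sys-net after the script above has run.
sample_dump() {
    cat <<'EOF'
*nat
-A PREROUTING -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.137.99.1
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -d 10.137.99.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 10.137.0.5/32 -p tcp -m tcp --dport 22 -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Number of exposing rules found on stdin for $DOM0_IP.
count_exposure() { dom0_exposure_rules "$DOM0_IP" | wc -l | tr -d ' '; }
```

On a live test bench the dump would come from sys-net, for example `qvm-run -p -u root sys-net iptables-save | dom0_exposure_rules 10.137.99.1`, assuming sys-net still uses iptables as in the script above.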

Contributor Author

deeplow commented Jun 4, 2021

@marmarek makes sense. I've added the --setopt method to the doc. I've also provided advice in the case the developer has two network cards, one can be left in sys-net.

The dom0 networking through sys-net also looks neat. And that script is quite didactic in itself. But for the sake of brevity, I added the first method.

@deeplow deeplow changed the title [WIP] [doc] update test-bench machine setup [doc] update test-bench machine setup Jun 8, 2021
Contributor Author

deeplow commented Jun 8, 2021

I believe I am done with the changes. Ready for final review.

deeplow added 5 commits June 17, 2021 11:29
Updates the developer documentation for remote test bench
Add notes on how one can install software if the only network card was already to dom0.
@deeplow deeplow changed the title [doc] update test-bench machine setup Update test-bench machine setup Jun 17, 2021
Contributor Author

deeplow commented Jun 17, 2021

Rebased from master

Andrew David Wong and others added 7 commits June 23, 2021 16:20
- Remove unnecessary filler links
- Use Markdown, since HTML is not necessary here
- Make videos responsive
- Other miscellaneous improvements
Those are redundant, and yaml parser strips them in fact. By removing
them, loading and saving yaml file without any change indeed produce the
same output. This is useful for prepare_for_translation.py script (which
adds lang and ref tags) - to produce only change that indeed was made.
Again, this makes scripted modifications easier.
Member

@marmarek marmarek left a comment

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Approved as of 99083295b0a39cd03cd688bb85c363f381d3b934
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@andrewdavidwong
Member

Hi all,

There are a ton of errors in the CI log, but I think this is because CI is checking an outdated version of the repository. (For example, I see it flagging something that I know has already been removed.) I'm guessing this is because this PR has not been updated with the master branch, so I'm going to try pushing to this PR to see if that updates things correctly. (Unfortunately, this is cumbersome to do, but oh well.)

@andrewdavidwong
Member

Wow, that's a lot of commits (and, unfortunately, some unrelated comments came along with it). If there's a better way to handle this in the future, please let me know.

Now to wait and see whether this solves the CI problem...

@andrewdavidwong
Member

> Wow, that's a lot of commits (and, unfortunately, some unrelated comments came along with it). If there's a better way to handle this in the future, please let me know.

@marmarek, I have the vague sense that you might have already told me how I should handle this, but I can't remember and can't find the conversation anywhere... I hate having a terrible memory. ☹️

This time I'll document it so that I can reference it later.

@andrewdavidwong
Member

On the plus side, no more CI errors!

Member

fepitre commented Jun 26, 2021

@andrewdavidwong to be sure you can type 'PipelineRetry' (without quotes directly)

@andrewdavidwong
Member

> @andrewdavidwong to be sure you can run 'PipelineRetry'

Wait, is that necessary? If so, why? I believe it just ran a fresh check after I pushed all the commits from origin/master, so shouldn't the current (passing) check be good enough?

Member

fepitre commented Jun 26, 2021

> > @andrewdavidwong to be sure you can run 'PipelineRetry'
>
> Wait, is that necessary? If so, why? I believe it just ran a fresh check after I pushed all the commits from origin/master, so shouldn't the current (passing) check be good enough?

Yes it's fine if you merged it recently.

@andrewdavidwong
Member

> > > @andrewdavidwong to be sure you can run 'PipelineRetry'
> >
> > Wait, is that necessary? If so, why? I believe it just ran a fresh check after I pushed all the commits from origin/master, so shouldn't the current (passing) check be good enough?
>
> Yes it's fine if you merged it recently.

Well, I haven't merged this PR yet, but there was some kind of automerge when I pulled this PR. Is that what you mean?

Member

fepitre commented Jun 26, 2021

> > > > @andrewdavidwong to be sure you can run 'PipelineRetry'
> > >
> > > Wait, is that necessary? If so, why? I believe it just ran a fresh check after I pushed all the commits from origin/master, so shouldn't the current (passing) check be good enough?
> >
> > Yes it's fine if you merged it recently.
>
> Well, I haven't merged this PR yet, but there was some kind of automerge when I pulled this PR. Is that what you mean?

Yes, I meant when merging some commits into this PR.

@andrewdavidwong andrewdavidwong merged commit 30e3cbe into QubesOS:master Jun 26, 2021
@marmarek
Member

> There are a ton of errors in the CI log, but I think this is because CI is checking an outdated version of the repository.

There shouldn't be the need to do anything manually, CI tests PR branch merged into master, so recent changes in master should be included too. But, there is some issue with CI that we haven't figured out yet and sometimes it uses outdated branch. The workaround is to trigger the run again with "PipelineRetry" comment.

@andrewdavidwong
Member

> There shouldn't be the need to do anything manually, CI tests PR branch merged into master, so recent changes in master should be included too. But, there is some issue with CI that we haven't figured out yet and sometimes it uses outdated branch. The workaround is to trigger the run again with "PipelineRetry" comment.

Thank you! I've documented the PipelineRetry command here: decc413. @marmarek, @fepitre, please add any other CI commands that should be documented.
