coordination #9536

Test all DMs for working encrypted home support

Added by scarabeus_iv over 5 years ago. Updated 3 months ago.

Status: New
Priority: Normal
Assignee:
Target version:
Start date: 2020-05-05
Due date:
% Done: 100%
Estimated time: (Total: 16.00 h)

Description

We are currently testing only the "encrypt all" scenario, but it seems a few people are encrypting the home partition only.

We need to tweak the install phase to allow a disk layout change for the encryption of home only.
Then we need to have a test for each DM (xdm/kdm/sddm/whatever) to see that they can still log in to the machine just fine.

This is a spin-off of bnc#954419.

Suggestions

  • Cover the three most common display managers: sddm, gdm, xdm
  • Add a test suite that encrypts home for a user and then logs in to those three DMs
  • Talk to the YaST team to sync work.

j.log (6.03 KB) dheidler, 2016-04-06 11:54

Subtasks

action #65172: [functional][y] Enable scenario with gnome installation with /home partition encrypted (Resolved, ybonatakis)

action #66862: [functional][y] Test interactive installation with encrypted /home partition (Resolved, syrianidou_sofia)


Related issues

Related to openQA Tests - action #29986: [functional][u][opensuse][hard]test fails in multi_users_dm (Resolved, 2018-01-04, 2018-04-24)

History

#1 Updated by RBrownSUSE over 5 years ago

  • Category set to New test
  • Priority changed from Normal to Low
  • Target version set to 154

#2 Updated by scarabeus_iv over 5 years ago

Copy from the bug:

To create the encrypted home, I just opened YAST, User and Group management, selected the user, Edit, and select to encrypt home, give a size, password is asked, and that's all.
One thing that never happens is that the user's files are moved. They are copied but remain in the home folder.

#3 Updated by scarabeus_iv over 5 years ago

To create the encrypted home, I just opened YAST, User and Group management, selected the user, Edit, and select to encrypt home, give a size, password is asked, and that's all.
One thing that never happens is that the user's files are moved. They are copied but remain in the home folder.

This morning I added a comment but it is gone, so here again.

I fixed the problem by changing /etc/pam.d/sddm to

auth optional pam_mount.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_cryptpass.so
session optional pam_mount.so

The first line and last two lines were added, and since then I was able to log in.

What still is an issue is that the encrypted home is not properly dismounted after log out, which could result in corrupted files, as I discovered in earlier opensuse versions.
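
The change described in comment #3, as an added example that is not part of the original comment or of the openQA test code: a Python check that reports whether a display manager's PAM service reaches pam_mount.so in both its auth and session stacks, following include and substack lines. Apart from the sddm file quoted above, the file contents and the names modules() and pam_mount_coverage() are constructed for illustration.

```python
import re

# Constructed sample files: "sddm" is the configuration quoted above,
# the other three are illustrative stand-ins, not copied from a system.
FILES = {
    "sddm": "auth optional pam_mount.so\nauth include common-auth\n"
            "account include common-account\n"
            "password include common-password\n"
            "session required pam_loginuid.so\n"
            "session include common-session\n"
            "session optional pam_cryptpass.so\n"
            "session optional pam_mount.so\n",
    "xdm": "auth include common-auth\naccount include common-account\n"
           "session required pam_loginuid.so\nsession include common-session\n",
    "common-auth": "auth required pam_unix.so try_first_pass\n",
    "common-session": "session required pam_unix.so try_first_pass\n",
}

def parse_pam(text):
    """Yield (type, control, module) for every rule in a PAM service file."""
    text = text.replace("\\\n", " ")            # join continuation lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments and blanks
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            yield m.group(1).lower(), m.group(2), m.group(3)

def modules(service, files, kind, seen=None):
    """Modules of one type for a service, following include/substack."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return []                               # loop guard / unknown file
    seen.add(service)
    found = []
    for typ, control, module in parse_pam(files[service]):
        if typ != kind:
            continue
        if control in ("include", "substack"):
            found += modules(module, files, kind, seen)
        else:
            found.append(module)
    return found

def pam_mount_coverage(service, files):
    """True/False per stack: is pam_mount.so reachable for auth and session?"""
    return {kind: "pam_mount.so" in modules(service, files, kind)
            for kind in ("auth", "session")}

if __name__ == "__main__":
    for dm in ("sddm", "xdm"):
        print(dm, pam_mount_coverage(dm, FILES))
```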

#4 Updated by RBrownSUSE over 5 years ago

  • Checklist set to [ ] TW, [ ] SLE, [ ] Leap
  • Target version deleted (154)

#5 Updated by RBrownSUSE over 5 years ago

  • Assignee set to dheidler
  • Priority changed from Low to Normal

#6 Updated by dheidler over 5 years ago

  • File j.log added
  • Subject changed from Test all DMs for working encrypted home support to [BLOCKED] Test all DMs for working encrypted home support

Blocked on bnc#954419.
Also I tried it with tumbleweed:

  • I created a user 'tux'
  • I changed its home to encrypted using yast
  • I rebooted
  • I cannot log in using gdm (it asks me for 2 passwords: pam and keyfile, and then behaves as described in bnc#954419)
  • I can log in to tty but I seem to get the old unencrypted version of the home directory (with the files I created before setting the home to encrypted). Also I get error messages (see attached log).

#7 Updated by okurz over 4 years ago

bump

#8 Updated by okurz over 4 years ago

So the bug is still open and it looks like it will never be fixed. dheidler, what do you propose?

#9 Updated by dheidler over 4 years ago

If the bug won't get fixed, we can't do anything but drop the feature.

#10 Updated by scarabeus_iv over 4 years ago

dheidler wrote:

If the bug won't get fixed, we can't do anything but drop the feature.

As the bug still talks about gdm only why didn't you put the information it fails on gdm too there?
Also maybe it could be reassigned to pam people...

#11 Updated by scarabeus_iv over 4 years ago

I mean the bug now describes the issue only on sddm.

#12 Updated by okurz over 3 years ago

  • Related to action #29986: [functional][u][opensuse][hard]test fails in multi_users_dm added

#13 Updated by okurz about 3 years ago

  • Subject changed from [BLOCKED] Test all DMs for working encrypted home support to [functional][u] Test all DMs for working encrypted home support
  • Target version set to future

Let's put it on the QSF backlog

#14 Updated by dheidler about 3 years ago

  • Assignee deleted (dheidler)

#15 Updated by okurz over 2 years ago

  • Checklist deleted ([ ] TW, [ ] SLE, [ ] Leap)
  • Priority changed from Normal to Low

Let's focus more on improving our current tests and workflows first. Putting to "holding tank" :)

#16 Updated by szarate over 1 year ago

  • Priority changed from Low to High
  • Target version changed from future to Milestone 30

Let's look at this for the next grooming session perhaps? Ask the y team about possible scenarios already implemented.

#17 Updated by szarate over 1 year ago

Spoke to Rodion, they don't have said scenarios, so we could simply create them, but he's also proposing to automate them with autoyast (which is a great idea)

A quick idea:

  • gnome + separate home encrypted on btrfs with snapshots
  • minimal x + lvm with encrypted separate home + xfs

Having HDD with these on the functional job group we could spin up other tests that touch the x11 applications mostly, and maybe things like evolution (although SLED might have more interest?)

#18 Updated by riafarov over 1 year ago

After discussion with Yifan, we will wait for the feedback to know whether such a scenario is supported and, if so, what the expectations are, and then act on this accordingly.

#19 Updated by SLindoMansilla over 1 year ago

  • Description updated (diff)
  • Status changed from New to Workable
  • Estimated time set to 42.00 h

#20 Updated by szarate over 1 year ago

  • Status changed from Workable to New
  • Estimated time deleted (42.00 h)

For now, we're waiting on Yifan's feedback. Kicking this back to the backlog.

#21 Updated by yfjiang over 1 year ago

Hi folks,

Checked with the release and product side, and talked to people who had experience with this. The encrypted home is indeed a supported use case for SLED, though the techniques for implementing it evolve.

Thank you for bringing it up, it is worthy of doing, and I think the implementation timeline is best scheduled by the agile team :-) Hope the information helps.

#22 Updated by riafarov over 1 year ago

  • Target version changed from Milestone 30 to Milestone 33

yfjiang wrote:

Hi folks,

Checked with the release and product side, and talked to people who had experience with this. The encrypted home is indeed a supported use case for SLED, though the techniques for implementing it evolve.

Thank you for bringing it up, it is worthy of doing, and I think the implementation timeline is best scheduled by the agile team :-) Hope the information helps.

Hi Yifan! Thanks a lot for the confirmation! We can start with SLES+WE which will be easy to migrate to SLED afterwards.

#23 Updated by szarate over 1 year ago

@Rodion, would you like to move forward with the autoyast approach? This sparked the idea to have an autoyast workshop for the QSFU team, and would then... be a perfect candidate, wdyt?

#24 Updated by riafarov over 1 year ago

  • Subject changed from [functional][u] Test all DMs for working encrypted home support to [functional][epic][u][y] Test all DMs for working encrypted home support
  • Assignee set to riafarov
  • Target version changed from Milestone 33 to Milestone 35+

szarate wrote:

@Rodion, would you like to move forward with the autoyast approach? This sparked the idea to have an autoyast workshop for the QSFU team, and would then... be a perfect candidate, wdyt?

I will convert this one into an epic and create subtasks for autoyast for now, and we can proceed from there. I did some autoyast sessions before, so I even have some slides. Will talk to Mazte to organize it, sounds like a good idea.

#25 Updated by riafarov over 1 year ago

  • Due date changed from 2020-04-21 to 2020-05-05

due to changes in a related task

#26 Updated by riafarov about 1 year ago

  • Due date changed from 2020-05-05 to 2020-05-19

due to changes in a related task: #65172

#27 Updated by ybonatakis about 1 year ago

  • Due date changed from 2020-05-19 to 2020-05-05

due to changes in a related task: #65172

#28 Updated by ybonatakis about 1 year ago

  • Due date changed from 2020-05-05 to 2020-05-19
  • Start date changed from 2020-04-02 to 2020-05-05

due to changes in a related task: #65172

#29 Updated by riafarov about 1 year ago

  • Target version changed from Milestone 35+ to SLE 15 SP3

#30 Updated by riafarov about 1 year ago

  • Due date changed from 2020-05-19 to 2020-09-08

due to changes in a related task: #66862

#31 Updated by riafarov 11 months ago

  • Due date changed from 2020-09-08 to 2020-09-22

due to changes in a related task: #66862

#32 Updated by riafarov 10 months ago

  • Project changed from openQA Tests to qe-yast
  • Category deleted (New test)

#33 Updated by riafarov 10 months ago

  • Project changed from qe-yast to openQA Tests

#34 Updated by szarate 10 months ago

  • Tracker changed from action to coordination

#36 Updated by riafarov 10 months ago

  • Project changed from openQA Tests to qe-yast

#37 Updated by riafarov 9 months ago

  • Subject changed from [functional][epic][u][y] Test all DMs for working encrypted home support to Test all DMs for working encrypted home support
  • Target version changed from SLE 15 SP3 to future

Gnome is covered, other DMs are low prio at the moment.

#38 Updated by riafarov 3 months ago

  • Assignee changed from riafarov to oorlov
