Installs locally built metapackage in staging

The "securedrop-grsec" metapackage isn't included in the "install-local-packages" logic, for the staging environment. That makes evaluationg metapackage changes difficult. Let's add support for local metapackages to aid in adjusting kernel-related settings.
freedomofpress · Jan 6, 2021 · 842787a · 842787a
1 parent 079a130
commit 842787a
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 0 deletions.
diff --git a/install_files/ansible-base/roles/grsecurity/tasks/from_fpf_repo_install_grsec.yml b/install_files/ansible-base/roles/grsecurity/tasks/from_fpf_repo_install_grsec.yml
@@ -31,6 +31,7 @@
     state: latest
   async: 500
   poll: 10
+  when: not install_local_packages|default(False)
   tags:
     - apt
     - grsec
@@ -42,6 +43,7 @@
   # Read-only task for
   changed_when: false
   register: grsec_str
+  when: ansible_distribution_release == "xenial"
   tags:
     - grsec
     - kernel
@@ -51,6 +53,7 @@
   stat:
     path: /boot/grub/grubenv
   register: grubenv_check_initial_result
+  when: ansible_distribution_release == "xenial"
   tags:
     - grsec
     - grub
@@ -63,6 +66,7 @@
   # so "changed" status can only be determined by comparing
   # checksums on that file. We'll do so in the subsequent task.
   changed_when: false
+  when: ansible_distribution_release == "xenial"
   tags:
     - grsec
     - grub
@@ -80,6 +84,7 @@
   register: grubenv_check_configured_result
   changed_when: grubenv_check_initial_result.stat.checksum !=
                 grubenv_check_configured_result.stat.checksum
+  when: ansible_distribution_release == "xenial"
   tags:
     - grsec
     - grub

diff --git a/install_files/ansible-base/roles/grsecurity/tasks/from_local_pkg_install_grsec.yml b/install_files/ansible-base/roles/grsecurity/tasks/from_local_pkg_install_grsec.yml
@@ -0,0 +1,8 @@
+---
+- name: Copy locally built securedrop-grsec metapackage
+  copy:
+    src: "../../build/{{ ansible_distribution_release }}/securedrop-grsec-{{ securedrop_pkg_grsec.ver }}{{ '+focal' if securedrop_staging_install_target_distro|default('') == 'focal' else '' }}-amd64.deb"
+    dest: /root/securedrop-grsec.deb
+
+- name: Install locally built securedrop-grsec metapackage
+  command: apt-get install -y -f /root/securedrop-grsec.deb
diff --git a/install_files/ansible-base/roles/grsecurity/tasks/main.yml b/install_files/ansible-base/roles/grsecurity/tasks/main.yml
@@ -15,6 +15,11 @@
   tags:
     - grsec
 
+- include: from_local_pkg_install_grsec.yml
+  when: install_local_packages|default(False)
+  tags:
+    - grsec
+
 - include: clean_packages.yml
 
 - include: apply_grsec_lock.yml