New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Always force the use latest kernel by default #3857

Merged
merged 1 commit into from Oct 11, 2018

Conversation

Projects
None yet
3 participants
@emkll
Copy link
Contributor

emkll commented Oct 9, 2018

Status

Ready for review

Description of Changes

Fixes #3842.

  • Bumps kernel metapackage version to 4.4.144-1 so that the version is higher than currently installed version
  • Change postinst to force latest kernel to boot by default

Testing

  • Install 0.9.0 on virtual machines or hardware
  • roll back to 3.14.79 per instructions here: https://docs.securedrop.org/en/release-0.9/kernel_troubleshooting.html
  • checkout this branch and make build-debs and use securedrop-grsec-4.4.144-1-amd64.deb
  • install securedrop-grsec-4.4.144-1-amd64.deb on machines that have been rolled back
  • sudo apt-get autoremove (necessary for local testing only: when using apt servers, this will be done by cron-apt)

Confirm that:

  • The app and mon servers boot into kernel 4.4.144-grsec (uname -r)
  • apt list --installed | grep grsec still includes 3.14.79
  • /etc/default/grub contains GRUB_DEFAULT=0

Deployment

All changes will be deployed as part with the securedrop-grsec package.
Setting the version string to 4.4.144-1 (because we are not shipping a kernel as part of 0.10.0, see #3838 ). We will be removing 3.14.79 kernel at a later date, see #3643

Checklist

If you made changes to the system configuration:

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

@emkll emkll requested review from conorsch and msheiny as code owners Oct 9, 2018

@emkll emkll added this to the 0.10.0 milestone Oct 9, 2018

@emkll emkll force-pushed the always-use-latest-kernel branch from d4772e0 to b4871b6 Oct 9, 2018

@conorsch conorsch requested a review from zenmonkeykstop Oct 10, 2018

@redshiftzero

This comment has been minimized.

Copy link
Member

redshiftzero commented Oct 10, 2018

hey @zenmonkeykstop, putting this one on your QA list - let's try to get this one in today/tomorrow so we can backport into the release branch

@emkll emkll force-pushed the always-use-latest-kernel branch from b4871b6 to 4105f10 Oct 10, 2018

@emkll

This comment has been minimized.

Copy link
Contributor

emkll commented Oct 10, 2018

Rebased on latest develop. The reason the full kernel string is due to the build logic around the Jinja templating of files: postinst requires executable permissions, but the templates produce files with non-executable permissions.

I see 2 ways to approach this:

@zenmonkeykstop

This comment has been minimized.

Copy link
Contributor

zenmonkeykstop commented Oct 10, 2018

Tested as follows:

sudo dpkg -i securedrop-grsec-4.4.144-1-amd64.deb
sudo apt-get autoremove
sudo reboot

Confirmed that:

[x] The app and mon servers boot into kernel 4.4.144-grsec (uname -r)
[x] apt list --installed | grep grsec still includes 3.14.79
[x] /etc/default/grub contains GRUB_DEFAULT=0

So 👍 for this change on VMs.

Always use latest kernel
Until now, the postinst action for the securedrop-grsec metapackage
would preserve preferences for a rolled back kernel. This will now
remove this preference, by setting GRUB_DEFAUT=0, which will instruct
grub to use the highest kernel version available on the system.

@emkll emkll force-pushed the always-use-latest-kernel branch from 4105f10 to b37ebb2 Oct 10, 2018

@redshiftzero
Copy link
Member

redshiftzero left a comment

thanks @emkll and thanks for the QA @zenmonkeykstop - merging so we can backport into the release branch

@redshiftzero redshiftzero merged commit c2db2a1 into develop Oct 11, 2018

5 checks passed

ci/circleci: admin-tests Your tests passed on CircleCI!
Details
ci/circleci: lint Your tests passed on CircleCI!
Details
ci/circleci: staging-test-with-rebase Your tests passed on CircleCI!
Details
ci/circleci: tests Your tests passed on CircleCI!
Details
ci/circleci: updater-gui-tests Your tests passed on CircleCI!
Details

@redshiftzero redshiftzero deleted the always-use-latest-kernel branch Oct 11, 2018

@redshiftzero redshiftzero removed the needs/QA label Oct 11, 2018

@zenmonkeykstop zenmonkeykstop referenced this pull request Oct 16, 2018

Closed

Release SecureDrop 0.10.0 #3849

24 of 24 tasks complete
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment