[xenial] Ensures server packages required by ./securedrop-admin install are present on Xenial #4115
Conversation
zenmonkeykstop
requested review from
conorsch,
emkll,
kushaldas and
msheiny
as code owners
eloquence
changed the title
|
@zenmonkeykstop This also needs a rebase against the develop to fix the |
There was a problem hiding this comment.
If the apt package manager on the host is vulnerable to CVE-2019-3462 (which is likely currenly the case, since the latest Xenial ISO is 6 months old [0]), it may be possible for an attacker to exploit this vulnerability and run malicious code. The upgrade-apt.yml task introduced in #4061 unfortunately runs after the prepare-servers role specified here.
It might make sense to convert the apt upgrade logic into the prepare-servers task in raw commands, to ensure it is consistently run before everything else.
zenmonkeykstop
requested review from
heartsucker and
redshiftzero
as code owners
zenmonkeykstop
force-pushed
the
4109-prepare-servers
branch
from
e38bae3
to
de2deba
Compare
|
Appended a commit moving the logic already present via #4061 into the new role. The outstanding question I have now is: will the Hardware testing required in order to confirm the above. If it does prove to be a problem, then we're faced with a few options:
Slight preference for 3 and optionally 4, but defer to the team for input. |
(coming to you live from Hut 6 in Bletchley Park...)
zenmonkeykstop
force-pushed
the
4109-prepare-servers
branch
from
77ca5d3
to
ce38eb2
Compare
|
Apologies @conorsch I think I may have nuked your commit (albeit with one doing something similar.) I won't be in a position to test against hardware until Saturday, if someone else can test against hardware I'd appreciate it. I'm optimistic that it will work if raw commands use a similar mechanism to gather_facts. |
We're no longer upgrading apt in this logic, we're simply ensuring that the apt version meets spec before proceeding with the installation.
|
@zenmonkeykstop Thanks for reply, no surprise we're stepping on toes a bit with this one. 😇 Just added some more fixes on top of yours, pulling in some work that was done by @emkll in tandem. I believe this is now ready for review. cc @redshiftzero I remain skeptical about the sudo password behavior, but testing on hardware required to get clarity there. |
There was a problem hiding this comment.
Failed with the following error while installing from the tails vm.
TASK [install-fpf-repo : Setup FPF apt repo.] ******************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: apt.cache.FetchFailedException: W:The repository 'https://apt.freedom.press xenial Release' does not have a Release file., W:Data from such a repository can't be authenticated and is therefore potentially dangerous to use., W:See apt-secure(8) manpage for repository creation and user configuration details., E:Failed to fetch https://apt.freedom.press/dists/xenial/main/binary-amd64/Packages 404 Not Found, E:Some index files failed to download. They have been ignored, or old ones used instead.
fatal: [mon]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n File \"/tmp/ansible_zTOCpM/ansible_module_apt_repository.py\", line 550, in <module>\n main()\n File \"/tmp/ansible_zTOCpM/ansible_module_apt_repository.py\", line 542, in main\n cache.update()\n File \"/usr/lib/python2.7/dist-packages/apt/cache.py\", line 487, in update\n raise FetchFailedException(e)\napt.cache.FetchFailedException: W:The repository 'https://apt.freedom.press xenial Release' does not have a Release file., W:Data from such a repository can't be authenticated and is therefore potentially dangerous to use., W:See apt-secure(8) manpage for repository creation and user configuration details., E:Failed to fetch https://apt.freedom.press/dists/xenial/main/binary-amd64/Packages 404 Not Found, E:Some index files failed to download. They have been ignored, or old ones used instead.\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: apt.cache.FetchFailedException: W:The repository 'https://apt.freedom.press xenial Release' does not have a Release file., W:Data from such a repository can't be authenticated and is therefore potentially dangerous to use., W:See apt-secure(8) manpage for repository creation and user configuration details., E:Failed to fetch https://apt.freedom.press/dists/xenial/main/binary-amd64/Packages 404 Not Found, E:Some index files failed to download. They have been ignored, or old ones used instead.
fatal: [app]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n File \"/tmp/ansible_J_kKjC/ansible_module_apt_repository.py\", line 550, in <module>\n main()\n File \"/tmp/ansible_J_kKjC/ansible_module_apt_repository.py\", line 542, in main\n cache.update()\n File \"/usr/lib/python2.7/dist-packages/apt/cache.py\", line 487, in update\n raise FetchFailedException(e)\napt.cache.FetchFailedException: W:The repository 'https://apt.freedom.press xenial Release' does not have a Release file., W:Data from such a repository can't be authenticated and is therefore potentially dangerous to use., W:See apt-secure(8) manpage for repository creation and user configuration details., E:Failed to fetch https://apt.freedom.press/dists/xenial/main/binary-amd64/Packages 404 Not Found, E:Some index files failed to download. They have been ignored, or old ones used instead.\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}
NO MORE HOSTS LEFT *********************************************************************************************
NO MORE HOSTS LEFT *********************************************************************************************
to retry, use: --limit @/home/amnesia/Persistent/securedrop/install_files/ansible-base/securedrop-prod.retry
PLAY RECAP *****************************************************************************************************
app : ok=8 changed=3 unreachable=0 failed=1
localhost : ok=4 changed=0 unreachable=0 failed=0
mon : ok=8 changed=3 unreachable=0 failed=1
ERROR (run with -v for more): Command '['/home/amnesia/Persistent/securedrop/install_files/ansible-base/securedrop-prod.yml', '--ask-become-pass']' returned non-zero exit status 2
|
Hey @kushaldas it seems like you are using the prod apt server (apt.freedom.press) to test under xenial. There is currently no Xenial channel hosted on that server: You must use apt-test.freedom.press. The Xenial channel will be hosted on prod apt servers starting with the 0.12.0 release |
emkll
dismissed
their stale review
Dismissing based on recent changes to the branch
@emkll can you please add the steps for the same in the test plan? This will help in future reference. |
|
Apologies for the omission @kushaldas, I've updated the test plan. |
|
@kushaldas please take another look at this one when you get a chance today, let's try to get this merged in for 0.12.0~rc2 which we should get done before the weekend |
There was a problem hiding this comment.
- Modify Vagrantfile if necessary to use 16.04 images for
app-prodandmon-prod - Create prod VMs:
vagrant up --no-provision /prod/ - Use
vagrant ssh <vm-name-hereto connect to VMs, and remove the packages listed above. Verify that/usr/bin/pythonin particular has been removed. - On your Tails VM Admin Workstation, modify
/Persistent/securedrop/install_files/ansible-base/roles/install-fpf-repo/defaults/main.ymlto point to theapt-test.freedom.presstest repo and to useapt-test-signing-key.pubas the repo signing key - proceed with the SecureDrop installation and it finished and worked as expected.
Status
Ready for review
Description of Changes
Fixes #4109 .
Adds an Ansible role that ensures
securedrop-admin install's missing package prerequisites (python, apt-transport-https, dnsutils) are installed on Xenial systems set up with only theOpenSSH serveroption checked in the OS installer's 'Software selection` dialog.Testing
Prod VMs
app-prodandmon-prodvagrant up --no-provision /prod/vagrant ssh <vm-name-hereto connect to VMs, and remove the packages listed above. Verify that/usr/bin/pythonin particular has been removed./Persistent/securedrop/install_files/ansible-base/roles/install-fpf-repo/defaults/main.ymlto point to theapt-test.freedom.presstest repo and to useapt-test-signing-key.pubas the repo signing keyHardware
standard system utilitiesis deselected andOpenSSH serveris selected on the Software Selection dialog.~/Persistent/securedrop/install_files/ansible-base/roles/install-fpf-repo/defaults/main.ymlto point to theapt-test.freedom.presstest repo and to useapt-test-signing-key.pubas the repo signing keyDeployment
This only affects new Xenial installs, and nothing special is required for deployment.
Checklist
If you made non-trivial code changes:
(note: tested on prod VMs)