Disables haveged service in preinst, if unit file is present #6008

Merged
merged 1 commit into from Jun 21, 2021

Contributor

@zenmonkeykstop zenmonkeykstop commented Jun 21, 2021

Status

Ready for review

Description of Changes

Adds to fix for #6005.

If haveged is present, stop/disable/mask the service - this is a compromise vs removing the package altogether.

Testing

  • Make sure you're using libvirt-based VMs (upgrade scenario does not support Qubes env)
  • molecule create -s libvirt-prod-focal
  • Boot up admin workstation and install against those prod VMs with ./securedrop-admin install
  • make build-debs on this branch on host (ok to run this in parallel with step 2 to save time)
  • make upgrade-start on host, to set up local apt repo
  • Back in admin workstation, run the playbook securedrop-apt-local.yml in the ansible-base directory (make sure to source the admin venv first, see docs), ansible-playbook --diff -vv ./securedrop-apt-local.yml
  • ssh app and then sudo apt-get update && sudo unattended-upgrade -d
    • the unattended upgrade command completes successfully
    • apt-cache policy securedrop-app-code shows package is upgraded
    • systemctl status haveged shows haveged is stopped, disabled, and masked.

Deployment

Any special considerations for deployment? Consider both:

  1. Upgrades: script change has been tested as above - in cases where haveged is present it should just be disabled
  2. New installs: since haveged will not be installed on fresh SD installs from 2.0.0 on, the script won't do anything.

Checklist

If you made changes to the server application code:

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

Choose one of the following:

  • I have opened a PR in the docs repo for these changes, or will do so later
  • I would appreciate help with the documentation
  • These changes do not require documentation
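
One way a preinst-style script could carry out the stop/disable/mask step described in this PR, as an added example that is not the code merged here. The unit directory path and the `UNIT_DIR` and `SYSTEMCTL` override variables are assumptions, introduced so the logic can be exercised without touching a real system.

```shell
#!/bin/sh
# Added example, not SecureDrop's own preinst script.
# Assumptions: packaged unit files live in /lib/systemd/system, and the
# UNIT_DIR / SYSTEMCTL overrides (hypothetical names) exist for offline testing.

UNIT_DIR="${UNIT_DIR:-/lib/systemd/system}"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"

# Return 0 if the unit file named $1 exists in UNIT_DIR.
unit_file_present() {
    [ -e "$UNIT_DIR/$1" ]
}

# Stop, disable and mask service $1 if its unit file is present; otherwise
# do nothing. Prints one line per action and always returns 0: a non-zero
# exit from a maintainer script would abort the package upgrade, so a
# service that is already stopped or disabled must not be treated as fatal.
disable_service_if_present() {
    unit="$1.service"
    if ! unit_file_present "$unit"; then
        echo "skip: $unit not installed"
        return 0
    fi
    # Order matters: stop the running process, remove it from boot targets,
    # then mask so neither a dependency nor a manual start can bring it back.
    for action in stop disable mask; do
        if $SYSTEMCTL "$action" "$unit" >/dev/null 2>&1; then
            echo "ok: $action $unit"
        else
            echo "warn: $action $unit failed (continuing)"
        fi
    done
    return 0
}

# In a preinst script this would be invoked as:
#   disable_service_if_present haveged
```
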

@zenmonkeykstop zenmonkeykstop requested a review from a team as a code owner June 21, 2021 16:30
@zenmonkeykstop zenmonkeykstop added this to Ready for Review in SecureDrop Team Board Jun 21, 2021
Contributor

@rmol rmol left a comment

I had to test using my Qubes prod VMs, as I didn't have a virtualized admin environment on Debian. I started from 1.8.2, with haveged installed, enabled, and running, and set up a local apt repo instead of using the upgrade scenario's server. With that in place, unattended-upgrades completed the upgrade of securedrop-app-code, and the haveged service was disabled and masked according to plan.

@rmol rmol merged commit 6c9fd2f into develop Jun 21, 2021
SecureDrop Team Board automation moved this from Ready for Review to Done Jun 21, 2021
@rmol rmol deleted the disable-haveged-in-preinst branch June 21, 2021 21:17
@rmol rmol mentioned this pull request Jun 23, 2021