
Add support for Tails 6 #7116

Merged
merged 16 commits into from
Mar 1, 2024

Conversation

zenmonkeykstop
Contributor

@zenmonkeykstop zenmonkeykstop commented Feb 19, 2024

Status

Ready for review

Description of Changes

Fixes #7092

  • Switches admin test docker container to Debian Bookworm (Tails 6 is based on Bookworm)
  • Updates prod dependencies:
    • Ansible-core from 2.13.7 (6.7.0) to 2.15.9 (8.7.0)
    • cffi from 1.14.5 to 1.16.0
    • pyyaml from 5.4.1 to 6.0.1
  • Includes ansible 2.13.7 explicitly in dev requirements (for molecule), removing the admin/requirements-ansible.in include
  • Updates bootstrap setup to fix apt install command under Tails 6
  • Updates OS checks in code and ansible playbooks to detect Tails 6 correctly
  • Updates dev and test dependencies for Tails 6 (Bookworm)
  • Updates tests and tox.ini for Tails 6
  • Updates tasks in Ansible tailsconfig role to clear linting errors.

Testing

Tails 5

Install

  • On an admin workstation, check out this branch and perform a production install (VMs are fine), and verify that (with the --force flag as appropriate):
    • ./securedrop-admin setup completes successfully, installing required apt packages and creating a virtualenv with updated dependencies listed above
    • ./securedrop-admin sdconfig completes successfully
    • ./securedrop-admin install completes successfully
    • ./securedrop-admin tailsconfig completes successfully with ssh targets, desktop icons, and SecureDrop menu available.
  • reboot the admin workstation and verify that:
    • The network hook runs successfully on network connection, and the ssh targets, desktop icons, and SecureDrop menu are available.
  • Submit via the source interface, create a journalist account, and reply via the journalist interface. Then, confirm that:
    • ./securedrop-admin backup completes successfully
  • Reply again, run ./securedrop-admin restore <backupname> and confirm that
    • the restore command completes successfully
    • the second reply is not present.
  • Confirm that ./securedrop-admin logs completes successfully, capturing the expected logs

Update from latest

  • On an admin workstation with an existing install of 2.7.1, simulate a GUI update with the following commands:
    • git fetch && git checkout tails6-ftw completes
    • ./securedrop-admin setup completes
    • ./securedrop-admin tailsconfig completes
  • Verify that ssh targets, desktop icons, and SecureDrop menu are still available and working.
  • Confirm that ./securedrop-admin logs completes successfully, capturing the expected logs
  • Verify that:
    • ./securedrop-admin sdconfig lists the expected config settings
    • A rerun of ./securedrop-admin install completes successfully (may take time over Tor)
  • reboot the admin workstation and verify that:
    • The network hook runs successfully on network connection, and the ssh targets, desktop icons, and SecureDrop menu are available.
  • Submit via the source interface, create a journalist account, and reply via the journalist interface. Then, confirm that:
    • ./securedrop-admin backup completes successfully
      FAIL: I immediately get ./securedrop-admin: line 26: <path>: Success, but no backup file is saved
  • Reply again, run ./securedrop-admin restore <backupname> and confirm that
    • the restore command completes successfully
    • the second reply is not present.

Tails 6

Install

  • On an admin workstation, check out this branch and perform a production install (VMs are fine), and verify that (with the --force flag as appropriate):
    • ./securedrop-admin setup completes successfully, installing required apt packages and creating a virtualenv with updated dependencies listed above
    • ./securedrop-admin sdconfig completes successfully
    • ./securedrop-admin install completes successfully
    • ./securedrop-admin tailsconfig completes successfully with ssh targets, desktop icons, and SecureDrop menu available.
  • reboot the admin workstation and verify that:
    • The network hook runs successfully on network connection, and the ssh targets, desktop icons, and SecureDrop menu are available.
  • Submit via the source interface, create a journalist account, and reply via the journalist interface. Then, confirm that:
    • ./securedrop-admin backup completes successfully
  • Reply again, run ./securedrop-admin restore <backupname> and confirm that
    • the restore command completes successfully
    • the second reply is not present.
  • Confirm that ./securedrop-admin logs completes successfully, capturing the expected logs

Migration from Tails 5

  • Create a fresh Tails 6 stick and restore the PV from a Tails 5 persistent volume to it
  • Do a manual update:
    • git fetch && git checkout tails6-ftw (simulating ./securedrop-admin update)
    • ./securedrop-admin setup - confirm that the Tails 5 venv is destroyed and a Tails 6 version created
    • ./securedrop-admin tailsconfig - confirm that ssh targets, icons, and menu are created
  • Confirm that ./securedrop-admin logs completes successfully, capturing the expected logs
  • Verify that:
    • ./securedrop-admin sdconfig lists the expected config settings
    • A rerun of ./securedrop-admin install completes successfully (may take time over Tor)
  • reboot the admin workstation and verify that:
    • The network hook runs successfully on network connection, and the ssh targets, desktop icons, and SecureDrop menu are available.
  • Submit via the source interface, create a journalist account, and reply via the journalist interface. Then, confirm that:
    • ./securedrop-admin backup completes successfully
  • Reply again, run ./securedrop-admin restore <backupname> and confirm that
    • the restore command completes successfully
    • the second reply is not present.

Deployment

The updates should work on Tails 5 and 6 - Tails 5 users should be able to upgrade as normal. 2.7.1 cannot be used on Tails 6, so there is no upgrade path available. Users switching to Tails 6 will need to copy the PV to their new Tails 6 stick and do a manual update as described above.

Checklist

If you made changes to the server application code:

  • Linting (make lint) and tests (make test) pass in the development container

If you made changes to securedrop-admin:

  • Linting and tests (make -C admin test) pass in the admin development container

If you made changes to the system configuration:

If you added or removed a file deployed with the application:

  • I have updated AppArmor rules to include the change

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

Choose one of the following:

  • I have opened a PR in the docs repo for these changes, or will do so later
  • I would appreciate help with the documentation
  • These changes do not require documentation

If you added or updated a reference to a production code dependency:

Production code dependencies are defined in:

  • admin/requirements.in
  • admin/requirements-ansible.in
  • securedrop/requirements/python3/requirements.in
  • securedrop/requirements/python3/translation.in (used in the build container)

If you changed another requirements.in file that applies only to development
or testing environments, then no diff review is required, and you can skip
(remove) this section.

Choose one of the following:

  • TK I have performed a diff review and pasted the contents to the packaging wiki
    • Ansible-core from 2.13.7 to 2.15.9
    • ansible from 6.7.0 to 8.7.0
    • cffi from 1.14.5 to 1.16.0
    • pyyaml from 5.4.1 to 6.0.1
  • I would like someone else to do the diff review
  • I am silencing an alert related to a production dependency, because (please explain below):
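The description above says setup must detect Tails 6 correctly and, on a stick migrated from Tails 5, must throw away the old virtualenv and build a new one. The following is an added example of those two checks, written for this page; it is not SecureDrop's own code. It assumes (these assumptions are not taken from the PR) that Tails writes TAILS_PRODUCT_NAME and TAILS_VERSION_ID into /etc/os-release next to Debian's VERSION_ID, that a venv records its interpreter in pyvenv.cfg as "version = X.Y.Z", and that Bullseye (Tails 5) ships Python 3.9 while Bookworm (Tails 6) ships 3.11. All file contents in the block are constructed samples.

```python
"""Added example (not SecureDrop's code): work out which Tails release
securedrop-admin is running on and whether an existing admin venv was
built for a different base and must be rebuilt.

Assumptions (labelled here and in the lead-in, not taken from the PR):
  * Tails writes TAILS_PRODUCT_NAME and TAILS_VERSION_ID into
    /etc/os-release next to Debian's VERSION_ID.
  * A venv records its interpreter in pyvenv.cfg as "version = X.Y.Z".
  * Bullseye (Tails 5) ships Python 3.9, Bookworm (Tails 6) ships 3.11.
All file contents below are constructed samples.
"""
from __future__ import annotations

import re

# Tails major release -> Debian VERSION_ID it is built on
# (the PR states Tails 6 is Bookworm-based; Tails 5 is Bullseye-based).
TAILS_DEBIAN_BASE = {5: "11", 6: "12"}

# Constructed sample of /etc/os-release on a Tails 6 stick.
OS_RELEASE_TAILS6 = """\
TAILS_PRODUCT_NAME="Tails"
TAILS_VERSION_ID="6.0"
TAILS_CHANNEL="stable"
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
ID=debian
"""

# Constructed sample of /etc/os-release on a Tails 5 stick.
OS_RELEASE_TAILS5 = """\
TAILS_PRODUCT_NAME="Tails"
TAILS_VERSION_ID="5.22"
TAILS_CHANNEL="stable"
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
ID=debian
"""

# Constructed sample of a plain Debian host (no Tails keys at all).
OS_RELEASE_DEBIAN = """\
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
ID=debian
"""

# Constructed pyvenv.cfg samples: one left over from Tails 5, one fresh.
PYVENV_CFG_TAILS5 = "home = /usr/bin\ninclude-system-site-packages = false\nversion = 3.9.2\n"
PYVENV_CFG_TAILS6 = "home = /usr/bin\ninclude-system-site-packages = false\nversion = 3.11.2\n"


def parse_os_release(text: str) -> dict[str, str]:
    """Parse os-release KEY=VALUE lines; strip one layer of quotes."""
    values: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def tails_major_version(os_release: dict[str, str]) -> int | None:
    """Tails major version from TAILS_VERSION_ID, or None if not Tails."""
    if os_release.get("TAILS_PRODUCT_NAME") != "Tails":
        return None
    match = re.match(r"\d+", os_release.get("TAILS_VERSION_ID", ""))
    return int(match.group(0)) if match else None


def base_matches(os_release: dict[str, str], major: int) -> bool:
    """Cross-check Debian's VERSION_ID against the expected Tails base."""
    return os_release.get("VERSION_ID") == TAILS_DEBIAN_BASE.get(major)


def venv_python(pyvenv_cfg: str) -> tuple[int, int] | None:
    """(major, minor) of the interpreter recorded in pyvenv.cfg."""
    for raw in pyvenv_cfg.splitlines():
        key, _, value = raw.partition("=")
        if key.strip() == "version":
            match = re.match(r"(\d+)\.(\d+)", value.strip())
            if match:
                return int(match.group(1)), int(match.group(2))
    return None


def setup_plan(os_release_text: str, pyvenv_cfg: str | None,
               running: tuple[int, int]) -> str:
    """Decide what a setup step should do on this host.

    Returns one of: "not-tails", "unsupported-tails", "base-mismatch",
    "rebuild-venv", "ok".  A venv whose recorded Python X.Y differs from
    the running interpreter (3.9 on Tails 5 vs 3.11 on Tails 6) is stale:
    its compiled wheels (cffi, pyyaml) were built against the old ABI.
    """
    osr = parse_os_release(os_release_text)
    major = tails_major_version(osr)
    if major is None:
        return "not-tails"
    if major not in TAILS_DEBIAN_BASE:
        return "unsupported-tails"
    if not base_matches(osr, major):
        return "base-mismatch"
    if pyvenv_cfg is None or venv_python(pyvenv_cfg) != running:
        return "rebuild-venv"
    return "ok"


if __name__ == "__main__":
    for label, osr, cfg in [
        ("Tails 6 + stale Tails 5 venv", OS_RELEASE_TAILS6, PYVENV_CFG_TAILS5),
        ("Tails 6 + fresh venv", OS_RELEASE_TAILS6, PYVENV_CFG_TAILS6),
        ("plain Debian", OS_RELEASE_DEBIAN, PYVENV_CFG_TAILS6),
    ]:
        print(f"{label}: {setup_plan(osr, cfg, (3, 11))}")
```

The base cross-check is the part worth keeping: a restored persistent volume can carry a venv, but it cannot change what Debian release the stick is booting, so comparing TAILS_VERSION_ID against VERSION_ID catches a mislabelled or hand-edited os-release before any apt or pip work starts.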

@zenmonkeykstop zenmonkeykstop requested a review from a team as a code owner February 19, 2024 19:17
@zenmonkeykstop zenmonkeykstop added this to the SecureDrop 2.8.0 milestone Feb 19, 2024
@zenmonkeykstop zenmonkeykstop changed the title Add support for Tails 6 in Add support for Tails 6 Feb 21, 2024
@zenmonkeykstop zenmonkeykstop marked this pull request as draft February 21, 2024 18:25
@zenmonkeykstop zenmonkeykstop force-pushed the tails6-ftw branch 5 times, most recently from 6e14230 to 2b93b97 on February 21, 2024 20:07
@zenmonkeykstop zenmonkeykstop marked this pull request as ready for review February 21, 2024 23:58
@nathandyer
Contributor

Grabbing the Tails 5 Update scenario, since that wasn't part of the work that I did with earlier pairing (so should be a valid test case).

@nathandyer
Contributor

Tails 5 Update scenario: everything worked as expected, up until the backup and restore portion. Running the backup command executed immediately, and even though it says it was a success, there are no sd-backup archives stored at ~/Persistent/securedrop/install_files/ansible-base. I get this even when using the official stable release branch, so this is either something on my side, or there is an issue that was present in the earlier releases and is not specific to this branch.

@zenmonkeykstop
Contributor Author

Tails 5 Update scenario: everything worked as expected, up until the backup and restore portion. Running the backup command executed immediately, and even though it says it was a success, there are no sd-backup archives stored at ~/Persistent/securedrop/install_files/ansible-base. I get this even when using the official stable release branch, so this is either something on my side, or there is an issue that was present in the earlier releases and is not specific to this branch.

That worked for me in testing (on a fresh Tails 6 image tho). Can you run it again as ANSIBLE_VERBOSITY=4 ./securedrop-admin --force backup and dump the output here?

@zenmonkeykstop
Contributor Author

Further to the above @nathandyer, I couldn't reproduce, but I did notice some warnings on use of the copy module like "sftp transfer mechanism failed", so I restored the scp_if_ssh directive to quiet them. Backups were still working for me, but worth testing with latest just to be sure.

@nathandyer
Contributor

@zenmonkeykstop I tried running the backup again with the Ansible Verbosity set to 4, and the output is exactly the same: it runs instantly and outputs only a single line:

./securedrop-admin: line 26: /home/amnesia/Persistent/securedrop/admin/.venv3/bin/securedrop-admin: Success

This happens with tails6-ftw as well as 2.7.0, so I think we can overlook this as an oddity on my system for now since you could not reproduce, and since this happens in the previous production release for me.

@nathandyer
Contributor

Grabbing the migration from Tails 5 case as well

@zenmonkeykstop zenmonkeykstop marked this pull request as draft February 27, 2024 15:47
@zenmonkeykstop
Contributor Author

Flipping back to draft temporarily. Tails 6 was released on schedule, but there are some behaviour changes from the RC - most notably, desktop icon support was removed. So it may be necessary to revise this branch a little.

@rocodes
Contributor

rocodes commented Feb 27, 2024

Tails 6 fresh install scenario

Installing from prod tails 6, documenting a few non-SD related Tails 6 quirks here so that we're aware for support and/or maybe filing as upstream issues.

  • Following the Tails instructions (3-dot overflow menu -> Restore) results in a bootable disk; following the old instructions (GNOME Disks gear icon -> "Restore partition image") did not result in a bootable disk, fyi for support purposes or for anyone basing this on their recollection and not the docs :)
  • The "Configure Persistent Volume" screen locked up for me a few times when trying to toggle the options and displayed a "Persistent Volume is not responding" error modal with the option to wait or force quit. (computer with 16GB RAM and an 8gen i7 processor). I waited and was able to resolve the issue.
  • The Tor Connection Wizard takes a while to launch Tor Browser, making it appear unresponsive. When Tor Browser does launch, the connection wizard does not close and must be closed manually. Not sure if intentional or not but just documenting again for support purposes.
  • First attempt trying to clone the sd repo led to the following connection related error:
error: 19256 bytes of body are still expected MiB | 220.KiB/s
fetch-pack: unexpected disconnect while reading sideband packet
fatal: early EOF
fatal: fetch-pack: invalid index-pack output
  • Rebooting, I get the same index-pack error as above when I try to re-clone the repo (I accidentally had it in the home folder instead of ~/Persistent before, so starting again from that stage). However, it's probably good that I get stuck here, because it leads me to investigate network stuff a bit more. See screenshot. I thought I'd choose a new onion circuit but... (spoilers: I do in fact have network connectivity)
    Screenshot from 2024-02-27 16-55-37
  • Resolved the git / curl timeout through sheer luck after about 15 attempts.
  • I'll keep updating this as I work through the test plan. (Edit: which will be tomorrow)

Install

  • On an admin workstation, check out this branch and perform a production install (VMs are fine), and verify that (with the --force flag as appropriate):
    • ./securedrop-admin setup completes successfully, installing required apt packages and creating a virtualenv with updated dependencies listed above: yes, but required multiple attempts
    • ./securedrop-admin sdconfig completes successfully
    • ./securedrop-admin install completes successfully
    • ./securedrop-admin tailsconfig completes successfully with ssh targets, desktop icons, and SecureDrop menu available.
  • reboot the admin workstation and verify that:
    • The network hook runs successfully on network connection, and the ssh targets, desktop icons, and SecureDrop menu are available.
  • Submit via the source interface, create a journalist account, and reply via the journalist interface. Then, confirm that:
    • ./securedrop-admin backup completes successfully
  • Reply again, run ./securedrop-admin restore <backupname> and confirm that
    • the restore command completes successfully
    • the second reply is not present.
  • Confirm that ./securedrop-admin logs completes successfully, capturing the expected logs

@zenmonkeykstop
Contributor Author

Looks like we can leave the desktop icon code in place for now. It doesn't break the tailsconfig or network hook, they just don't get added on the desktop. Since we wanna preserve the icons for Tails 5 users, we can defer removal until a subsequent release where we start sending Tails 5 deprecation messages.

@zenmonkeykstop zenmonkeykstop marked this pull request as ready for review February 27, 2024 19:49
@nathandyer
Contributor

Completed the "Migration from Tails 5" test plan, and everything worked perfectly - including the backup and restore this time. 🎉

I did encounter an oddity with sudo apt update not being able to read the package lists, but after re-flashing and trying to reproduce it, I was unable to. Only noting in case we happen to stumble upon it again in the future.

@nathandyer
Contributor

Going to take the remaining test cases as well - USBs flashing now, will have results this afternoon.

@nathandyer
Contributor

nathandyer commented Feb 28, 2024

I'm getting a consistent error on the Tails 5 clean install scenario. The breaking error is:

TASK [grsecurity : Install the grsecurity-patched kernel from the FPF repo.] ***
fatal: [app]: FAILED! => {"msg": "failed to transfer file to /home/amnesia/.ansible/tmp/ansible-local-40819d2_hy8cx/tmppygq7z8p /home/sdadmin/.ansible/tmp/ansible-tmp-1709150408.6275954-41694-131416808621539/AnsiballZ_apt.py:\n\nunknown option -- O\r\nusage: scp [-346ABCpqrTv] [-c cipher] [-F ssh_config] [-i identity_file]\n            [-J destination] [-l limit] [-o ssh_option] [-P port]\n            [-S program] source ... target\n"}
fatal: [mon]: FAILED! => {"msg": "failed to transfer file to /home/amnesia/.ansible/tmp/ansible-local-40819d2_hy8cx/tmpxdqnmv0n /home/sdadmin/.ansible/tmp/ansible-tmp-1709150408.6408768-41695-170679609724149/AnsiballZ_apt.py:\n\nunknown option -- O\r\nusage: scp [-346ABCpqrTv] [-c cipher] [-F ssh_config] [-i identity_file]\n            [-J destination] [-l limit] [-o ssh_option] [-P port]\n            [-S program] source ... target\n"}

Full output:

INFO: Skipping update check because --force argument was provided.
INFO: Now installing SecureDrop on remote servers.
INFO: You will be prompted for the sudo password on the servers.
INFO: The sudo password is only necessary during initial installation.

PLAY [Ensure validation is run before prod install] ****************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

TASK [validate : include_tasks] ************************************************
included: /home/amnesia/Persistent/securedrop/install_files/ansible-base/roles/validate/tasks/validate_tails_environment.yml for localhost

TASK [validate : Check /etc/os-release for Tails string] ***********************
ok: [localhost]

TASK [validate : Confirm host OS is Tails.] ************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [validate : Check for persistence volume.] ********************************
ok: [localhost] => (item=/live/persistence/TailsData_unlocked/persistence.conf)
ok: [localhost] => (item=/live/persistence/TailsData_unlocked/openssh-client)
ok: [localhost] => (item=/home/amnesia/Persistent/securedrop)

TASK [validate : Confirm persistence volume is configured.] ********************
ok: [localhost] => (item={'changed': False, 'stat': {'exists': True, 'path': '/live/persistence/TailsData_unlocked/persistence.conf', 'mode': '0600', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 115, 'gid': 122, 'size': 596, 'inode': 14, 'dev': 64768, 'nlink': 1, 'atime': 1709149331.388006, 'mtime': 1709149331.016006, 'ctime': 1709149331.352006, 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': False, 'xgrp': False, 'woth': False, 'roth': False, 'xoth': False, 'isuid': False, 'isgid': False, 'blocks': 8, 'block_size': 4096, 'device_type': 0, 'readable': False, 'writeable': False, 'executable': False, 'pw_name': 'tails-persistent-storage', 'gr_name': 'tails-persistent-storage', 'mimetype': 'unknown', 'charset': 'unknown', 'version': None, 'attributes': [], 'attr_flags': ''}, 'invocation': {'module_args': {'path': '/live/persistence/TailsData_unlocked/persistence.conf', 'follow': False, 'get_md5': False, 'get_checksum': True, 'get_mime': True, 'get_attributes': True, 'checksum_algorithm': 'sha1'}}, 'failed': False, 'item': '/live/persistence/TailsData_unlocked/persistence.conf', 'ansible_loop_var': 'item'}) => {
    "ansible_loop_var": "item",
    "changed": false,
    "item": {
        "ansible_loop_var": "item",
        "changed": false,
        "failed": false,
        "invocation": {
            "module_args": {
                "checksum_algorithm": "sha1",
                "follow": false,
                "get_attributes": true,
                "get_checksum": true,
                "get_md5": false,
                "get_mime": true,
                "path": "/live/persistence/TailsData_unlocked/persistence.conf"
            }
        },
        "item": "/live/persistence/TailsData_unlocked/persistence.conf",
        "stat": {
            "atime": 1709149331.388006,
            "attr_flags": "",
            "attributes": [],
            "block_size": 4096,
            "blocks": 8,
            "charset": "unknown",
            "ctime": 1709149331.352006,
            "dev": 64768,
            "device_type": 0,
            "executable": false,
            "exists": true,
            "gid": 122,
            "gr_name": "tails-persistent-storage",
            "inode": 14,
            "isblk": false,
            "ischr": false,
            "isdir": false,
            "isfifo": false,
            "isgid": false,
            "islnk": false,
            "isreg": true,
            "issock": false,
            "isuid": false,
            "mimetype": "unknown",
            "mode": "0600",
            "mtime": 1709149331.016006,
            "nlink": 1,
            "path": "/live/persistence/TailsData_unlocked/persistence.conf",
            "pw_name": "tails-persistent-storage",
            "readable": false,
            "rgrp": false,
            "roth": false,
            "rusr": true,
            "size": 596,
            "uid": 115,
            "version": null,
            "wgrp": false,
            "woth": false,
            "writeable": false,
            "wusr": true,
            "xgrp": false,
            "xoth": false,
            "xusr": false
        }
    },
    "msg": "All assertions passed"
}
ok: [localhost] => (item={'changed': False, 'stat': {'exists': True, 'path': '/live/persistence/TailsData_unlocked/openssh-client', 'mode': '0700', 'isdir': True, 'ischr': False, 'isblk': False, 'isreg': False, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 1000, 'gid': 1000, 'size': 4096, 'inode': 1044483, 'dev': 64768, 'nlink': 2, 'atime': 1709149584.200002, 'mtime': 1709149573.6800015, 'ctime': 1709149573.6800015, 'wusr': True, 'rusr': True, 'xusr': True, 'wgrp': False, 'rgrp': False, 'xgrp': False, 'woth': False, 'roth': False, 'xoth': False, 'isuid': False, 'isgid': False, 'blocks': 8, 'block_size': 4096, 'device_type': 0, 'readable': True, 'writeable': True, 'executable': True, 'pw_name': 'amnesia', 'gr_name': 'amnesia', 'mimetype': 'inode/directory', 'charset': 'binary', 'version': '2716672948', 'attributes': ['extents'], 'attr_flags': 'e'}, 'invocation': {'module_args': {'path': '/live/persistence/TailsData_unlocked/openssh-client', 'follow': False, 'get_md5': False, 'get_checksum': True, 'get_mime': True, 'get_attributes': True, 'checksum_algorithm': 'sha1'}}, 'failed': False, 'item': '/live/persistence/TailsData_unlocked/openssh-client', 'ansible_loop_var': 'item'}) => {
    "ansible_loop_var": "item",
    "changed": false,
    "item": {
        "ansible_loop_var": "item",
        "changed": false,
        "failed": false,
        "invocation": {
            "module_args": {
                "checksum_algorithm": "sha1",
                "follow": false,
                "get_attributes": true,
                "get_checksum": true,
                "get_md5": false,
                "get_mime": true,
                "path": "/live/persistence/TailsData_unlocked/openssh-client"
            }
        },
        "item": "/live/persistence/TailsData_unlocked/openssh-client",
        "stat": {
            "atime": 1709149584.200002,
            "attr_flags": "e",
            "attributes": [
                "extents"
            ],
            "block_size": 4096,
            "blocks": 8,
            "charset": "binary",
            "ctime": 1709149573.6800015,
            "dev": 64768,
            "device_type": 0,
            "executable": true,
            "exists": true,
            "gid": 1000,
            "gr_name": "amnesia",
            "inode": 1044483,
            "isblk": false,
            "ischr": false,
            "isdir": true,
            "isfifo": false,
            "isgid": false,
            "islnk": false,
            "isreg": false,
            "issock": false,
            "isuid": false,
            "mimetype": "inode/directory",
            "mode": "0700",
            "mtime": 1709149573.6800015,
            "nlink": 2,
            "path": "/live/persistence/TailsData_unlocked/openssh-client",
            "pw_name": "amnesia",
            "readable": true,
            "rgrp": false,
            "roth": false,
            "rusr": true,
            "size": 4096,
            "uid": 1000,
            "version": "2716672948",
            "wgrp": false,
            "woth": false,
            "writeable": true,
            "wusr": true,
            "xgrp": false,
            "xoth": false,
            "xusr": true
        }
    },
    "msg": "All assertions passed"
}
ok: [localhost] => (item={'changed': False, 'stat': {'exists': True, 'path': '/home/amnesia/Persistent/securedrop', 'mode': '0755', 'isdir': True, 'ischr': False, 'isblk': False, 'isreg': False, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 1000, 'gid': 1000, 'size': 4096, 'inode': 130563, 'dev': 64768, 'nlink': 21, 'atime': 1709149906.184014, 'mtime': 1709150389.3840322, 'ctime': 1709150389.3840322, 'wusr': True, 'rusr': True, 'xusr': True, 'wgrp': False, 'rgrp': True, 'xgrp': True, 'woth': False, 'roth': True, 'xoth': True, 'isuid': False, 'isgid': False, 'blocks': 8, 'block_size': 4096, 'device_type': 0, 'readable': True, 'writeable': True, 'executable': True, 'pw_name': 'amnesia', 'gr_name': 'amnesia', 'mimetype': 'inode/directory', 'charset': 'binary', 'version': '2582611470', 'attributes': ['extents'], 'attr_flags': 'e'}, 'invocation': {'module_args': {'path': '/home/amnesia/Persistent/securedrop', 'follow': False, 'get_md5': False, 'get_checksum': True, 'get_mime': True, 'get_attributes': True, 'checksum_algorithm': 'sha1'}}, 'failed': False, 'item': '/home/amnesia/Persistent/securedrop', 'ansible_loop_var': 'item'}) => {
    "ansible_loop_var": "item",
    "changed": false,
    "item": {
        "ansible_loop_var": "item",
        "changed": false,
        "failed": false,
        "invocation": {
            "module_args": {
                "checksum_algorithm": "sha1",
                "follow": false,
                "get_attributes": true,
                "get_checksum": true,
                "get_md5": false,
                "get_mime": true,
                "path": "/home/amnesia/Persistent/securedrop"
            }
        },
        "item": "/home/amnesia/Persistent/securedrop",
        "stat": {
            "atime": 1709149906.184014,
            "attr_flags": "e",
            "attributes": [
                "extents"
            ],
            "block_size": 4096,
            "blocks": 8,
            "charset": "binary",
            "ctime": 1709150389.3840322,
            "dev": 64768,
            "device_type": 0,
            "executable": true,
            "exists": true,
            "gid": 1000,
            "gr_name": "amnesia",
            "inode": 130563,
            "isblk": false,
            "ischr": false,
            "isdir": true,
            "isfifo": false,
            "isgid": false,
            "islnk": false,
            "isreg": false,
            "issock": false,
            "isuid": false,
            "mimetype": "inode/directory",
            "mode": "0755",
            "mtime": 1709150389.3840322,
            "nlink": 21,
            "path": "/home/amnesia/Persistent/securedrop",
            "pw_name": "amnesia",
            "readable": true,
            "rgrp": true,
            "roth": true,
            "rusr": true,
            "size": 4096,
            "uid": 1000,
            "version": "2582611470",
            "wgrp": false,
            "woth": false,
            "writeable": true,
            "wusr": true,
            "xgrp": true,
            "xoth": true,
            "xusr": true
        }
    },
    "msg": "All assertions passed"
}

TASK [validate : Check for v3 SSH auth files] **********************************
ok: [localhost] => (item=app-ssh.auth_private)
ok: [localhost] => (item=mon-ssh.auth_private)

TASK [validate : Count the number of v3 SSH auth files] ************************
ok: [localhost]

TASK [validate : Check for Journalist client auth file] ************************
ok: [localhost]

TASK [validate : Check for Source THS file] ************************************
ok: [localhost]

TASK [validate : Check for Tor v3 key file] ************************************
ok: [localhost]

TASK [validate : Confirm that a valid set of SSH auth files is present] ********
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [validate : Confirm that the Journalist auth file is present] *************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

PLAY [Prepare servers for installation] ****************************************

TASK [prepare-servers : Install python and packages required by installer] *****
ok: [mon]
ok: [app]

TASK [prepare-servers : Check SecureBoot status] *******************************
ok: [app]
ok: [mon]

TASK [prepare-servers : Verify that SecureBoot is not enabled] *****************
ok: [app] => {
    "changed": false,
    "msg": "All assertions passed"
}
ok: [mon] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [prepare-servers : Remove cloud-init] *************************************
ok: [app]
ok: [mon]

TASK [prepare-servers : Ensure dist-upgrade before SecureDrop install] *********
ok: [app]
ok: [mon]

PLAY [Add FPF apt repository and install base packages.] ***********************

TASK [Gathering Facts] *********************************************************
ok: [app]
ok: [mon]

TASK [Check if install has been done before] ***********************************
ok: [app]
ok: [mon -> app(10.20.2.2)]

TASK [Include restrict role early when using ssh over localnet] ****************

TASK [restrict-direct-access : include_vars] ***********************************
ok: [app]
ok: [mon]

TASK [restrict-direct-access : include_tasks] **********************************
included: /home/amnesia/Persistent/securedrop/install_files/ansible-base/roles/restrict-direct-access/tasks/dh_moduli.yml for app, mon

TASK [restrict-direct-access : Check whether Diffie-Hellman groups have been updated] ***
ok: [app]
ok: [mon]

TASK [restrict-direct-access : include_tasks] **********************************
included: /home/amnesia/Persistent/securedrop/install_files/ansible-base/roles/restrict-direct-access/tasks/ssh.yml for app, mon

TASK [restrict-direct-access : Copy SSH client config file.] *******************
ok: [app]
ok: [mon]

TASK [restrict-direct-access : Copy SSH server config file.] *******************
ok: [app]
ok: [mon]

TASK [restrict-direct-access : Copy pam common-auth config file.] **************
ok: [app]
ok: [mon]

TASK [restrict-direct-access : Ensure sshd is running.] ************************
ok: [app]
ok: [mon]

TASK [restrict-direct-access : include_tasks] **********************************
included: /home/amnesia/Persistent/securedrop/install_files/ansible-base/roles/restrict-direct-access/tasks/iptables.yml for app, mon

TASK [restrict-direct-access : Gather localhost facts first] *******************
ok: [app -> localhost]
ok: [mon -> localhost]

TASK [restrict-direct-access : Determine local platform specific routing info] ***
ok: [app]
ok: [mon]

TASK [restrict-direct-access : Record admin network interface] *****************
ok: [app]
ok: [mon]

TASK [restrict-direct-access : Hacky work-around for Mac/Linux interface structure divergence] ***
ok: [app]
ok: [mon]

TASK [restrict-direct-access : Compute admin network CIDR] *********************
ok: [app -> localhost]
ok: [mon -> localhost]

TASK [restrict-direct-access : Copy IPv4 iptables rules.] **********************
ok: [mon]
ok: [app]

TASK [restrict-direct-access : Copy IPv6 iptables rules.] **********************
ok: [app]
ok: [mon]

TASK [include_tasks] ***********************************************************
included: /home/amnesia/Persistent/securedrop/install_files/ansible-base/tasks/transition_ssh_local.yml for app, mon

TASK [Seek for existing tor aths ssh files] ************************************
ok: [app -> localhost]

TASK [install-fpf-repo : Install SecureDrop apt repo GPG signing key.] *********
ok: [app] => (item=fpf-signing-key-2021.pub)
ok: [mon] => (item=fpf-signing-key-2021.pub)

TASK [install-fpf-repo : Setup FPF apt repo.] **********************************
ok: [app]
ok: [mon]

TASK [install-fpf-repo : Install the securedrop-keyring package for managing the apt gpg key.] ***
ok: [app]
ok: [mon]

TASK [grsecurity : include_tasks] **********************************************
included: /home/amnesia/Persistent/securedrop/install_files/ansible-base/roles/grsecurity/tasks/check_installation.yml for app, mon

TASK [grsecurity : Check if reboot is required due to inactive grsecurity lock.] ***
ok: [app]
ok: [mon]

TASK [grsecurity : include_tasks] **********************************************
included: /home/amnesia/Persistent/securedrop/install_files/ansible-base/roles/grsecurity/tasks/from_fpf_repo_install_grsec.yml for app, mon

TASK [grsecurity : Remove MOTD pam module from SSH logins.] ********************
ok: [app]
ok: [mon]

TASK [grsecurity : Install the grsecurity-patched kernel from the FPF repo.] ***
fatal: [app]: FAILED! => {"msg": "failed to transfer file to /home/amnesia/.ansible/tmp/ansible-local-40819d2_hy8cx/tmppygq7z8p /home/sdadmin/.ansible/tmp/ansible-tmp-1709150408.6275954-41694-131416808621539/AnsiballZ_apt.py:\n\nunknown option -- O\r\nusage: scp [-346ABCpqrTv] [-c cipher] [-F ssh_config] [-i identity_file]\n            [-J destination] [-l limit] [-o ssh_option] [-P port]\n            [-S program] source ... target\n"}
fatal: [mon]: FAILED! => {"msg": "failed to transfer file to /home/amnesia/.ansible/tmp/ansible-local-40819d2_hy8cx/tmpxdqnmv0n /home/sdadmin/.ansible/tmp/ansible-tmp-1709150408.6408768-41695-170679609724149/AnsiballZ_apt.py:\n\nunknown option -- O\r\nusage: scp [-346ABCpqrTv] [-c cipher] [-F ssh_config] [-i identity_file]\n            [-J destination] [-l limit] [-o ssh_option] [-P port]\n            [-S program] source ... target\n"}

NO MORE HOSTS LEFT *************************************************************

NO MORE HOSTS LEFT *************************************************************

PLAY RECAP *********************************************************************
app                        : ok=32   changed=0    unreachable=0    failed=1    skipped=6    rescued=0    ignored=0   
localhost                  : ok=13   changed=0    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0   
mon                        : ok=31   changed=0    unreachable=0    failed=1    skipped=5    rescued=0    ignored=0   

@zenmonkeykstop
Contributor Author

The extra -O is added via ansible.cfg to force the use of scp in OpenSSH 9.0, but looks like it's not valid for 8.0. Will investigate alternatives.

@nathandyer
Contributor

Worked through the Tails 6 clean install scenario.

Installation, setup, and tailsconfig all worked without issue.

./securedrop-admin backup and ./securedrop-admin logs gave the exact same output as I was seeing before in the other scenario that failed: it runs immediately, has only one line of output, and says "./securedrop-admin line 26: : Success"

It's curious that both the backup and logs operation report success on the same line in the admin script 🤔

It's also curious that those operations did work without issue using the exact same app and mon servers on the Tails 5 migration scenario

@zenmonkeykstop
Contributor Author

Worked through the Tails 6 clean install scenario.

Installation, setup, and tailsconfig all worked without issue.

./securedrop-admin backup and ./securedrop-admin logs gave the exact same output as I was seeing before in the other scenario that failed: it runs immediately, has only one line of output, and says "./securedrop-admin line 26: : Success"

It's curious that both the backup and logs operation report success on the same line in the admin script 🤔

It's also curious that those operations did work without issue using the exact same app and mon servers on the Tails 5 migration scenario

Do they take the --force flag when run not on the latest release?

@nathandyer
Contributor

Worked through the Tails 6 clean install scenario.
Installation, setup, and tailsconfig all worked without issue.
./securedrop-admin backup and ./securedrop-admin logs gave the exact same output as I was seeing before in the other scenario that failed: it runs immediately, has only one line of output, and says "./securedrop-admin line 26: : Success"
It's curious that both the backup and logs operation report success on the same line in the admin script 🤔
It's also curious that those operations did work without issue using the exact same app and mon servers on the Tails 5 migration scenario

Do they take the --force flag when run not on the latest release?

It didn't seem to require the --force flag, but I did try it with and without on both; same results.

admin/Dockerfile Outdated
@@ -1,5 +1,5 @@
# debian:bullseye 2022-10-04
FROM debian@sha256:9b0e3056b8cd8630271825665a0613cc27829d6a24906dc0122b3b4834312f7d
# debian:bookworm 2021-01-12
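Review bot: the added comment `# debian:bookworm 2021-01-12` carries a date that predates the Bookworm release (June 2023), so it cannot describe when the pinned digest was taken; correct it to the date the digest was actually pulled (the suggestion in this thread gives `# debian:bookworm 2024-01-12`) so the digest pin remains auditable against the upstream image.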
Member

Suggested change
# debian:bookworm 2021-01-12
# debian:bookworm 2024-01-12

Contributor Author

lol, will update.

install_files/ansible-base/ansible.cfg
@@ -122,7 +122,7 @@

# in Tails 4, reload gnome-shell desktop icons extension to update with changes above
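Review bot: the comment `# in Tails 4, reload gnome-shell desktop icons extension to update with changes above` still names Tails 4 while the surrounding change is part of the Tails 6 work; update it to state which Tails versions the reload applies to, or drop the version number, since a stale comment beside a version-conditional step misleads the next reader. Only the comment line is visible in this hunk, so the condition it describes should be checked at the same time.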
Member

comment needs an update?

admin/requirements.in
@@ -7,11 +7,11 @@
name = securedrop-admin
version = 0.1.0
summary = SecureDrop Admin Toolkit
description-file =
description_file =
README.rst
author = Loic Dachary
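Review bot: the rename from `description-file =` to `description_file =` is the right fix for setuptools' deprecation of dash-separated keys in setup.cfg, but only that one key is visible in the hunk; check the rest of the file for other dash-separated keys and rename them in the same change so the deprecation warning does not resurface on the next build.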
Member

If we're updating this, should we change it to securedrop@freedom.press?

Contributor Author

Disinclined to change attributions without checking with original authors. But we probably could.

When a command like "sudo su -c "apt-get update && apt-get install" was
executed via subprocess.popen, the parent python process was suspended when the first
part of the command completed. We don't need the update anymore (it's done by the user
before running securedrop-admin setup) so let's just simplify things and run something
like "sudo apt-get install"
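To illustrate the shape of invocation the commit message above recommends (a direct `sudo apt-get install` argv instead of a shell string run under `sudo su -c`), here is an added example. It is not code from the securedrop-admin project; the package names, the `is_valid_package_name` validator and the injectable `runner` hook are assumptions made for this illustration.

```python
"""Build and run a privileged apt-get install without a shell wrapper.

Added example, not securedrop-admin's own code. It demonstrates the point of
the commit message above: invoke apt-get directly as an argv list rather than
wrapping "apt-get update && apt-get install" in a shell via "sudo su -c".
"""
import re
import subprocess
from typing import Callable, List, Sequence

# Debian Policy 5.6.1: lowercase letters, digits, '+', '-', '.', at least two
# characters, first character alphanumeric. Anything else (spaces, ';', a
# leading '-') is rejected before it gets near a privileged command.
_PKG_NAME = re.compile(r"[a-z0-9][a-z0-9+.-]+")


def is_valid_package_name(name: str) -> bool:
    """True if `name` is a well-formed Debian package name (assumed validator)."""
    return _PKG_NAME.fullmatch(name) is not None


def build_apt_install_argv(packages: Sequence[str], assume_yes: bool = True) -> List[str]:
    """Return the argv for a direct 'sudo apt-get install'.

    No 'su -c' and no shell=True: there is no intermediate shell to parse a
    command string, so each package name is passed as a discrete argument and
    cannot be reinterpreted as shell syntax. 'apt-get update' is deliberately
    absent, matching the commit message (the user runs it beforehand).
    """
    bad = [p for p in packages if not is_valid_package_name(p)]
    if bad:
        raise ValueError(f"invalid package name(s): {bad!r}")
    argv = ["sudo", "apt-get", "install"]
    if assume_yes:
        argv.append("-y")
    argv.extend(packages)
    return argv


def install_packages(packages: Sequence[str], runner: Callable = subprocess.run):
    """Run the install.

    `runner` defaults to subprocess.run and is injectable (an assumption for
    this example) so the logic can be exercised without root. check=True turns
    a non-zero apt-get exit into an exception instead of a silently ignored
    failure; output is not captured, so apt's progress reaches the terminal.
    """
    argv = build_apt_install_argv(packages)
    return runner(argv, check=True)


if __name__ == "__main__":
    # Dry demonstration: show the command that would be executed.
    print(" ".join(build_apt_install_argv(["ansible", "python3-venv"])))
```

Because the child is `apt-get` itself rather than a nested `su`-spawned shell, there is no second process group between `sudo` and the work being done, which is the structure the commit message identifies as the source of the suspended parent process.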
@zenmonkeykstop zenmonkeykstop force-pushed the tails6-ftw branch 3 times, most recently from ba30b41 to d0217ee February 29, 2024 20:35
@nathandyer
Contributor

With the latest commit, I'm happy to report that the Tails 5 fresh install scenario works as expected (including install, backup, and restore, which were all previously broken for me).

@rocodes
Contributor

rocodes commented Feb 29, 2024

Tails 6 Install

  • On an admin workstation, check out this branch and perform a production install (VMs are fine), and verify that (with the --force flag as appropriate):
    • ./securedrop-admin setup completes successfully, installing required apt packages and creating a virtualenv with updated dependencies listed above
    • ./securedrop-admin sdconfig completes successfully
    • ./securedrop-admin install completes successfully
    • ./securedrop-admin tailsconfig completes successfully with ssh targets, desktop icons, and SecureDrop menu available.
  • reboot the admin workstation and verify that:
    • The network hook runs successfully on network connection
    • .... and the ssh targets, desktop icons, and SecureDrop menu are available. (no desktop icons, SD bookmarks are searchable - expected tails 6 bhvr ✔️ )
  • Submit via the source interface, create a journalist account, and reply via the journalist interface. Then, confirm that:
    • ./securedrop-admin backup completes successfully
  • Reply again, run ./securedrop-admin restore <backupname> and confirm that
    • the restore command completes successfully
    • the second reply is not present.
  • Confirm that ./securedrop-admin logs completes successfully, capturing the expected logs

@zenmonkeykstop
Contributor Author

Looking good, thanks all - once flaky CI is passing and I get an approval will go ahead and merge and cut release/2.8.0 etc.

rocodes previously approved these changes Mar 1, 2024
@rocodes
Contributor

rocodes commented Mar 1, 2024

I've got 11137e7 locally from a git pull, but I'm not seeing it in the web UI yet. ? Edit: there we go

@rocodes rocodes self-requested a review March 1, 2024 15:45
@rocodes
Contributor

rocodes commented Mar 1, 2024

So nice I had to stamp it twice! waiting on CI then let's do it

@zenmonkeykstop zenmonkeykstop merged commit 0c5335f into develop Mar 1, 2024
17 checks passed
@zenmonkeykstop zenmonkeykstop mentioned this pull request Mar 6, 2024
31 tasks
Development

Successfully merging this pull request may close these issues.

Update admin and journalist workstations to use Tails 6
4 participants