kolibri/tasks/install.yml: Modern apt keyring approach [& apt upgrading Kolibri very risky!] #3356

Merged
merged 4 commits into from
Sep 1, 2022


holta added this to the 8.0 milestone on Sep 1, 2022
Member Author

holta commented Sep 1, 2022

Test installed on an Ubuntu 22.10 pre-release.

The apt configuration file auto-generated by Ansible...has a very long filename here: (but that's Ok!)

    root@box:~# cat /etc/apt/sources.list.d/ppa_launchpad_net_learningequality_kolibri_ubuntu.list
    deb [signed-by=/usr/share/keyrings/learningequality-kolibri.gpg] http://ppa.launchpad.net/learningequality/kolibri/ubuntu jammy main

Just FYI this test install of Kolibri on IIAB was done on the latest daily build of Ubuntu 22.10 [pre-release] "Kinetic Kudu".


holta commented Sep 1, 2022

FYI here are some of the ~3 pink/blue screens that arise if one apt upgrades from Kolibri 0.15.6 to 0.15.7:

(unfortunately these will lead to quite serious problems, as everyday IIAB operators will accidentally override pre-existing Kolibri systemd unit file & Linux username, something to think about!!)

  ┌────────────────────────┤ Kolibri configuration ├────────────────────────┐
  │                                                                         │
  │ This will automatically call the system service to start Kolibri when   │
  │ your system boots.                                                      │
  │                                                                         │
  │ Do you wish to run Kolibri on start-up?                                 │
  │                                                                         │
  │                    <Yes>                       <No>                     │
  │                                                                         │
  └─────────────────────────────────────────────────────────────────────────┘

If one overrides the above default <Yes> to correctly select <No> (to preserve IIAB's systemd file for Kolibri) the next screen is:

  ┌────────────────────────┤ Kolibri configuration ├────────────────────────┐
  │                                                                         │
  │ Running Kolibri manually:                                               │
  │                                                                         │
  │ You have chosen not to run Kolibri as a system service and that means   │
  │ you should run it manually. Starting Kolibri with your current user     │
  │ account:                                                                │
  │                                                                         │
  │   kolibri start                                                         │
  │                                                                         │
  │                                                                         │
  │ Starting Kolibri as a system-wide service:                              │
  │                                                                         │
  │   sudo service kolibri start                                            │
  │                                                                         │
  │                                                                         │
  │ Start Kolibri when the system boots:                                    │
  │                                                                         │
  │   sudo systemctl enable kolibri                                         │
  │                                                                         │
  │                                 <Ok>                                    │
  │                                                                         │
  └─────────────────────────────────────────────────────────────────────────┘

Finally this 3rd screen is generally pre-populated with an incorrect username: (IIAB mandates Linux username kolibri not iiab-admin, Ouch !)

  ┌────────────────────────┤ Kolibri configuration ├────────────────────────┐
  │ The default is to choose your preferred desktop user account, for       │
  │ instance to ensure access to importing data from external USB devices.  │
  │                                                                         │
  │ Entering a username that doesn't exist will create a new system user    │
  │ with home directory /var/<username>.                                    │
  │                                                                         │
  │ Which user account should own the Kolibri server?                       │
  │                                                                         │
  │ iiab-admin_____________________________________________________________ │
  │                                                                         │
  │                                 <Ok>                                    │
  │                                                                         │
  └─────────────────────────────────────────────────────────────────────────┘

I don't have answers; am simply posting the above (Linux Terminal) screenshots, so we can all think about it 🤔

holta changed the title from "kolibri/tasks/install.yml: Modern apt keyring approach" to "kolibri/tasks/install.yml: Modern apt keyring approach [& apt upgrading Kolibri very risky!]" on Sep 1, 2022

holta commented Sep 1, 2022

> If one overrides the above default <Yes> to correctly select <No> (to preserve IIAB's systemd file for Kolibri) the next screen is:

Strangely the above Kolibri prompt neither disables nor clobbers /etc/systemd/system/kolibri.service no matter whether you answer <Yes> or <No>

'Yes' was tested on Ubuntu 20.04, 'No' was tested on Mint 21. Again this is in response to "Do you wish to run Kolibri on start-up?" (So this definitely appears to be a Kolibri bug — a bug that ironically seems to prevent further problems for the moment — when apt upgrading Kolibri as part of IIAB !)

In any case, if one goes ahead with the default <Yes>, the next screen (a bit different than above) is...just FYI:

    ┌──────────────────────┤ Kolibri configuration ├───────────────────────┐
    │                                                                      │
    │ The Kolibri system service                                           │
    │                                                                      │
    │ You have chosen to run Kolibri as a system service and it has been   │
    │ started automatically. You can start/stop/restart Kolibri with the   │
    │ following command                                                    │
    │                                                                      │
    │   sudo service kolibri [start, stop, restart]                        │
    │                                                                      │
    │                                <Ok>                                  │
    │                                                                      │
    └──────────────────────────────────────────────────────────────────────┘


holta commented Sep 1, 2022

I guess I'll go ahead and merge this PR. So wider community testing validates this across "all" OS's.

(The issues of apt upgrading Kolibri being very risky and extremely confusing to IIAB operators — are indeed a real issue but this is a separate question in the end — we should definitely assess pragmatic options there, but somewhere separately!)


holta commented Sep 1, 2022

> (The issues of apt upgrading Kolibri being very risky and extremely confusing to IIAB operators — are indeed a real issue but this is a separate question in the end — we should definitely assess pragmatic options there, but somewhere separately!)

@jredrejo new ticket is opened here, just for discussion: (even if there are not easy answers!)


holta commented Sep 1, 2022

Recap: Of course Ansible's command module is occasionally safer than Ansible's shell module.

Still, in this case I opted to shorten the code (into 1 single stanza/paragraph instead of 2 stanzas/paragraphs) as follows:

    # 2022-08-31: keyring /etc/apt/trusted.gpg DEPRECATED as detailed on #3343
    - name: Download Kolibri's apt key to /usr/share/keyrings/learningequality-kolibri.gpg
      shell: |
        gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys DC5BAA93F9E4AE4F0411F97C74F88ADB3194DD81
        gpg --yes --output /usr/share/keyrings/learningequality-kolibri.gpg --export DC5BAA93F9E4AE4F0411F97C74F88ADB3194DD81
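
A post-install check for the keyring setup discussed in this thread, as an added example (not code from this PR or from IIAB): it confirms that a sources.list entry is pinned with `signed-by=` and that the exported keyring holds only the expected primary key. The function names and sample inputs are constructed for illustration; on a live system the key listing would come from `gpg --show-keys --with-colons /usr/share/keyrings/learningequality-kolibri.gpg`.

```shell
#!/bin/sh
# Added example (not from the PR): offline checks for a signed-by keyring setup.
EXPECTED_FPR="DC5BAA93F9E4AE4F0411F97C74F88ADB3194DD81"  # fingerprint quoted in this PR

# Print the signed-by= value of one sources.list line (nothing if the option is absent).
signed_by_path() {
    printf '%s\n' "$1" | sed -n 's/^deb[^[]*\[\([^]]*\)\].*/\1/p' \
        | tr ' ' '\n' | sed -n 's/^signed-by=//p'
}

# Classify a sources.list line:
#   ok             - repo is pinned to its own keyring file
#   no-signed-by   - repo is verified against every globally trusted key
#   global-keyring - signed-by points back into apt's global trust store
audit_sources_line() {
    path=$(signed_by_path "$1")
    case "$path" in
        "")                    echo "no-signed-by" ;;
        /etc/apt/trusted.gpg*) echo "global-keyring" ;;
        *)                     echo "ok" ;;
    esac
}

# Read `gpg --show-keys --with-colons` output on stdin; print primary-key fingerprints.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if the listing holds exactly one primary key and it is the expected one.
keyring_is_exactly() {
    [ "$(primary_fprs)" = "$1" ]
}

# Constructed sample inputs (the pinned deb line matches the one shown in this thread).
GOOD_LINE='deb [signed-by=/usr/share/keyrings/learningequality-kolibri.gpg] http://ppa.launchpad.net/learningequality/kolibri/ubuntu jammy main'
LEGACY_LINE='deb http://ppa.launchpad.net/learningequality/kolibri/ubuntu jammy main'
GOOD_LISTING='pub:-:4096:1:74F88ADB3194DD81:
fpr:::::::::DC5BAA93F9E4AE4F0411F97C74F88ADB3194DD81:'
EXTRA_KEY_LISTING="$GOOD_LISTING
pub:-:4096:1:0000000000000000:
fpr:::::::::0000000000000000000000000000000000000000:"

echo "pinned line: $(audit_sources_line "$GOOD_LINE")"
echo "legacy line: $(audit_sources_line "$LEGACY_LINE")"
printf '%s\n' "$GOOD_LISTING" | keyring_is_exactly "$EXPECTED_FPR" && echo "keyring: expected key only"
printf '%s\n' "$EXTRA_KEY_LISTING" | keyring_is_exactly "$EXPECTED_FPR" || echo "keyring: unexpected extra key"
```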
