Ubuntu 20.04 support (#1782)

* ubuntu 20.04 support

* purge snapd for 20.04

* strongswan-starter fix

.github/workflows/main.yml

@@ -29,7 +29,7 @@ jobs:
     runs-on: ubuntu-16.04
     strategy:
       matrix:
-        UBUNTU_VERSION: ["18.04", "19.10"]
+        UBUNTU_VERSION: ["18.04", "20.04"]
     steps:
       - uses: actions/checkout@v1
       - uses: actions/setup-python@v1
@@ -98,7 +98,7 @@ jobs:
     runs-on: ubuntu-16.04
     strategy:
       matrix:
-        UBUNTU_VERSION: ["18.04", "19.10"]
+        UBUNTU_VERSION: ["18.04", "20.04"]
     steps:
       - uses: actions/checkout@v1
       - uses: actions/setup-python@v1

config.cfg

@@ -156,10 +156,14 @@ SSH_keys:
 cloud_providers:
   azure:
     size: Standard_B1S
-    image: 19.10-DAILY
+    image:
+      publisher: Canonical
+      offer: 0001-com-ubuntu-server-focal-daily
+      sku: 20_04-daily-lts
+      version: latest
   digitalocean:
     size: s-1vcpu-1gb
-    image: "ubuntu-19-10-x64"
+    image: "ubuntu-20-04-x64"
   ec2:
     # Change the encrypted flag to "false" to disable AWS volume encryption.
     encrypted: true
@@ -168,31 +172,31 @@ cloud_providers:
     use_existing_eip: false
     size: t2.micro
     image:
-      name: "ubuntu-eoan-19.10"
+      name: "ubuntu-focal-20.04"
       owner: "099720109477"
   gce:
     size: f1-micro
-    image: ubuntu-1910
+    image: ubuntu-2004-lts
     external_static_ip: false
   lightsail:
     size: nano_1_0
     image: ubuntu_18_04
   scaleway:
     size: DEV1-S
-    image: Ubuntu Bionic Beaver
+    image: Ubuntu 20.04 Focal Fossa
     arch: x86_64
   hetzner:
     server_type: cx11
-    image: ubuntu-18.04
+    image: ubuntu-20.04
   openstack:
     flavor_ram: ">=512"
     image:  Ubuntu-18.04
   cloudstack:
     size: Micro
-    image: Linux Ubuntu 19.10 64-bit
+    image: Linux Ubuntu 20.04 LTS 64-bit
     disk: 10
   vultr:
-    os: Ubuntu 19.10 x64
+    os: Ubuntu 20.04 x64
     size: 1024 MB RAM,25 GB SSD,1.00 TB BW
   local:
 

docs/deploy-to-ubuntu.md

@@ -4,7 +4,7 @@ You can use Algo to configure a pre-existing server as an AlgoVPN rather than us
 
 To perform a local installation, install the Algo scripts following the normal installation instructions, then choose:
 ```
-Install to existing Ubuntu 18.04 or 19.10 server (for more advanced users)
+Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)
 ```
 Make sure your target server is running an unmodified copy of the operating system version specified. The target can be the same system where you've installed the Algo scripts, or a remote system that you are able to access as root via SSH without needing to enter the SSH key passphrase (such as when using `ssh-agent`).
 

docs/deploy-to-unsupported-cloud.md

@@ -2,7 +2,7 @@
 
 Algo officially supports the [cloud providers listed here](https://github.com/trailofbits/algo/blob/master/README.md#deploy-the-algo-server). If you want to deploy Algo on another virtual hosting provider, that provider must support:
 
-1. the base operating system image that Algo uses (Ubuntu 18.04 or 19.10), and
+1. the base operating system image that Algo uses (Ubuntu 18.04 or 20.04), and
 2. a minimum of certain kernel modules required for the strongSwan IPsec server.
 
 Please see the [Required Kernel Modules](https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules) documentation from strongSwan for a list of the specific required modules and a script to check for them. As a first step, we recommend running their shell script to determine initial compatibility with your new hosting provider.

docs/troubleshooting.md

@@ -283,7 +283,7 @@ TASK [wireguard : Generate public keys] ****************************************
 
 fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: configs/xxx.xxx.xxx.xxx/wireguard//private/dan"}
 ```
-This error is usually hit when using the local install option on a server that isn't Ubuntu 18.04. You should upgrade your server to Ubuntu 18.04. If this doesn't work, try removing `*.lock` files at /etc/wireguard/ as follows:
+This error is usually hit when using the local install option on a server that isn't Ubuntu 18.04 or later. You should upgrade your server to Ubuntu 18.04 or later. If this doesn't work, try removing `*.lock` files at /etc/wireguard/ as follows:
 
 ```ssh
 sudo rm -rf /etc/wireguard/*.lock

input.yml

@@ -21,7 +21,7 @@
       - { name: Scaleway, alias: scaleway}
       - { name: OpenStack (DreamCompute optimised), alias: openstack }
       - { name: CloudStack (Exoscale optimised), alias: cloudstack }
-      - { name: "Install to existing Ubuntu 18.04 or 19.10 server (for more advanced users)", alias: local }
+      - { name: "Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)", alias: local }
   vars_files:
     - config.cfg
 

roles/cloud-azure/files/deployment.json

@@ -11,9 +11,18 @@
     "vmSize": {
       "type": "string"
     },
+    "imageReferencePublisher": {
+      "type": "string"
+    },
+    "imageReferenceOffer": {
+      "type": "string"
+    },
     "imageReferenceSku": {
       "type": "string"
     },
+    "imageReferenceVersion": {
+      "type": "string"
+    },
     "SshPort": {
       "type": "int"
     },
@@ -182,10 +191,10 @@
         },
         "storageProfile": {
           "imageReference": {
-            "publisher": "Canonical",
-            "offer": "UbuntuServer",
+            "publisher": "[parameters('imageReferencePublisher')]",
+            "offer": "[parameters('imageReferenceOffer')]",
             "sku": "[parameters('imageReferenceSku')]",
-            "version": "latest"
+            "version": "[parameters('imageReferenceVersion')]"
           },
           "osDisk": {
             "createOption": "FromImage"

roles/cloud-azure/tasks/main.yml

@@ -29,8 +29,14 @@
         value: "{{ wireguard_port }}"
       vmSize:
         value: "{{ cloud_providers.azure.size }}"
+      imageReferencePublisher:
+        value: "{{ cloud_providers.azure.image.publisher }}"
+      imageReferenceOffer:
+        value: "{{ cloud_providers.azure.image.offer }}"
       imageReferenceSku:
-        value: "{{ cloud_providers.azure.image }}"
+        value: "{{ cloud_providers.azure.image.sku }}"
+      imageReferenceVersion:
+        value: "{{ cloud_providers.azure.image.version }}"
       SshPort:
         value: "{{ ssh_port }}"
       UserData:

roles/strongswan/defaults/main.yml

@@ -3,7 +3,7 @@ ipsec_config_path: "configs/{{ IP_subject_alt_name }}/ipsec/"
 ipsec_pki_path: "{{ ipsec_config_path }}/.pki/"
 strongswan_shell: /usr/sbin/nologin
 strongswan_home: /var/lib/strongswan
-strongswan_service: "{{ 'strongswan-starter' if ansible_distribution_major_version|int > 19 else 'strongswan' }}"
+strongswan_service: "{{ 'strongswan-starter' if ansible_facts['distribution_version'] is version('20.04', '>=') else 'strongswan' }}"
 BetweenClients_DROP: true
 algo_ondemand_cellular: false
 algo_ondemand_wifi: false

roles/wireguard/tasks/ubuntu.yml

@@ -1,12 +1,22 @@
 ---
-- name: WireGuard repository configured
-  apt_repository:
-    repo: ppa:wireguard/wireguard
-    state: present
-  register: result
-  until: result is succeeded
-  retries: 10
-  delay: 3
+- block:
+  - name: WireGuard repository configured
+    apt_repository:
+      repo: ppa:wireguard/wireguard
+      state: present
+    register: result
+    until: result is succeeded
+    retries: 10
+    delay: 3
+
+  - name: Configure unattended-upgrades
+    copy:
+      src: 50-wireguard-unattended-upgrades
+      dest: /etc/apt/apt.conf.d/50-wireguard-unattended-upgrades
+      owner: root
+      group: root
+      mode: 0644
+  when: ansible_facts['distribution_version'] is version('20.04', '<')
 
 - name: WireGuard installed
   apt:
@@ -19,14 +29,6 @@
     dest: /etc/wireguard/.reload-module-on-update
     state: touch
 
-- name: Configure unattended-upgrades
-  copy:
-    src: 50-wireguard-unattended-upgrades
-    dest: /etc/apt/apt.conf.d/50-wireguard-unattended-upgrades
-    owner: root
-    group: root
-    mode: 0644
-
 - name: Set OS specific facts
   set_fact:
     service_name: "wg-quick@{{ wireguard_interface }}"

tests/pre-deploy.sh

@@ -25,6 +25,10 @@ lxc profile set default security.privileged true
 lxc profile show default
 lxc launch ubuntu:${UBUNTU_VERSION} algo
 
+if [[ ${UBUNTU_VERSION} == "20.04" ]]; then
+  lxc exec algo -- apt remove snapd --purge -y || true
+fi
+
 ip addr
 
 until dig A +short algo.lxd @10.0.8.1 | grep -vE '^$' > /dev/null; do