Hold securedrop-grsec package in staging
Ensures that the "securedrop-grsec" package built locally for staging
takes precedence, so that the version served from the
apt-test.freedom.press repository doesn't win out.
Conor Schaefer committed Feb 23, 2021
1 parent 00568de commit c2a46a3
Showing 4 changed files with 8 additions and 4 deletions.
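--- a/install_files/ansible-base/group_vars/all/securedrop
+++ b/install_files/ansible-base/group_vars/all/securedrop
@@ -45,3 +45,6 @@ securedrop_pkg_grsec_xenial:
 securedrop_pkg_grsec_focal:
 ver: "5.4.97"
 depends: "linux-image-5.4.97-grsec-securedrop,intel-microcode"
+
+# Mostly useful for local package installation
+grsec_version: "{{ securedrop_pkg_grsec_xenial.ver if ansible_distribution_release == 'xenial' else securedrop_pkg_grsec_focal.ver }}"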
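Review bot: The `else` arm of the new `grsec_version` expression resolves to `securedrop_pkg_grsec_focal.ver` for every release that is not xenial, so a host reporting an unexpected `ansible_distribution_release` would silently get the focal kernel version instead of failing. Because the file sits under `group_vars/all`, the variable is also defined for every host rather than only for staging, which the comment "Mostly useful for local package installation" does not make clear. I would expand the comment to something like `# Version used to name the locally built securedrop-grsec .deb; any non-xenial release falls through to the focal value`.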
@@ -9,6 +9,7 @@ local_deb_packages:
- "securedrop-keyring-0.1.4+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
- "securedrop-config-0.1.4+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
- "securedrop-ossec-agent-3.6.0+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
- securedrop-grsec-{{ grsec_version }}+{{ securedrop_target_distribution }}-amd64.deb
- "{{ securedrop_app_code_deb }}.deb"
- "ossec-agent-3.6.0+{{ securedrop_target_distribution }}-amd64.deb"
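Review bot: The added `securedrop-grsec-…` item is an unquoted plain scalar while the three entries above it in `local_deb_packages` are double-quoted. It parses correctly today because the value does not begin with `{{`, but quoting keeps the list uniform and avoids a parse surprise if the prefix is ever templated: `- "securedrop-grsec-{{ grsec_version }}+{{ securedrop_target_distribution }}-amd64.deb"`. The identical line added to the second `local_deb_packages` list further down has the same issue. The list itself starts outside this hunk.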

@@ -9,6 +9,7 @@ local_deb_packages:
- "securedrop-keyring-0.1.4+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
- "securedrop-config-0.1.4+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
- "securedrop-ossec-server-3.6.0+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
- securedrop-grsec-{{ grsec_version }}+{{ securedrop_target_distribution }}-amd64.deb
- ossec-server-3.6.0+{{ securedrop_target_distribution }}-amd64.deb

# Configure the tor onion services. The Monitor server has only one,
@@ -1,12 +1,11 @@
---
- name: Get the grsec version of the current scenario
set_fact:
grsec_version: "{% if ansible_distribution_release == 'xenial' %}{{ securedrop_pkg_grsec_xenial.ver }}{% else %}{{ securedrop_pkg_grsec_focal.ver }}{% endif %}"

- name: Copy locally built securedrop-grsec metapackage
copy:
src: "../../build/{{ securedrop_target_distribution }}/securedrop-grsec-{{ grsec_version }}+{{ securedrop_target_distribution }}-amd64.deb"
dest: /root/securedrop-grsec.deb

- name: Install locally built securedrop-grsec metapackage
command: apt-get install -y -f /root/securedrop-grsec.deb

- name: Mark package as held, so it doesn't update to apt-test version
command: apt-mark hold securedrop-grsec
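Review bot: The hold step runs `apt-mark hold` through `command`, which reports "changed" on every run and leaves the hold state outside Ansible's view; the `dpkg_selections` module expresses the same thing idempotently: `dpkg_selections:` with `name: securedrop-grsec` and `selection: hold`. The hold is applied only after the install task, so it guards against later upgrades from the apt-test repository but does nothing if the repository version was already installed earlier in the run — presumably the local install overrides that, but the ordering is worth confirming. The +/- markers are lost in this rendering, so which of these tasks are new is inferred from the commit title.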
