Stores Trusty & Xenial deb packages side by side #4080
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
emkll
force-pushed
the
3961-separate-subdir-per-distro-for-deb-pkg-builds
branch
from
4e7ae79 to
5c488d6
Compare
|
Clean install on Trusty looks good with current apt setup: Clean install on xenial looks good: |
Renames the "builder" scenario to "builder-trusty", and adds a "builder-xenial" scenario. Creates env var consumption for determining platform build. Adds tests for the "postinst" scripts, to ensure they're landing inside the deb package. (During rapid development, they were initially missed.) Also updates the target deb filepath for securedrop-app-code, since the new build logic slightly changes the parent directory name.
Mirror trusty strategy to not test debs in staging
The top-level `debian/` dir is used for source packages, and via `debian/rules` will generated `DEBIAN/` dirs for binary packages. Declaring the deb package compatibility of "5" here, which is the lowest compatibility version supported by debhelper. We were previously using inferred compat of "1", given that it was undefined. Moves changelog for securedrop-app-code The `dpkg-buildpackage` logic assumes that the package changelog exists at a specific location. The filepath doesn't appear to be overrideable via a CLI flag, so moving it. Requires corresponding update in the update_version logic.
Updates the Ansible-based build logic to use `dpkg-buildpackage`, so that we can use substvars for Depends, to provide different values for Trusty/Xenial dependencies. As such, removes the "sed" implementation to substitute the depends in-line, which was always a short-term solution anyway. The fetch logic was updated to find the deb in a different location. Include `debhelper` in the Dockerfiles used for building. `sudo` also required, simply because the Ansible logic uses it to run builds, and it wasn't in the Xenial image by default. Adding to both for clarity, since it's genuinely a dependency for both. Installs python-requests for OSSEC URL fetching The dependency has long been present, but in the Trusty container image used for building debs, `python-requests` was already installed. That's not true in the Xenial image, so we'll add it in the build role logic where it belongs.
Now using the source package layout. The DEBIAN/ dir will be automatically generated for each distro at build time.
Since version strings and deb filenames are generated via changelog strings provided by `dch` in update_version.sh, let's handle the split these changelogs and ensure each case is handled in update_version.sh This will ensure we can handle trusty or xenial-specific changes in the changelog The Xenial changelog only includes versions starting from 0.12.0, since versions prior to that did not support Xenial.
Trusty debs with now be under build/trusy, xenial debs under build/xenial Updates the test logic a bit, as well. Update securedrop-app-code deb filename for split build logic Deb file names are relevant to only staging logic, updated the staging logic to override vars for securedrop_app_code_deb
The dpkg-buildpackage logic creates a slightly different parent directory for the debs; the test vars must be updated accordingly to find the package. Additionally, the Jinja conditional logic determining Trusty/Xenial inside the app deb build logic was always returning True, meaning it always named the file "+xenial", which isn't what we want.
Use upstream images that contain a fix to the apt vulnerability, CVE-2019-3462, which was recently patched in develop (before the Xenial builder image existed). The `tzdata` dependency is required for building OSSEC packages. Not storing `python-requests` in the image file, but rather pulling in via Ansible logic, because including it generated a pyssl error. We already declare the dependency in declared in the OSSEC Ansible logic for building, so it's not strictly necessary in the container image, but it would be nice to speed up builds somewhat.
Ossec's install.sh returns 0 if the process fails, and resulting deb package do not contain compiled binaries. Let's test to ensure all expected binaries are in the deb file.
When developer systems are under heavy load, the multi-container build scenarios can fail, due to Ansible failing to gather facts from each container within 10s (the default timeout for gathering facts). Rather than edit ansible.cfg, which would affect prod SD servers, let's override the timeout exclusively for the build scenarios, via env var.
Touches up the package build logic with explicit mention of the Xenial targets. Also removes several of the known problems with Xenial, given that we've addressed them as part of recent sprints. Leaving in the config test verification mention, since we have a separate ticket tracking that (3964). Have not made mention of prod envs for Xenial, since we have more work to do on that front yet.
Tor 0.3.5.x series now supports authenticated v3 hidden services. Since *stealth* hidden services are not supported in v3, the current torrc configuration returns an error under 0.3.5.x series. Tor no longer serves 0.3.4.x series debs, so we should migrate to the 0.3.5.x series soon.
Now properly supports both Trusty & Xenial, based on the platform being configured. This allows the same Ansible logic to be applied to either platform, and it'll do the right thing. Includes configuration test updates, to remove hardcoding of "trusty" throughout, and instead substitute the result of `lsb_release -sc` via testinfra's system_info module.
conorsch
force-pushed
the
3961-separate-subdir-per-distro-for-deb-pkg-builds
branch
from
b6fd4af to
c1c0d5f
Compare
As part of the 0.12.0 release, we're consolidating the separate tor-apt repo into part of the main apt.freedom.press repository. As such, we must clean up references to the old tor-apt repository on disk. Accordingly, increments the version of the `securedrop-config` package. Includes updates to relevant Ansible logic, for backwards compatibility, as well as config tests, which aim to ensure that the old tor-specific apt repos are not configured anywhere on the system.
conorsch
force-pushed
the
3961-separate-subdir-per-distro-for-deb-pkg-builds
branch
from
c1c0d5f to
680dd37
Compare
|
Ready for review! Looking for input from @kushaldas in particular. See the test plan above. Given the large amount of testing (staging & prod under both Trusty & Xenial), consider breaking up the testing work with e.g. @zenmonkeykstop. Perhaps @kushaldas can take the staging environments, and @zenmonkeykstop the prod. |
The Molecule scenarios were still forcing trusty repos on xenial hosts, due to a hardcoded override. Now that we've added full Xenial support, we can remove the override. Caught this in the config tests.
kushaldas
suggested changes
Jan 31, 2019
There was a problem hiding this comment.
Staging environment
-
make build-debs && make stagingpasses without error -
All infra tests pass
molecule verify -s {libvirt,virtualbox}-staging -
make build-debs-xenial && make staging-xenialpasses without error -
All infra tests pass
molecule verify -s {libvirt,virtualbox}-staging-xenialfails with the following errors
=================================== FAILURES ===================================
__________ test_pax_flags[ansible://app-staging-/usr/sbin/grub-probe] __________
[gw1] linux2 -- Python 2.7.13 /home/kdas/code/sd/bin/python2
[XPASS(strict)] PaX flags unset at install time, see issue #3916
_______ test_pax_flags[ansible://app-staging-/usr/sbin/grub-mkdevicemap] _______
[gw1] linux2 -- Python 2.7.13 /home/kdas/code/sd/bin/python2
[XPASS(strict)] PaX flags unset at install time, see issue #3916
_______ test_pax_flags[ansible://app-staging-/usr/bin/grub-script-check] _______
[gw1] linux2 -- Python 2.7.13 /home/kdas/code/sd/bin/python2
[XPASS(strict)] PaX flags unset at install time, see issue #3916
__________ test_pax_flags[ansible://mon-staging-/usr/sbin/grub-probe] __________
[gw0] linux2 -- Python 2.7.13 /home/kdas/code/sd/bin/python2
[XPASS(strict)] PaX flags unset at install time, see issue #3916
_______ test_pax_flags[ansible://mon-staging-/usr/sbin/grub-mkdevicemap] _______
[gw1] linux2 -- Python 2.7.13 /home/kdas/code/sd/bin/python2
[XPASS(strict)] PaX flags unset at install time, see issue #3916
_______ test_pax_flags[ansible://mon-staging-/usr/bin/grub-script-check] _______
[gw0] linux2 -- Python 2.7.13 /home/kdas/code/sd/bin/python2
[XPASS(strict)] PaX flags unset at install time, see issue #3916
=== 6 failed, 447 passed, 13 skipped, 2 xfailed, 2 xpassed in 211.42 seconds ===
8 tasks
9 tasks
zenmonkeykstop
requested changes
Jan 31, 2019
There was a problem hiding this comment.
- Clean installation (prod vms) on Xenial using apt-test.freedom.press completes without error
- (Basic server testing is successful) - aa-status reports that haveged process is running unconfined
- Clean installation (prod vms) on Trusty using apt-test.freedom.press completes without error
- (Basic server testing is successful)
|
@kushaldas Those failures look an awful lot like #3916 to me—mind posting a comment over there? It may be that the problem doesn't occur on Xenial boxes, in which case we can remove the strict setting on those tests. I suspect the ultimate solution is still to reorder the role includes, otherwise tests passing is dependent on the build time of the box, which certainly isn't what we want. @zenmonkeykstop Thanks for flagging the |
kushaldas
approved these changes
Feb 1, 2019
|
Thanks for re-review, @kushaldas! |
This was referenced Feb 12, 2019
This was referenced Feb 15, 2019
13 tasks
heartsucker
deleted the
3961-separate-subdir-per-distro-for-deb-pkg-builds
branch
eloquence
added a commit
that referenced
this pull request
Jul 31, 2019
This was overlooked in the migration away from tor-apt.freedom.press in #4080. It's harmless but unnecessary and potentially confusing.
lev-csouffrant
pushed a commit
to lev-csouffrant/securedrop
that referenced
this pull request
Aug 25, 2019
This was overlooked in the migration away from tor-apt.freedom.press in freedomofpress#4080. It's harmless but unnecessary and potentially confusing.
kushaldas
pushed a commit
that referenced
this pull request
Sep 25, 2019
This was overlooked in the migration away from tor-apt.freedom.press in #4080. It's harmless but unnecessary and potentially confusing.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Status
Work in progress.
Description of Changes
Fixes #3961. Fixes #4051.
Changes proposed in this pull request:
securedrop-app-codepackage for discrete dependencies under Trusty & Xenialbuild/trusty/andbuild/xenial/.Testing
Given the magnitude of changes here, we must confirm that both staging and prod environments are fully functioning, on both Trusty and Xenial.
Staging environment
make build-debs && make stagingpasses without errormolecule verify -s {libvirt,virtualbox}-stagingmake build-debs-xenial && make staging-xenialpasses without errormolecule verify -s {libvirt,virtualbox}-staging-xenial** Note that due to #3916 some PaX-related tests might fail, and there should be a note referring to that issue in the output.
Production environment
If testing xenial, you must change the base box in the
Vagrantfile: replacebento/ubuntu-14.04withbento/ubuntu-16.04forapp-prodandmon-prodIn Tails, update the vars to use the
apt-testserver. Specifically, that entails:install_files/ansible-base/roles/install-fpf-repo/defaults/main.yml, setapt_repo_url: https://apt-test.freedom.presscp install_files/ansible-base/roles/install-fpf-repo/files/{apt-test-signing-key,fpf-signing-key}.pubThen, proceed with testing. Confirm the following in your report:
apt-test.freedom.presscompletes without error (Basic server testing is successful)apt-test.freedom.presscompletes without error (Basic server testing is successful)Deployment
At present, the "xenial" apt channel is only served up from non-prod URLs. We'll update the prod config to do the same as part of the 0.12.0 release.
Developers can now retain platform-specific deb packages built from the develop branch for faster iteration on testing the Xenial migration.
Visual review
Checklist
If you made changes to
securedrop-admin:make -C admin test) pass in the admin development containerIf you made changes to the system configuration:
If you made non-trivial code changes:
If you made changes to documentation:
make docs-lint) passed locally