Control locale during Ansible runs #4252

Merged
merged 3 commits into from
Mar 14, 2019
2 changes: 2 additions & 0 deletions install_files/ansible-base/securedrop-backup.yml
Expand Up @@ -3,6 +3,8 @@
hosts: securedrop_application_server
max_fail_percentage: 0
any_errors_fatal: yes
environment:
LC_ALL: C
roles:
- role: backup
tags: backup
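Review bot: Style point on where `environment:` sits in this play: here it follows `any_errors_fatal`, while the plays in securedrop-prod.yml and securedrop-staging.yml put it directly after `hosts:`. Ansible does not care about key order, but using one position in every playbook makes a missing block easier to spot by eye and keeps later diffs uniform.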
2 changes: 2 additions & 0 deletions install_files/ansible-base/securedrop-logs.yml
Expand Up @@ -4,6 +4,8 @@
become: yes
max_fail_percentage: 0
any_errors_fatal: yes
environment:
LC_ALL: C
vars:
log_paths_reference:
app:
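Review bot: Missing documentation at the new `environment:` block: nothing in the playbook says why the locale is pinned. The discussion on this PR notes that this playbook's use of `register` is how the error was first encountered, so a one-line YAML comment above `LC_ALL: C` saying so would keep a later cleanup from removing the block as redundant.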
16 changes: 16 additions & 0 deletions install_files/ansible-base/securedrop-prod.yml
Expand Up @@ -2,6 +2,8 @@
---
Contributor

Would it make sense to also apply these changes to securedrop-staging.yml?

Contributor Author

Sure.

Contributor

Summarizing out of band discussion, we should also add the locale blocks to the other "prod" SD playbooks, such as -logs and -backup. Technically only -logs uses register, which is how we first encountered the error we're aiming to resolve here, but adding coverage to the other playbooks will also let us broaden the config test and reuse the existing "check all prod SD playbooks" logic.

I'll tack on a commit to implement this before final review.

- name: Ensure validation is run before prod install
hosts: localhost
environment:
LC_ALL: C
Contributor

What do you think about validating that this variable is set (via assert or otherwise) at the start of each play?

Contributor

Rather than an assert statement, we can add a config test (to be run in CI) that confirms the environment is set as expected on every play. See here for an example: https://github.com/freedomofpress/securedrop/blob/10a2eeedc3c22fd39e6a7eda4ca8f4bca1ca6024/molecule/ansible-config/tests/test_max_fail_percentage.py

Contributor

@rmol has already added the corresponding config test here, which will help guard against regressions in the future: if new plays are added without the explicit locale declaration, CI will report an error.

max_fail_percentage: 0
any_errors_fatal: yes
connection: local
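Review bot: The scope of `environment:` on this `hosts: localhost` play with `connection: local` is narrower than the PR title suggests: Ansible hands these variables to the modules a task executes, not to the `ansible-playbook` process itself or to lookup plugins evaluated on the controller. If any validation step depends on the controller-side locale, `LC_ALL` also has to be exported by whatever launches the playbook; otherwise a short comment stating that the setting targets module output only would prevent that assumption.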
Expand All @@ -10,6 +12,8 @@

- name: Prepare servers for installation
hosts: securedrop
environment:
LC_ALL: C
gather_facts: no
max_fail_percentage: 0
any_errors_fatal: yes
Expand All @@ -19,6 +23,8 @@

- name: Add FPF apt repository and install base packages.
hosts: securedrop
environment:
LC_ALL: C
max_fail_percentage: 0
any_errors_fatal: yes
pre_tasks:
Expand Down Expand Up @@ -49,6 +55,8 @@

- name: Configure OSSEC.
hosts: securedrop
environment:
LC_ALL: C
max_fail_percentage: 0
any_errors_fatal: yes
roles:
Expand All @@ -58,6 +66,8 @@

- name: Configure mailing utilities.
hosts: securedrop_monitor_server
environment:
LC_ALL: C
max_fail_percentage: 0
any_errors_fatal: yes
roles:
Expand All @@ -67,6 +77,8 @@

- name: Configure SecureDrop Application Server.
hosts: securedrop_application_server
environment:
LC_ALL: C
max_fail_percentage: 0
any_errors_fatal: yes
roles:
Expand All @@ -81,6 +93,8 @@
# connection. After that point the admin will to proxy traffic over tor.
- name: Lock down firewall configuration for Application and Monitor Servers.
hosts: securedrop
environment:
LC_ALL: C
max_fail_percentage: 0
any_errors_fatal: yes
roles:
Expand All @@ -89,6 +103,8 @@

- name: Reboot Application and Monitor Servers.
hosts: securedrop
environment:
LC_ALL: C
max_fail_percentage: 0
any_errors_fatal: yes
vars:
2 changes: 2 additions & 0 deletions install_files/ansible-base/securedrop-restore.yml
Expand Up @@ -3,6 +3,8 @@
hosts: securedrop_application_server
max_fail_percentage: 0
any_errors_fatal: yes
environment:
LC_ALL: C
roles:
- role: restore
tags: restore
16 changes: 16 additions & 0 deletions install_files/ansible-base/securedrop-staging.yml
Expand Up @@ -2,6 +2,8 @@
---
- name: Scrape build directory
hosts: localhost
environment:
LC_ALL: C
max_fail_percentage: 0
any_errors_fatal: yes
tasks:
Expand All @@ -23,6 +25,8 @@

- name: Prepare servers for installation
hosts: staging
environment:
LC_ALL: C
gather_facts: no
max_fail_percentage: 0
any_errors_fatal: yes
Expand All @@ -32,6 +36,8 @@

- name: Add FPF apt repository and install base packages.
hosts: staging
environment:
LC_ALL: C
max_fail_percentage: 0
any_errors_fatal: yes
roles:
Expand All @@ -47,6 +53,8 @@

- name: Configure OSSEC.
hosts: staging
environment:
LC_ALL: C
max_fail_percentage: 0
any_errors_fatal: yes
roles:
Expand All @@ -56,6 +64,8 @@

- name: Configure mailing utilities.
hosts: mon-staging
environment:
LC_ALL: C
max_fail_percentage: 0
any_errors_fatal: yes
roles:
Expand All @@ -65,6 +75,8 @@

- name: Configure SecureDrop Application Server.
hosts: app-staging
environment:
LC_ALL: C
max_fail_percentage: 0
any_errors_fatal: yes
roles:
Expand All @@ -77,6 +89,8 @@
# and default false in production environments, in order to force SSH traffic over Tor.
- name: Configure host firewalls (with direct access for staging).
hosts: staging
environment:
LC_ALL: C
max_fail_percentage: 0
any_errors_fatal: yes
roles:
Expand All @@ -85,6 +99,8 @@

- name: Reboot Application and Monitor Servers.
hosts: staging
environment:
LC_ALL: C
max_fail_percentage: 0
any_errors_fatal: yes
roles:
2 changes: 2 additions & 0 deletions install_files/ansible-base/securedrop-tails.yml
Expand Up @@ -8,6 +8,8 @@
any_errors_fatal: yes
connection: local
gather_facts: yes
environment:
LC_ALL: C
roles:
- role: tails-config
tags: tails-config
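Review bot: `LC_ALL: C` on this `connection: local` play selects the POSIX locale, under which tools typically assume ASCII, so any task in the `tails-config` role that reads or writes non-ASCII text could hit encoding errors that would not appear under a UTF-8 locale. Worth confirming that the role handles no such text, or using `C.UTF-8` where the host provides it; the `test_locale` assertion would then need the same value.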
Expand Up @@ -78,3 +78,16 @@ def test_any_errors_fatal(host, playbook):
assert 'any_errors_fatal' in play
# Ansible coerces booleans, so bare assert is sufficient
assert play['any_errors_fatal']


@pytest.mark.parametrize('playbook', find_ansible_playbooks())
def test_locale(host, playbook):
"""
The securedrop-prod and securedrop-staging playbooks should
control the locale in the host environment by setting LC_ALL=C.
"""
with io.open(os.path.join(ANSIBLE_BASE, playbook), 'r') as f:
playbook_yaml = yaml.safe_load(f)
for play in playbook_yaml:
assert 'environment' in play
assert play['environment']['LC_ALL'] == 'C'
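Review bot: The docstring of `test_locale` names only the securedrop-prod and securedrop-staging playbooks, but the test is parametrized over `find_ansible_playbooks()` and the discussion says the block was added to -logs and -backup so this check could cover them; the docstring should describe the set actually checked. Also, `play['environment']['LC_ALL']` raises a KeyError instead of failing the assertion when `environment` exists without `LC_ALL`; comparing `play['environment'].get('LC_ALL')` to `'C'` and putting the playbook and play name in the assert message would make a CI failure point at the offending play.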