Bundle mod_wsgi in securedrop-app-code package #4518
Conversation
rmol
requested review from
conorsch,
emkll,
heartsucker,
kushaldas,
msheiny,
redshiftzero and
zenmonkeykstop
as code owners
build/.gitignore
Outdated
| *.deb | ||
| trusty/*.deb | ||
| xenial/*.deb | ||
| *.tar.gz |
There was a problem hiding this comment.
You're right that the .gitignore file is redundant, but it also serves as a placeholder for the build/ pardir—replace with .empty to ensure that build/ exists, otherwise package builds will fail.
There was a problem hiding this comment.
That was ... an accident after cleaning build manually. But good point, I'll create .empty.
There was a problem hiding this comment.
The .gitignore wasn't completely redundant, so I just restored it.
| @@ -142,6 +142,9 @@ case "$1" in | |||
| # the ability to send signals to unconfined peers. | |||
| service apache2 stop | |||
|
|
|||
| # Point Apache to our bundled mod_wsgi | |||
| mod_wsgi-express module-config > /etc/apache2/mods-available/wsgi.load | |||
There was a problem hiding this comment.
Add a config test to assert the contents of /etc/apache2/mods-available/wsgi.load, so we have explicitly defined expectations about the module path.
rmol
force-pushed
the
4292-pip-mod-wsgi
branch
2 times, most recently
from
3588407 to
046d00a
Compare
|
@conorsch @kushaldas Minimally invasive version ready for (re)consideration. It just uses Python 3 when building |
To move to Python 3, we need to remove the dependency on Ubuntu's libapache2-mod-wsgi package. Since the libapache2-mod-wsgi-py3 package is in the universe section, this change bundles mod_wsgi in our securedrop-app-code package. For now, we have to simply drop libapache2-mod-wsgi as a dependency of securedrop-app-code. Actually uninstalling it disables the Apache module, breaking the Apache configuration. So we're leaving it installed and modifying /etc/apache2/mods-available/wsgi.load to point to our bundled mod_wsgi. This should be safe even if libapache2-mod-wsgi is updated, as we're specifying --force-confdef and --force-confold for cron-apt upgrades. At some point when we establish more control over the state of /etc/ on SecureDrop servers and can ensure our bundled module stays configured, we'll be able to remove the libapache2-mod-wsgi package. While testing these changes in prod VMC, I ran into difficulties with direct SSH, so I tweaked the Vagrantfile to support that better. To run a mix of Python 2 and 3, we need to omit backport requirements when running under 3, so I've added environment markers to enum34 and ipaddress. Also, --generate-hashes for develop and test requirements too.
There was a problem hiding this comment.
The changes look good. But, I encountered the following while installing the deb package:
Collecting jsmin==2.2.2 (from -r /var/www/securedrop/requirements/securedrop-app-code-requirements-packaged.txt (line 17))
Requirement already up-to-date: Magic-file-extensions==0.2 in /usr/lib/python3/dist-packages (from -r /var/www/securedrop/requirements/securedrop-app-code-requirements-packaged.txt (line 18))
Collecting Mako==1.0.7 (from -r /var/www/securedrop/requirements/securedrop-app-code-requirements-packaged.txt (line 19))
Collecting MarkupSafe==1.0 (from -r /var/www/securedrop/requirements/securedrop-app-code-requirements-packaged.txt (line 20))
Collecting mod-wsgi==4.6.6 (from -r /var/www/securedrop/requirements/securedrop-app-code-requirements-packaged.txt (line 21))
Collecting passlib==1.7.1 (from -r /var/www/securedrop/requirements/securedrop-app-code-requirements-packaged.txt (line 22))
Collecting pretty-bad-protocol==3.1.1 (from -r /var/www/securedrop/requirements/securedrop-app-code-requirements-packaged.txt (line 23))
Collecting psutil==5.4.3 (from -r /var/www/securedrop/requirements/securedrop-app-code-requirements-packaged.txt (line 24))
Collecting pycparser==2.18 (from -r /var/www/securedrop/requirements/securedrop-app-code-requirements-packaged.txt (line 25))
Collecting pyotp==2.2.6 (from -r /var/www/securedrop/requirements/securedrop-app-code-requirements-packaged.txt (line 26))
Collecting python-apt==1.1.0b1+ubuntu0.16.4.4 (from -r /var/www/securedrop/requirements/securedrop-app-code-requirements-packaged.txt (line 27))
Could not find a version that satisfies the requirement python-apt==1.1.0b1+ubuntu0.16.4.4 (from -r /var/www/securedrop/requirements/securedrop-app-code-requirements-packaged.txt (line 27)) (from versions: )
No matching distribution found for python-apt==1.1.0b1+ubuntu0.16.4.4 (from -r /var/www/securedrop/requirements/securedrop-app-code-requirements-packaged.txt (line 27))
dpkg: error processing package securedrop-app-code (--install):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
securedrop-app-code
There was a problem hiding this comment.
A few in-line comments. Also suggesting changes to the test plan:
- remove instructions to instantiate a py3 dev env
- recommend use of staging vms for clean install eval
- recommend use of upgrade scenario for upgrade behavior
We can have multiple reviewers pile on to test the various logic branches, if you agree, @rmol.
Makefile
Outdated
| admin/requirements-ansible.in \ | ||
| securedrop/requirements/develop-requirements.in | ||
| pip-compile --output-file securedrop/requirements/test-requirements.txt \ | ||
| pip-compile --generate-hashes --output-file securedrop/requirements/test-requirements.txt \ | ||
| securedrop/requirements/test-requirements.in | ||
| pip-compile --generate-hashes --output-file securedrop/requirements/securedrop-app-code-requirements.txt \ | ||
| securedrop/requirements/securedrop-app-code-requirements.in |
There was a problem hiding this comment.
When generating the reqs files for the Application Server, both test and prod reqs, we must take care to use a Python3 virtualenv, otherwise we'll wind up with Py2 deps from the dev env's pip-compile. Consider wrapping just the app code calls to pip-compile in a container; see example here https://github.com/freedomofpress/securedrop.org/blob/d9388f62220e45f5fdd6d50ec2652680cb48805c/Makefile#L43-L51 . (Likely these changes were previously present in the diff, and dropped after discussion of punting on the dev env migration.)
There was a problem hiding this comment.
Done. Slightly differently than your example, as I just used our dev shell with Python 3.
| - python3-dev | ||
| - python3-pip | ||
| - python3-wheel | ||
| state: present |
There was a problem hiding this comment.
These py3 dependencies are in addition to the py2 dependencies declared in molecule/builder-xenial/Dockerfile. We should instead modify the dependencies in the Dockerfile for the build, push a new image, and store the hash as part of this PR. Happy to append to this PR if you agree. Storing the dependencies in the container image definition will help keep local builds snappy, leveraging the cached layers.
There was a problem hiding this comment.
I've left this in for now, but as soon as we can get the image updated I'll remove this step.
| @@ -6,5 +6,5 @@ Homepage: https://securedrop.org | |||
|
|
|||
| Package: securedrop-app-code | |||
| Architecture: amd64 | |||
| Depends: python-pip,apparmor-utils,gnupg2,haveged,python,secure-delete,sqlite3,${dist:Depends},libapache2-mod-wsgi,libapache2-mod-xsendfile,redis-server,supervisor,securedrop-keyring,securedrop-config,libpython2.7-dev | |||
| Depends: python3-pip,apparmor-utils,gnupg2,haveged,python3,secure-delete,sqlite3,${dist:Depends},libapache2-mod-xsendfile,redis-server,supervisor,securedrop-keyring,securedrop-config,devscripts | |||
There was a problem hiding this comment.
In order to avoid upstream updates to libapache2-mod-wsgi breaking our customizations to the /etc/apache2/mods-available/wsgi.load, we should pin the current-latest version of libapache2-mod-wsgi in the dependencies. This is a temporary measure—we still intend to remove that package later.
There was a problem hiding this comment.
Pinned. I think I got the version specification correct, as securedrop-app-code is happily installing, but please double check.
Pin libapache2-mod-wsgi so an update can't stop the use of our bundled mod_wsgi. Remove Python 2 backports from securedrop-app-code requirements, and run update-pip-requirements with the securedrop-app-code requirements being updated with Python 3 in a container. When building the securedrop-app-code package: - Stop upgrading pip. - Capture the pip requirements without hashes by transforming the input requirements file instead of running pip freeze, which was pulling in extra dependencies that weren't listed in the Debian control file for securedrop-app-code, so could break its installation. - Remove the parsing of "pip3 wheel" output to determine success; it could mask errors that didn't produce the expected message.
|
@conorsch Test plan updated; please review, and thanks for the help. |
|
@kushaldas This latest round of fixes included a change to how we collect the unhashed requirements when building the |
|
@rmol Test plan still appears out of date to me. Suggestions: TestingClean install
Upgrade behaviorThe "upgrade" scenario requires use of libvirt for VM driver.
Ideally we should modify The test plan should not include use of a py3 virtualenv, based on visual review of the diff. Right now, I'm seeing CI errors that may be related to CI running on your fork, rather than in the main repo. Building the debs locally, I see test errors that aren't the apt up-to-date test, relating to Although it's not been discussed as in the scope of #4292 to date, even once we get this PR merged, we'll still have the supervisord process running via Will take another pass through this with functional testing tomorrow. |
|
@conorsch I don't know what happened to my edit. I think I was still previewing, went to do something else, came back, it looked good, and I never hit the update button. 🙄 Anyway, it looked much like yours except I didn't realize Turns out trying cron-apt was a great suggestion, because we can't upgrade @emkll had the (reluctant) idea of adding a cron-apt action to explicitly install We're hoping you're horrified enough to think of something better. I've pushed a couple of commits for review; with any luck we can rebase-erase them. 🙂 |
| @@ -6,5 +6,5 @@ Homepage: https://securedrop.org | |||
|
|
|||
| Package: securedrop-app-code | |||
| Architecture: amd64 | |||
| Depends: python-pip,apparmor-utils,gnupg2,haveged,python,secure-delete,sqlite3,${dist:Depends},libapache2-mod-wsgi,libapache2-mod-xsendfile,redis-server,supervisor,securedrop-keyring,securedrop-config,libpython2.7-dev | |||
| Depends: ${dist:Depends}, apparmor-utils, gnupg2, haveged, libapache2-mod-xsendfile, libapache2-mod-wsgi (= 4.3.0-1.1build1), python3, python3-pip, redis-server, secure-delete, securedrop-config, securedrop-keyring, sqlite3, supervisor | |||
There was a problem hiding this comment.
so if we deployed this change using #4355 then we wouldn't need to install python3-pip (problematic as it's from the universe channel) right? we wouldn't need to pip install the wheels because we'd ship a virtualenv cc @kushaldas @rmol @conorsch
There was a problem hiding this comment.
I've only read the dh-virtualenv docs but yes, it looks like that would be a better way to get this done.
There was a problem hiding this comment.
Once we switch to dh-virtualenv, will this change still require any other package dependency updates that conflict with the current cron-apt update logic (#3376)?
|
Per discussions on Friday and today, this change won't land in 0.14.0, in significant part due to the problems updating dependencies not in During the current sprint, we'll want to continue to explore how this change could be implemented using |
|
Closing in favor of #4622. |
Status
Ready for review
Description of Changes
To move to Python 3, we need to remove the dependency on Ubuntu's
libapache2-mod-wsgi package. Since the libapache2-mod-wsgi-py3 package
is in the universe section, this change bundles mod_wsgi in our
securedrop-app-code package.
For now, we have to simply drop libapache2-mod-wsgi as a dependency of
securedrop-app-code. Actually uninstalling it disables the Apache
module, breaking the Apache configuration. So we're leaving it
installed and modifying /etc/apache2/mods-available/wsgi.load to point
to our bundled mod_wsgi. This should be safe even if
libapache2-mod-wsgi is updated, as we're specifying --force-confdef
and --force-confold for cron-apt upgrades.
At some point when we establish more control over the state of /etc/
on SecureDrop servers and can ensure our bundled module stays
configured, we'll be able to remove the libapache2-mod-wsgi package.
While testing these changes in prod VMC, I ran into difficulties with
direct SSH, so I tweaked the Vagrantfile to support that better.
Fixes #4292.
Testing
[ ] Check out this branch.
[ ] Run
make build-debsand confirm only the apt up-to-date test fails.Clean install
[ ] Run
make stagingand confirm no errors during installation.[ ] Browse to the Source Interface and confirm that the footer says
Powered by SecureDrop 0.14.0~rc1.[ ] Proceed with functional interactive testing of the Source/Journalist interfaces.
Upgrade behavior
The "upgrade" scenario requires use of libvirt for VM driver.
[ ] Run
make upgrade-startto provision local apt VMs.[ ] Visit the source interface (the onion address is at the end of
make upgrade-startoutput) and confirm that the footer saysPowered by SecureDrop 0.13.0(we haven't upgraded yet).[ ] Run
make upgrade-test-local.[ ] Browse to the Source Interface and confirm that the footer says
Powered by SecureDrop 0.14.0~rc1.[ ] Proceed with functional interactive testing of the Source/Journalist Interfaces.
Deployment
Switching to Python 3 is kind of a big deal.
Checklist
If you made changes to the system configuration:
If you made non-trivial code changes: