diff --git a/.gitignore b/.gitignore
index dc3b0c0138..146c876836 100644
--- a/.gitignore
+++ b/.gitignore
@@ -145,6 +145,9 @@ securedrop/static/.webassets-cache
 # https://github.com/mitchellh/vagrant/issues/6705
 .bundle
+# Vagrant-added ansible-galaxy roles
+.galaxy_roles
+
 # ignore ansible retry files
 *.retry
diff --git a/Vagrantfile b/Vagrantfile
index f9b5891db9..43dd9ac64e 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -71,7 +71,11 @@ Vagrant.configure("2") do |config|
 config.ssh.port = 22
 end
 prod.vm.hostname = "mon-prod"
- prod.vm.box = "bento/ubuntu-16.04"
+ if ENV['USE_FOCAL']
+ prod.vm.box = "bento/ubuntu-20.04"
+ else
+ prod.vm.box = "bento/ubuntu-16.04"
+ end
 prod.vm.network "private_network", ip: "10.0.1.5", virtualbox__intnet: internal_network_name
 prod.vm.synced_folder './', '/vagrant', disabled: true
 prod.vm.provider "libvirt" do |lv, override|
@@ -86,7 +90,11 @@ Vagrant.configure("2") do |config|
 config.ssh.port = 22
 end
 prod.vm.hostname = "app-prod"
- prod.vm.box = "bento/ubuntu-16.04"
+ if ENV['USE_FOCAL']
+ prod.vm.box = "bento/ubuntu-20.04"
+ else
+ prod.vm.box = "bento/ubuntu-16.04"
+ end
 prod.vm.network "private_network", ip: "10.0.1.4", virtualbox__intnet: internal_network_name
 prod.vm.synced_folder './', '/vagrant', disabled: true
 prod.vm.provider "virtualbox" do |v|
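Review bot: The box selection added around `prod.vm.box` is duplicated verbatim in this hunk (mon-prod) and in the app-prod hunk at -86; hoisting it once, e.g. `prod_box = ENV['USE_FOCAL'] ? "bento/ubuntu-20.04" : "bento/ubuntu-16.04"` near the top of the `Vagrant.configure` block and then `prod.vm.box = prod_box` in both defines, keeps the two VMs from drifting apart. `ENV['USE_FOCAL']` is only tested for presence, so `USE_FOCAL=0` or `USE_FOCAL=false` still selects the 20.04 box; if that is not intended, compare against a value such as `ENV['USE_FOCAL'] == '1'` and document the accepted values in a comment next to it. Both enclosing `config.vm.define` blocks start and end outside the hunks.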
@@ -113,6 +121,32 @@ Vagrant.configure("2") do |config|
 end
 end
+ config.vm.define 'apt-local', autostart: false do |prod|
+ prod.vm.hostname = "apt-local"
+ prod.vm.box = "bento/ubuntu-20.04"
+ prod.vm.network "private_network", ip: "10.0.1.7", virtualbox__intnet: internal_network_name
+ prod.vm.synced_folder './', '/vagrant', disabled: true
+ prod.vm.provider "virtualbox" do |v|
+ v.memory = 1024
+ end
+ prod.vm.provider "libvirt" do |lv, override|
+ lv.memory = 1024
+ lv.video_type = "virtio"
+ end
+ prod.vm.provision "ansible" do |ansible|
+ ansible.playbook = "devops/apt-local.yml"
+ ansible.galaxy_role_file = "molecule/upgrade/requirements.yml"
+ ansible.galaxy_roles_path = ".galaxy_roles"
+ ansible.verbose = 'v'
+ # the production playbook verifies that staging default values are not
+ # used will need to skip the this role to run in Vagrant
+ ansible.raw_arguments = Shellwords.shellsplit(ENV['ANSIBLE_ARGS']) if ENV['ANSIBLE_ARGS']
+ # Taken from the parallel execution tips and tricks
+ # https://docs.vagrantup.com/v2/provisioning/ansible.html
+ ansible.limit = 'all,localhost'
+ end
+ end
+
+ end
diff --git a/devops/apt-local.yml b/devops/apt-local.yml
new file mode 100644
index 0000000000..e15acc8318
--- /dev/null
+++ b/devops/apt-local.yml
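Review bot: The two comment lines above `ansible.raw_arguments` ("the production playbook verifies that staging default values are not used will need to skip the this role") read as a garbled copy from another define and do not describe this line; replace them with `# Extra ansible-playbook flags (e.g. --skip-tags) can be passed via ANSIBLE_ARGS`. The block variable is named `prod` although this VM is the local apt mirror rather than a prod host; `|mirror|` would make the provider and provision lines read correctly. `ansible.galaxy_role_file` makes Vagrant fetch roles from Galaxy at provision time, so `molecule/upgrade/requirements.yml` (not in this diff) should pin role versions — worth confirming. The enclosing `Vagrant.configure` block starts and ends outside the hunk.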
@@ -0,0 +1,48 @@
+---
+- name: Confirm local debs present
+ hosts: localhost
+ gather_facts: no
+ tasks:
+ # Before running apt-server logic, confirm we have local
+ # debs built.
+ - name: Find local deb files
+ find:
+ paths: "../build/focal/"
+ patterns: "*.deb"
+ register: _find_debs_result
+
+ - name: Ensure debs were found
+ assert:
+ that:
+ - "_find_debs_result.files|length >= 8"
+ msg: "No local debs found, run 'make build-debs-focal'"
+
+- name: Configure apt-server
+ hosts: apt-local
+ become: yes
+ tasks:
+ - import_tasks: ../molecule/upgrade/local_apt_mirror.yml
+ - import_tasks: ../molecule/upgrade/local_apt_with_debs.yml
+
+ vars:
+ QA_APTTEST: False
+ rep_dist: "focal"
+ molecule_dir: "../molecule/upgrade"
+ dpkg_dir: /var/repos/debs
+ rep_component: main
+ rep_arch: i386 amd64
+ release_file: "/var/repos/base/dists/{{ rep_dist }}/Release"
+ nginx_sites:
+ default:
+ - listen 80
+ - root "/var/repos/base"
+ - location / { autoindex on; }
+ - location /gpg { alias /var/repos/base/; }
+ encrypted:
+ - listen 443 ssl
+ - server_name apt.freedom.press
+ - ssl_certificate /etc/ssl/certs/apt_freedom_press.pem
+ - ssl_certificate_key /etc/ssl/private/apt_freedom_press.priv
+ - root "/var/repos/base"
+ - location / { autoindex on; }
+
diff --git a/install_files/ansible-base/securedrop-apt-local.yml b/install_files/ansible-base/securedrop-apt-local.yml
new file mode 100644
index 0000000000..28b081d0fa
--- /dev/null
+++ b/install_files/ansible-base/securedrop-apt-local.yml
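Review bot: `paths: "../build/focal/"` in the `Find local deb files` task is resolved by the `find` module relative to the working directory of the `ansible-playbook` process, not relative to the playbook file the way `import_tasks: ../molecule/...` is; if Vagrant starts ansible-playbook from the project root (where the Vagrantfile lives), the search likely lands outside the checkout and the assert fails with a misleading "No local debs found". Anchoring it as `paths: "{{ playbook_dir }}/../build/focal/"` removes the dependence on the caller's cwd. The `>= 8` threshold in the assert is a magic number; a short comment naming which packages make up the expected minimum, or a variable such as `min_expected_debs`, would keep the check maintainable when the package set changes. The `encrypted` site lists `apt.freedom.press` certificate paths that a local mirror VM presumably does not have; if the role only renders the sites it is told to, a one-line comment saying why the block is still carried here would help the next reader.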
@@ -0,0 +1,33 @@
+---
+# Playbook to update SecureDrop VMs to install Focal packages from a local repo
+#
+# Steps to use this playbook:
+#
+# 1. On host machine, build packages with `make build-debs-focal`
+# 2. On host machine, provision local apt repo with `vagrant up apt-local`
+# 3. Switch to Admin Workstation
+# 3. Continue with prod provisioning as far as `./securedrop-admin sdconfig`
+# 5. Run `source admin/.venv3/bin/activate` (so ansible commands work)
+# 6. Run `cd install_files/ansible-base`
+# 7. Run `ansible-playbook -vv --diff securedrop-apt-local.yml`
+# 8. Proceed with `./securedrop-admin install`
+
+- name: Configure prod host to prioritize local packages.
+ environment:
+ LC_ALL: C
+ max_fail_percentage: 0
+ any_errors_fatal: yes
+ hosts: securedrop
+ tasks:
+ - name: Add apt public key for local repo.
+ apt_key:
+ data: "{{ lookup('file', '../../molecule/upgrade/files/apt-test.pub') }}"
+ state: present
+
+ - name: Add local repo
+ apt_repository:
+ repo: deb [arch=amd64] http://10.0.1.7 focal main
+ state: present
+ update_cache: yes
+ become: yes
+
diff --git a/molecule/upgrade/local_apt_with_debs.yml b/molecule/upgrade/local_apt_with_debs.yml
index cdfc6d2d43..64d28d08b0 100644
--- a/molecule/upgrade/local_apt_with_debs.yml
+++ b/molecule/upgrade/local_apt_with_debs.yml
@@ -31,5 +31,5 @@
 changed_when: false
 - name: Sign release file
- command: "gpg -b -u C5D5CD3B6D65484B -o {{ release_file }}.gpg {{ release_file }}"
+ command: "gpg --armor -b -u C5D5CD3B6D65484B -o {{ release_file }}.gpg {{ release_file }}"
 changed_when: false
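Review bot: The `Add apt public key for local repo` task installs the test signing key from `apt-test.pub` into the host's global apt trust store, so after this playbook any repository the host uses is trusted if signed by that key, not only the mirror at 10.0.1.7. Scoping the trust to this one source — write the key to a file with a `copy` task and add `signed-by=<keyring-path>` next to `arch=amd64` in the `repo:` line — keeps the test key from being able to vouch for the official repositories, and the header comment should say that this is a test-only key to be removed once the upgrade exercise is done. The play is titled "prioritize local packages" but nothing pins the mirror: with the same `focal main` suite on both sources apt simply takes the highest version, so the local build only wins when its version number is higher; either add an apt preferences entry pinning origin 10.0.1.7 or rename the play to "Add local repo to prod host". The numbered steps in the header run 3, 3, 5; the second "3." should be "4.".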
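Review bot: With `--armor` the detached signature written to `{{ release_file }}.gpg` is ASCII-armored whereas `Release.gpg` is conventionally a binary detached signature; apt's gpgv-based verification generally accepts armored detached signatures too, but the commit should state which apt version on the focal client it was verified against so the molecule run does not pass while a client rejects the repo. The command is also not idempotent: on a second run gpg finds the existing `.gpg` output and stops unless `--yes` is added, and `changed_when: false` hides that the task rewrites a file on every run. Either add `creates: "{{ release_file }}.gpg"` to the `command` task to express that the signature is produced once, or, if it must be regenerated each run, add `--yes` and drop `changed_when: false`. The surrounding task list starts outside the hunk.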