Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Creates Focal-specific kernel metapackage #5691

Merged
merged 3 commits into from
Jan 8, 2021
Merged

Creates Focal-specific kernel metapackage #5691

merged 3 commits into from
Jan 8, 2021

Conversation

conorsch
Copy link
Contributor

@conorsch conorsch commented Jan 6, 2021
edited
Loading

Status

Ready for review.

Description of Changes

Fixes #5690. Fixes #4134.

Changes proposed in this pull request:

  • Creates Focal-specific securedrop-grsec metapackage, for pinning kernel and configuring paxctld
  • Installs the locally built securedrop-grsec in staging environment (previously we only used the package from apt-test in staging)
  • Updates tests accordingly
  • Tweaks build logic so we can more easily write per-distro packages

Testing

  • Visual review
  • CI is passing in all scenarios
  • (Optional) Run make build-debs-focal and inspect the securedrop-grsec metapackage that's created

Deployment

Focal-only.

Checklist

If you made changes to the server application code:

  • Linting (make lint) and tests (make test) pass in the development container

If you made changes to securedrop-admin:

  • Linting and tests (make -C admin test) pass in the admin development container

If you made changes to the system configuration:

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

Choose one of the following:

  • I have opened a PR in the docs repo for these changes, or will do so later
  • I would appreciate help with the documentation
  • These changes do not require documentation

If you added or updated a code dependency:

Choose one of the following:

  • I have performed a diff review and pasted the contents to the packaging wiki
  • I would like someone else to do the diff review

Conor Schaefer added 3 commits January 5, 2021 17:25
Forks securedrop-grsec metapackage for Focal
e98d894 
Creates a Focal-only version of the "securedrop-grsec" metapackage, so
we can provide distro-specific behavior, namely:

  * use paxctld, rather than paxctl
  * pin explicit kernel version via grub

Much of the new metapackage logic is taken from the comparable work
already implemented in:

https://github.com/freedomofpress/securedrop-debian-packaging/tree/cee267e7dfebd9553cdf4b02ecbe54783049121c/securedrop-workstation-grsec/debian

Also tweaks the package build logic to support per-distro packages.
Updates config tests for kernel metapackage
079a130 
A bit of per-distro logic, but mostly verifying the paxctl/paxctld
settings are as expected. These tests aren't actually passing yet,
because the "securedrop-grsec" metapackage isn't installed from scratch.
Installs locally built metapackage in staging
842787a 
The "securedrop-grsec" metapackage isn't included in the
"install-local-packages" logic, for the staging environment. That makes
evaluationg metapackage changes difficult. Let's add support for local
metapackages to aid in adjusting kernel-related settings.
@conorsch conorsch force-pushed the 5690-kernel-metapackage-for-focal branch from bd6c578 to 842787a Compare January 6, 2021 02:37
@codecov-io
Copy link

codecov-io commented Jan 6, 2021
edited
Loading

Codecov Report

Merging #5691 (842787a) into develop (57cb87a) will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff            @@
##           develop    #5691   +/-   ##
========================================
  Coverage    85.54%   85.54%           
========================================
  Files           52       52           
  Lines         3771     3771           
  Branches       474      474           
========================================
  Hits          3226     3226           
  Misses         440      440           
  Partials       105      105

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 57cb87a...842787a. Read the comment docs.

@conorsch conorsch marked this pull request as ready for review January 6, 2021 16:06
@conorsch
Copy link
Contributor Author

conorsch commented Jan 6, 2021

Note that post-merge, we should upload the new focal securedrop-grsec package to apt-test in https://github.com/freedomofpress/securedrop-dev-packages-lfs . Since this PR starts using the locally built metapackage in staging, CI is passing with out, but it must be there to unblock testing of Focal on hardware.

@kushaldas kushaldas self-assigned this Jan 7, 2021
@conorsch conorsch mentioned this pull request Jan 8, 2021
Closed
kushaldas
kushaldas approved these changes Jan 8, 2021
View reviewed changes
Copy link
Contributor

@kushaldas kushaldas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested locally against Focal target. Also did visual review. Looks good.

@kushaldas kushaldas merged commit cfb3cb9 into develop Jan 8, 2021
conorsch pushed a commit to freedomofpress/build-logs that referenced this pull request Jan 8, 2021
Adds securedrop-grsec pkg for Focal
06916a4 
Built post-merge of freedomofpress/securedrop#5691
conorsch pushed a commit to freedomofpress/securedrop-apt-test that referenced this pull request Jan 8, 2021
Adds securedrop-grsec pkg for Focal
295bfc1 
Built after merge of [0], build logs at [1].

[0] freedomofpress/securedrop#5691
[1] freedomofpress/build-logs@06916a4
This was referenced Jan 8, 2021
Merged
Closed
emkll added a commit that referenced this pull request Feb 4, 2021
@emkll
Bump securedrop-grsec-focal metapackage to 5.4.88
8c4430c 
This will pull in and install 5.4 series kernels for Focal installs,
thanks to the split metapackage logic introduced in #5691
emkll added a commit that referenced this pull request Feb 4, 2021
@emkll
Bump securedrop-grsec-focal metapackage to 5.4.88
c280ebf 
This will pull in and install 5.4 series kernels for Focal installs,
thanks to the split metapackage logic introduced in #5691
kushaldas pushed a commit that referenced this pull request Feb 5, 2021
@emkll @kushaldas
Bump securedrop-grsec-focal metapackage to 5.4.88
2f5af57 
This will pull in and install 5.4 series kernels for Focal installs,
thanks to the split metapackage logic introduced in #5691
@emkll emkll mentioned this pull request Feb 8, 2021
Merged
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kushaldas kushaldas kushaldas approved these changes

@emkll emkll Awaiting requested review from emkll

Assignees

@kushaldas kushaldas

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Create Focal-specific securedrop-grsec metapackage Use paxctld to manage all PaX flags in Ubuntu Focal
3 participants
@conorsch @codecov-io @kushaldas