-
Notifications
You must be signed in to change notification settings - Fork 691
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Script to upgrade from focal to noble #7406
base: develop
Are you sure you want to change the base?
Conversation
843ac2a
to
ce32f1e
Compare
I think the script is basically complete at this point, but I haven't actually tried it yet. So I need to do that, and then figure out how we're going to do CI on it. I think we should ideally be able to take the focal staging environment, upgrade it, and then re-run testinfra (noble) checks on it. |
b72bef2
to
6e433aa
Compare
Fixed a number of issues found by actual test runs, currently hit:
Will get to that tomorrow. |
Interesting wrinkle, because the systemd unit is installed by the Debian package, it smartly wants to restart the service during package upgrade. Except that kills the apt-get process upgrading the package, which totally breaks everything. I'm trying to figure out how to stop that restart, but it doesn't seem like dh_systemd_start's Alternatively we could have the script fork in a way that it doesn't get killed when the service stops - similar to what unattended-upgrades does. |
6e433aa
to
e1396bb
Compare
I'm thinking of getting rid of the --without-new-pkgs step and just doing a single full-upgrade step, it'll avoid a lot of the dependency constraint weirdness that keeps manifesting in weird ways. For example, I dropped the apparmor-utils dependency, which meant that Python 3.12 got pulled in later, and then app-code got upgraded too early. |
19c39ae
to
5bf94fe
Compare
I think this is the way to go, but with a slightly different variant. We should just ensure the apt-get/dpkg processes don't get killed. It's okay if the upgrade script dies, as long as apt-get keeps going. The commands are all idempotent so when the script gets restarted by the timer, it'll re-run the apt-get command it'll do nothing and not kill itself, and then keep moving on. Plus by just keeping apt-get alive, we don't need to implement any locking, etc ourselves, because dpkg already takes care of all of that in a battle-tested manner. |
5bf94fe
to
087599e
Compare
The changes I just pushed introduce a new To visualize:
One gotcha here is that we can no longer reliably capture stdout/stderr because if the parent is killed, it'll go nowhere. So we will need to send it to a file presumably. |
087599e
to
14ebc22
Compare
I mostly got through a full automated migration; something is going wrong during the installation of iptables-persistent/nftables-persistent and /etc/iptables/rules.{v4,v6} are blank, so there's no firewall up, causing the integrity check to fail. Once I bypassed that, it reached the done stage. \o/ |
239e0fd
to
bf03fa6
Compare
I successfully completed a fully-automated app migration today, so I'm marking this as ready for review. I still need to write up a more comprehensive test plan and stuff but at least the code can begin to be looked at. |
I've written up the full test plan now. |
Also as far as the code review goes, I'll try to split this up into more commits to simplify review. I also want to write a brief architecture document that explains how it's all supposed to work. |
https://github.com/freedomofpress/securedrop/wiki/noble-upgrade-architecture |
bf03fa6
to
6753f8a
Compare
I thought it was going to be more, but in the end it's two commits: 1) move some logic out of the check.rs file into a new Rust lib.rs and 2) the migration script and everything else. |
As part of the upgrade script, we want to run the check one last time to ensure that everything is ready to go. Instead of shelling out to it, move the logc into a Rust library that can be shared by both binaries.
6753f8a
to
d9ccbd2
Compare
(Rebased on top of the Rust upgrade) |
d9ccbd2
to
faf3129
Compare
The script is split into various stages where progress is tracked on-disk. The script is able to resume where it was at any point, and needs to, given multiple reboots in the middle. The new noble-upgrade.json file shipped in the securedrop-config package is used to control the upgrade process. Further details of the script are explained inline and at <https://github.com/freedomofpress/securedrop/wiki/noble-upgrade-architecture>. Fixes #7332.
faf3129
to
87d6e1a
Compare
Status
Ready for review
Description of Changes
The script is split into various stages where progress is tracked on-disk. The script is able to resume where it was at any point, and needs to, given multiple reboots in the middle.
The new noble-upgrade.json file shipped in the securedrop-config package is used to control the upgrade process.
Fixes #7332.
Testing
How should the reviewer test this PR?
Preparation
UBUNTU_VERSION=focal make build-debs
andUBUNTU_VERSION=noble make build-debs
).UBUNTU_VERSION=noble make build-debs-ossec
dist
folder alongside focal and noble, runapt-ftparchive packages ./focal > dists/focal/main/binary-amd64/Packages
andapt-ftparchive packages ./noble > dists/noble/main/binary-amd64/Packages
(you'll need to create the intermediate directories in dist/ manually)The next step of steps need to be applied to both app and mon:
/etc/apt/sources.list.d/apt_freedom_press.list
file with a line likedeb [trusted=yes] https://example.org/apt focal main
. The[trusted=yes]
bypasses PGP signature checking so we don't need to also fiddle with signing the temporary packages and installing the keyring.sudo apt-get update && sudo unattended-upgrade
to upgrade to the 2.12.0-rc0 packages./lib/systemd/systemd/securedrop-noble-migration-upgrade.service
to add the lineEnvironment=EXTRA_APT_SOURCE="deb [trusted=yes] https://example.org/apt noble main"
(note that this says noble and not focal! also keep an eye on the quotes)Upgrading
This should be repeated twice, once for app and then once that's done, for mon.
/etc/securedrop-noble-migration-state.json
was created with{"finished": None, "bucket": 1-5}
.journalctl -f
- primarily to follow along the progress/usr/share/securedrop/noble-migration.json
, to setapp.enabled = true
andapp.bucket = 5
. (or mon if that's what you're upgrading)sudo systemctl start securedrop-noble-migration-upgrade
./etc/securedrop-noble-migration-state.json
should now have finished PendingUpdates./etc/securedrop-noble-migration-state.json
should be at Reboot.Done
stage.cat /etc/os-release
should output noble.Verification
After the upgrade:
./securedrop-admin verify
should pass.Misc.
Deployment
Any special considerations for deployment? Consider both:
Checklist
If you made changes to the server application code:
make lint
) and tests (make test
) pass in the development containerIf you made changes to
securedrop-admin
:make -C admin test
) pass in the admin development containerIf you made changes to the system configuration:
If you added or removed a file deployed with the application:
If you made non-trivial code changes:
Choose one of the following:
If you added or updated a reference to a production code dependency:
Production code dependencies are defined in:
admin/requirements.in
admin/requirements-ansible.in
securedrop/requirements/python3/requirements.in
securedrop/requirements/python3/translation.in
(used in the buildcontainer)
If you changed another
requirements.in
file that applies only to developmentor testing environments, then no diff review is required, and you can skip
(remove) this section.
Choose one of the following: