Provides first-run custom kernel support for Focal #5518
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
September 18, 2020 18:30
For Xenial we'll continue using the C flag but under Focal we must start using "c" instead. Provides a map in the Ansible settings so the right flag is used depending on what OS the servers are running. Notably we're overlooking the "securedrop-grsec" metapackage which also has these same flags hardcoded, but we may decide to switch to paxctld instead. The reformatting on the "when" conditional non-functional, but silences an Ansible deprecation warning.
The first pass on the pattern updates for Focal machines missed a few default kernel patterns. Now that we're unblocked testing kernels in Focal VMs, was able to identify sufficient patterns so that all assertions pass.
kushaldas
approved these changes
Sep 21, 2020
This was referenced Sep 21, 2020
53 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Status
Ready for review
Description of Changes
Updates the
paxctlcommands to use slightly different logic depending on whether the host is running Xenial or Focal. Notably this only alters the Ansible logic, and ignores the same flags in thesecuredrop-grsecmetapackage. Therefore I'm only saying "refs #5495" since technically there's a bit more follow-up required there (possibly switching to paxctld #4134).Also updating the package patterns so that non-grsec kernels are succesfully removed during first install. I've only tested in this in libvirt staging VMs running focal, but it's enough. More durable forcing of the hardened kernels is tracked in #5507. Therefore, closes #5508.
Testing
You must use a Linux machine with libvirt support.
Confirm that the install completes without error, and the app is functional. The testinfra tests are not yet passing for Focal, so don't expect the "verify" action to work.
Deployment
The changes aim to preserve identical behavior under Xenial. Still, the CI checks for staging will confirm that the paxctl commands are not broken under Xenial. I don't think we need additional functional testing beyond that, outside of standard pre-release QA.
Checklist
If you made changes to the server application code:
make lint) and tests (make test) pass in the development containerIf you made changes to
securedrop-admin:make -C admin test) pass in the admin development containerIf you made changes to the system configuration:
If you made non-trivial code changes:
If you made changes to documentation:
make docs-lint) passed locallyIf you added or updated a code dependency:
Choose one of the following: