Merge pull request #5684 from freedomofpress/5295-unattended-upgrades

Replace cron-apt with unattended-upgrades on Focal

.circleci/config.yml

@@ -93,7 +93,6 @@ common-steps:
         - /focalcaches/layers.tar
 
 
-
 version: 2
 jobs:
   lint:

devops/apt-local.yml

@@ -29,6 +29,7 @@
     rep_dist: "focal"
     molecule_dir: "../molecule/upgrade"
     dpkg_dir: /var/repos/debs
+    rep_origin: SecureDrop
     rep_component: main
     rep_arch: i386 amd64
     release_file: "/var/repos/base/dists/{{ rep_dist }}/Release"
@@ -45,4 +46,3 @@
         - ssl_certificate_key /etc/ssl/private/apt_freedom_press.priv
         - root "/var/repos/base"
         - location / { autoindex on; }
-

install_files/ansible-base/group_vars/securedrop_application_server.yml

@@ -7,7 +7,7 @@ ip_info:
 ### Used by the install_local_deb_pkgs role ###
 local_deb_packages:
   - "securedrop-keyring-0.1.4+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
-  - "securedrop-config-0.1.3+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
+  - "securedrop-config-0.1.4+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
   - "securedrop-ossec-agent-3.6.0+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
   - "{{ securedrop_app_code_deb }}.deb"
   - "ossec-agent-3.6.0+{{ securedrop_target_distribution }}-amd64.deb"

install_files/ansible-base/group_vars/securedrop_monitor_server.yml

@@ -7,7 +7,7 @@ ip_info:
 ### Used by the install_local_deb_pkgs role ###
 local_deb_packages:
   - "securedrop-keyring-0.1.4+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
-  - "securedrop-config-0.1.3+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
+  - "securedrop-config-0.1.4+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
   - "securedrop-ossec-server-3.6.0+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
   - ossec-server-3.6.0+{{ securedrop_target_distribution }}-amd64.deb
 

install_files/ansible-base/roles/common/defaults/main.yml

@@ -3,15 +3,6 @@
 # and aid in clearing memory. Only the hour is configurable.
 daily_reboot_time: 4 # An integer between 0 and 23
 
-securedrop_common_packages:
-  - apt-transport-https
-  - aptitude
-  - cron-apt
-  - ntp
-  - ntpdate
-  - resolvconf
-  - tmux
-
 disabled_kernel_modules:
   - btusb
   - bluetooth

install_files/ansible-base/roles/common/tasks/apt_sources.yml

@@ -0,0 +1,8 @@
+- name: Configure apt sources.
+  template:
+    src: sources.list.j2
+    dest: /etc/apt/sources.list
+    mode: "0644"
+    owner: root
+  tags:
+    - apt

install_files/ansible-base/roles/common/tasks/main.yml

@@ -1,6 +1,10 @@
 ---
 - include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml"
 
+- include: apt_sources.yml
+  when:
+    - ansible_distribution_release == "focal"
+
 - include: install_packages.yml
 
 - include: post_ubuntu_install_checks.yml
@@ -12,6 +16,14 @@
 - include: harden_dns.yml
 
 - include: cron_apt.yml
+  when:
+    - ansible_distribution_release == "xenial"
+  tags:
+    - reboot
+
+- include: unattended_upgrades.yml
+  when:
+    - ansible_distribution_release == "focal"
   tags:
     - reboot
 

install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml

@@ -0,0 +1,39 @@
+---
+# Configuration for unattended upgrades is almost exclusively managed by the
+# securedrop-config package under Focal.
+
+- name: Configure unattended-upgrades to reboot daily at the scheduled time.
+  template:
+    src: 80securedrop.j2
+    dest: /etc/apt/apt.conf.d/80securedrop
+    mode: 0644
+    owner: root
+    group: root
+  tags:
+    - apt
+    - unattended-upgrades
+
+- name: Ensure apt-daily and apt-daily-upgrade services are unmasked, started and enabled.
+  systemd:
+    name: "{{ item }}"
+    state: started
+    enabled: yes
+    masked: no
+  with_items:
+    - 'apt-daily'
+    - 'apt-daily-upgrade'
+  tags:
+    - apt
+    - unattended-upgrades
+
+- name: Ensure apt-daily and apt-daily-upgrade timers are started, and enabled.
+  systemd:
+    name: "{{ item }}"
+    state: started
+    enabled: yes
+  with_items:
+    - 'apt-daily.timer'
+    - 'apt-daily-upgrade.timer'
+  tags:
+    - apt
+    - unattended-upgrades

install_files/ansible-base/roles/common/templates/80securedrop.j2

@@ -0,0 +1,4 @@
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+//  Default: "now"
+Unattended-Upgrade::Automatic-Reboot-Time "{{ daily_reboot_time }}:00";

install_files/ansible-base/roles/common/templates/sources.list.j2

@@ -0,0 +1,13 @@
+## newer versions of the distribution.
+deb http://archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }} main
+
+## newer versions of the distribution.
+deb http://archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }} universe
+
+## Major bug fix updates produced after the final release of the
+## distribution.
+deb http://archive.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-updates main
+
+### Security fixes for distribution packages
+deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security main
+deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security universe

install_files/ansible-base/roles/common/vars/Ubuntu_focal.yml

@@ -5,3 +5,12 @@ securedrop_kernel_packages_to_remove:
   - 'linux-image-.*generic'
 
 resolvconf_target_filepath: /etc/resolv.conf
+
+securedrop_common_packages:
+  - apt-transport-https
+  - aptitude
+  - unattended-upgrades
+  - ntp
+  - ntpdate
+  - resolvconf
+  - tmux

install_files/ansible-base/roles/common/vars/Ubuntu_xenial.yml

@@ -9,3 +9,12 @@ securedrop_kernel_packages_to_remove:
   - 'linux-headers-.*'
 
 resolvconf_target_filepath: /etc/resolvconf/resolv.conf.d/base
+
+securedrop_common_packages:
+  - apt-transport-https
+  - aptitude
+  - cron-apt
+  - ntp
+  - ntpdate
+  - resolvconf
+  - tmux

install_files/ansible-base/securedrop-apt-local.yml

@@ -30,4 +30,3 @@
         state: present
         update_cache: yes
   become: yes
-

install_files/securedrop-config-focal/DEBIAN/control.j2

@@ -0,0 +1,11 @@
+Source: securedrop
+Section: web
+Priority: optional
+Maintainer: SecureDrop Team <securedrop@freedom.press>
+Homepage: https://securedrop.org
+Package: securedrop-config
+Version: 0.1.4+{{ securedrop_version }}+{{ securedrop_target_distribution }}
+Depends: unattended-upgrades,update-notifier-common
+Architecture: all
+Description: Establishes baseline system state for running SecureDrop.
+ Configures apt repositories.

install_files/securedrop-config-focal/DEBIAN/postinst

@@ -0,0 +1,24 @@
+#!/bin/sh
+# postinst script for securedrop-config-focal
+
+set -e
+set -x
+
+case "$1" in
+    configure)
+    # Configuration required for unattended-upgrades
+    cp /opt/securedrop/20auto-upgrades /etc/apt/apt.conf.d/
+    cp /opt/securedrop/50unattended-upgrades /etc/apt/apt.conf.d/
+    cp /opt/securedrop/reboot-flag /etc/cron.d/
+
+    ;;
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+exit 0

install_files/securedrop-config-focal/etc/profile.d/securedrop_additions.sh

@@ -0,0 +1,22 @@
+[[ $- != *i* ]] && return
+
+which tmux >/dev/null 2>&1 || return
+
+tmux_attach_via_proc() {
+    # If the tmux package is upgraded during the lifetime of a
+    # session, attaching with the new binary can fail due to different
+    # protocol versions. This function attaches using the reference to
+    # the old executable found in the /proc tree of an existing
+    # session.
+    pid=$(pgrep --newest tmux)
+    if test -n "$pid"
+    then
+        /proc/$pid/exe attach
+    fi
+    return 1
+}
+
+if test -z "$TMUX"
+then
+    (tmux attach || tmux_attach_via_proc || tmux new-session)
+fi

install_files/securedrop-config-focal/opt/securedrop/20auto-upgrades

@@ -0,0 +1,3 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+APT::Periodic::AutocleanInterval "1";

install_files/securedrop-config-focal/opt/securedrop/50unattended-upgrades

@@ -0,0 +1,60 @@
+// Automatically upgrade packages from these (origin:archive/codename) pairs
+Unattended-Upgrade::Origins-Pattern {
+        "origin=${distro_id},archive=${distro_codename}";
+        "origin=${distro_id},archive=${distro_codename}-security";
+        "origin=${distro_id},archive=${distro_codename}-updates";
+        "origin=SecureDrop,codename=${distro_codename}";
+};
+
+// List of packages to not update (regexp are supported)
+Unattended-Upgrade::Package-Blacklist {
+};
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run
+//   dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+// This mirrors the previous cron=apt config
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGUSR1. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+//Unattended-Upgrade::MinimalSteps "true";
+
+// Install all unattended-upgrades when the machine is shuting down
+// instead of doing it in the background while the machine is running
+// This will (obviously) make shutdown slower
+//Unattended-Upgrade::InstallOnShutdown "true";
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "[email protected]"
+//Unattended-Upgrade::Mail "root";
+
+// Set this value to "true" to get emails only on errors. Default
+// is to always send a mail if Unattended-Upgrade::Mail is set
+//Unattended-Upgrade::MailOnlyOnError "true";
+
+// Do automatic removal of new unused dependencies after the upgrade
+// (equivalent to apt-get autoremove)
+//Unattended-Upgrade::Remove-Unused-Dependencies "false";
+
+// Automatically reboot *WITHOUT CONFIRMATION*
+//  if the file /var/run/reboot-required is found after the upgrade
+Unattended-Upgrade::Automatic-Reboot "true";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+//  Default: "now"
+// This is set in a template in the common role under the file 80securedrop
+
+// Automatically reboot even if there are users currently logged in
+// when Unattended-Upgrade::Automatic-Reboot is set to true
+Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+//Acquire::http::Dl-Limit "70";

install_files/securedrop-config-focal/opt/securedrop/reboot-flag

@@ -0,0 +1,4 @@
+# The purpose of this cron is to drop the reboot-required flag every 12 hours
+# to ensure the system is rebooted nightly, regardless of updates being installed
+# or not.
+* */12 * * * touch /var/run/reboot-required

install_files/securedrop-config/DEBIAN/control.j2

@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-config
-Version: 0.1.3+{{ securedrop_version }}+{{ securedrop_target_distribution }}
+Version: 0.1.4+{{ securedrop_version }}+{{ securedrop_target_distribution }}
 Architecture: all
 Description: Establishes baseline system state for running SecureDrop.
  Configures apt repositories.

molecule/builder-focal/playbook.yml

@@ -48,6 +48,7 @@
     - role: build-generic-pkg
       tags: securedrop-config
       package_name: securedrop-config
+      package_dirname: securedrop-config-focal
       when: ansible_host.endswith("-sd-config") or ansible_host == "localhost"
   tags: rebuild
 

molecule/builder-xenial/tests/test_securedrop_deb_package.py

@@ -543,10 +543,18 @@ def test_config_package_contains_expected_files(host: Host) -> None:
     Inspect the package contents to ensure all config files are included in
     the package.
     """
-    wanted_files = [
-        "/etc/cron-apt/action.d/9-remove",
-        "/etc/profile.d/securedrop_additions.sh",
-    ]
+    if SECUREDROP_TARGET_DISTRIBUTION == "xenial":
+        wanted_files = [
+            "/etc/cron-apt/action.d/9-remove",
+            "/etc/profile.d/securedrop_additions.sh",
+        ]
+    else:
+        wanted_files = [
+            "/etc/profile.d/securedrop_additions.sh",
+            "/opt/securedrop/20auto-upgrades",
+            "/opt/securedrop/50unattended-upgrades",
+            "/opt/securedrop/reboot-flag",
+        ]
     c = host.run("dpkg-deb --contents {}".format(deb_paths["securedrop_config"]))
     for wanted_file in wanted_files:
         assert re.search(

molecule/builder-xenial/tests/vars.yml

@@ -2,7 +2,7 @@
 securedrop_version: "1.8.0~rc1"
 ossec_version: "3.6.0"
 keyring_version: "0.1.4"
-config_version: "0.1.3"
+config_version: "0.1.4"
 grsec_version: "4.14.188"
 
 # These values will be interpolated with values populated above