Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[xenial] Restart haveged and apparmor #4201

Merged
merged 1 commit into from
Feb 27, 2019
Merged

[xenial] Restart haveged and apparmor #4201

merged 1 commit into from
Feb 27, 2019

Conversation

emkll
Copy link
Contributor

@emkll emkll commented Feb 26, 2019
edited
Loading

Status

Ready for review

Description of Changes

In the Xenial upgrade scenario, restarting will ensure the AppArmor profiles are correctly loaded so that it can be properly enforced, prior to rebooting.

Fixes #4200

Testing

  • Install 0.12.0-rc3 on Trusty
  • Upgrade to Xenial
  • ssh into app, and run sudo aa-status, observe that haveged is unconfined
  • run installer on this branch
  • observe haveged restart handler running after apparmor restart handler
  • run sudo aa-status and observe that /usr/sbin/haveged is in enforce mode
  • to validate idempotency, run installer again, observe the apparmor handler not running

Deployment

Any special considerations for deployment? Consider both:

  1. Ansible via ./securedrop-admin install
  2. Ansible via ./securedrop-admin install

Checklist

If you made changes to the system configuration:

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

@emkll emkll force-pushed the 4200-restart-apparmor-haveged branch from 48cfeb9 to 2c5e28e Compare February 26, 2019 20:23
@emkll
Restart haveged and apparmor
4a7ea91 
In the Xenial upgrade scenario, restarting will ensure the AppArmor profiles are correctly loaded so that it can be properly enforced, prior to rebooting.
@emkll emkll force-pushed the 4200-restart-apparmor-haveged branch from 2c5e28e to 4a7ea91 Compare February 26, 2019 20:35
@emkll emkll mentioned this pull request Feb 26, 2019
Merged
3 tasks
@conorsch
Copy link
Contributor

  • Install 0.12.0-rc3 on Trusty
  • Upgrade to Xenial
  • ssh into app, and run sudo aa-status, observe that haveged is unconfined
  • run installer on this branch
  • observe haveged restart handler running after apparmor restart handler
  • run sudo aa-status and observe that /usr/sbin/haveged is in enforce mode
  • 🔶 to validate idempotency, run installer again, observe the apparmor handler not running

Changes work as presented. I did not re-run the install action a second time to confirm changes are idempotent, but on visual review of the diff, I'm satisfied with these changes working as expected.

@redshiftzero redshiftzero merged commit a3d294a into develop Feb 27, 2019
@redshiftzero redshiftzero deleted the 4200-restart-apparmor-haveged branch February 27, 2019 00:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@heartsucker heartsucker heartsucker left review comments

@conorsch conorsch conorsch approved these changes

@redshiftzero redshiftzero Awaiting requested review from redshiftzero

@kushaldas kushaldas Awaiting requested review from kushaldas

@msheiny msheiny Awaiting requested review from msheiny

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@emkll @conorsch @heartsucker @redshiftzero