Updated restore playbook to only compare tor configs when configs are being updated. #5834
Conversation
zenmonkeykstop
requested review from
conorsch,
emkll and
kushaldas
as code owners
There was a problem hiding this comment.
-
take a backup with
./securedrop-admin backup -
restore the v2+v3 backup with
./securedrop-admin --force restore your/backupfile/path/here- Verify that the "Verify that the backup Tor config is compatible with the server Tor config" task runs and passes.
- Verify that the
Extract backuptask runs, but theExtract backup, skipping tor service configurationstask does not - verify that the restore completes and that the JI/SI and SSH configs are unchanged.
-
restore the backup again with
./securedrop-admin --force restore --preserve-tor-config your/backupfile/path/here- Verify that the "Verify that the backup Tor config is compatible with the server Tor config" task is not executed.
- Verify that the
Extract backup, skipping tor service configurationstask runs, but theExtract backuptask does not - verify that the restore completes and that the JI/SI and SSH configs are unchanged.
-
if a v2 backup is available from any test server, attempt to apply it with
./securedrop-admin --force restore your/v2backupfile/path/here- Verify that the "Verify that the backup Tor config is compatible with the server Tor config" task runs and fails.
- Verify that the restore finishes immediately without applying data or config changes
-
flip the install to v3-only using the
sdconfigandinstalladmin subcommands, then:- restore the v2+v3 backup with
./securedrop-admin --force restore your/backupfile/path/here- Verify that the "Verify that the backup Tor config is compatible with the server Tor config" task runs and passes.
- Verify that the
Extract backuptask runs, but theExtract backup, skipping tor service configurationstask does not. I got the exact Extract backup, using v3 services only. - verify that the restore completes and that only the v3 JI/SI and SSH configs are present.
- restore the backup again with
./securedrop-admin --force restore --preserve-tor-config your/backupfile/path/here- Verify that the "Verify that the backup Tor config is compatible with the server Tor config" task is not executed.
- Verify that the
Extract backup, skipping tor service configurationstask runs, but theExtract backuptask does not - verify that the restore completes and that the v3 JI/SI and SSH configs are unchanged and the v2 ssh configs have not been restored
- if a v2 backup is available from any test server, attempt to apply it with
./securedrop-admin --force restore your/v2backupfile/path/here- Verify that the "Verify that the backup Tor config is compatible with the server Tor config" task runs and fails.
- Verify that the restore finishes immediately without applying data or config changes
- restore the v2+v3 backup with
Worked well, now in a separate PR I will work on the new safety failures.
There was a problem hiding this comment.
These changes resolved the error reported in #5829 for me. However, according to
if --preserve-tor-config is set, the results of the comparison are ignored and a data-only restore is performed
That's not actually what happened for me. Using a v2-only Xenial backup tarball, the data was restored (full db and prior submissions), but the v2 services were destroyed. After running the restore, I logged into the Application Server, and saw only v3 services: sshv3, sourcev3, journalistv3.
That's not really a problem, since it matches our Focal-is-v3-only expectations. Still, calling it out for attention in case since it'll likely be relevant in support contexts.
| - "This backup's tor configuration cannot be applied on this server." | ||
| - "A data-only restore can be applied using the --preserve-tor-config argument" | ||
| - "More info: {{ compare_result.stdout }}" | ||
| when: restore_skip_tor is not defined |
There was a problem hiding this comment.
Nit: consider setting restore_skip_tor to False in defaults/main.yml, then update this line to be when: not restore_skip-tor. Checking for definedness works in this case, but only because it's non-existent, or false.
Yes, that's also my expectation of what should happen with a restore to Focal, and we'll make sure to make that clear in the docs. |
|
If @conorsch 's instance wasn't actually Focal tho (I'm guessing Xenial v2+v3, trying to apply a data-only v2 backup?) then this isn't the desired behaviour. There are a bunch of tasks to clear out V2 configs that should only run if it's a Focal target or if we're restoring just the v3 component of a v2+v3 backup. They shouldn't run in the case where we're doing a data-only backup. Given that this is a config-removing bug, I'll update the PR real quick to address. |
Process was:
Step 6 is where it failed for me in #5829, but when testing with these changes, the restore process completed. This works as expected, and I don't recommend that we change the behavior further. |
…ing the server's config: - if --preserve-tor-config is set, tor configs are ignored completely and only data is restored - if configs match, complete restore performed - if v2+v3 restore to v3 server, only v3 is restored - playbook exits early without restoring anything in all other cases
zenmonkeykstop
force-pushed
the
5829-fix-restore-without-tor
branch
from
2af982a to
5bd7313
Compare
|
this will be slighty out of date, I tested before 43c0e44 was a thing. About to retest, same scenarios (testing on a v3-only install) Testing In progress[...]
|
At this point, I can't restore the v2 services, even if I check out 1.7.1 again. The Tor configuration comparison fails and the restore is aborted. I'm told to contact myself via the support portal. 🙂 |
Testing[...]
|
I think as we were already accessing with v3 ssh service, many of us did not notice this.
But, for a Xenial system, this should not happen. Once again, as a tester we could still ssh into the box with the new v3 ssh access. After spending sometime thinking about this I think this is an okay behavior. Because once one box got I would love to hear what the rest of the team think about this. |
|
I think my second scenario, with I reinstalled and ran that test successfully, with v2 services being left enabled after the restore. |
|
I finished the rest of the test plan and everything looks good:
If v2 gets dropped by restoring without |
|
Ok so to recap (and check my assumptions), the case @rmol is describing is, an instance is (still) on Xenial v2+v3, restores a Xenial v2+v3 backup without using That is kind of unfriendly/surprising, but it will only apply to v2v3 instances trying to restore onto Xenial before April 30, which... is probably not going to come up (and doubtful it would come up without someone filing a support ticket, anyway). My opinion is we are pushing people towards Focal and v3 within a couple weeks anyway, so given the time constraints I think it kind of falls under the "if you have a specific restore scenario you need help with, contact Support," and is okay. If others feel similarly and want to go ahead with this, I can make more explicit note of this behaviour in the migration docs PR. |
|
This wasn't the intent of the PR tho - so it's a bug. My take is that this behaviour is going to be unexpected (and will break v2->v2 backups altogether) so it should be fixed rather than documented. Gonna take one final stab at correcting the logic, if I can prevail upon ye for a final round of testing in the next little while! |
|
OK @rmol or @rocodes if you're set up for v2 or v2+v3 testing (Xenial obvs) please take a spin through. The behaviour should be correct now - the v2 service removal should only be triggered when a v2+v3 backup is applied to a v3 instance and --preserve-tor-config is not set. Apologies for the back and forth on this one! |
|
After last fix:
On a production v2+v3 install (vms or h/w):
|
Status
Ready for review
Description of Changes
Fixes #5829 .
Updates the restore playbook tor config comparison logic such that:
--preserve-tor-configis set, the results of the comparison are ignored and a data-only restore is performedTesting
On a production v2+v3 install (vms or h/w):
take a backup with
./securedrop-admin backuprestore the v2+v3 backup with
./securedrop-admin --force restore your/backupfile/path/hereExtract backuptask runs, but theExtract backup, skipping tor service configurationstask does notrestore the backup again with
./securedrop-admin --force restore --preserve-tor-config your/backupfile/path/hereExtract backup, skipping tor service configurationstask runs, but theExtract backuptask does notif a v2 backup is available from any test server, attempt to apply it with
./securedrop-admin --force restore your/v2backupfile/path/hereflip the install to v3-only using the
sdconfigandinstalladmin subcommands, then:./securedrop-admin --force restore your/backupfile/path/hereExtract backup using v3-onlytask runs, but the otherExtracttasks do not./securedrop-admin --force restore --preserve-tor-config your/backupfile/path/hereExtract backup, skipping tor service configurationstask runs, but the otherExtracttask do not./securedrop-admin --force restore your/v2backupfile/path/hereChecklist
If you made non-trivial code changes:
Choose one of the following: