Script to upgrade from focal to noble #7406
Conversation
legoktm
force-pushed
the
stg-upgrade-script
branch
3 times, most recently
from
843ac2a to
ce32f1e
Compare
|
I think the script is basically complete at this point, but I haven't actually tried it yet. So I need to do that, and then figure out how we're going to do CI on it. I think we should ideally be able to take the focal staging environment, upgrade it, and then re-run testinfra (noble) checks on it. |
legoktm
force-pushed
the
stg-upgrade-script
branch
4 times, most recently
from
b72bef2 to
6e433aa
Compare
|
Fixed a number of issues found by actual test runs, currently hit: Will get to that tomorrow. |
|
Interesting wrinkle, because the systemd unit is installed by the Debian package, it smartly wants to restart the service during package upgrade. Except that kills the apt-get process upgrading the package, which totally breaks everything. I'm trying to figure out how to stop that restart, but it doesn't seem like dh_systemd_start's Alternatively we could have the script fork in a way that it doesn't get killed when the service stops - similar to what unattended-upgrades does. |
legoktm
force-pushed
the
stg-upgrade-script
branch
from
6e433aa to
e1396bb
Compare
|
I'm thinking of getting rid of the --without-new-pkgs step and just doing a single full-upgrade step, it'll avoid a lot of the dependency constraint weirdness that keeps manifesting in weird ways. For example, I dropped the apparmor-utils dependency, which meant that Python 3.12 got pulled in later, and then app-code got upgraded too early. |
legoktm
force-pushed
the
stg-upgrade-script
branch
3 times, most recently
from
19c39ae to
5bf94fe
Compare
I think this is the way to go, but with a slightly different variant. We should just ensure the apt-get/dpkg processes don't get killed. It's okay if the upgrade script dies, as long as apt-get keeps going. The commands are all idempotent so when the script gets restarted by the timer, it'll re-run the apt-get command it'll do nothing and not kill itself, and then keep moving on. Plus by just keeping apt-get alive, we don't need to implement any locking, etc ourselves, because dpkg already takes care of all of that in a battle-tested manner. |
legoktm
force-pushed
the
stg-upgrade-script
branch
from
5bf94fe to
087599e
Compare
|
The changes I just pushed introduce a new To visualize:
One gotcha here is that we can no longer reliably capture stdout/stderr because if the parent is killed, it'll go nowhere. So we will need to send it to a file presumably. |
legoktm
force-pushed
the
stg-upgrade-script
branch
from
087599e to
14ebc22
Compare
|
I mostly got through a full automated migration; something is going wrong during the installation of iptables-persistent/nftables-persistent and /etc/iptables/rules.{v4,v6} are blank, so there's no firewall up, causing the integrity check to fail. Once I bypassed that, it reached the done stage. \o/ |
legoktm
force-pushed
the
stg-upgrade-script
branch
3 times, most recently
from
c4585cf to
239e0fd
Compare
The script is split into various stages where progress is tracked on-disk. The script is able to resume where it was at any point, and needs to, given multiple reboots in the middle. Given that we want to invoke the check script during the upgrade path, most of the code is moved into a common lib.rs that can be imported by both check.rs and upgrade.rs. The new noble-upgrade.json file shipped in the securedrop-config package is used to control the upgrade process. A systemd timer runs every 3 minutes to trigger the upgrade script, which in most cases will do nothing. We need to run it so frequently since this is how the script will be restarted after it pauses for a reboot. Fixes #7332.
legoktm
force-pushed
the
stg-upgrade-script
branch
from
239e0fd to
bf03fa6
Compare
legoktm
changed the title
|
I successfully completed a fully-automated app migration today, so I'm marking this as ready for review. I still need to write up a more comprehensive test plan and stuff but at least the code can begin to be looked at. |
|
I've written up the full test plan now. |
|
Also as far as the code review goes, I'll try to split this up into more commits to simplify review. I also want to write a brief architecture document that explains how it's all supposed to work. |
Status
Ready for review
Description of Changes
The script is split into various stages where progress is tracked on-disk. The script is able to resume where it was at any point, and needs to, given multiple reboots in the middle.
The new noble-upgrade.json file shipped in the securedrop-config package is used to control the upgrade process.
Fixes #7332.
Testing
How should the reviewer test this PR?
Preparation
UBUNTU_VERSION=focal make build-debsandUBUNTU_VERSION=noble make build-debs).UBUNTU_VERSION=noble make build-debs-ossecdistfolder alongside focal and noble, runapt-ftparchive packages ./focal > dists/focal/main/binary-amd64/Packagesandapt-ftparchive packages ./noble > dists/noble/main/binary-amd64/Packages(you'll need to create the intermediate directories in dist/ manually)The next step of steps need to be applied to both app and mon:
/etc/apt/sources.list.d/apt_freedom_press.listfile with a line likedeb [trusted=yes] https://example.org/apt focal main. The[trusted=yes]bypasses PGP signature checking so we don't need to also fiddle with signing the temporary packages and installing the keyring.sudo apt-get update && sudo unattended-upgradeto upgrade to the 2.12.0-rc0 packages./lib/systemd/systemd/securedrop-noble-migration-upgrade.serviceto add the lineEnvironment=EXTRA_APT_SOURCE="deb [trusted=yes] https://example.org/apt noble main"(note that this says noble and not focal! also keep an eye on the quotes)Upgrading
This should be repeated twice, once for app and then once that's done, for mon.
/etc/securedrop-noble-migration-state.jsonwas created with{"finished": None, "bucket": 1-5}.journalctl -f- primarily to follow along the progress/usr/share/securedrop/noble-migration.json, to setapp.enabled = trueandapp.bucket = 5. (or mon if that's what you're upgrading)sudo systemctl start securedrop-noble-migration-upgrade./etc/securedrop-noble-migration-state.jsonshould now have finished PendingUpdates./etc/securedrop-noble-migration-state.jsonshould be at Reboot.Donestage.cat /etc/os-releaseshould output noble.Verification
After the upgrade:
./securedrop-admin verifyshould pass.Misc.
Deployment
Any special considerations for deployment? Consider both:
Checklist
If you made changes to the server application code:
make lint) and tests (make test) pass in the development containerIf you made changes to
securedrop-admin:make -C admin test) pass in the admin development containerIf you made changes to the system configuration:
If you added or removed a file deployed with the application:
If you made non-trivial code changes:
Choose one of the following:
If you added or updated a reference to a production code dependency:
Production code dependencies are defined in:
admin/requirements.inadmin/requirements-ansible.insecuredrop/requirements/python3/requirements.insecuredrop/requirements/python3/translation.in(used in the buildcontainer)
If you changed another
requirements.infile that applies only to developmentor testing environments, then no diff review is required, and you can skip
(remove) this section.
Choose one of the following: