From bc947592e34c53013523a6d11414a96842c82f70 Mon Sep 17 00:00:00 2001
From: heartsucker
Date: Mon, 11 Feb 2019 12:38:30 +0100
Subject: [PATCH 1/5] update upgrade prompt via postinst script

---
 .../securedrop-config/DEBIAN/postinst | 26 ++++++++++++++++---
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/install_files/securedrop-config/DEBIAN/postinst b/install_files/securedrop-config/DEBIAN/postinst
index eba25fa536..bbe09809fc 100755
--- a/install_files/securedrop-config/DEBIAN/postinst
+++ b/install_files/securedrop-config/DEBIAN/postinst
@@ -4,10 +4,28 @@
 set -e
 set -x
-disable_upgrade_prompt() {
-    # Disable do-release-upgrade notification
-    sed -i 's/Prompt=.*/Prompt=never/' /etc/update-manager/release-upgrades || true
+
+# Issue #4104
+# Set Prompt=never on Xenial
+# Set Prompt=lts on Trusty
+update_release_prompt() {
+    set -e
+
+    declare -r upgrade_config='/etc/update-manager/release-upgrades'
+
+    declare -r release="$(lsb_release -sc)"
+    if [ "$?" -ne 0 ]; then
+        echo 'Unable to detect LSB codename' >&2
+        return 1
+    fi
+
+    if [[ "$release" == trusty ]]; then
+        sed -i 's/Prompt=.*/Prompt=lts/' "$upgrade_config"
+    else
+        sed -i 's/Prompt=.*/Prompt=never/' "$upgrade_config"
+    fi
 }
+
 
 remove_2fa_tty_req() {
     # The goal here is to remove legacy 2FA req on TTY logins
     # Lets prevent this from bombing out the install though if it fails
@@ -70,7 +88,7 @@ case "$1" in
 
     manage_tor_repo_config
     remove_2fa_tty_req
-    disable_upgrade_prompt
+    update_release_prompt
 
     # Remove cron-apt action should occur after security upgrades to avoid breaking
     # automatic upgrades (see issue #4003)

From b2efbea94a674c802d0e7c68acf242c0a4c8018d Mon Sep 17 00:00:00 2001
From: heartsucker
Date: Mon, 11 Feb 2019 12:39:09 +0100
Subject: [PATCH 2/5] update the script and log file for new releases to prevent incorrect upgrades

---
 .../securedrop-config/DEBIAN/postinst | 27 ++++++++++++-------
 1 file changed, 18 insertions(+), 9 deletions(-)
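Review bot: The `|| true` that the removed `disable_upgrade_prompt` carried is gone and `update_release_prompt` runs under `set -e`, so a host on which `/etc/update-manager/release-upgrades` is absent now aborts the postinst and leaves the package unconfigured; if failing loudly is intended, say so in the function comment, otherwise guard the edit with `[ -f "$upgrade_config" ] || return 0`. The `$?` tested right after `declare -r release="$(lsb_release -sc)"` is the exit status of `declare`, not of `lsb_release`, so the 'Unable to detect LSB codename' branch can never fire (the next patch in this series removes that check anyway). `sed` also exits 0 when no `Prompt=` line matches, so the function cannot tell whether the rewrite happened; a trailing `grep -q '^Prompt=' "$upgrade_config"` would make that explicit. The same hunk's `[[ ... ]]` is bash-only and the script's shebang is not visible here, which may be why the follow-up patch switches to `[ ... ]`.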
diff --git a/install_files/securedrop-config/DEBIAN/postinst b/install_files/securedrop-config/DEBIAN/postinst
index bbe09809fc..58cbf8b63a 100755
--- a/install_files/securedrop-config/DEBIAN/postinst
+++ b/install_files/securedrop-config/DEBIAN/postinst
@@ -4,23 +4,32 @@
 set -e
 set -x
 
+update_release_available_script() {
+    # The script /etc/cron.weekly/update-notifier-common runs the command
+    # /usr/lib/ubuntu-release-upgrader/release-upgrade-motd which runs the command
+    # /usr/lib/ubuntu-release-upgrader/check-new-release whose output is written to the "stamp" file
+    # /var/lib/ubuntu-release-upgrader/release-upgrade-available which is picked up by OSSEC.
+    #
+    # To prevent the OSSEC alerts from from telling the user to run 'do-release-upgrade' which
+    # may break their system, we update both the script and the existing "stamp" file.
+
+    for file in /usr/lib/ubuntu-release-upgrader/check-new-release /var/lib/ubuntu-release-upgrader/release-upgrade-available; do
+        if [ -f $file ]; then
+            sed -i "s|Run 'do-release-upgrade' to upgrade to it\\.|Visit https://securedrop.org/xenial-upgrade for more information|" "$file"
+        fi
+    done
+}
 # Issue #4104
 # Set Prompt=never on Xenial
 # Set Prompt=lts on Trusty
 update_release_prompt() {
     set -e
+    upgrade_config='/etc/update-manager/release-upgrades'
 
-    declare -r upgrade_config='/etc/update-manager/release-upgrades'
-
-    declare -r release="$(lsb_release -sc)"
-    if [ "$?" -ne 0 ]; then
-        echo 'Unable to detect LSB codename' >&2
-        return 1
-    fi
-
-    if [[ "$release" == trusty ]]; then
+    if [ "$(lsb_release -sc)" = trusty ]; then
         sed -i 's/Prompt=.*/Prompt=lts/' "$upgrade_config"
+        update_release_available_script
     else
         sed -i 's/Prompt=.*/Prompt=never/' "$upgrade_config"
     fi

From 047a15b652869677b553fcfc052414611db41e28 Mon Sep 17 00:00:00 2001
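Review bot: `update_release_available_script` rewrites `/usr/lib/ubuntu-release-upgrader/check-new-release` in place with `sed -i`, a file owned by another package (presumably ubuntu-release-upgrader-core), so the next upgrade of that package — including one pulled in by unattended security updates — silently restores the original 'do-release-upgrade' wording and the OSSEC alert goes back to recommending the unsupported path, with nothing in this postinst re-applying the edit. Either register the override with `dpkg-divert` and ship the patched copy, or at least state this limitation in the function comment and make the call idempotent so re-running the postinst repairs it. Minor points in the same hunk: `[ -f $file ]` should quote the variable (`[ -f "$file" ]`) as the `sed` call below it already does, the comment has a doubled `from from`, and `upgrade_config=...` in `update_release_prompt` is now a global where the removed `declare -r` was function-scoped — `local upgrade_config=...` keeps the old scoping.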
From: heartsucker
Date: Mon, 11 Feb 2019 12:42:45 +0100
Subject: [PATCH 3/5] revert update script changes once we move to xenial

---
 install_files/securedrop-config/DEBIAN/postinst | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/install_files/securedrop-config/DEBIAN/postinst b/install_files/securedrop-config/DEBIAN/postinst
index 58cbf8b63a..5717d8e2f8 100755
--- a/install_files/securedrop-config/DEBIAN/postinst
+++ b/install_files/securedrop-config/DEBIAN/postinst
@@ -20,6 +20,14 @@ update_release_available_script() {
     done
 }
 
+revert_update_release_available_script() {
+    for file in /usr/lib/ubuntu-release-upgrader/check-new-release /var/lib/ubuntu-release-upgrader/release-upgrade-available; do
+        if [ -f $file ]; then
+            sed -i "s|Visit https://securedrop\\.org/xenial-upgrade for more information|Run 'do-release-upgrade' to upgrade to it.|" "$file"
+        fi
+    done
+}
+
 # Issue #4104
 # Set Prompt=never on Xenial
 # Set Prompt=lts on Trusty
@@ -32,6 +40,7 @@ update_release_prompt() {
         update_release_available_script
     else
         sed -i 's/Prompt=.*/Prompt=never/' "$upgrade_config"
+        revert_update_release_available_script
     fi
 }
 

From 4da235c5be4a9e4186bc717309fd02b3b0a17176 Mon Sep 17 00:00:00 2001
From: Conor Schaefer
Date: Mon, 11 Feb 2019 10:51:26 -0800
Subject: [PATCH 4/5] Adds config tests for release-manager channels

Validates that Trusty should honor an upgrade request to Xenial, but Xenial should not honor upgrade requests to Bionic.
---
 .../staging/common/test_release_upgrades.py | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 molecule/testinfra/staging/common/test_release_upgrades.py

diff --git a/molecule/testinfra/staging/common/test_release_upgrades.py b/molecule/testinfra/staging/common/test_release_upgrades.py
new file mode 100644
index 0000000000..164c01f1bd
--- /dev/null
+++ b/molecule/testinfra/staging/common/test_release_upgrades.py
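Review bot: `revert_update_release_available_script` duplicates the two-path file list and the unquoted `[ -f $file ]` from `update_release_available_script`, so the forward and reverse `sed` calls can drift apart; hoist the list into one variable at the top of the script (`release_upgrader_files='/usr/lib/ubuntu-release-upgrader/check-new-release /var/lib/ubuntu-release-upgrader/release-upgrade-available'`) and quote `"$file"` in the test. Reverting the stamp file's wording rather than removing it leaves whatever Trusty-era message is already there in place until the weekly cron rewrites it; whether that stale text matters depends on how OSSEC consumes the file, which is not visible here — worth a comment either way. Because the script's top-level `set -e` is in force, a `sed` failure in this function aborts the postinst on Xenial as well.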
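Review bot: The `else` branch — `Prompt=never` plus the new `revert_update_release_available_script` call — now runs for every codename that is not `trusty`, including an empty string when `lsb_release` is missing or fails, since a failed command substitution inside `[ ... ]` does not trip `set -e`. Make the supported releases explicit so an unexpected host fails loudly instead of silently taking the Xenial path: `elif [ "$(lsb_release -sc)" = xenial ]; then` for the current branch body, then `else echo 'unsupported release codename' >&2; return 1; fi`. The body of `update_release_prompt` begins before this hunk.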
@@ -0,0 +1,27 @@
+def test_release_manager_upgrade_channel(host):
+    """
+    Ensures that the `do-release-upgrade` command will honor
+    upgrades from Trusty to Xenial, but not suggest upgrades
+    from Xenial to Bionic (which is untested and unsupported.)
+    """
+    expected_channels = {
+        "trusty": "lts",
+        "xenial": "never",
+    }
+
+    config_path = "/etc/update-manager/release-upgrades"
+    assert host.file(config_path).is_file
+
+    raw_output = host.check_output("grep '^Prompt' {}".format(config_path))
+    _, channel = raw_output.split("=")
+
+    expected_channel = expected_channels[host.system_info.codename]
+    assert channel == expected_channel
+
+
+def test_do_release_upgrade_is_installed(host):
+    """
+    Ensure the `do-release-upgrade` command is present on target systems,
+    so that instance Admins can upgrade from Trusty to Xenial.
+    """
+    assert host.exists("do-release-upgrade")

From cf14d40fec799a524257f74a43fbf692e0ed6171 Mon Sep 17 00:00:00 2001
From: heartsucker
Date: Tue, 12 Feb 2019 22:44:47 +0100
Subject: [PATCH 5/5] force re-run the script to trigger an ossec alert

---
 install_files/securedrop-config/DEBIAN/postinst | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/install_files/securedrop-config/DEBIAN/postinst b/install_files/securedrop-config/DEBIAN/postinst
index 5717d8e2f8..a2634a9f40 100755
--- a/install_files/securedrop-config/DEBIAN/postinst
+++ b/install_files/securedrop-config/DEBIAN/postinst
@@ -18,6 +18,11 @@ update_release_available_script() {
             sed -i "s|Run 'do-release-upgrade' to upgrade to it\\.|Visit https://securedrop.org/xenial-upgrade for more information|" "$file"
         fi
     done
+
+    # remove the file in case it's empty
+    rm -f /var/lib/ubuntu-release-upgrader/release-upgrade-available
+    # force re-run the update script to trigger an OSSEC alert
+    /usr/lib/ubuntu-release-upgrader/check-new-release -q > /var/lib/ubuntu-release-upgrader/release-upgrade-available &
 }
 
 revert_update_release_available_script() {
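Review bot: `test_release_manager_upgrade_channel` only checks the `Prompt=` channel, so the postinst's rewrite of `check-new-release` and of the stamp file on Trusty — the part of this series that changes what OSSEC tells the admin — has no test; add a check that on trusty the stamp file, when present, no longer carries the old wording, e.g. `stamp = host.file("/var/lib/ubuntu-release-upgrader/release-upgrade-available")` and `if stamp.exists: assert "do-release-upgrade" not in stamp.content_string`. `_, channel = raw_output.split("=")` also raises `ValueError` rather than a readable assertion when `grep` returns zero or several `Prompt` lines; `assert raw_output.startswith("Prompt=")` followed by `channel = raw_output.partition("=")[2]` fails with a clearer message and tolerates a value containing `=`. Whether `check_output` strips the trailing newline is not visible in this file — if it does not, the equality on the last line fails for a misleading reason.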
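Review bot: Backgrounding `check-new-release -q > .../release-upgrade-available &` from a maintainer script detaches a process that presumably performs a network fetch, with no timeout, whose exit status is always hidden from `set -e`, and which may still be running when dpkg returns; worse, the `>` redirection creates an empty stamp file at once, which is exactly the state the preceding `rm -f` comment is trying to avoid, so OSSEC can read an empty file in the window before the check finishes. Run the check synchronously with a bound, write to a temporary file next to the stamp, and move it into place only on success, so the stamp is either absent or complete. The function's comment describes `release-upgrade-motd` as the weekly cron entry point that produces this file; invoking that instead may be more appropriate, but confirm how it handles the no-new-release case first. `update_release_available_script` begins before this hunk.
```shell
    stamp='/var/lib/ubuntu-release-upgrader/release-upgrade-available'
    # remove the file in case it's empty
    rm -f "$stamp"
    # Re-run the check synchronously (bounded) and install the result atomically,
    # so the stamp file is never seen half-written or empty.
    tmp="$(mktemp "${stamp}.XXXXXX")"
    if timeout 120 /usr/lib/ubuntu-release-upgrader/check-new-release -q > "$tmp"; then
        mv -f "$tmp" "$stamp"
    else
        rm -f "$tmp"
        echo 'check-new-release failed or timed out; stamp file not regenerated' >&2
    fi
```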