
Adds dev-focal to run SecureDrop on Focal container #5544

Merged Nov 4, 2020 (3 commits)

kushaldas (Contributor) commented Sep 30, 2020

Status

Ready for review.

Towards #5524

Description of Changes

make dev-focal will start a Focal container with SecureDrop running.
Also updates the gpg2 --import command to import into the pubring.gpg keyring file explicitly. Related Ansible change is tracked via #5499

The tests in Focal will fail to run, and will be fixed via #5585

Testing

  • make dev-focal to see if it starts a container on Focal
  • make dev should start SecureDrop on xenial
  • make test should not have any error.
  • make test-focal will show test failures (as we are slowly fixing them for Focal)
  • CI should be green

Deployment

Any special considerations for deployment? Consider both:

  1. Upgrading existing production instances.
  2. New installs.

Checklist

If you made changes to the server application code:

  • Linting (make lint) and tests (make test) pass in the development container

If you made changes to securedrop-admin:

  • Linting and tests (make -C admin test) pass in the admin development container

If you made changes to the system configuration:

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

If you made changes to documentation:

  • Doc linting (make docs-lint) passed locally

If you added or updated a code dependency:

Choose one of the following:

  • I have performed a diff review and pasted the contents to the packaging wiki
  • I would like someone else to do the diff review

emkll (Contributor) left a comment

Thanks for the changes @kushaldas, some preliminary comments inline. There are 33 tests failing here under Focal:

tests/test_alembic.py::test_alembic_head_matches_db_models FAILED        [  0%]
tests/test_alembic.py::test_alembic_migration_downgrade[523fff3f969c] FAILED [  3%]
tests/test_alembic.py::test_alembic_migration_downgrade[60f41bb14d98] FAILED [  4%]
tests/test_alembic.py::test_alembic_migration_downgrade[48a75abc0121] FAILED [  4%]
tests/test_alembic.py::test_alembic_migration_downgrade[35513370ba0d] FAILED [  4%]
tests/test_alembic.py::test_alembic_migration_downgrade[3da3fcab826a] FAILED [  4%]
tests/test_alembic.py::test_alembic_migration_downgrade[b58139cfdc8c] FAILED [  5%]
tests/test_alembic.py::test_alembic_migration_downgrade[f2833ac34bb6] FAILED [  6%]
tests/test_alembic.py::test_alembic_migration_downgrade[a9fe328b053a] FAILED [  6%]
tests/test_alembic.py::test_schema_unchanged_after_up_then_downgrade[fccf57ceef02] FAILED [  6%]
tests/test_alembic.py::test_schema_unchanged_after_up_then_downgrade[3d91d6948753] FAILED [  6%]
tests/test_alembic.py::test_schema_unchanged_after_up_then_downgrade[60f41bb14d98] FAILED [  7%]
tests/test_alembic.py::test_schema_unchanged_after_up_then_downgrade[2d0ce3ee5bdc] FAILED [  7%]
tests/test_alembic.py::test_schema_unchanged_after_up_then_downgrade[e0a525cbab83] FAILED [  7%]
tests/test_alembic.py::test_schema_unchanged_after_up_then_downgrade[b58139cfdc8c] FAILED [  8%]
tests/test_alembic.py::test_schema_unchanged_after_up_then_downgrade[f2833ac34bb6] FAILED [  8%]
tests/test_alembic.py::test_downgrade_with_data[b58139cfdc8c] FAILED     [ 13%]
tests/test_crypto_util.py::test_delete_reply_keypair FAILED              [ 17%]
tests/test_crypto_util.py::test_delete_reply_keypair_pinentry_status_is_handled FAILED [ 17%]
tests/test_integration.py::test_submit_message FAILED                    [ 22%]
tests/test_integration.py::test_submit_file FAILED                       [ 22%]
tests/test_journalist.py::test_delete_source_deletes_source_key FAILED   [ 41%]
tests/test_rm.py::test_secure_delete_capability FAILED                   [ 60%]
tests/test_source.py::test_metadata_route FAILED                         [ 68%]
tests/test_source.py::test_metadata_v2_url FAILED                        [ 68%]
tests/test_source.py::test_metadata_v3_url FAILED                        [ 68%]
tests/functional/test_source_metadata.py::TestInstanceMetadata::test_instance_metadata FAILED [ 79%]
tests/pageslayout/test_journalist.py::TestJournalistLayout::test_col_flagged[en_US] FAILED [ 86%]
tests/pageslayout/test_journalist.py::TestJournalistLayout::test_col_flagged[ar] FAILED [ 86%]
tests/pageslayout/test_journalist.py::TestJournalistLayout::test_flag[en_US] FAILED [ 91%]
tests/pageslayout/test_journalist.py::TestJournalistLayout::test_flag[ar] FAILED [ 91%]
tests/pageslayout/test_source.py::TestSourceLayout::test_source_flagged[en_US] FAILED [ 97%]
tests/pageslayout/test_source.py::TestSourceLayout::test_source_flagged[ar] FAILED [ 97%]

@@ -37,6 +37,8 @@ mkdir -p "../test-results"
export PAGE_LAYOUT_LOCALES
export TOR_FORCE_NET_CONFIG=0

python3 -m pip install pytest pytest-xdist pluggy -U
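
Review bot: the `python3 -m pip install pytest pytest-xdist pluggy -U` line has no version pin and no hash check, so each run of this test script installs whatever releases are newest at that moment. That makes test runs non-reproducible and lets an unreviewed release of any of the three packages execute inside the dev container. Move these packages into the pinned, hash-checked requirements file used for test dependencies and drop the `-U` install from this script.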
emkll (Contributor), Sep 30, 2020

As you've identified in the PR description, it would definitely make sense to move this to develop-requirements and/or test-requirements pinning the proper version and hashes. Since this doesn't affect the app code dependencies, we don't need a diff review, and I'm guessing newer versions should work under Xenial

@@ -0,0 +1,74 @@
# ubuntu 16.04 image from 2019-03-12
Contributor

looks like this comment needs to be updated?

@@ -0,0 +1,74 @@
# ubuntu 16.04 image from 2019-03-12
FROM ubuntu@sha256:2e70e9c81838224b5311970dbf7ed16802fbfe19e7a70b3cbfa3d7522aa285b4
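
Review bot: the header comment above the `FROM` line still reads "ubuntu 16.04 image from 2019-03-12", although this new file is the Dockerfile for the Focal container, so a reader cannot tell from the file which release the pinned sha256 digest refers to. Update the comment to name the release and image date that match the digest, and confirm the digest itself was changed from the Xenial one rather than copied along with the comment.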
Contributor

Because this Dockerfile introduced here is pretty much identical to the Xenial Dockerfile, what do you think about using Docker args to feed the Ubuntu container hash and python version to the Dockerfile so that we only maintain a single dockerfile? This is the approach used in the Workstation dom0 build logic in https://github.com/freedomofpress/securedrop-workstation/pull/612/files

In the past we've used BASE_OS variable and it may indeed be easier for us to continue going that route, especially since we aren't planning to support both Focal and Xenial for very long.

Contributor Author

We also have different packages installed in this container. I would love to keep in this BASE_OS style two different dockerfiles.

@kushaldas kushaldas force-pushed the dev_focal branch 5 times, most recently from f41cdf8 to 602f593 Compare October 8, 2020 10:13
kushaldas (Contributor Author) commented:

Due to the updating of the pytest module, now I will have to tests. https://app.circleci.com/pipelines/github/freedomofpress/securedrop/1133/workflows/556ab459-6515-4104-a338-7eb3355bd314/jobs/45446 Will discuss more during standup.

kushaldas (Contributor Author) commented:

Status update is in this commit message: 19f527b

@kushaldas kushaldas force-pushed the dev_focal branch 2 times, most recently from c4bf136 to 6f87968 Compare October 12, 2020 13:45
kushaldas (Contributor Author) commented:

Still requires update for lint errors.

@kushaldas kushaldas mentioned this pull request Oct 15, 2020
53 tasks
@kushaldas kushaldas marked this pull request as ready for review October 21, 2020 16:07
kushaldas (Contributor Author) commented:

pip gave pip._vendor.urllib3.exceptions.ProtocolError: ("Connection broken: ConnectionResetError(104, 'Connection reset by peer')", ConnectionResetError(104, 'Connection reset by peer')), I will kick the CI once again.

emkll (Contributor) left a comment

make dev-focal is failing due to TBB browser version not available https://github.com/freedomofpress/securedrop/pull/5544/files#diff-96bf85e6e44291b96a0917ee04d234a6986bca1858f16f195446ed697d4bf53eR26

https://github.com/freedomofpress/securedrop/pull/5544/files#r497806221 is a suggestion to minimize maintenance through a single docker file for both focal and xenial

kushaldas (Contributor Author) commented:

> make dev-focal is failing due to TBB browser version not available https://github.com/freedomofpress/securedrop/pull/5544/files#diff-96bf85e6e44291b96a0917ee04d234a6986bca1858f16f195446ed697d4bf53eR26

I will update this.

> https://github.com/freedomofpress/securedrop/pull/5544/files#r497806221 is a suggestion to minimize maintenance through a single docker file for both focal and xenial

I commented above at #5544 (comment) to point out that the Dockerfiles have different dependencies installed. And just maintaining two different versions makes the whole process much simpler.

emkll (Contributor) commented Oct 27, 2020

  • make dev-focal to see if it starts a container on Focal
  • make dev should start SecureDrop on xenial
  • make test should not have any error.
  • make test-focal should have around 33 errors :)

make test-focal is not working for me locally:

var/lib/gems/2.7.0/gems/sass-3.4.23/lib/sass/util.rb:1109: warning: constant ::Fixnum is deprecated
      write static/css/journalist.css
      write static/css/journalist.css.map
      write static/css/source.css
      write static/css/source.css.map
 Generating securedrop/config.py...
Traceback (most recent call last):
  File "/opt/venvs/securedrop-app-code/bin/pytest", line 5, in <module>
    from pytest import main
  File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/pytest.py", line 7, in <module>
    from _pytest.assertion import register_assert_rewrite
  File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/_pytest/assertion/__init__.py", line 12, in <module>
    from _pytest.assertion import rewrite
  File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/_pytest/assertion/rewrite.py", line 22, in <module>
    from _pytest.assertion import util
  File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/_pytest/assertion/util.py", line 11, in <module>
    import _pytest._code
  File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/_pytest/_code/__init__.py", line 6, in <module>
    from .code import Code  # noqa
  File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/_pytest/_code/code.py", line 15, in <module>
    import pluggy
  File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/pluggy/__init__.py", line 16, in <module>
    from .manager import PluginManager, PluginValidationError
  File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/pluggy/manager.py", line 6, in <module>
    import importlib_metadata
  File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/importlib_metadata/__init__.py", line 471, in <module>
    __version__ = version(__name__)
  File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/importlib_metadata/__init__.py", line 438, in version
    return distribution(package).version
  File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/importlib_metadata/__init__.py", line 411, in distribution
    return Distribution.from_name(package)
  File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/importlib_metadata/__init__.py", line 179, in from_name
    dists = resolver(name)
  File "<frozen importlib._bootstrap_external>", line 1382, in find_distributions
  File "/usr/lib/python3.8/importlib/metadata.py", line 466, in find_distributions
    found = cls._search_paths(context.name, context.path)
AttributeError: 'str' object has no attribute 'name'
make: *** [Makefile:231: test-focal] Error 1

kushaldas (Contributor Author) commented:

> make test-focal is not working for me locally:

Sorry, just now updated the test instruction, we cannot run make test-focal until #5585 is merged.

rmol (Contributor) previously approved these changes Oct 29, 2020

#5585 is merged, we're now able to run the dev server and tests on Focal, and the test failures under Focal have their own issues (#5602, #5604, #5605). Until we add the test-focal job (#5524) they won't affect CI for other PRs, so I'm OK with merging this.

`make dev-focal` will start a Focal container with SecureDrop running.
Also updates the gpg2 --import command to import into the pubring.gpg keyring file explicitly. Related Ansible change is tracked via #5499

emkll (Contributor) commented Nov 4, 2020

  • make dev-focal to see if it starts a container on Focal
  • make dev should start SecureDrop on xenial
  • make test should not have any error.
  • make test-focal will show test failures see below
  • CI should be green

Getting an error where functional tests aren't running in make test-focal, are you seeing that as well @kushaldas?

[...]
tests/test_template_filters.py::test_journalist_filters PASSED                                                                                                             [ 75%]
tests/test_worker.py::test_no_interrupted_jobs PASSED                                                                                                                      [ 75%]
tests/test_worker.py::test_job_interruption PASSED                                                                                                                         [ 75%]
tests/test_worker.py::test_worker_for_job PASSED                                                                                                                           [ 75%]
tests/functional/test_admin_interface.py::TestAdminInterface::test_admin_interface /home/user/src/securedrop/securedrop/bin/run-test: line 51:    67 Killed                  pytest --force-flaky --max-runs=3 --page-layout --durations 10 --junitxml=../test-results/junit.xml --cov-report term-missing --cov-report html:../test-results/cov_html --cov-report xml:../test-results/cov.xml --cov-report annotate:../test-results/cov_annotate --cov=. "$@"
make: *** [Makefile:231: test-focal] Error 137

emkll (Contributor) left a comment

make test-focal is now working for me locally, ran out of memory in my VM (thanks @kushaldas for the assist). Only two tests are failing inside the Focal container, those are captured in #5592.

CI is also green, good to merge from my perspective

@emkll emkll merged commit dbb020e into develop Nov 4, 2020
@emkll emkll deleted the dev_focal branch November 4, 2020 18:36