Skip to content

Creates Focal-specific kernel metapackage#5691

Merged
kushaldas merged 3 commits intodevelopfrom
5690-kernel-metapackage-for-focal
Jan 8, 2021
Merged

Creates Focal-specific kernel metapackage#5691
kushaldas merged 3 commits intodevelopfrom
5690-kernel-metapackage-for-focal

Conversation

@conorsch
Copy link
Contributor

@conorsch conorsch commented Jan 6, 2021
edited
Loading

Status

Ready for review.

Description of Changes

Fixes #5690. Fixes #4134.

Changes proposed in this pull request:

  • Creates Focal-specific securedrop-grsec metapackage, for pinning kernel and configuring paxctld
  • Installs the locally built securedrop-grsec in staging environment (previously we only used the package from apt-test in staging)
  • Updates tests accordingly
  • Tweaks build logic so we can more easily write per-distro packages

Testing

  • Visual review
  • CI is passing in all scenarios
  • (Optional) Run make build-debs-focal and inspect the securedrop-grsec metapackage that's created

Deployment

Focal-only.

Checklist

If you made changes to the server application code:

  • Linting (make lint) and tests (make test) pass in the development container

If you made changes to securedrop-admin:

  • Linting and tests (make -C admin test) pass in the admin development container

If you made changes to the system configuration:

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

Choose one of the following:

  • I have opened a PR in the docs repo for these changes, or will do so later
  • I would appreciate help with the documentation
  • These changes do not require documentation

If you added or updated a code dependency:

Choose one of the following:

  • I have performed a diff review and pasted the contents to the packaging wiki
  • I would like someone else to do the diff review

Conor Schaefer added 3 commits January 5, 2021 17:25
Forks securedrop-grsec metapackage for Focal
e98d894 
Creates a Focal-only version of the "securedrop-grsec" metapackage, so
we can provide distro-specific behavior, namely:

  * use paxctld, rather than paxctl
  * pin explicit kernel version via grub

Much of the new metapackage logic is taken from the comparable work
already implemented in:

https://github.com/freedomofpress/securedrop-debian-packaging/tree/cee267e7dfebd9553cdf4b02ecbe54783049121c/securedrop-workstation-grsec/debian

Also tweaks the package build logic to support per-distro packages.
Updates config tests for kernel metapackage
079a130 
A bit of per-distro logic, but mostly verifying the paxctl/paxctld
settings are as expected. These tests aren't actually passing yet,
because the "securedrop-grsec" metapackage isn't installed from scratch.
Installs locally built metapackage in staging
842787a 
The "securedrop-grsec" metapackage isn't included in the
"install-local-packages" logic, for the staging environment. That makes
evaluationg metapackage changes difficult. Let's add support for local
metapackages to aid in adjusting kernel-related settings.
@conorsch conorsch force-pushed the 5690-kernel-metapackage-for-focal branch from bd6c578 to 842787a Compare January 6, 2021 02:37
@codecov-io
Copy link

codecov-io commented Jan 6, 2021
edited
Loading

Codecov Report

Merging #5691 (842787a) into develop (57cb87a) will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff            @@
##           develop    #5691   +/-   ##
========================================
  Coverage    85.54%   85.54%           
========================================
  Files           52       52           
  Lines         3771     3771           
  Branches       474      474           
========================================
  Hits          3226     3226           
  Misses         440      440           
  Partials       105      105

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 57cb87a...842787a. Read the comment docs.

@conorsch conorsch marked this pull request as ready for review January 6, 2021 16:06
@conorsch
Copy link
Contributor Author

conorsch commented Jan 6, 2021

Note that post-merge, we should upload the new focal securedrop-grsec package to apt-test in https://github.com/freedomofpress/securedrop-dev-packages-lfs . Since this PR starts using the locally built metapackage in staging, CI is passing with out, but it must be there to unblock testing of Focal on hardware.

@kushaldas kushaldas self-assigned this Jan 7, 2021
@conorsch conorsch mentioned this pull request Jan 8, 2021
Closed
kushaldas
kushaldas approved these changes Jan 8, 2021
View reviewed changes
Copy link
Contributor

@kushaldas kushaldas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested locally against Focal target. Also did visual review. Looks good.

@kushaldas kushaldas merged commit cfb3cb9 into develop Jan 8, 2021
conorsch pushed a commit to freedomofpress/build-logs that referenced this pull request Jan 8, 2021
Adds securedrop-grsec pkg for Focal
06916a4 
Built post-merge of freedomofpress/securedrop#5691
conorsch pushed a commit to freedomofpress/securedrop-apt-test that referenced this pull request Jan 8, 2021
Adds securedrop-grsec pkg for Focal
295bfc1 
Built after merge of [0], build logs at [1].

[0] freedomofpress/securedrop#5691
[1] freedomofpress/build-logs@06916a4
This was referenced Jan 8, 2021
Merged
Closed
emkll added a commit that referenced this pull request Feb 4, 2021
@emkll
Bump securedrop-grsec-focal metapackage to 5.4.88
8c4430c 
This will pull in and install 5.4 series kernels for Focal installs,
thanks to the split metapackage logic introduced in #5691
emkll added a commit that referenced this pull request Feb 4, 2021
@emkll
Bump securedrop-grsec-focal metapackage to 5.4.88
c280ebf 
This will pull in and install 5.4 series kernels for Focal installs,
thanks to the split metapackage logic introduced in #5691
kushaldas pushed a commit that referenced this pull request Feb 5, 2021
@emkll @kushaldas
Bump securedrop-grsec-focal metapackage to 5.4.88
2f5af57 
This will pull in and install 5.4 series kernels for Focal installs,
thanks to the split metapackage logic introduced in #5691
@emkll emkll mentioned this pull request Feb 8, 2021
Merged
7 tasks
@legoktm legoktm deleted the 5690-kernel-metapackage-for-focal branch January 9, 2025 22:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@emkll emkll Awaiting requested review from emkll

1 more reviewer

@kushaldas kushaldas kushaldas approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@kushaldas kushaldas

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Create Focal-specific securedrop-grsec metapackage Use paxctld to manage all PaX flags in Ubuntu Focal

3 participants

@conorsch @codecov-io @kushaldas