[4.1] Release securedrop-workstation-dom0-rpm-config 0.10.0 #937

Closed
14 of 29 tasks
rocodes opened this issue Jan 16, 2024 · 10 comments · Fixed by #946

@rocodes
Contributor

rocodes commented Jan 16, 2024

Release process:

RC1:

  • [In release branch] bump rc version using update_version script, update changelog in rpm .spec file (changelog not updated, this is why we checklist)
  • [In release branch] create rc tag
  • [In release branch] build rc, commit build logs, and publish artifact to yum-test

RC2:

  • [In release branch] bump rc version using update_version script, update changelog in rpm .spec file
  • [In release branch] create rc tag
  • [In release branch] build rc, commit build logs, and publish artifact to yum-test

Release:

  • [In release branch] Bump version via update_version script, and update changelog in rpm .spec file
  • [In release branch] Create prod tag (signed by release signing key)
  • Build prod artifact, sign with release key, commit build logs
  • QA/smoketest of prod artifact (stuff rpm in dom0 of SDW prod machine)
  • Publish prod artifact to yum repo

Post-release

QA Test Plan

Fresh install (prodlike install)

Qubes 4.1.2 expected, please note hardware

Prep:

Testing:

  • RPM installs successfully in dom0
  • with config in place, sdw-admin --apply completes successfully
  • whonix-17 workstation and gateway templates are installed as part of --apply run
  • sd-whonix uses whonix-gateway-17 as its template
  • basic client functionality requiring Tor (login, first sync) completed successfully.

Upgrade from 0.9.0 (no whonix17 templates preinstalled)

Qubes 4.1.2 expected, please note hardware

Testing:

  • RPM installs successfully via sudo dnf install <name> in dom0, replacing the existing 0.9.0 rpm
  • Updater starts successfully and runs a full sdw-admin --apply migration
  • whonix-17 workstation and gateway templates are installed as part of updater run
  • sd-whonix uses whonix-gateway-17 as its template
  • basic client functionality requiring Tor (login, sync) completed successfully.

Upgrade from 0.9.0 (whonix17 templates are preinstalled)

  • RPM installs successfully via sudo dnf install <name> in dom0, replacing the existing 0.9.0 rpm
  • Updater starts successfully and runs a full sdw-admin --apply migration
  • sd-whonix uses whonix-gateway-17 as its template
  • basic client functionality requiring Tor (login, sync) completed successfully.
@marmarek

FYI updated salt formulae for Whonix are in current-testing for R4.1 already: QubesOS/qubes-mgmt-salt-dom0-virtual-machines#59
Be aware that Whonix 17 has changed template names (whonix-gw -> whonix-gateway, whonix-ws -> whonix-workstation).

@rocodes rocodes mentioned this issue Jan 22, 2024
8 tasks
@zenmonkeykstop zenmonkeykstop moved this from Blocked to In Progress in SecureDrop dev cycle Feb 6, 2024
@zenmonkeykstop zenmonkeykstop pinned this issue Feb 6, 2024
@eloquence
Member

RC1 is on https://yum-test.securedrop.org/workstation/dom0/f32/, taking it for a spin for a fresh install.

@eloquence
Member

I was initially surprised that the published checksum on yum-test differed until I reminded myself that we're now auto-signing dev RPMs with the dev key (https://github.com/freedomofpress/infrastructure/pull/4096). Dev key signature OK.

@eloquence
Member

eloquence commented Feb 7, 2024

Performed a fresh install (previous SDW install removed) of 0.10.0-RC1 from RPM downloaded from yum-test on a 4.1 system. Provisioning succeeded on first try without errors, full log at https://gist.github.com/eloquence/6ac1fbd212bb5e61b2a937c845e77aaf in case anyone wants to compare notes.

Whonix 17 was installed and whonix-gateway-17 is correctly set as the template for sd-whonix. SecureDrop Client login works without issues, downloading files works without issues. Updater not tested yet. Let me know if there's anything else you want me to test on this config.

@zenmonkeykstop
Contributor

Flagging it here since I cut RC2 without a new issue. RC1 had the following bugs:

  • missing changelog update (minor, could have been sorted out for prod RPM)
  • missing migration flag (major, prevents testing updater behaviour)

RC2 is now available.

@zenmonkeykstop zenmonkeykstop changed the title from "[4.1] Release dom0-rpm-config with Whonix 17 support" to "[4.1] Release securedrop-workstation-dom0-rpm-config 0.10.0" on Feb 7, 2024
@eloquence
Member

eloquence commented Feb 8, 2024

Upgraded a 0.9.0 machine to 0.10.0RC2 without issue. This was entirely done via the GUI updater. Whonix 17 templates were downloaded and configured for sd-whonix as expected. Smoke test logging into SD Client ran without issue.

One caveat: the 0.9.0 machine was configured as dev (rather than staging). I don't believe this materially impacts the validity of the test, as the thing we're concerned about (the migration via the RPM) relies on packages being downloaded from https://yum-test.securedrop.org/workstation/dom0/f32/ which, as far as I can tell, is still the default for RPM packages in dev; the dom0 repo settings show this path, rather than the nightlies path, and the logs show that the 0.10.0-rc2 package, rather than a nightly, was installed. The client used for the smoke test is a nightly from apt-test, but since we've already tested client behavior with the stable release, that seems immaterial.

For completeness, here is the stdout output from the updater run: https://gist.github.com/eloquence/069cbf16f22abbf431c09189838ddb52

@zenmonkeykstop
Contributor

zenmonkeykstop commented Feb 8, 2024

Upgraded prod via updater as follows:

  • installed 0.9.0

  • manually installed 0.10.0rc2 RPM in dom0

  • ran updater

  • RPM installs successfully via sudo dnf install in dom0, replacing the existing 0.9.0 rpm

  • Updater starts successfully and runs a full sdw-admin --apply migration

  • whonix-17 workstation and gateway templates are installed as part of updater run

  • sd-whonix uses whonix-gateway-17 as its template

  • (extra) on subsequent update run, full run is not applied

  • basic client functionality requiring Tor (login, sync) completed successfully.

@zenmonkeykstop
Contributor

Based on results above I'm thinking we're good to go for a release version. Tagging etc. in progress.

@rocodes
Contributor Author

rocodes commented Feb 8, 2024

extra install info for testers:

  • staging packages (apt-test) can be tested against a staging setup by running the GUI updater, no manual stuffing in should be needed
  • when prod packages are on yum-qa, edit the baseurl in /etc/yum.repos.d/securedrop-workstation-dom0.repo to point to yum-qa.securedrop.org, then run the sdw updater

@nathandyer

Tested on my production SDW workstation by:

  • Editing the baseurl to point to yum-qa as described by @rocodes
  • Running the SecureDrop updater
  • Rebooting when prompted after it reached 100%

Note: no issues during the upgrade procedure itself, saw the whonix-workstation-17 starting notification early on. Total update time for me was ~30 minutes.

Smoke tests:

  • Updater starts successfully and completes without error
  • whonix-17 workstation and gateway templates are installed as part of updater run
  • sd-whonix uses whonix-gateway-17 as its template
  • basic client functionality requiring Tor (login, sync) completed successfully

make test:
I also went ahead and ran make test with a local checkout of this branch in dom0: 76 tests completed in 213s. OK across the board
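
The Whonix 17 checks that recur in the test plan and the tester reports above (both templates installed, sd-whonix based on whonix-gateway-17) can be scripted in dom0. This is an added example, not part of the thread or of the SecureDrop Workstation code; the function names and the QVM_PREFS/QVM_CHECK override variables are hypothetical, and treating whonix-gw-* as the pre-17 naming follows the rename noted earlier in the thread.

```shell
#!/bin/sh
# Added example (not project code): dom0 smoke check for the Whonix 17
# items in the QA plan. Tool names are overridable so the logic can be
# exercised outside dom0 (assumption: qvm-prefs and qvm-check are on PATH).
QVM_PREFS="${QVM_PREFS:-qvm-prefs}"
QVM_CHECK="${QVM_CHECK:-qvm-check}"

EXPECTED_GW="whonix-gateway-17"
EXPECTED_WS="whonix-workstation-17"

# Classify the template name reported for sd-whonix.
#   ok      - the Whonix 17 gateway template
#   legacy  - pre-17 naming (whonix-gw-*), i.e. the migration did not run
#   unknown - anything else, including an empty answer
classify_gateway_template() {
    case "$1" in
        "$EXPECTED_GW") echo ok ;;
        whonix-gw-*)    echo legacy ;;
        *)              echo unknown ;;
    esac
}

# Succeeds only if both expected templates are installed and sd-whonix
# is based on the Whonix 17 gateway. Prints one PASS/FAIL line per check.
check_whonix17() {
    rc=0
    for tpl in "$EXPECTED_GW" "$EXPECTED_WS"; do
        if "$QVM_CHECK" --quiet --template "$tpl" 2>/dev/null; then
            echo "PASS template installed: $tpl"
        else
            echo "FAIL template missing: $tpl"; rc=1
        fi
    done
    current=$("$QVM_PREFS" sd-whonix template 2>/dev/null) || current=""
    state=$(classify_gateway_template "$current")
    if [ "$state" = ok ]; then
        echo "PASS sd-whonix template: $current"
    else
        echo "FAIL sd-whonix template ($state): ${current:-<none>}"; rc=1
    fi
    return $rc
}

# Run the checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    check_whonix17
fi
```

Invoked with `--run` in dom0, the script exits non-zero if any check fails, so it can gate a longer smoke-test sequence.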
