diff --git a/Cargo.lock b/Cargo.lock index 6bef724b5e..a007e53b04 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -263,6 +263,25 @@ dependencies = [ "log", ] +[[package]] +name = "env_filter" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4f2c92ceda6ceec50f43169f9ee8424fe2db276791afde7b2cd8bc084cb376ab" +dependencies = [ + "log", +] + +[[package]] +name = "env_logger" +version = "0.11.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e13fa619b91fb2381732789fc5de83b45675e882f66623b7d8cb4f643017018d" +dependencies = [ + "env_filter", + "log", +] + [[package]] name = "equivalent" version = "1.0.1" @@ -637,9 +656,9 @@ dependencies = [ [[package]] name = "log" -version = "0.4.20" +version = "0.4.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b5e6163cb8c49088c2c36f57875e58ccd8c87c7427f7fbd50ea6710b2f3f2e8f" +checksum = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24" [[package]] name = "memchr" @@ -682,6 +701,8 @@ name = "noble-migration" version = "0.1.0" dependencies = [ "anyhow", + "env_logger", + "log", "rustix", "serde", "serde_json", diff --git a/noble-migration/Cargo.toml b/noble-migration/Cargo.toml index af75a0e55b..0ebf0e2bad 100644 --- a/noble-migration/Cargo.toml +++ b/noble-migration/Cargo.toml @@ -5,6 +5,8 @@ edition = "2021" [dependencies] anyhow = "1.0.93" +env_logger = { version = "0.11.5", default-features = false } +log = "0.4.22" rustix = { version = "0.38.40", features = ["process"] } serde = { version = "1.0.215", features = ["derive"] } serde_json = "1.0.132" diff --git a/noble-migration/files/apt_freedom_press.list b/noble-migration/files/apt_freedom_press.list new file mode 100644 index 0000000000..12e72a6778 --- /dev/null +++ b/noble-migration/files/apt_freedom_press.list @@ -0,0 +1 @@ +deb [arch=amd64] https://apt.freedom.press noble main diff --git a/noble-migration/files/sources.list b/noble-migration/files/sources.list new file mode 100644 index 0000000000..df96219dc8 --- /dev/null +++ b/noble-migration/files/sources.list @@ -0,0 +1,13 @@ +## newer versions of the distribution. +deb http://archive.ubuntu.com/ubuntu/ noble main + +## newer versions of the distribution. +deb http://archive.ubuntu.com/ubuntu/ noble universe + +## Major bug fix updates produced after the final release of the +## distribution. +deb http://archive.ubuntu.com/ubuntu/ noble-updates main + +### Security fixes for distribution packages +deb http://security.ubuntu.com/ubuntu noble-security main +deb http://security.ubuntu.com/ubuntu noble-security universe diff --git a/noble-migration/files/ubuntu.sources b/noble-migration/files/ubuntu.sources new file mode 100644 index 0000000000..bcd1f501fe --- /dev/null +++ b/noble-migration/files/ubuntu.sources @@ -0,0 +1,11 @@ +Types: deb +URIs: http://archive.ubuntu.com/ubuntu/ +Suites: noble noble-updates +Components: main universe restricted multiverse +Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg + +Types: deb +URIs: http://security.ubuntu.com/ubuntu/ +Suites: noble-security +Components: main universe restricted multiverse +Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg diff --git a/noble-migration/src/bin/upgrade.rs b/noble-migration/src/bin/upgrade.rs new file mode 100644 index 0000000000..3fb756a8fb --- /dev/null +++ b/noble-migration/src/bin/upgrade.rs @@ -0,0 +1,456 @@ +//! Migrate a SecureDrop server from focal to noble +//! +//! This script should never be run directly, only via the +//! systemd service. +use anyhow::{bail, Context, Result}; +use log::{debug, error, info}; +use rustix::process::geteuid; +use serde::{Deserialize, Serialize}; +use std::{ + collections::HashMap, + fs::{self, Permissions}, + os::unix::{fs::PermissionsExt, process::ExitStatusExt}, + path::Path, + process::{self, Command, ExitCode}, + thread::sleep, + time::Duration, +}; + +const CONFIG_PATH: &str = "/usr/share/securedrop/noble-upgrade.json"; +const STATE_PATH: &str = "/etc/securedrop-noble-migration.json"; +const MON_OSSEC_CONFIG: &str = "/var/ossec/etc/ossec.conf"; + +#[derive(Serialize, Deserialize, PartialEq, Eq, Debug)] +enum Stage { + None, + PendingUpdates, + MigrationCheck, + DisableApache2, + Backup, + Marker, + SuspendOSSEC, + DisableUnattendedUpdates, + ChangeAptSources, + AptGetUpdate, + AptGetUpgradeNoNew, + AptGetFullUpgrade, + ReenableUnattendedUpdates, + ReenableOSSEC, + Reboot, + SwitchUbuntuSources, + IntegrityCheck, + ReenableApache2, + RemoveBackup, + Done, +} + +#[derive(Serialize, Deserialize)] +struct State { + finished: Stage, + bucket: usize, +} + +impl State { + fn load() -> Result { + if !Path::new(STATE_PATH).exists() { + debug!("State file, {}, doesn't exist; state=None", STATE_PATH); + let state = State { + finished: Stage::None, + // FIXME: seed randomly + bucket: 4, + }; + // Persist the randomly selected bucket + state.save()?; + return Ok(state); + } + debug!("Loading state from {}", STATE_PATH); + // FIXME: what if this fails? + serde_json::from_str( + &fs::read_to_string(STATE_PATH) + .context("Unable to read STATE_PATH")?, + ) + .context("Deserializing STATE_PATH failed") + } + + fn set(&mut self, stage: Stage) -> Result<()> { + debug!("Finished stage {stage:?}"); + self.finished = stage; + self.save() + } + + fn save(&self) -> Result<()> { + fs::write( + STATE_PATH, + serde_json::to_string(self).context("Failed to serialize state")?, + ) + .context("Failed to write state") + } +} + +fn run_next_stage(state: &mut State) -> Result<()> { + match state.finished { + Stage::None => { + pending_updates(state)?; + // n.b. this is unreachable because we've already rebooted + state.set(Stage::PendingUpdates)?; + } + Stage::PendingUpdates => { + migration_check()?; + state.set(Stage::MigrationCheck)?; + } + Stage::MigrationCheck => { + disable_apache2()?; + state.set(Stage::DisableApache2)?; + } + Stage::DisableApache2 => { + backup()?; + state.set(Stage::Backup)?; + } + Stage::Backup => { + suspend_ossec()?; + state.set(Stage::Marker)?; + } + Stage::Marker => { + marker()?; + state.set(Stage::SuspendOSSEC)?; + } + Stage::SuspendOSSEC => { + disable_unattended_updates()?; + state.set(Stage::DisableUnattendedUpdates)?; + } + Stage::DisableUnattendedUpdates => { + change_apt_sources()?; + state.set(Stage::ChangeAptSources)?; + } + Stage::ChangeAptSources => { + apt_get_update()?; + state.set(Stage::AptGetUpdate)?; + } + Stage::AptGetUpdate => { + apt_get_upgrade_no_new()?; + state.set(Stage::AptGetUpgradeNoNew)?; + } + Stage::AptGetUpgradeNoNew => { + apt_get_full_upgrade()?; + state.set(Stage::AptGetFullUpgrade)?; + } + Stage::AptGetFullUpgrade => { + reenable_unattended_updates()?; + state.set(Stage::ReenableUnattendedUpdates)?; + } + Stage::ReenableUnattendedUpdates => { + reenable_ossec()?; + state.set(Stage::ReenableOSSEC)?; + } + Stage::ReenableOSSEC => { + reboot(state)?; + // n.b. this is unreachable because we've already rebooted + state.set(Stage::Reboot)?; + } + Stage::Reboot => { + switch_ubuntu_sources()?; + state.set(Stage::SwitchUbuntuSources)?; + } + Stage::SwitchUbuntuSources => { + integrity_check()?; + state.set(Stage::IntegrityCheck)?; + } + Stage::IntegrityCheck => { + reenable_apache2()?; + state.set(Stage::ReenableApache2)?; + } + Stage::ReenableApache2 => { + remove_backup()?; + state.set(Stage::RemoveBackup)?; + } + Stage::RemoveBackup => { + state.set(Stage::Done)?; + } + Stage::Done => {} + } + Ok(()) +} + +/// A wrapper to roughly implement Python's subprocess.check_call/check_output +fn check_call(binary: &str, args: &[&str]) -> Result { + debug!("Running: {binary} {}", args.join(" ")); + let output = Command::new(binary) + .args(args) + .env("DEBIAN_FRONTEND", "noninteractive") + .output() + .context(format!("failed to spawn/execute '{binary}'"))?; + if output.status.success() { + debug!("Finished running: {binary} {}", args.join(" ")); + // FIXME: should we use from_utf8_lossy here? + let stdout = String::from_utf8(output.stdout) + .context("stdout contains non-utf8 bytes")?; + debug!("{stdout}"); + Ok(stdout) + } else { + debug!("Errored running: {binary} {}", args.join(" ")); + // Figure out why it failed by looking at the exit code, and if none, + // look at if it was a signal + let exit = match output.status.code() { + Some(code) => format!("exit code {code}"), + None => match output.status.signal() { + Some(signal) => format!("terminated by signal {signal}"), + None => "for an unknown reason".to_string(), + }, + }; + error!("{}", String::from_utf8_lossy(&output.stderr)); + bail!("running '{binary}' failed; {exit}") + } +} + +/// Check if the current server is the mon server by +/// looking for the securedrop-ossec-server package +fn is_mon_server() -> bool { + Path::new("/usr/share/doc/securedrop-ossec-server/copyright").exists() +} + +fn pending_updates(state: &mut State) -> Result<()> { + info!("Applying any pending updates..."); + check_call("apt-get", &["update"])?; + check_call("unattended-upgrade", &[])?; + state.set(Stage::PendingUpdates)?; + check_call("systemctl", &["reboot"])?; + // Because we've initiated the reboot, do a hard stop here to ensure that + // we don't keep moving forward if the reboot doesn't happen instantly + process::exit(0); +} + +fn migration_check() -> Result<()> { + info!("Checking pre-migration steps..."); + // TODO: consider just invoking the Rust code directly + check_call("systemctl", &["start", "securedrop-noble-migration-check"])?; + loop { + // Wait for the service to finish + let output = check_call( + "systemctl", + &["is-active", "securedrop-noble-migration-check"], + )?; + if output == "active" { + sleep(Duration::from_secs(1)); + } else { + break; + } + } + let data: HashMap = serde_json::from_str( + &fs::read_to_string("/etc/securedrop-noble-migration-check.json")?, + )?; + if data.contains_key("error") { + bail!("Migration check errored") + } else if data.values().any(|val| val == &false) { + bail!("Migration check failed") + } + + Ok(()) +} + +fn disable_apache2() -> Result<()> { + if is_mon_server() { + return Ok(()); + } + info!("Stopping web server for duration of upgrade..."); + check_call("systemctl", &["mask", "apache2"])?; + Ok(()) +} + +fn backup() -> Result<()> { + info!("Taking a backup..."); + // Create a root-only directory to store the backup + fs::create_dir("/var/lib/securedrop-backups")?; + let permissions = Permissions::from_mode(0o700); + fs::set_permissions("/var/lib/securedrop-backups", permissions)?; + check_call( + "/usr/bin/securedrop-app-backup.py", + &["--dest", "/var/lib/securedrop-backups"], + )?; + Ok(()) +} + +fn marker() -> Result<()> { + info!("Writing upgrade marker file..."); + fs::write("/etc/securedrop-upgraded-from-focal", "yes") + .context("failed to write upgrade marker file") +} + +fn suspend_ossec() -> Result<()> { + if !is_mon_server() { + return Ok(()); + } + info!("Temporarily suspending most OSSEC notifications..."); + let current = fs::read_to_string(MON_OSSEC_CONFIG)?; + let new = current.replace( + "7", + "15", + ); + fs::write(MON_OSSEC_CONFIG, new)?; + check_call("systemctl", &["restart", "ossec"])?; + Ok(()) +} + +fn disable_unattended_updates() -> Result<()> { + info!("Temporarily disabling background updates..."); + // FIXME: apt-daily timers + check_call("systemctl", &["mask", "unattended-upgrades"])?; + Ok(()) +} + +fn change_apt_sources() -> Result<()> { + info!("Switching APT sources to noble..."); + fs::write( + "/etc/apt/sources.list", + include_str!("../../files/sources.list"), + )?; + fs::write( + "/etc/apt/sources.list.d/apt_freedom_press.list", + include_str!("../../files/apt_freedom_press.list"), + )?; + Ok(()) +} + +fn apt_get_update() -> Result<()> { + info!("Updating APT cache..."); + check_call("apt-get", &["update"])?; + Ok(()) +} + +fn apt_get_upgrade_no_new() -> Result<()> { + info!("Upgrading APT packages (first pass)..."); + check_call( + "apt-get", + &[ + "upgrade", + "--without-new-pkgs", + "--force-confold", + "--force-confdef", + ], + )?; + Ok(()) +} + +fn apt_get_full_upgrade() -> Result<()> { + info!("Upgrading APT packages (second pass)..."); + check_call( + "apt-get", + &["full-upgrade", "--force-confold", "--force-confdef"], + )?; + Ok(()) +} + +fn reenable_unattended_updates() -> Result<()> { + info!("Re-enabling background updates..."); + // FIXME: apt-daily timers + check_call("systemctl", &["unmask", "unattended-upgrades"])?; + Ok(()) +} + +fn reenable_ossec() -> Result<()> { + if !is_mon_server() { + return Ok(()); + } + info!("Re-enabling OSSEC notifications..."); + let current = fs::read_to_string(MON_OSSEC_CONFIG)?; + let new = current.replace( + "15", + "7", + ); + fs::write(MON_OSSEC_CONFIG, new)?; + check_call("systemctl", &["restart", "ossec"])?; + Ok(()) +} + +fn reboot(state: &mut State) -> Result<()> { + info!("Rebooting!"); + state.set(Stage::Reboot)?; + check_call("systemctl", &["reboot"])?; + // Because we've initiated the reboot, do a hard stop here to ensure that + // we don't keep moving forward if the reboot doesn't happen instantly + process::exit(0); +} + +fn switch_ubuntu_sources() -> Result<()> { + info!("Switching APT sources format..."); + fs::write( + "/etc/apt/sources.list.d/ubuntu.sources", + include_str!("../../files/ubuntu.sources"), + ) + .context("failed to write ubuntu.sources")?; + fs::remove_file("/etc/apt/sources.list") + .context("failed to remove sources.list")?; + Ok(()) +} + +fn integrity_check() -> Result<()> { + info!("Running integrity check post-upgrade..."); + // FIXME: do something here + // FIXME: check no failing systemd units + // FIXME: check firewall is up + Ok(()) +} + +fn reenable_apache2() -> Result<()> { + if is_mon_server() { + return Ok(()); + } + info!("Starting web server..."); + check_call("systemctl", &["unmask", "unattended-upgrades"])?; + Ok(()) +} + +fn remove_backup() -> Result<()> { + info!("Deleting backup..."); + fs::remove_dir_all("/var/lib/securedrop-backups")?; + Ok(()) +} + +#[derive(Deserialize)] +struct UpgradeConfig { + enabled: bool, + bucket: usize, +} + +fn should_upgrade(state: &State) -> Result { + let config: UpgradeConfig = serde_json::from_str( + &fs::read_to_string(CONFIG_PATH) + .context("failed to read CONFIG_PATH")?, + ) + .context("failed to deserialize CONFIG_PATH")?; + if !config.enabled { + info!("Auto-upgrades are disabled"); + return Ok(false); + } + if config.bucket > state.bucket { + info!( + "Auto-upgrades are enabled, but our bucket hasn't been enabled yet" + ); + return Ok(false); + } + + Ok(true) +} + +fn main() -> Result { + // TODO: set a format here, default to info + env_logger::init(); + + if !geteuid().is_root() { + error!("This script must be run as root"); + return Ok(ExitCode::FAILURE); + } + + let mut state = State::load()?; + if !should_upgrade(&state)? { + return Ok(ExitCode::SUCCESS); + } + info!("Starting migration from state: {:?}", state.finished); + loop { + run_next_stage(&mut state)?; + if state.finished == Stage::Done { + break; + } + } + + Ok(ExitCode::SUCCESS) +} diff --git a/securedrop/debian/config/usr/share/securedrop/noble-upgrade.json b/securedrop/debian/config/usr/share/securedrop/noble-upgrade.json new file mode 100644 index 0000000000..c43d7189fc --- /dev/null +++ b/securedrop/debian/config/usr/share/securedrop/noble-upgrade.json @@ -0,0 +1,4 @@ +{ + "enabled": false, + "bucket": 0 +} diff --git a/securedrop/debian/rules b/securedrop/debian/rules index c30672f1c7..b3f846b1fb 100755 --- a/securedrop/debian/rules +++ b/securedrop/debian/rules @@ -22,7 +22,8 @@ override_dh_auto_install: cd /srv/rust/noble-migration && cargo build --release --locked && \ cd /srv/securedrop && \ mkdir -p ./debian/securedrop-config/usr/bin && \ - mv /srv/rust/target/release/check ./debian/securedrop-config/usr/bin/securedrop-noble-migration-check + mv /srv/rust/target/release/check ./debian/securedrop-config/usr/bin/securedrop-noble-migration-check && \ + mv /srv/rust/target/release/upgrade ./debian/securedrop-config/usr/bin/securedrop-noble-upgrade # Build redwood wheel python3 /srv/rust/redwood/build-wheel.py --release --redwood /srv/rust/redwood --target /srv/rust/target # Set up virtualenv and install dependencies