Attempt hardware SecureDrop install on Focal #5663

Closed
2 of 5 tasks
emkll opened this issue Dec 1, 2020 · 9 comments

@emkll
Contributor

emkll commented Dec 1, 2020

As part of the Focal epic, we now have all (application and infra) tests passing in CI in Focal #5638.

CI and staging environments are virtualized, and as such there can be differences in kernel support, but also with packages installed. This will also help us begin to document any differences in documentation during the install steps of the underlying OS.

This ticket is to track the install of SecureDrop on a hardware server running Ubuntu 20.04 focal. We should

  • make build-debs focal
  • deploy these packages to apt-test.freedom.press ("Adds all Focal packages for SD core", securedrop-apt-test#77)
  • Provision app and mon servers on the latest Ubuntu 20.04 ISO (20.04.1 as of this writing)
  • Install SecureDrop (using apt-test.freedom.press on the focal channel)
  • Document any findings either here or in follow-up issues.

@eloquence
Member

(Blocked on #5638)

@eloquence eloquence removed the blocked label Dec 16, 2020
@eloquence
Member

#5638 is merged; shoring up the prod VM story is another step towards this issue, see #5669.

@eloquence
Member

Now that we have packages on apt-test, this should be unblocked. @rmol will do a first install attempt on NUC7s during the 1/6-1/20 sprint and document findings here.

@eloquence
Member

eloquence commented Jan 21, 2021

This is still a very high priority but slipped due to competing QA requirements for 1.7.0. @rmol and @emkll will lead this investigation during the 1/21-2/3 sprint.

@eloquence
Member

eloquence commented Feb 3, 2021

Next steps discussed in sprint planning today:

  • @emkll (Mac Mini) and @rmol (NUC7) will document their findings from their initial install attempts.
  • @creviera installed Focal on NUC8 and NUC10
  • @kushaldas has been provisionally signed up for a NUC5 install.
  • @zenmonkeykstop will attempt an install on the 1U servers.

Relatedly, in support of freedomofpress/securedrop-docs#135, @rmol and @zenmonkeykstop will start drafting an outline (can be in the wiki for now) of what the install process looks like (especially the Ubuntu 20.04 install, which is substantially different from our current docs), informed by these initial install runs.

@emkll
Contributor Author

emkll commented Feb 4, 2021

Preliminary findings, based on Mac Mini testing (testing in progress, will edit this comment):

Some testinfra test failures when running against the hardware instance on Focal, several of which are app-related, which is strange, as the application and its helper services appear to be running correctly:

  1. test_apparmor_enforced for dhclient for app: looks like a test issue, aa-status reports the AppArmor profile as being enforced.
  2. test_aa_no_denies_in_syslog for app (lxc/snapd AppArmor violations in syslog, we may need to revisit this test)
  3. test_securedrop_rqworker_service
  4. test_securedrop_shredder_service (looks like a test string issue)
  5. test_securedrop_source_deleter_service
  6. test_cron_apt_cron_jobs x4 (soon to be replaced in "[1.2.2] Backport 5157, 5158 and 5159 (and 5151, 5154 for CI to pass)" #5162)
  7. test_fpf_apt_repo_present x2 (expected failure)
  8. test_ip6tables_drop_everything: looks like FORWARD is set to ACCEPT, likely due to snap/lxc, more research required

@eloquence
Member

@zenmonkeykstop has committed to additional testing on 1U hardware in the next few days; once that's done, we can transition to tracking QA via the release ticket (#5794) and a formal QA matrix.

@rocodes
Contributor

rocodes commented Feb 22, 2021

Successfully installed Focal + SecureDrop on NUC7i7DNHEs, further testing to be documented.

A note for anyone else new to QA-ing is that updating the apt repo to apt-test and using the apt-test signing key, as well as having Focal installed on the servers, is sufficient for a Focal install (editing securedrop_target_distribution in install_files/ansible-base/group_vars/all/securedrop is not required).

@eloquence
Copy link
Member

Closing this pre-QA ticket; additional reports will be tracked during QA on #5794 and in the QA matrix.
