[2.11.0-rc2] Redis reconfiguration can yield multiple requirepass directives

[cfm]

Description

We now set or reset a requirepass directive in /etc/redis/redis.conf in three places, with different conditions and via different mechanisms:

1. Initial installation playbook:
   

   securedrop/install_files/ansible-base/roles/app/tasks/initialize_securedrop_app.yml

   Lines 156 to 163 in 0798935

   	- name: Add 32-byte value for "redis password" to /etc/redis/redis.conf.
   	lineinfile:
   	dest: "/etc/redis/redis.conf"
   	regexp: "^requirepass"
   	line: "requirepass {{ redis_password.stdout }}"
   	insertafter: EOF
   	when: not config.stat.exists
   	register: redis_conf

2. securedrop-app-code.postinst:
   

   securedrop/securedrop/debian/securedrop-app-code.postinst

   Line 200 in 0798935

   echo "requirepass $password" | sudo -u redis tee -a /etc/redis/redis.conf

3. Backup-restoration playbook:
   

   securedrop/install_files/ansible-base/roles/restore/tasks/perform_restore.yml

   Lines 135 to 142 in 0798935

   	- name: Remove Redis password line from /etc/redis/redis.conf, if it exists
   	lineinfile:
   	path: /etc/redis/redis.conf
   	state: absent
   	regexp: "^requirepass .*$"
   	- name: Reconfigure securedrop-app-code, regenerating Redis config vi postint
   	command: dpkg-reconfigure securedrop-app-code

This has evolved ad hoc and can lead to inconsistent (and difficult-to-reproduce) configuration.

Steps to Reproduce

Long-running QA instance....

Expected Behavior

Consistent Redis configuration, including exactly one requirepass directive.

Actual Behavior

I run etckeeper on my QA instance for forensic purposes. On automatic upgrade to securedrop-app-code_2.11.0~rc1, etckeeper recorded (NB. QA values; no real secrets leaking here):

From 4f76e15a7698d6d695d5f7682c093114a01c07f0 Mon Sep 17 00:00:00 2001
From: root <root@app>
Date: Wed, 11 Dec 2024 03:15:56 +0000
Subject: [PATCH 2/2] committing changes in /etc made by "/usr/bin/python3
 /usr/bin/unattended-upgrade"

Package changes:
---
 redis/redis.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/redis/redis.conf b/redis/redis.conf
index 3052aff..8704f5d 100644
--- a/redis/redis.conf
+++ b/redis/redis.conf
@@ -1371,3 +1371,4 @@ rdb-save-incremental-fsync yes
 # active-defrag-max-scan-fields 1000
 
 requirepass iECwDLwqmO2gDCJgMkaUMKkmtqgTih3IF951DMmO0PA=
+requirepass LeabNIFsavoNC6yQm1tjaCn+vCsFBLYFNMPxKHQzq7s=
-- 
2.25.1

Comments

@legoktm and I discussed adding a "re/configure Redis" script that:

1. would be our sole entry-point for Redis configuration across Ansible playbooks and postinst scripts;
2. would enforce consistency across both Redis's own and consumers' configuration; and
3. wouldn't be strictly idempotent, but could be safely rerun without violating that consistency.

[legoktm]

I worked on the script today: b98381e, but I haven't tried to integrate it into anything yet. It needs some integration/unit tests too.

(I was itching to try using memsec, but it's totally overkill and also the password is already unencrypted in Python's memory.)