
Add CI staging job testing Ubuntu 24.04 (noble) #7360

Merged: 8 commits from stg-noble-staging into develop, Jan 9, 2025

Conversation

zenmonkeykstop
Contributor

@zenmonkeykstop zenmonkeykstop commented Nov 28, 2024

Status

Ready for review

Description of Changes

Fixes #7312

  • adds libvirt-staging-noble molecule scenario
  • updates staging CI to run against both Focal and Noble
  • fixes most of the failing staging tests, rationales are in the commit messages

Testing

  • Visual review
  • A staging(noble) job runs in addition to CI, and completes the testinfra tests.
  • CI is green, esp. the two staging jobs

@zenmonkeykstop zenmonkeykstop changed the title from "Stg noble staging" to "Add CI staging job testing Ubuntu 24.04 (noble)" Nov 28, 2024
@legoktm legoktm added the "noble" (Ubuntu Noble related work) label Dec 2, 2024
@legoktm
Member

legoktm commented Dec 13, 2024

Remaining staging failures:

  • There are no longer apparmor profiles for sbin/dhclient and /usr/lib/connman/scripts/dhclient-script because they're no longer shipped in noble
  • same with /usr/sbin/tcpdump I think?
  • test_interface_up is failing against the source interface
  • ip6tables -S is exiting with a zero status code despite IPv6 being fully disabled at the kernel level. Might be a nftables change or Linux 6.6. Maybe there's a better way to verify IPv6 is fully disabled?
  • paxtest outputs different results

@legoktm legoktm force-pushed the stg-noble-staging branch 3 times, most recently from 6e19489 to 6aa21e9 Compare December 21, 2024 00:02
@legoktm
Member

legoktm commented Dec 21, 2024

I've just been pushing stuff here for now as I work through the failures, later we can figure out if we want them to get individual PRs or not.

@legoktm legoktm force-pushed the stg-noble-staging branch from 6aa21e9 to 98dc6f9 Compare January 6, 2025 17:01
@legoktm
Member

legoktm commented Jan 6, 2025

An interesting quirk of ip6tables on noble; despite IPv6 being disabled the command still works, so on boot you get a wide-open ruleset of:

sdadmin@mon$ sudo ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

This is because netfilter-persistent is smart and checks if IPv6 is disabled, and if so, doesn't load rules. So our "drop everything" in install_files/ansible-base/roles/restrict-direct-access/files/iptables_rules_v6 is never even loaded. We should still keep it around as a defense-in-depth just in case IPv6 is ever actually turned on, it'll get loaded and drop everything.
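Added example, not code from this PR or from SecureDrop's test suite: it parses the `ip6tables -S` output quoted above and combines it with the kernel's `disable_ipv6` sysctl, so the check never relies on the ip6tables exit status (which is 0 on noble even though IPv6 is off). The sample rulesets, the sysctl path and the `ipv6_exposure` classification are assumptions made here.

```python
import re
from pathlib import Path
from typing import Dict, Optional

# Constructed sample: the wide-open ruleset seen on noble when
# netfilter-persistent skips iptables_rules_v6 because IPv6 is disabled.
NOBLE_IP6TABLES_S = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"
# Constructed sample of what a loaded "drop everything" v6 ruleset looks like.
DROP_ALL_IP6TABLES_S = "-P INPUT DROP\n-P FORWARD DROP\n-P OUTPUT DROP\n"

# Assumed sysctl path; the thread only says "the relevant /proc file".
DISABLE_IPV6_PATH = Path("/proc/sys/net/ipv6/conf/all/disable_ipv6")


def parse_policies(ip6tables_s: str) -> Dict[str, str]:
    """Map chain name -> default policy from `ip6tables -S` output."""
    policies: Dict[str, str] = {}
    for line in ip6tables_s.splitlines():
        m = re.match(r"^-P\s+(\S+)\s+(\S+)$", line.strip())
        if m:
            policies[m.group(1)] = m.group(2)
    return policies


def ruleset_drops_everything(ip6tables_s: str) -> bool:
    """True only if every built-in chain defaults to DROP."""
    pol = parse_policies(ip6tables_s)
    return all(pol.get(chain) == "DROP" for chain in ("INPUT", "FORWARD", "OUTPUT"))


def ipv6_disabled_in_kernel(sysctl_value: str) -> bool:
    """disable_ipv6 reads "1" when the kernel has IPv6 turned off."""
    return sysctl_value.strip() == "1"


def read_disable_ipv6(path: Path = DISABLE_IPV6_PATH) -> Optional[str]:
    """Read the sysctl; None when the file is absent (no IPv6 stack at all)."""
    try:
        return path.read_text()
    except OSError:
        return None


def ipv6_exposure(sysctl_value: Optional[str], ip6tables_s: str) -> str:
    """Classify a host as 'disabled' (kernel), 'filtered' (DROP policies) or 'open'.

    The ip6tables exit status is deliberately ignored: on noble the command
    succeeds and prints ACCEPT policies even though IPv6 is switched off.
    """
    if sysctl_value is None or ipv6_disabled_in_kernel(sysctl_value):
        return "disabled"
    if ruleset_drops_everything(ip6tables_s):
        return "filtered"
    return "open"
```

In a testinfra test the two inputs would come from `host.file(...).content_string` and `host.run("sudo ip6tables -S").stdout`, and only "disabled" or "filtered" should be accepted.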

@legoktm legoktm force-pushed the stg-noble-staging branch 2 times, most recently from 5425046 to 57188ba Compare January 6, 2025 18:41
@legoktm
Member

legoktm commented Jan 6, 2025

I fixed the paxtest failure on focal because of unattended-upgrades preventing it from being installed.

The output on noble is uh, off. On app-staging, it's reliably:

...
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Killed
Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE)         :

(the last line doesn't have a result)

And then on mon-staging:

...
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE)         :

(interspersed output, missing two results)

@legoktm
Member

legoktm commented Jan 6, 2025

@zenmonkeykstop I'm curious if you have any ideas on why the paxtest output is different across hosts and how to design a test to address it?

@zenmonkeykstop
Contributor Author

@zenmonkeykstop I'm curious if you have any ideas on why the paxtest output is different across hosts and how to design a test to address it?

Not off the top of my head - assuming same kernel and paxctld setup the results should be the same. I'll look into it once we're done with 2025JanPlanfest.

zenmonkeykstop and others added 8 commits January 7, 2025 16:31

This is an upstream Ubuntu bug that was fixed, but occurs before
packages are updated and SecureDrop is installed, so there's really
nothing for us to do until new VM images and installer ISOs are
made available

Fixes #7385.

Instead of maintaining the same version-specific list of profiles six
times, just check against a single list of profiles we care about,
namely tor and apache2. The rest are not something under our control and
vary based on the Ubuntu version.

test_apparmor_ensure_not_disabled was mostly broken, because it was
looking for files like
`/etc/apparmor.d/disabled/usr.sbin./usr/sbin/tor`, which of course would
never exist. Instead just check that there are no disable files
installed.

* ip6tables no longer errors if IPv6 is disabled, so limit that test to
  focal only.
* Add a new test that verifies IPv6 is disabled at the kernel level by
  looking at the relevant /proc file.

Don't let unattended-upgrades interfere with the installation by holding the
dpkg lock.

* Remove the unnecessary diffing and templating, just keep what we
  want to assert against as a plain string.
* Avoid shelling out to grep, we can do the filtering in Python.
* Add the expected noble output, but disable the test because it
  currently isn't passing with unclear output.
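Added example, not code from this PR or from SecureDrop's tests, covering the paxtest output quoted earlier in the thread and the last commit's "filter in Python, assert against a plain string" approach: a parser for the `Return to function` lines that also copes with the interspersed mon-staging line, so missing results are reported by name instead of as an opaque diff. The two output samples are reconstructed from the comment above and the list of expected checks is an assumption.

```python
import re
from typing import Dict, List

# Samples reconstructed from the PR comment (elided "..." lines dropped).
APP_STAGING_OUTPUT = (
    "Return to function (strcpy)              : paxtest: return address contains a NULL byte.\n"
    "Return to function (memcpy)              : Killed\n"
    "Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.\n"
    "Return to function (memcpy, PIE)         :\n"
)
MON_STAGING_OUTPUT = (
    "Return to function (strcpy)              : paxtest: return address contains a NULL byte.\n"
    "Return to function (memcpy)              : Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.\n"
    "Return to function (memcpy, PIE)         :\n"
)

# Assumed list of the paxtest checks the suite cares about.
EXPECTED_TESTS = ["strcpy", "memcpy", "strcpy, PIE", "memcpy, PIE"]

TEST_RE = re.compile(r"Return to function \(([^)]+)\)\s*:")


def parse_paxtest(output: str) -> Dict[str, str]:
    """Map each 'Return to function (...)' check to its result text.

    A check with no result maps to ''. When two checks share one line (the
    interspersed mon-staging case) each gets only the text up to the next
    header, so the first one correctly comes out empty.
    """
    results: Dict[str, str] = {}
    for line in output.splitlines():
        headers = list(TEST_RE.finditer(line))
        for i, m in enumerate(headers):
            end = headers[i + 1].start() if i + 1 < len(headers) else len(line)
            results[m.group(1)] = line[m.end():end].strip()
    return results


def missing_results(output: str, expected: List[str] = EXPECTED_TESTS) -> List[str]:
    """Names of expected checks that produced no result or were absent."""
    parsed = parse_paxtest(output)
    return [name for name in expected if not parsed.get(name)]


def matches_expected(output: str, expected: Dict[str, str]) -> bool:
    """Plain-string comparison per check, no diffing or templating needed."""
    parsed = parse_paxtest(output)
    return all(parsed.get(name) == result for name, result in expected.items())
```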
@legoktm legoktm force-pushed the stg-noble-staging branch from 57188ba to 504311d Compare January 7, 2025 21:32
@legoktm legoktm marked this pull request as ready for review January 7, 2025 21:33
@legoktm legoktm requested a review from a team as a code owner January 7, 2025 21:33
@legoktm
Member

legoktm commented Jan 7, 2025

Ack; I've set the test to be skipped on noble so we can get a green check and land this and fix it incrementally instead of holding the entire staging job back - I've flipped it out of draft mode.

The individual commit messages have rationales for all the further changes.

Contributor Author

@zenmonkeykstop zenmonkeykstop left a comment


@legoktm your changes LGTM - I can't merge because I'm the original author, will flag in channel

Member

@legoktm legoktm left a comment


Per Kev's review

@legoktm legoktm added this pull request to the merge queue Jan 9, 2025
Merged via the queue into develop with commit 2a5d689 Jan 9, 2025
46 checks passed
@legoktm legoktm deleted the stg-noble-staging branch January 10, 2025 22:04
Successfully merging this pull request may close these issues.

Set up noble staging job