Evaluating Xenial support¶
The SecureDrop project has always recommended Ubuntu Trusty for the server operating system. In April 2019, the Long-Term Support (LTS) status for Trusty will end. We plan to migrate to Ubuntu Xenial 16.04, which will be supported until April 2021.
In order to evaluate how to support Xenial as we prepare for the transition, we’ve created a developer environment suitable for provisioning VMs based on Xenial.
Running the Xenial dev env¶
If you’re using the libvirt Vagrant provider, you’ll need a libvirt-format Xenial base image. To set one up, run the following commands:
vagrant box add bento/ubuntu-16.04 # choose the virtualbox option vagrant mutate bento/ubuntu-16.04 mutate libvirt
Due to packaging logic changes, you’ll need to build the Debian packages with overrides enabled for Xenial support. Then run the Xenial scenario.
make build-debs-xenial make staging-xenial
The VMs will now be available. Depending your choice of VM provider, you can log into the machines with the following commands:
molecule login -s libvirt-staging-xenial -h app-staging
molecule login -s virtualbox-staging-xenial -h app-staging
To run the testinfra tests against the Xenial enviroment, you can use the commands:
molecule verify -s libvirt-staging-xenial
molecule verify -s virtualbox-staging-xenial
If you encounter errors, re-running the
make staging-xenial target
may help. Naturally, we want the process to be error-free reliably.
Known bugs with Xenial support¶
Below is a high-level overview of known problems to be addressed for delivering Xenial compatibility.
- Dependencies for the
securedrop-app-codedeb package have changed;
apache2should be explicitly required;
apache2-mpm-workershould be omitted.
_aptuser should be permitted to perform DNS and outbound TCP calls on ports 80 and 443, rather than the
- Explicit rules required for Apache mpm worker/event changes.
gpg2policy should permit links via
/var/lib/securedrop/keys/* lor similar.
- PAM logic
- The PAM common-auth customizations include declarations for
pam_ecryptfs.sowhich prove problematic; commenting out ostensibly resolves. More research required.
- Config tests
- The testinfra config test suite runs slightly different checks for Trusty and Xenial where appropriate. Care should be taken to preserve functionality of the config tests against both distros.
More detailed research notes on evaluating Xenial support can be found in the following GitHub issues: