Merge pull request #7487 from freedomofpress/prep-2.12.1

SecureDrop 2.12.1

Author: legoktm

changelog.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## 2.12.1
+
+Note: this is an Admin Workstation-only release. Servers will not receive an update.
+
+### Ubuntu 24.04 (Noble) upgrade
+
+* Make noble-migration playbook smarter for SSH-over-Tor (#7484)
+* Extend reboot timeout to 600 seconds (#7484)
+
 ## 2.12.0
 
 ### Ubuntu 24.04 (Noble) upgrade

install_files/ansible-base/group_vars/all/securedrop

@@ -2,7 +2,7 @@
 # Variables that apply to both the app and monitor server go in this file
 # If the monitor or app server need different values define the variable in
 # hosts_vars/app.yml or host_vars/mon.yml
-securedrop_version: "2.12.0"
+securedrop_version: "2.12.1"
 securedrop_app_code_sdist_name: "securedrop-app-code-{{ securedrop_version | replace('~', '-') }}.tar.gz"
 
 grsecurity: true

install_files/ansible-base/roles/noble-migration/tasks/main.yml

@@ -1,17 +1,50 @@
 ---
 
+- name: Initialize
+  set_fact:
+    # Keep in sync with upgrade.rs
+    stages:
+      - 'None'
+      - 'PendingUpdates'
+      - 'MigrationCheck'
+      - 'DisableApache2'
+      - 'Backup'
+      - 'BackupIptables'
+      - 'Marker'
+      - 'SuspendOSSEC'
+      - 'ChangeAptSources'
+      - 'AptGetUpdate'
+      - 'AptGetFullUpgrade'
+      - 'AptGetAutoremove'
+      - 'RestoreIptables'
+      - 'ReenableUnattendedUpdates'
+      - 'ReenableOSSEC'
+      - 'Reboot'
+      - 'SwitchUbuntuSources'
+      - 'IntegrityCheck'
+      - 'ReenableApache2'
+      - 'RemoveBackup'
+      - 'Done'
+
 - name: Check host's migration state
   ansible.builtin.slurp:
     src: /etc/securedrop-noble-migration-state.json
   register: migration_json
-  ignore_errors: yes
 
-- name: Skip migration if already done
+# Note: the variable finished_state is only for debugging and human-readable output.
+# The finished_state_index is what must be used for logic in `when` blocks.
+
+- name: Extract current state
   set_fact:
-    already_finished: "{{ not migration_json.failed and (migration_json.content | b64decode | from_json)['finished'] == 'Done' }}"
+    # slurp base64-encodes our file
+    finished_state: "{{ (migration_json.content | b64decode | from_json)['finished'] }}"
 
-- name: Perform migration
-  when: not already_finished
+- name: Extract current state (2)
+  set_fact:
+    finished_state_index: "{{ stages.index(finished_state) }}"
+
+- name: Kick off migration
+  when: finished_state_index|int == 0
   block:
     - name: Instruct upgrade to begin
       ansible.builtin.copy:
@@ -48,8 +81,31 @@
         connect_timeout: 20
         sleep: 5
         delay: 10
-        timeout: 300
+        timeout: 600
+
+    - name: Recheck host's migration state
+      ansible.builtin.slurp:
+        src: /etc/securedrop-noble-migration-state.json
+      register: migration_json
+
+    - name: Extract current state
+      set_fact:
+        # slurp base64-encodes our file
+        finished_state: "{{ (migration_json.content | b64decode | from_json)['finished'] }}"
+
+    - debug:
+        msg: "The current upgrade state is: {{ finished_state }}"
+
+    - name: Extract current state (2)
+      set_fact:
+        finished_state_index: "{{ stages.index(finished_state) }}"
+    # Note: do not add anything after this line in this block - it will not run, because
+    # the block is in a `when` that we just made false by updating `finished_state_index`.
 
+- name: Phase 2 of migration
+  # After PendingUpdates (index 1) but before Reboot (index 15)
+  when: finished_state_index|int >= 1 and finished_state_index|int < 15
+  block:
     # Start the systemd service manually to avoid waiting for the timer to pick it up
     - name: Resume upgrade systemd service
       ansible.builtin.systemd:
@@ -61,7 +117,7 @@
 
     # Same as above, this will most likely fail as unreachable when the server
     # actually reboots.
-    - name: Wait for system upgrade to noble
+    - name: Wait for system upgrade to noble (phase 2)
       ansible.builtin.wait_for:
         path: /etc/securedrop-noble-migration-state.json
         search_regex: '"finished":"Reboot"'
@@ -71,13 +127,78 @@
       ignore_unreachable: yes
       ignore_errors: yes
 
-    - name: Wait for the second reboot
+    - name: Wait for the second reboot (phase 2)
       ansible.builtin.wait_for_connection:
         connect_timeout: 20
         sleep: 5
         delay: 10
-        timeout: 300
+        timeout: 600
+
+    - name: Recheck host's migration state
+      ansible.builtin.slurp:
+        src: /etc/securedrop-noble-migration-state.json
+      register: migration_json
+
+    - name: Extract current state
+      set_fact:
+        # slurp base64-encodes our file
+        finished_state: "{{ (migration_json.content | b64decode | from_json)['finished'] }}"
+
+    - debug:
+        msg: "The current upgrade state is: {{ finished_state }}"
 
+    - name: Extract current state (2)
+      set_fact:
+        finished_state_index: "{{ stages.index(finished_state) }}"
+    # Note: do not add anything after this line in this block - it will not run, because
+    # the block is in a `when` that we just made false by updating `finished_state_index`.
+
+- name: Phase 2.5 of migration (for SSH-over-Tor users)
+  # After PendingUpdates (index 1) but before Reboot (index 15)
+  when: enable_ssh_over_tor and finished_state_index|int >= 1 and finished_state_index|int < 15
+  block:
+    # Same as above, this will most likely fail as unreachable when the server
+    # actually reboots.
+    - name: Wait for system upgrade to noble (phase 2.5)
+      ansible.builtin.wait_for:
+        path: /etc/securedrop-noble-migration-state.json
+        search_regex: '"finished":"Reboot"'
+        sleep: 5
+        # Should finish in less than 30 minutes
+        timeout: 1800
+      ignore_unreachable: yes
+      ignore_errors: yes
+
+    - name: Wait for the second reboot (phase 2.5)
+      ansible.builtin.wait_for_connection:
+        connect_timeout: 20
+        sleep: 5
+        delay: 10
+        timeout: 600
+
+    - name: Recheck host's migration state
+      ansible.builtin.slurp:
+        src: /etc/securedrop-noble-migration-state.json
+      register: migration_json
+
+    - name: Extract current state
+      set_fact:
+        # slurp base64-encodes our file
+        finished_state: "{{ (migration_json.content | b64decode | from_json)['finished'] }}"
+
+    - debug:
+        msg: "The current upgrade state is: {{ finished_state }}"
+
+    - name: Extract current state (2)
+      set_fact:
+        finished_state_index: "{{ stages.index(finished_state) }}"
+    # Note: do not add anything after this line in this block - it will not run, because
+    # the block is in a `when` that we just made false by updating `finished_state_index`.
+
+- name: Phase 3 of migration
+  # After Reboot (index 15) but before Done (index 20)
+  when: finished_state_index|int >= 15 and finished_state_index|int < 20
+  block:
     - name: Re-resume upgrade systemd service
       ansible.builtin.systemd:
         name: securedrop-noble-migration-upgrade
@@ -90,3 +211,14 @@
         search_regex: '"finished":"Done"'
         sleep: 5
         timeout: 300
+
+    # Instead of slurping the file again, we can set the state to done
+    # because we just waited for it to reach that point.
+    - name: Extract current state
+      set_fact:
+        finished_state: "Done"
+        finished_state_index: 20
+
+- fail:
+    msg: "Upgrade did not successfully finish; please check the logs and documentation for more details."
+  when: finished_state != "Done"

molecule/shared/stable.ver

@@ -1 +1 @@
-2.12.0
+2.12.1

noble-migration/src/bin/upgrade.rs

@@ -30,6 +30,8 @@ const EXTRA_APT_SOURCE: &str = "EXTRA_APT_SOURCE";
 ///
 /// Each stage needs to be idempotent so that it can be run multiple times
 /// in case it errors/crashes.
+///
+/// Keep this in sync with the version in noble-migration/tasks/main.yml
 #[derive(Serialize, Deserialize, PartialEq, Eq, Debug)]
 enum Stage {
     None,

securedrop/debian/changelog

@@ -1,3 +1,9 @@
+securedrop (2.12.1) unstable; urgency=medium
+
+  * see changelog.md
+
+ -- SecureDrop Team <[email protected]>  Mon, 31 Mar 2025 11:08:01 -0400
+
 securedrop (2.12.0) unstable; urgency=medium
 
   * see changelog.md

securedrop/setup.py

@@ -4,7 +4,7 @@
 
 setuptools.setup(
     name="securedrop-app-code",
-    version="2.12.0",
+    version="2.12.1",
     author="Freedom of the Press Foundation",
     author_email="[email protected]",
     description="SecureDrop Server",

securedrop/version.py

@@ -1 +1 @@
-__version__ = "2.12.0"
+__version__ = "2.12.1"