-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document how to resolve noble pre-migration issues #612
Merged
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,134 @@ | ||
| Preparing for the Ubuntu 24.04 (Noble) migration | ||
| ================================================ | ||
|
|
||
| In 2025, SecureDrops will need to be upgraded to the newer Ubuntu 24.04 (Noble) | ||
| operating system. This process will be more straightforward than in the past | ||
| as there will be semi-automated and fully automated upgrade processes. | ||
|
|
||
| At this time, the current focus is on ensuring all SecureDrop servers are in a good state | ||
| to be ready for the migration. SecureDrop will automatically check some conditions, and report | ||
| via an alert in the Journalist Interface and OSSEC alerts if there are issues. | ||
|
|
||
| Timeline | ||
| -------- | ||
|
|
||
| You should ensure all errors are resolved by January 31, 2025, to ensure your SecureDrop | ||
| servers can safely proceed to the next stage of the migration. | ||
|
|
||
| Getting more details | ||
| -------------------- | ||
|
|
||
| If you see the alert in the Journalist Interface or receive an OSSEC alert, you'll | ||
| need to :doc:`SSH to the Application and Monitor Servers <../installation/test_the_installation>` | ||
| to get more information on what specifically is failing. | ||
|
|
||
| Once logged in, run: | ||
|
|
||
| .. code:: sh | ||
|
|
||
| sudo securedrop-noble-migration-check | ||
|
|
||
| It will display a number of checks and whether they are failing. | ||
| Steps to address each issue are listed below. If you are unsure what to do, | ||
| please :ref:`contact Support <getting_support>`. It is safe to run this command | ||
| multiple times, e.g. if you resolved an issue and want to see that it is fixed. | ||
|
|
||
| For example: | ||
|
|
||
| .. code:: sh | ||
|
|
||
| $ sudo securedrop-noble-migration-check | ||
| ssh OK: group is empty | ||
| ufw ERROR: ufw is still installed | ||
| free space OK: enough free space | ||
| apt OK: all sources are expected | ||
| systemd OK: no failed units | ||
|
|
||
| Some errors were found that will block migration. | ||
|
|
||
| Documentation on how to resolve these errors can be found at: | ||
| <https://docs.securedrop.org/en/stable/admin/maintenance/noble_migration_prep.html> | ||
|
|
||
| If you are unsure what to do, please contact the SecureDrop | ||
| support team: <https://docs.securedrop.org/en/stable/getting_support.html>. | ||
|
|
||
| In this case, the "ERROR" indicates that only the ufw check failed. | ||
|
|
||
| SSH group | ||
| --------- | ||
|
|
||
| If this fails, it means the migration code in SecureDrop 2.11.0 did not work. | ||
|
|
||
| To address it, you can run: | ||
|
|
||
| .. code:: sh | ||
|
|
||
| sudo securedrop-migrate-ssh-group.py | ||
|
|
||
| If that emits an error, please send it and the output of ``getent group ssh`` to | ||
| :ref:`Support <getting_support>`. | ||
|
|
||
| ufw package | ||
| ----------- | ||
|
|
||
| If this fails, it means the migration code in SecureDrop 2.11.0 did not work. | ||
|
|
||
| To address it, you can run: | ||
|
|
||
| .. code:: sh | ||
|
|
||
| sudo apt-get purge ufw --yes | ||
|
|
||
| If that emits an error, please send it to :ref:`Support <getting_support>`. | ||
|
|
||
| Free space | ||
| ---------- | ||
|
|
||
| There needs to be enough free space on the server to both make a backup | ||
| and download the software updates. | ||
|
|
||
| You can see how much free space is available on your server by running: | ||
|
|
||
| .. code:: sh | ||
|
|
||
| df -h | ||
|
|
||
| You should be able to safely run ``sudo apt clean`` to free up some disk space. | ||
|
|
||
| If you have any old sources/submissions that are no longer needed, they should be deleted as well. | ||
|
|
||
| APT sources | ||
| ----------- | ||
|
|
||
| If this fails, it means an unknown source is being used to install software | ||
| on your server. | ||
|
|
||
| Please run: | ||
|
|
||
| .. code:: sh | ||
|
|
||
| sudo apt-get indextargets | ||
|
|
||
| and send the output to :ref:`Support <getting_support>` immediately, so we can diagnose | ||
| the severity. | ||
|
|
||
| Failing systemd units | ||
| --------------------- | ||
|
|
||
| If this fails, it means a process monitored by systemd is failing. | ||
|
|
||
| You can see which process is failing by running: | ||
|
|
||
| .. code:: sh | ||
|
|
||
| sudo systemctl list-units | ||
|
|
||
| Once you know which unit is failing, run: | ||
|
|
||
| .. code:: sh | ||
|
|
||
| sudo systemctl status <name> | ||
|
|
||
| to get more information about why it failed. | ||
|
|
||
| If you are unsure or need help debugging, please :ref:`contact Support <getting_support>`. | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This output is based on the changes I've proposed in freedomofpress/securedrop#7369.