You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- name: Remove Redis password line from /etc/redis/redis.conf, if it exists
lineinfile:
path: /etc/redis/redis.conf
state: absent
regexp: "^requirepass .*$"
- name: Reconfigure securedrop-app-code, regenerating Redis config vi postint
command: dpkg-reconfigure securedrop-app-code
This has evolved ad hoc and can lead to inconsistent (and difficult-to-reproduce) configuration.
Steps to Reproduce
Long-running QA instance....
Expected Behavior
Consistent Redis configuration, including exactly one requirepass directive.
Actual Behavior
I run etckeeper on my QA instance for forensic purposes. On automatic upgrade to securedrop-app-code_2.11.0~rc1, etckeeper recorded (NB. QA values; no real secrets leaking here):
Code to set and reset Redis passwords has now proliferated into the
postinst, dev environment, ansible provisioning and backup restore.
Instead of maintaining separate code for this, write a single script
that handles it all.
A new `securedrop-set-redis-auth` tool offers three operations:
* check: verify all the passwords are in sync (for testinfra checks)
* reset: forcibly change the password everywhere (for backup restore)
* reset-if-needed: change the password everywhere if needed (for
postinst)
Fixes#7386.
Upon reflection, @legoktm, it seems to me that this is heading into configuration-management territory. In particular, unlike securedrop-noble-migration-check, it could be done declaratively. Do you think it's worth looking into (e.g.) providing a server-side Ansible playbook as the canonical entry-point for enforcing this configuration?
Do you think it's worth looking into (e.g.) providing a server-side Ansible playbook as the canonical entry-point for enforcing this configuration?
I think that would be a reasonable technical solution (certainly better than an ad hoc script), but server-side ansible is IMO a whole can of worms that I don't think we should open in maintenance mode.
Description
We now set or reset a
requirepass
directive in/etc/redis/redis.conf
in three places, with different conditions and via different mechanisms:securedrop/install_files/ansible-base/roles/app/tasks/initialize_securedrop_app.yml
Lines 156 to 163 in 0798935
securedrop-app-code.postinst
:securedrop/securedrop/debian/securedrop-app-code.postinst
Line 200 in 0798935
securedrop/install_files/ansible-base/roles/restore/tasks/perform_restore.yml
Lines 135 to 142 in 0798935
This has evolved ad hoc and can lead to inconsistent (and difficult-to-reproduce) configuration.
Steps to Reproduce
Long-running QA instance....
Expected Behavior
Consistent Redis configuration, including exactly one
requirepass
directive.Actual Behavior
I run etckeeper on my QA instance for forensic purposes. On automatic upgrade to
securedrop-app-code_2.11.0~rc1
, etckeeper recorded (NB. QA values; no real secrets leaking here):Comments
@legoktm and I discussed adding a "re/configure Redis" script that:
postinst
scripts;The text was updated successfully, but these errors were encountered: