Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 3 changed files with 101 additions and 0 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,97 @@ | ||
Ubuntu 24.04 (Noble) migration | ||
============================== | ||
|
||
SecureDrops need to be upgraded to the newer Ubuntu 24.04 (Noble) | ||
operating system. This process is far simpler than past upgrades | ||
as it has been fully automated. | ||
|
||
Administrators have two options: | ||
|
||
* **semi-automated**: Administrators will manually trigger the upgrade and observe the process. | ||
* **automated**: The SecureDrop team will push an update in mid- to late-March that automatically | ||
begins the upgrade process on all servers. | ||
|
||
The automated upgrade is the simplest option, as it requires no action on your part. | ||
|
||
We recommend the semi-automated upgrade for larger instances or if you have a non-standard setup as | ||
the upgrade will happen whenever you choose it, so you will already be available in case something goes | ||
wrong during the process. | ||
|
||
Timeline | ||
-------- | ||
|
||
Administrators have between TK and TK to perform a semi-automated upgrade, if you want to. | ||
After that, the SecureDrop team will push an update that begins automated upgrades. | ||
|
||
Preparation | ||
----------- | ||
|
||
Since the end of 2024, all SecureDrops have been checking for any potential issues that need to be resolved | ||
before the upgrade can happen. | ||
|
||
If you are receiving notifications about these issues, they must be resolved before the upgrade can take place. | ||
|
||
Please see our preparation guide for more details. | ||
|
||
|
||
What to know | ||
------------ | ||
|
||
SecureDrops are currently running the Ubuntu 20.04 (Focal) operating system that | ||
will stop receiving security updates in April 2025. All SecureDrops must be upgraded | ||
by then to ensure you continue receiving security patches. | ||
|
||
In the past, Administrators needed to perform a full reinstall of SecureDrop to move over | ||
to the new version; this is no longer necessary. The SecureDrop team has implemented and tested | ||
a method that allows for in-place upgrades in an automated fashion. A backup is automatically taken | ||
before the upgrade begins. | ||
|
||
It is our goal that this process requires as little Administrator work as possible. | ||
|
||
The upgrade can take up to 30 minutes; your SecureDrop will be inaccessible for that duration. It will | ||
take place shortly after your selected automated restart time, which you can adjust if desired. | ||
|
||
If you have any questions, please reach out to Support. | ||
|
||
Semi-automated upgrade | ||
---------------------- | ||
|
||
* Ensure your Admin Workstation has been upgraded to SecureDrop 2.12 | ||
* Open a Terminal | ||
* Run ``cd Persistent/securedrop`` | ||
* Run ``./securedrop-admin noble_migration`` | ||
* Wait. Every few minutes there may be progress updates, however some of the steps may take | ||
10-15 minutes to complete | ||
|
||
The process will upgrade your application server first and then the monitor server. | ||
|
||
Once it finishes, you should check you can submit tips via the Source Interface and can log into the | ||
Journalist Interface and download submissions. | ||
|
||
Automated upgrade | ||
----------------- | ||
|
||
If you have not performed the semi-automated upgrade by mid- to late- March, the SecureDrop team | ||
will push an update that begins an automated upgrade. This is the same code as the semi-automated | ||
process, just initiated differently. | ||
|
||
Servers will be upgraded in batches at a pace set by the SecureDrop team. | ||
|
||
Because of some technical limitations, when the upgrade of the app server takes place, you will | ||
receive a significant amount of OSSEC email alerts because of the changes being made. These are okay | ||
to ignore (if you use the semi-automated upgrade, these alerts are suppressed). | ||
|
||
Technical details and debugging | ||
------------------------------- | ||
|
||
If something goes wrong, logs can be seen by logging into the servers and | ||
running ``sudo journalctl -u securedrop-noble-migration-upgrade``. | ||
|
||
When upgrading the app server, a backup is taken first and stored at ``/var/lib/securedrop-backup``. | ||
If necessary, this backup can be used to do a fresh install. | ||
|
||
.. warning:: The backup contains encrypted source communications and should only be stored | ||
on the app server or an Admin Workstation. It should be deleted once no longer necessary. | ||
|
||
If you are further interested in technical details, we have published a blog post explaining | ||
how the upgrade process works. |
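
Review bot: In the "Automated upgrade" section, the statement that the OSSEC email alerts during the app server upgrade "are okay to ignore" has no bound on it, so an administrator could also dismiss unrelated alerts that arrive around the same time. Suggest scoping it to alerts received during the upgrade window (the doc already says the upgrade can take up to 30 minutes, shortly after the automated restart time) and saying that alerts which continue afterwards should be reviewed. Under "Timeline", "between TK and TK" is still a placeholder and needs real dates before this is published, and "mid- to late- March" in this section is spelled differently from "mid- to late-March" in the intro. The references to "our preparation guide", "Support" and the "blog post" are plain text with no link or cross-reference target, so readers have nowhere to go. The warning about the backup at ``/var/lib/securedrop-backup`` says it should be deleted once no longer necessary but does not say how, or whether the migration ever removes it; a one-line instruction there would help.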