Commit 15ab33ba authored by Maciej Delmanowski's avatar Maciej Delmanowski

Merge branch 'drybjed-update-rstudio_server'

parents 0802caff 6d92f402
Pipeline #58797438 passed with stages
in 435 minutes and 29 seconds
......@@ -119,6 +119,12 @@ Changed
.. __: https://secure.php.net/supported-versions.php
- [debops.rstudio_server] The supported version has been updated to
v1.2.1335. The role no longer installs ``libssl1.0.0`` from Debian Jessie
on Debian Stretch, since the current version of the RStudio Server works in
the default Stretch environment. The downloaded ``.deb`` package will be
verified using the RStudio Inc. GPG signing key before installation.
- [debops.lxc] The :command:`lxc-prepare-ssh` script will read the public SSH
keys from specific files (``root`` key file, and the ``$SUDO_USER`` key file)
and will not accept any custom files to read from, to avoid possible security
......@@ -244,6 +250,11 @@ Removed
in the :ref:`debops.ldap` and :ref:`debops.nslcd` roles, which manage the
client-side LDAP support.
- [debops.rstudio_server] The role will no longer install the historical
``libssl1.0.0`` APT package on Debian Stretch to support older RStudio Server
releases. You should remove it on the existing installations after RStudio
Server is upgraded to the newest release.
Fixed
~~~~~
......
debops.rstudio_server - Manage RStudio Server using Ansible
Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
Copyright (C) 2015-2017 DebOps https://debops.org/
Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
Copyright (C) 2015-2019 DebOps https://debops.org/
This Ansible role is part of DebOps.
......
......@@ -13,17 +13,6 @@
# Application sources [[[
# -----------------------
# .. envvar:: rstudio_server__libssl_in_apt [[[
#
# Variable which contains the information about presence of the ``libssl1.0.0``
# package in APT. If it's not available, the ``.deb`` package containing
# ``libssl`` v1.0.0 from Debian Jessie will be downloaded by the role and
# installed directly.
rstudio_server__libssl_in_apt: '{{ True
if (rstudio_server__register_package_libssl.stdout)
else False }}'
# ]]]
# .. envvar:: rstudio_server__rstudio_in_apt [[[
#
# Variable which contains the information about presence of the
......@@ -43,36 +32,43 @@ rstudio_server__src: '{{ (ansible_local.root.src
else "/usr/local/src") + "/" + rstudio_server__user }}'
# ]]]
# .. envvar:: rstudio_server__libssl_downgrade [[[
# .. envvar:: rstudio_server__release_deb_map [[[
#
# This variable controls if the role should download and install the
# ``libssl1.0.0`` package if it's not available through APT.
# See :ref:`rstudio_server__ref_installation_issues` for more details.
rstudio_server__libssl_downgrade: True
# ]]]
# .. envvar:: rstudio_server__libssl_deb_url [[[
#
# The URL of the ``libssl1.0.0`` ``.deb`` package to download.
rstudio_server__libssl_deb_url: 'https://deb.debian.org/debian/pool/main/o/openssl/libssl1.0.0_1.0.2l-1~bpo8+1_amd64.deb'
# ]]]
# .. envvar:: rstudio_server__libssl_deb_checksum [[[
#
# The SHA256 checksum of the ``libssl1.0.0`` ``.deb`` package.
rstudio_server__libssl_deb_checksum: 'sha256:6e85968afe1a6643f4e82e1cc168f848c5967a131bb1c7392f11974953db0e67'
# The map of the RStudio releases matched to supported OS distributions and releases.
rstudio_server__release_deb_map:
'Ubuntu':
package: 'https://download2.rstudio.org/server/trusty/amd64/rstudio-server-1.2.1335-amd64.deb'
checksum: 'sha256:a41f16fd7e7e471fca77f081a4b302a1d66d14fb32dffcea1299e0c1dbf30e44'
'Debian_jessie':
package: 'https://download2.rstudio.org/server/trusty/amd64/rstudio-server-1.2.1335-amd64.deb'
checksum: 'sha256:a41f16fd7e7e471fca77f081a4b302a1d66d14fb32dffcea1299e0c1dbf30e44'
'Debian':
package: 'https://download2.rstudio.org/server/debian9/x86_64/rstudio-server-1.2.1335-amd64.deb'
checksum: 'sha256:a95d0b33d1f7d85fbd7403a610aa39b3bb8354e7efdba3e80f4d919d1589ca95'
# ]]]
# .. envvar:: rstudio_server__rstudio_deb_url [[[
#
# The URL of the ``rstudio-server`` ``.deb`` package to download.
rstudio_server__rstudio_deb_url: 'https://download2.rstudio.org/rstudio-server-1.1.383-amd64.deb'
rstudio_server__rstudio_deb_url: '{{ rstudio_server__release_deb_map[ansible_distribution + "_" + ansible_distribution_release].package
if (rstudio_server__release_deb_map[ansible_distribution + "_" + ansible_distribution_release]|d())
else rstudio_server__release_deb_map[ansible_distribution].package }}'
# ]]]
# .. envvar:: rstudio_server__rstudio_deb_checksum [[[
#
# The SHA256 checksum of the ``rstudio-server`` ``.deb`` package.
rstudio_server__rstudio_deb_checksum: 'sha256:6f8d7b7d56cdd1618f06fe58f1b5046954eb60a51b1f956488f4cda56dd80033'
rstudio_server__rstudio_deb_checksum: '{{ rstudio_server__release_deb_map[ansible_distribution + "_" + ansible_distribution_release].checksum
if (rstudio_server__release_deb_map[ansible_distribution + "_" + ansible_distribution_release]|d())
else rstudio_server__release_deb_map[ansible_distribution].checksum }}'
# ]]]
# .. envvar:: rstudio_server__signing_key_id [[[
#
# The fingerprint of the GPG key used by RStudio Inc. to sign the released
# ``.deb`` packages, used for verification of the package before installation.
# See https://www.rstudio.com/code-signing/ for more details.
rstudio_server__signing_key_id: 'FE85 64CF F1AB 93F1 7286 4519 3F32 EE77 E331 692F'
# ]]]
# ]]]
# APT packages [[[
......@@ -82,10 +78,7 @@ rstudio_server__rstudio_deb_checksum: 'sha256:6f8d7b7d56cdd1618f06fe58f1b5046954
#
# List of APT packages required by RStudio Server.
rstudio_server__base_packages:
- '{{ "libssl1.0.0"
if (rstudio_server__libssl_downgrade|bool and
rstudio_server__libssl_in_apt|bool)
else [] }}'
- 'dpkg-sig'
- '{{ "rstudio-server"
if rstudio_server__rstudio_in_apt|bool
else [] }}'
......@@ -124,7 +117,7 @@ rstudio_server__home: '{{ (ansible_local.root.home
# .. envvar:: rstudio_server__shell [[[
#
# The UNIX shell used by the RStudio user account.
rstudio_server__shell: '/bin/false'
rstudio_server__shell: '/usr/sbin/nologin'
# ]]]
# .. envvar:: rstudio_server__comment [[[
......
---
- name: Verify rstudio-server
command: rstudio-server verify-installation
command: rstudio-server test-config
notify: [ 'Restart rstudio-server' ]
- name: Restart rstudio-server
......
# The tag v1.2.679 seems to be for something else than the Open Source version
# of RStudio Server which is relevant to the role. The uscan command wants to
# pick the higher version, so let's trick it into tracking v1.1.x series instead.
# Role: debops.rstudio_server
# Package: rstudio
# Version: 1.1.383
# Package: rstudio-server
# Version: 1.2.1335
version=4
opts=filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/rstudio-$1\.tar\.gz/ \
https://github.com/rstudio/rstudio/tags .*/v?(1\.1.*\S+)\.tar\.gz
https://github.com/rstudio/rstudio/tags .*/v?(1\.*\S+)\.tar\.gz
---
- name: Check if libssl1.0.0 package is available
shell: set -o nounset -o pipefail -o errexit && apt-cache pkgnames | grep libssl1.0.0 || true
args:
executable: '/bin/bash'
register: rstudio_server__register_package_libssl
changed_when: False
check_mode: False
- name: Check if rstudio-server package is available
shell: set -o nounset -o pipefail -o errexit && apt-cache pkgnames | grep rstudio-server || true
args:
......@@ -32,10 +24,31 @@
home: '{{ rstudio_server__home }}'
shell: '{{ rstudio_server__shell }}'
comment: '{{ rstudio_server__comment }}'
createhome: False
system: True
state: 'present'
- name: Ensure that the ~/.gnupg directory exists
file:
path: '{{ rstudio_server__home + "/.gnupg" }}'
state: 'directory'
owner: '{{ rstudio_server__user }}'
group: '{{ rstudio_server__group }}'
mode: '0700'
- name: Import Rstudio package signing key
apt_key:
keyring: '{{ rstudio_server__home + "/.gnupg/pubring.gpg" }}'
id: '{{ rstudio_server__signing_key_id | replace(" ","") }}'
keyserver: '{{ ansible_local.core.keyserver
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.keyserver|d())
else "hkp://pool.sks-keyservers.net" }}'
state: 'present'
become: True
become_user: '{{ rstudio_server__user }}'
register: rstudio_server__register_signing_key
until: rstudio_server__register_signing_key is succeeded
- name: Get the current user accounts
getent:
database: 'passwd'
......@@ -66,39 +79,28 @@
file:
path: '{{ rstudio_server__src }}'
state: 'directory'
owner: 'root'
group: 'root'
owner: '{{ rstudio_server__user }}'
group: '{{ rstudio_server__group }}'
mode: '0755'
when: (not rstudio_server__rstudio_in_apt|bool or
not rstudio_server__libssl_in_apt|bool)
- name: Download libssl 1.0.0 .deb package
get_url:
url: '{{ rstudio_server__libssl_deb_url }}'
dest: '{{ rstudio_server__src + "/" + rstudio_server__libssl_deb_url | basename }}'
checksum: '{{ rstudio_server__libssl_deb_checksum }}'
register: rstudio_server__register_libssl_downgrade
until: rstudio_server__register_libssl_downgrade is succeeded
when: rstudio_server__libssl_downgrade|bool and
not rstudio_server__libssl_in_apt|bool
when: not rstudio_server__rstudio_in_apt|bool
- name: Download RStudio Server .deb package
get_url:
url: '{{ rstudio_server__rstudio_deb_url }}'
dest: '{{ rstudio_server__src + "/" + rstudio_server__rstudio_deb_url | basename }}'
checksum: '{{ rstudio_server__rstudio_deb_checksum }}'
become: True
become_user: '{{ rstudio_server__user }}'
register: rstudio_server__register_rstudio_package
until: rstudio_server__register_rstudio_package is succeeded
when: not rstudio_server__rstudio_in_apt|bool
- name: Install libssl 1.0.0 .deb package
apt:
deb: '{{ rstudio_server__src + "/" + rstudio_server__libssl_deb_url | basename }}'
state: 'present'
register: rstudio_server__register_libssl_deb
until: rstudio_server__register_libssl_deb is succeeded
when: rstudio_server__libssl_downgrade|bool and
not rstudio_server__libssl_in_apt|bool
- name: Verify RStudio Server package signature
command: dpkg-sig --verify {{ rstudio_server__src + '/' + (rstudio_server__rstudio_deb_url | basename) }}
become: True
become_user: '{{ rstudio_server__user }}'
changed_when: False
check_mode: False
- name: Install RStudio Server .deb package
apt:
......
......@@ -17,25 +17,6 @@ package will be downloaded directly from the project's website and installed
using :command:`dpkg`. The package integrity is checked via SHA256 checksum. The
package can also be provided via a local APT repository if desired.
At present, the RStudio Server package prepared by upstream is compiled against
the OpenSSL 1.0.0 library provided by the ``libssl1.0.0`` package. This package
is included in Debian Jessie release, but it has been removed in Debian
Stretch; existing ``libssl1.0.2`` version doesn't seem to be correctly
recognized by RStudio Server. This means that the service can be correctly
installed on Debian Jessie, but not on Debian Stretch.
To overcome that limitation, on Debian Stretch systems the role downloads the
``libssl1.0.0`` package from Debian Jessie directly from the Debian Archives
and installs it using :command:`dpkg`. This allows for the RStudio Server to run
correctly, however the role's author doesn't guarantee that resulting system is
secure and without issues.
This arrangement is hopefully temporary, until RStudio releases a new version
of the package compiled against newer version of OpenSSL. As an alternative,
the users can compile their own version of RStudio Server ``.deb`` package
against Debian Stretch and provide it via local APT repositories, in that case
installation of ``libssl1.0.0`` package can be disabled via a boolean variable.
Example inventory
-----------------
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment