Support for 16.04 Ubuntu Release #1530

Closed
b-meson opened this issue Jan 25, 2017 · 9 comments


b-meson commented Jan 25, 2017

Current SD Administrators are getting the following OSSEC alarm:

Subject:  Cron <root@mon> test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
Body:
/etc/cron.weekly/update-notifier-common:
New release '16.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

If you're an administrator who is diligently checking your OSSEC alarms, you might be tempted to upgrade, which will break the application server and require a SD reinstall. Additionally, there is another set of alarms that trigger every two minutes:

OSSEC HIDS Notification.
2017 Jan 24 

Received From: mon->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jan 24 23:47:29 mon ntpd[908]: error resolving pool 3.ubuntu.pool.ntp.org: Temporary failure in name resolution (-3)

 --END OF NOTIFICATION

b-meson commented Jan 25, 2017

Someone with admin access in the Redmine Support Portal should send a message to all the registered SecureDrop admins to ignore this do-release-upgrade alarm.
edit: clarity

@conorsch

Ouch, sorry to hear it, @freddymartinez9. Thanks for reporting. We've had a number of Admins reach out to us via the support portal and inquire about the schedule of moving to 16.04. For now we're definitely recommending that Admins not upgrade to 16.04 Xenial, due to the problems you've described. We'll prioritize testing there and see if we can't update the config to support it in the near future.


b-meson commented Jan 25, 2017

@conorsch ah okay that makes sense. I will try to send an OSSEC PR to suppress the ntpd alarms and double check that ntpd service is functioning properly on 16.40 as well.


r4v5 commented Jan 25, 2017

The ntp alarm is because of unrelated DNS problems pool.ntp.org is having. That said, it probably doesn't need to fire every two minutes.


b-meson commented Jan 25, 2017

Had a discussion with @r4v5 and it appears that it's the actual DNS resolvers having issues. The alarm is triggering every few minutes. We have thought about making it trigger once every six hours in case the pool is down. I'll try to implement this logic in the PR.
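
The six-hour throttle discussed above can be expressed as a local OSSEC rule. This is an added example, not part of the original thread and not SecureDrop's own rule; the rule ID 100001, the group name and the description are constructed, and the file path assumes a default OSSEC install.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml (default OSSEC path, assumed). -->
<!-- Rule ID 100001, the group name and the description are constructed for illustration. -->
<group name="local,syslog,ntp,">
  <!-- Child of the generic rule 1002 seen in the alert above. It takes over only
       the ntpd name-resolution failures; other 1002 matches are unaffected. -->
  <rule id="100001" level="2" ignore="21600">
    <if_sid>1002</if_sid>
    <program_name>^ntpd</program_name>
    <match>Temporary failure in name resolution</match>
    <!-- Keep the e-mail notification, since a low-level child rule
         would otherwise fall under the e-mail alert threshold. -->
    <options>alert_by_email</options>
    <!-- ignore="21600": after firing once, stay silent for 21600 s (six hours). -->
    <description>ntpd could not resolve an NTP pool host (re-alerts at most every six hours).</description>
  </rule>
</group>
```

Pasting the syslog line from the alert into `ossec-logtest` shows whether the child rule, rather than 1002, is the one that matches.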

@redshiftzero

For the upgrade here we will need to verify that the Apache access control directives that we use are not deprecated in the version of Apache used in 16.04 (see prior issue #1607).

conorsch mentioned this issue Apr 26, 2017
redshiftzero added this to the 0.4.2 milestone Jun 6, 2017

@psivesely

+1 for prioritizing this issue as suggested in #1861 in order to reap the benefits of PIE on additional packages, especially including Python.

@redshiftzero

In PR #2481, @KwadroNaut suggested migrating to 18.04, which has a planned release in April 2018. Eventually we will want to move to 18.04 (unless we abandon Ubuntu), but otherwise we'd want to migrate first to 16.04. From the Ubuntu docs:

To avoid damaging your running system, upgrading should only be done from one release to the next release (e.g. Ubuntu 12.04 to Ubuntu 12.10) or from one LTS release to the next (e.g. Ubuntu 10.04 LTS to Ubuntu 12.04 LTS). If you wish to 'skip' a version, you can back up your data and do a fresh installation, or progressively upgrade to each successive version.


eloquence commented Mar 29, 2018

This issue has become pretty long and confusing, from the original report to the discussion, so per discussion w/ @conorsch and @redshiftzero I'm closing this in favor of opening new tasks for
