Merge pull request #5922 from freedomofpress/5904-remove-virtualbox

Removes virtualbox support in VM scenarios

Vagrantfile

@@ -11,57 +11,6 @@ Vagrant.configure("2") do |config|
   # so the key insertion feature should be disabled.
   config.ssh.insert_key = false
 
-  # The staging hosts are just like production but allow non-Tor access
-  # for the web interfaces and ssh.
-  config.vm.define 'mon-staging', autostart: false do |staging|
-    if ENV['SECUREDROP_SSH_OVER_TOR']
-      config.ssh.host = find_ssh_aths("mon-ssh-aths")
-      config.ssh.proxy_command = tor_ssh_proxy_command
-      config.ssh.port = 22
-    elsif ARGV[0] == "ssh"
-      config.ssh.host = "10.0.1.3"
-      config.ssh.port = 22
-    end
-    staging.vm.hostname = "mon-staging"
-    staging.vm.box = "bento/ubuntu-20.04"
-    staging.vm.network "private_network", ip: "10.0.1.3"
-    staging.vm.synced_folder './', '/vagrant', disabled: true
-    staging.vm.provider "libvirt" do |lv, override|
-      lv.video_type = "virtio"
-    end
-  end
-
-  config.vm.define 'app-staging', autostart: false do |staging|
-    if ENV['SECUREDROP_SSH_OVER_TOR']
-      config.ssh.host = find_ssh_aths("app-ssh-aths")
-      config.ssh.proxy_command = tor_ssh_proxy_command
-      config.ssh.port = 22
-    elsif ARGV[0] == "ssh"
-      config.ssh.host = "10.0.1.2"
-      config.ssh.port = 22
-    end
-    staging.vm.hostname = "app-staging"
-    staging.vm.box = "bento/ubuntu-20.04"
-    staging.vm.network "private_network", ip: "10.0.1.2"
-    staging.vm.synced_folder './', '/vagrant', disabled: true
-    staging.vm.provider "virtualbox" do |v|
-      v.memory = 1024
-    end
-    staging.vm.provider "libvirt" do |lv, override|
-      lv.memory = 1024
-      lv.video_type = "virtio"
-    end
-    staging.vm.provision "ansible" do |ansible|
-      ansible.playbook = "install_files/ansible-base/securedrop-staging.yml"
-      ansible.inventory_path = "install_files/ansible-base/inventory-staging"
-      ansible.verbose = 'v'
-      # Taken from the parallel execution tips and tricks
-      # https://docs.vagrantup.com/v2/provisioning/ansible.html
-      ansible.limit = 'all,localhost'
-      ansible.raw_arguments = Shellwords.shellsplit(ENV['ANSIBLE_ARGS']) if ENV['ANSIBLE_ARGS']
-    end
-  end
-
   # The prod hosts are just like production but are virtualized.
   # All access to SSH and the web interfaces is only over Tor.
   config.vm.define 'mon-prod', autostart: false do |prod|
@@ -72,7 +21,7 @@ Vagrant.configure("2") do |config|
     end
     prod.vm.hostname = "mon-prod"
     prod.vm.box = "bento/ubuntu-20.04"
-    prod.vm.network "private_network", ip: "10.0.1.5", virtualbox__intnet: internal_network_name
+    prod.vm.network "private_network", ip: "10.0.1.5"
     prod.vm.synced_folder './', '/vagrant', disabled: true
     prod.vm.provider "libvirt" do |lv, override|
       lv.video_type = "virtio"
@@ -87,11 +36,8 @@ Vagrant.configure("2") do |config|
     end
     prod.vm.hostname = "app-prod"
     prod.vm.box = "bento/ubuntu-20.04"
-    prod.vm.network "private_network", ip: "10.0.1.4", virtualbox__intnet: internal_network_name
+    prod.vm.network "private_network", ip: "10.0.1.4"
     prod.vm.synced_folder './', '/vagrant', disabled: true
-    prod.vm.provider "virtualbox" do |v|
-      v.memory = 1024
-    end
     prod.vm.provider "libvirt" do |lv, override|
       lv.memory = 1024
       lv.video_type = "virtio"
@@ -116,11 +62,8 @@ Vagrant.configure("2") do |config|
   config.vm.define 'apt-local', autostart: false do |prod|
     prod.vm.hostname = "apt-local"
     prod.vm.box = "bento/ubuntu-20.04"
-    prod.vm.network "private_network", ip: "10.0.1.7", virtualbox__intnet: internal_network_name
+    prod.vm.network "private_network", ip: "10.0.1.7"
     prod.vm.synced_folder './', '/vagrant', disabled: true
-    prod.vm.provider "virtualbox" do |v|
-      v.memory = 1024
-    end
     prod.vm.provider "libvirt" do |lv, override|
       lv.memory = 1024
       lv.video_type = "virtio"
@@ -177,12 +120,3 @@ def tor_ssh_proxy_command
   end
   return "#{base_cmd} 127.0.0.1:9050 %h %p"
 end
-
-# Create a unique name for the VirtualBox internal network,
-# based on the directory name of the repo. This is to avoid
-# accidental IP collisions when running multiple instances
-# of the staging or prod environment concurrently.
-def internal_network_name
-  repo_root = File.expand_path(File.dirname(__FILE__))
-  return File.basename(repo_root)
-end

devops/scripts/create-staging-env

@@ -2,7 +2,6 @@
 # Wrapper script to determine which VM driver is appropriate for the staging
 # environment, given the host OS and available tooling. Supports:
 #
-#   * VirtualBox (the default)
 #   * Libvirt/KVM
 #   * Qubes (via Admin API)
 #

devops/scripts/select-staging-env

@@ -2,7 +2,6 @@
 # Wrapper script to determine which VM driver is appropriate for the staging
 # environment, given the host OS and available tooling. Supports:
 #
-#   * VirtualBox (the default)
 #   * Libvirt/KVM
 #   * Qubes (via Admin API)
 #
@@ -26,8 +25,9 @@ elif [[ "${OSTYPE:-}" == "linux-gnu" ]]; then
     # Default to Libvirt for Linux users, which works well with Tails VM virtualization.
     securedrop_vm_provider="libvirt"
 else
-    # Default to VirtualBox, since it's the safest bet.
-    securedrop_vm_provider="virtualbox"
+    # We previously maintained Virtualbox support, but don't any longer. Should we?
+    echo "WARNING: Unsupported platform. Libvirt staging environment may not work properly."
+    securedrop_vm_provider="libvirt"
 fi
 
 # Expect the scenario to reside in the molecule/ directory.

install_files/ansible-base/roles/common/tasks/post_ubuntu_install_checks.yml

@@ -31,6 +31,8 @@
   tags:
     - dns
 
+  # These services will be inside staging VMs via the Bento boxes,
+  # even if those boxes are running on libvirt.
 - name: Disable VirtualBox services to avoid conflict with systemd-timesyncd.
   systemd:
     name: "{{ item }}"

molecule/testinfra/common/test_grsecurity.py

@@ -140,17 +140,6 @@ def test_grsecurity_paxtest(host):
             host.run("apt-get remove -y paxtest")
 
 
-@pytest.mark.skip_in_prod
-def test_grub_pc_marked_manual(host):
-    """
-    Ensure the `grub-pc` packaged is marked as manually installed.
-    This is necessary for VirtualBox with Vagrant.
-    """
-    c = host.run('apt-mark showmanual grub-pc')
-    assert c.rc == 0
-    assert c.stdout.strip() == "grub-pc"
-
-
 def test_apt_autoremove(host):
     """
     Ensure old packages have been autoremoved.