Upgrade from Ubuntu 14.04 (Trusty) to Ubuntu 16.04 (Xenial) (#601)

justinwray · web-flow · commit 4dbbf1041c73 · 2017-12-13T17:13:43.000-05:00
### Upgrade from Ubuntu 14.04 (Trusty) to Ubuntu 16.04 (Xenial) * **NOTE**: These changes require `Xenial` to be used from this point forward. `Trusty` will no longer work as there are _various incompatibilities_. * The platform is now exclusively supported on Ubuntu 16.04 (Xenial). Trusty (14.04) is no longer supported after this commit. * HHVM has been upgraded to to version 3.21. * Provision, Docker, and Vagrant configurations have been updated to support 16.04. This includes Travis builds which utilizes the Docker image (PR #569). * Provision Changes: * HHVM repo and repo keys updated for Xenial * HHVM "restarted" instead of "started" after HHVM repo mode enabled. Enabling repo mode appears to start HHVM before permissions are applied to repo file. Therefore it must be restarted. * `osquery` repo source updated for Xenial * `node.js` legacy purge removed before installation, as this is not required for Xenial * Package `language-pack-en` removed, this is installed and no longer required. * Package `php5-cli` replaced with `php7.0-cli` for compatibility with Xenial. * MySQL configuration file changed from `/etc/mysql/my.cnf` to `/etc/mysql/mysql.conf.d/mysqld.cnf` for compatibility with Xenial. * Vagrant Changes: * Base VM changed to Xenial * Docker Changes: * Images for standalone and multi-setup changed to Xenial * Web directory permissions set to `www-data`. Otherwise, the web directory will be owned by root and cause permissions issues. * MySQL permissions enforced on `/var/lib/mysql and /var/run/mysql`. Otherwise, these directories will be owned by root and MySQL will not function. * HHVM explicitly started as `www-data`. Docker does not allow HHVM startup (running under root) to spawn an HHVM process under another user (www-data). * `sudo` and `apt-utils` installed. These are required packages for provision. * Based on recommended HHVM DockerFile, `ENV HHVM_DISABLE_NUMA` parameter added and set to true.
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,4 @@
-FROM ubuntu:trusty
-LABEL maintainer="Boik Su <boik@tdohacker.org>"
+FROM ubuntu:xenial
 
 ENV HOME /root
 
@@ -10,9 +9,11 @@ ARG TYPE=self
 ARG KEY
 ARG CRT
 
+ENV HHVM_DISABLE_NUMA true
+
 WORKDIR $HOME
 COPY . $HOME
-RUN chown www-data:www-data $HOME
 
+RUN apt-get update && apt-get -y install sudo apt-utils
 RUN ./extra/provision.sh -m $MODE -c $TYPE -k $KEY -C $CRT -D $DOMAIN -e $EMAIL -s `pwd` --docker
 CMD ["./extra/service_startup.sh"]
diff --git a/Vagrantfile b/Vagrantfile
@@ -4,7 +4,7 @@
 VAGRANTFILE_API_VERSION = "2"
 
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
-  config.vm.box = "ubuntu/trusty64"
+  config.vm.box = "ubuntu/xenial64"
   config.vm.network "private_network", ip: "10.10.10.5"
   config.vm.hostname = "FacebookCTF-Dev"
   config.ssh.shell = "bash -c 'BASH_ENV=/etc/profile exec bash'"
diff --git a/Vagrantfile-multi b/Vagrantfile-multi
@@ -4,7 +4,7 @@
 VAGRANTFILE_API_VERSION = "2"
 
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
-  config.vm.box = "ubuntu/trusty64"
+  config.vm.box = "ubuntu/xenial64"
   config.ssh.shell = "bash -c 'BASH_ENV=/etc/profile exec bash'"
 
   # MySQL Server
diff --git a/Vagrantfile-single b/Vagrantfile-single
@@ -4,7 +4,7 @@
 VAGRANTFILE_API_VERSION = "2"
 
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
-  config.vm.box = "ubuntu/trusty64"
+  config.vm.box = "ubuntu/xenial64"
   config.vm.network "private_network", ip: "10.10.10.5"
   config.vm.hostname = "facebookCTF-Dev"
   config.ssh.shell = "bash -c 'BASH_ENV=/etc/profile exec bash'"
diff --git a/extra/cache/Dockerfile b/extra/cache/Dockerfile
@@ -1,5 +1,4 @@
-FROM ubuntu:trusty
-LABEL maintainer="Boik Su <boik@tdohacker.org>"
+FROM ubuntu:xenial
 
 ENV HOME /root
 
@@ -13,5 +12,6 @@ ARG CRT
 WORKDIR $HOME
 COPY . $HOME
 
+RUN apt-get update && apt-get -y install sudo apt-utils
 RUN ./extra/provision.sh -m $MODE -c $TYPE -k $KEY -C $CRT -D $DOMAIN -e $EMAIL -s `pwd` --docker --multiple-servers --server-type cache
 CMD ["./extra/cache/cache_startup.sh"]
diff --git a/extra/hhvm/Dockerfile b/extra/hhvm/Dockerfile
@@ -1,5 +1,4 @@
-FROM ubuntu:trusty
-LABEL maintainer="Boik Su <boik@tdohacker.org>"
+FROM ubuntu:xenial
 
 ENV HOME /root
 
@@ -10,8 +9,11 @@ ARG TYPE=self
 ARG KEY
 ARG CRT
 
+ENV HHVM_DISABLE_NUMA true
+
 WORKDIR $HOME
 COPY . $HOME
 
+RUN apt-get update && apt-get -y install sudo apt-utils
 RUN ./extra/provision.sh -m $MODE -c $TYPE -k $KEY -C $CRT -D $DOMAIN -e $EMAIL -s `pwd` --docker --multiple-servers --server-type hhvm --mysql-server mysql --cache-server cache
 CMD ["./extra/hhvm/hhvm_startup.sh"]
diff --git a/extra/hhvm/hhvm_startup.sh b/extra/hhvm/hhvm_startup.sh
@@ -2,7 +2,8 @@
 
 set -e
 
-service hhvm restart
+chown -R www-data:www-data /var/www/fbctf
+sudo -u www-data service hhvm restart
 
 while true; do
     if [[ -e /var/run/hhvm/sock ]]; then
diff --git a/extra/lib.sh b/extra/lib.sh
@@ -59,7 +59,7 @@ function install_unison() {
 function repo_osquery() {
   log "Adding osquery repository keys"
   sudo DEBIAN_FRONTEND=noninteractive apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
-  sudo DEBIAN_FRONTEND=noninteractive add-apt-repository "deb [arch=amd64] https://osquery-packages.s3.amazonaws.com/trusty trusty main"
+  sudo DEBIAN_FRONTEND=noninteractive add-apt-repository "deb [arch=amd64] https://pkg.osquery.io/deb deb main"
 }
 
 function install_mysql() {
@@ -229,16 +229,14 @@ function install_hhvm() {
 
   package software-properties-common
 
-  log "Adding HHVM key"
+  log "Adding HHVM keys"
   sudo DEBIAN_FRONTEND=noninteractive apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0x5a16e7281be7a449
+  sudo DEBIAN_FRONTEND=noninteractive apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xB4112585D386EB94
 
   log "Adding HHVM repo"
-  sudo DEBIAN_FRONTEND=noninteractive add-apt-repository "deb http://dl.hhvm.com/ubuntu $(lsb_release -sc) main"
+  sudo DEBIAN_FRONTEND=noninteractive add-apt-repository "deb http://dl.hhvm.com/ubuntu xenial-lts-3.21 main"
 
   package_repo_update
-
-  log "Installing HHVM"
-  # Installing the package so the dependencies are installed too
   package hhvm
 
   log "Enabling HHVM to start by default"
@@ -274,7 +272,7 @@ function hhvm_performance() {
   cat "$__config" | sed "s|$__oldrepo|$__repofile|g" | sudo tee "$__config"
   sudo hhvm-repo-mode enable "$__path"
   sudo chown www-data:www-data "$__repofile"
-  sudo service hhvm start
+  sudo service hhvm restart
 }
 
 function install_composer() {
@@ -288,9 +286,6 @@ function install_composer() {
 }
 
 function install_nodejs() {
-  log "Removing node.js legacy version"
-  sudo DEBIAN_FRONTEND=noninteractive apt-get remove --purge nodejs -y
-
   log "Downloading and setting node.js version 6.x repo information"
   dl_pipe "https://deb.nodesource.com/setup_6.x" | sudo -E bash -
 
diff --git a/extra/mysql/Dockerfile b/extra/mysql/Dockerfile
@@ -1,5 +1,4 @@
-FROM ubuntu:trusty
-LABEL maintainer="Boik Su <boik@tdohacker.org>"
+FROM ubuntu:xenial
 
 ENV HOME /root
 
@@ -13,5 +12,6 @@ ARG CRT
 WORKDIR $HOME
 COPY . $HOME
 
+RUN apt-get update && apt-get -y install sudo apt-utils
 RUN ./extra/provision.sh -m $MODE -c $TYPE -k $KEY -C $CRT -D $DOMAIN -e $EMAIL -s `pwd` --docker --multiple-servers --server-type mysql
 CMD ["./extra/mysql/mysql_startup.sh"]
diff --git a/extra/mysql/mysql_startup.sh b/extra/mysql/mysql_startup.sh
@@ -2,6 +2,10 @@
 
 set -e
 
+chown -R mysql:mysql /var/lib/mysql
+chown -R mysql:mysql /var/run/mysqld
+chown -R mysql:mysql /var/log/mysql
+
 service mysql restart
 
 while true; do
diff --git a/extra/nginx/Dockerfile b/extra/nginx/Dockerfile
@@ -1,5 +1,4 @@
-FROM ubuntu:trusty
-LABEL maintainer="Boik Su <boik@tdohacker.org>"
+FROM ubuntu:xenial
 
 ENV HOME /root
 
@@ -12,7 +11,7 @@ ARG CRT
 
 WORKDIR $HOME
 COPY . $HOME
-RUN chown www-data:www-data $HOME
 
+RUN apt-get update && apt-get -y install sudo apt-utils
 RUN ./extra/provision.sh -m $MODE -c $TYPE -k $KEY -C $CRT -D $DOMAIN -e $EMAIL -s `pwd` --docker --multiple-servers --server-type nginx --hhvm-server hhvm
 CMD ["./extra/nginx/nginx_startup.sh"]
diff --git a/extra/nginx/nginx_startup.sh b/extra/nginx/nginx_startup.sh
@@ -6,6 +6,7 @@ if [[ -e /root/tmp/certbot.sh ]]; then
     /bin/bash /root/tmp/certbot.sh
 fi
 
+chown -R www-data:www-data /var/www/fbctf
 service nginx restart
 
 while true; do
diff --git a/extra/provision.sh b/extra/provision.sh
@@ -244,7 +244,6 @@ fi
 
 # If multiple servers are being utilized, ensure provision was called from the "nginx" or "hhvm" servers
     if [[ "$MULTIPLE_SERVERS" == false || "$SERVER_TYPE" = "nginx" || $SERVER_TYPE = "hhvm" ]]; then
-    package language-pack-en
 
     if [[ "$UPDATE" == true ]] ; then
         log "Updating repo"
@@ -265,7 +264,6 @@ fi
         log "Installing HHVM"
         install_hhvm "$CTF_PATH" "$HHVM_CONFIG_PATH" "$MULTIPLE_SERVERS"
 
-        # Install Composer
         log "Installing Composer"
         install_composer "$CTF_PATH"
         log "Installing Composer in /usr/bin"
@@ -359,10 +357,10 @@ if [[ "$MULTIPLE_SERVERS" == false || "$SERVER_TYPE" = "mysql" ]]; then
     # Configuration for MySQL
     if [[ "$MULTIPLE_SERVERS" == true ]] && [[ "$SERVER_TYPE" = "mysql" ]]; then
         # This is required in order to generate password hash (since HHVM is not being installed)
-        package php5-cli
+        package php7.0-cli
 
-        sudo sed -e '/^bind-address/ s/^#*/#/' -i /etc/mysql/my.cnf
-        sudo sed -e '/^skip-external-locking/ s/^#*/#/' -i /etc/mysql/my.cnf
+        sudo sed -e '/^bind-address/ s/^#*/#/' -i /etc/mysql/mysql.conf.d/mysqld.cnf
+        sudo sed -e '/^skip-external-locking/ s/^#*/#/' -i /etc/mysql/mysql.conf.d/mysqld.cnf
 	fi
 
     # Database creation
diff --git a/extra/service_startup.sh b/extra/service_startup.sh
@@ -10,7 +10,12 @@ if [[ -e /var/run/hhvm/sock ]]; then
     rm -f /var/run/hhvm/sock
 fi
 
-service hhvm restart
+chown -R mysql:mysql /var/lib/mysql
+chown -R mysql:mysql /var/run/mysqld
+chown -R mysql:mysql /var/log/mysql
+chown -R www-data:www-data /var/www/fbctf
+
+sudo -u www-data service hhvm restart
 service nginx restart
 service mysql restart
 service memcached restart
diff --git a/src/models/Progressive.php b/src/models/Progressive.php
@@ -71,7 +71,7 @@ private static function progressiveFromRow(
       $progressive = array();
       $result =
         await $db->queryf(
-          'SELECT * FROM progressive_log GROUP BY team_name, iteration ORDER BY points ASC',
+          'SELECT MAX(id) as id, MAX(ts) as ts, team_name, MAX(points) as points, iteration FROM progressive_log GROUP BY team_name, iteration, id ORDER BY points ASC',
         );
       foreach ($result->mapRows() as $row) {
         $progressive[$row->get('team_name')][] =
diff --git a/src/models/Session.php b/src/models/Session.php
@@ -439,7 +439,13 @@ private static function sessionFromRow(Map<string, string> $row): Session {
       $sessions = array();
       $cached_sessions = array();
       /* HH_IGNORE_ERROR[4053]: HHVM doesn't beleive there is a getAllKeys() method, there is... */
-      $mc_keys = $mc->getAllKeys();
+      //$mc_keys = $mc->getAllKeys();
+      /* Memcached::getAllKeys() is not working in HHVM 3.21 - For now we will flush Memcache in place of the call.
+       *  Flushing the cache will be slower and will negatively impact performance.
+       *  As soon as getAllKeys() regains support in HHVM, or the functionality it replaced, this should be updated.
+       */
+      $mc_keys = array();
+      self::flushMCCluster();
       $all_sessions = preg_grep(
         '/'.self::$MC_KEY.self::$MC_KEYS->get('SESSIONS').'/',
         $mc_keys,
@@ -492,7 +498,13 @@ public static function invalidateMCSessions(?string $key = null): void {
     $key = str_replace(' ', '', $key);
     if ($key === null) {
       /* HH_IGNORE_ERROR[4053]: HHVM doesn't beleive there is a getAllKeys() method, there is... */
-      $mc_keys = $mc->getAllKeys();
+      //$mc_keys = $mc->getAllKeys();
+      /* Memcached::getAllKeys() is not working in HHVM 3.21 - For now we will flush Memcache in place of the call.
+       *  Flushing the cache will be slower and will negatively impact performance.
+       *  As soon as getAllKeys() regains support in HHVM, or the functionality it replaced, this should be updated.
+       */
+      $mc_keys = array();
+      self::flushMCCluster();
       $all_sessions = preg_grep(
         '/'.self::$MC_KEY.self::$MC_KEYS->get('SESSIONS').'/',
         $mc_keys,
diff --git a/tests/_files/seed.xml b/tests/_files/seed.xml
@@ -278,13 +278,15 @@
     <column>team_id</column>
     <column>created_ts</column>
     <column>last_access_ts</column>
+    <column>last_page_access</column>
     <row>
       <value>1</value>
       <value>cookie</value>
       <value>data</value>
       <value>1</value>
       <value>2015-04-24 17:15:23</value>
       <value>2016-04-24 17:15:23</value>
+      <value>index</value>
     </row>
   </table>
   <table name="registration_tokens">
