Test and release DSH ~~4.0.4~~ 4.1.0

[edwardchalstrey1]

• Build image from 4.0.4 branch and push to gallery: 20.04.2023050900
• Deploy an SRD from this image to an SRE and test (in May Turing Data Study Group)
  • Smoke tests fail on dsgpeak SRE, need to investigate
• As per @jemrobinson comment below, since changes were made to the release-v4.0.4 branch during the DSG, a test SRE should be deployed with the latest version before we can conclude all is well
  • Deploy a new SHM on the release-v4.0.4 branch ("Orange")
  • Rebuild the SRD image on the latest version of the branch and push to gallery (20.04.2023062000)
  • Deploy an SRE with this image
  • Ensure all tests run successfully
    • SRD build issue: Python installation fails data-safe-haven#1493
    • SRD built with DSH 4.0.4 has failing smoke tests for torch with Python 3.9 and 3.11 (but not 3.10) data-safe-haven#1458
    • Re-run SHM deployment for Orange with latest 4.0.4 branch commit
    • Rebuild SRD image after Use pip-compile for package resolution data-safe-haven#1514 and push to gallery
    • Redeploy SRE (pear)
• Make a new release for 4.0.4

[jemrobinson]

We need to check whether an SHM and SRE can be deployed from the current release-v4.0.4 (a3ff6c0e71e5c4d18d3817ee405b1312ae7f8037)

[edwardchalstrey1]

We need to check whether an SHM and SRE can be deployed from the current release-v4.0.4 (79715276fb5368aa95a4238625a44e8193fe349b)

@jemrobinson I've updated the todo list to complete this issue above, feel free to add any other steps you think are required

[edwardchalstrey1]

I'll actually do this before #1467 - this way I can use the new SHM I'll have set up to test changes to the Firewall rule

[edwardchalstrey1]

After deploying the SHM and running through the setup steps I got to Configure MFA and then got this error:

PS C:\Users\domainorangeadmin> & "C:\Program Files\Microsoft\AzureMfa\Config\AzureMfaNpsExtnConfigSetup.ps1"
VERBOSE: Using the provider 'PowerShellGet' for searching packages.
VERBOSE: The -Repository parameter was not specified.  PowerShellGet will use all of the registered repositories.
VERBOSE: Getting the provider object for the PackageManagement Provider 'NuGet'.
VERBOSE: The specified Location is 'https://www.powershellgallery.com/api/v2' and PackageManagementProvider is 'NuGet'.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='MSOnline'' for ''.
VERBOSE: Total package yield:'1' for the specified package 'MSOnline'.
VERBOSE: Skipping installed module MSOnline 1.1.183.66.
Connecting to Microsoft Azure.  Please sign on as a tenant administrator.
Connect-MsolService : Authentication Error: Unexpected authentication failure.
At C:\Program Files\Microsoft\AzureMfa\Config\AzureMfaNpsExtnConfigSetup.ps1:13 char:1
+ Connect-MsolService -Verbose -ErrorAction Stop
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Connect-MsolService], Exception
    + FullyQualifiedErrorId : System.Exception,Microsoft.Online.Administration.Automation.ConnectMsolService

[jemrobinson]

Are you running this command on the NPS server?

[edwardchalstrey1]

Are you running this command on the NPS server?

Yes

[jemrobinson]

Did you get a prompt (in a web browser) for login credentials?

[edwardchalstrey1]

Yes, I logged in with the aad.admin account I set up for this AAD

[jemrobinson]

OK, if you run the script again (following the troubleshooting steps) does it still fail? Have you gone through the other troubleshooting steps yet?

[edwardchalstrey1]

Have tried a couple of times, but this error seems to be slightly different from the ones in the troubleshooting steps, will have a look at those in case it's the same issue though

[edwardchalstrey1]

Ah, hadn't set up MFA for the aad.admin account apparently - sorted now

[edwardchalstrey1]

@craddm @jemrobinson I've deployed a new test SHM with 4.0.4 called "Orange" and will test building an SRE once I have my new laptop set up. What should we do with regard to the other SHMs set up:

1. Should we update prod4 to bring it in line with the latest version? Specifically I'm thinking of the servicebus firewall change
2. Same question for blue (or alternatively should we tear down blue and use orange instead for future testing - I'm not sure if any other significant SHM changes have been made?)
   • Currently I see 3 SREs on blue called satret1, satret2 and t3guac. Is it worth managing these in the same way on the TRESA SRE board or is that overkill for test SREs?

[edwardchalstrey1]

Also, are there any particular tests that should be run other than the SRE smoke tests?

[jemrobinson]

1. We can (and should) update the SHM to the latest released version as-and-when this is available. Nothing we use in production should ever be running anything except a numbered release

2. Dev environments can be in whatever broken/working state is appropriate. We should be clear about who's using which ones though and tidy up any that are not being used.

3. There are a set of release tests (that I think you helped to write up @edwardchalstrey1 ?) here: https://data-safe-haven.readthedocs.io/en/latest/deployment/security_checklist.html. Make a new folder in SharePoint > release_logs called 4.0.4 and copy the contents of templates into it. You should fill out each of the Markdown documents following the example of version 4.0.0.

[craddm]

For blue, I made the service bus firewall change manually when testing if it worked, so we can leave it be.

[edwardchalstrey1]

Despite the SRD VM image build not raising any problems (see alan-turing-institute/data-safe-haven#1514 (comment)) there seems to be an issue with pip-tools when running the smoke tests on an SRE built with the new SRD image:

The following 1 packages are missing or broken:
     pip-tools

Full error messages from smoke tests

bats run_all_tests.bats 
run_all_tests.bats
 ✓ Julia packages
 ✓ Julia functionality
 ✗ Python packages (3.9)
   (from function `assert_output' in file ../bats/bats-assert/src/assert_output.bash, line 178,
    from function `test_python_packages' in file run_all_tests.bats, line 30,
    in test file run_all_tests.bats, line 67)
     `test_python_packages '3.9'' failed
   
   -- regular expression does not match output --
   regexp (1 lines):
     All [0-9]+ packages are installed
   output (75 lines):
     /opt/tests/tests/test_packages_installed_python.py:7: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
       import pkg_resources
     2023-08-03 14:42:34.801778: I tensorflow/core/platform/cpu_feature_guard.cc:182] This TensorFlow binary is optimized to use available CPU instructions in performance-critical operations.
     To enable the following instructions: AVX2 AVX512F FMA, in other operations, rebuild TensorFlow with the appropriate compiler flags.
     2023-08-03 14:42:38.932542: W tensorflow/compiler/tf2tensorrt/utils/py_utils.cc:38] TF-TRT Warning: Could not find TensorRT
     /home/ed.chalstrey1/.pyenv/versions/3.9.17/lib/python3.9/site-packages/torch/cuda/__init__.py:546: UserWarning: Can't initialize NVML
       warnings.warn("Can't initialize NVML")
     2023-08-03 14:43:01.320959: E tensorflow/compiler/xla/stream_executor/cuda/cuda_driver.cc:268] failed call to cuInit: CUDA_ERROR_NO_DEVICE: no CUDA-capable device is detected
     Python version 3.9.17 found
     Testing 62 Python packages
     Testing 'arviz' ...
     Testing 'beautifulsoup4' ...
     Testing 'black' ...
     Testing 'Cython' ...
     Testing 'dash' ...
     Testing 'dask' ...
     Testing 'flair' ...
     Testing 'flake8' ...
     Testing 'folium' ...
     Testing 'gensim' ...
     Testing 'geopandas' ...
     Testing 'gym' ...
     Testing 'html5lib' ...
     Testing 'ipykernel' ...
     Testing 'keras' ...
     Testing 'lightgbm' ...
     Testing 'lxml' ...
     Testing 'matplotlib' ...
     Testing 'nltk' ...
     Testing 'numba' ...
     Testing 'numpy' ...
     Testing 'pandas' ...
     Testing 'pandasql' ...
     Testing 'pathos' ...
     Testing 'pg8000' ...
     Testing 'Pillow' ...
     Testing 'pip-tools' ...
     Testing 'plotly' ...
     Testing 'prophet' ...
     Testing 'psycopg2' ...
     Testing 'pydot' ...
     Testing 'pygrib' ...
     Testing 'pylint' ...
     Testing 'pymc' ...
     Testing 'pyodbc' ...
     Testing 'pyproj' ...
     Testing 'pyshp' ...
     Testing 'pystan' ...
     Testing 'pytest' ...
     Testing 'PyYAML' ...
     Testing 'regex' ...
     Testing 'requests' ...
     Testing 'safety' ...
     Testing 'scikit-image' ...
     Testing 'scikit-learn' ...
     Testing 'scipy' ...
     Testing 'seaborn' ...
     Testing 'spacy-langdetect' ...
     Testing 'spacy' ...
     Testing 'Sphinx' ...
     Testing 'SQLAlchemy' ...
     Testing 'statsmodels' ...
     Testing 'sympy' ...
     Testing 'tables' ...
     Testing 'tensorflow' ...
     Tensorflow can see the following devices ['/device:CPU:0']
     Testing 'thinc' ...
     Testing 'torch' ...
     Testing 'torchvision' ...
     Testing 'tsfresh' ...
     Testing 'wordcloud' ...
     Testing 'xgboost' ...
     Testing 'xlrd' ...
     The following 1 packages are missing or broken:
     pip-tools
   --
   
 ✓ Python functionality (3.9)
 ✓ Python virtual environments (3.9)
 ✓ Python package repository (3.9)
 ✗ Python packages (3.10)
   (from function `assert_output' in file ../bats/bats-assert/src/assert_output.bash, line 178,
    from function `test_python_packages' in file run_all_tests.bats, line 30,
    in test file run_all_tests.bats, line 81)
     `test_python_packages '3.10'' failed
   
   -- regular expression does not match output --
   regexp (1 lines):
     All [0-9]+ packages are installed
   output (75 lines):
     /opt/tests/tests/test_packages_installed_python.py:7: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
       import pkg_resources
     2023-08-03 14:48:34.860139: I tensorflow/core/platform/cpu_feature_guard.cc:182] This TensorFlow binary is optimized to use available CPU instructions in performance-critical operations.
     To enable the following instructions: AVX2 AVX512F FMA, in other operations, rebuild TensorFlow with the appropriate compiler flags.
     2023-08-03 14:48:39.173527: W tensorflow/compiler/tf2tensorrt/utils/py_utils.cc:38] TF-TRT Warning: Could not find TensorRT
     /home/ed.chalstrey1/.pyenv/versions/3.10.12/lib/python3.10/site-packages/torch/cuda/__init__.py:546: UserWarning: Can't initialize NVML
       warnings.warn("Can't initialize NVML")
     2023-08-03 14:49:01.261930: E tensorflow/compiler/xla/stream_executor/cuda/cuda_driver.cc:268] failed call to cuInit: CUDA_ERROR_NO_DEVICE: no CUDA-capable device is detected
     Python version 3.10.12 found
     Testing 62 Python packages
     Testing 'arviz' ...
     Testing 'beautifulsoup4' ...
     Testing 'black' ...
     Testing 'Cython' ...
     Testing 'dash' ...
     Testing 'dask' ...
     Testing 'flair' ...
     Testing 'flake8' ...
     Testing 'folium' ...
     Testing 'gensim' ...
     Testing 'geopandas' ...
     Testing 'gym' ...
     Testing 'html5lib' ...
     Testing 'ipykernel' ...
     Testing 'keras' ...
     Testing 'lightgbm' ...
     Testing 'lxml' ...
     Testing 'matplotlib' ...
     Testing 'nltk' ...
     Testing 'numba' ...
     Testing 'numpy' ...
     Testing 'pandas' ...
     Testing 'pandasql' ...
     Testing 'pathos' ...
     Testing 'pg8000' ...
     Testing 'Pillow' ...
     Testing 'pip-tools' ...
     Testing 'plotly' ...
     Testing 'prophet' ...
     Testing 'psycopg2' ...
     Testing 'pydot' ...
     Testing 'pygrib' ...
     Testing 'pylint' ...
     Testing 'pymc' ...
     Testing 'pyodbc' ...
     Testing 'pyproj' ...
     Testing 'pyshp' ...
     Testing 'pystan' ...
     Testing 'pytest' ...
     Testing 'PyYAML' ...
     Testing 'regex' ...
     Testing 'requests' ...
     Testing 'safety' ...
     Testing 'scikit-image' ...
     Testing 'scikit-learn' ...
     Testing 'scipy' ...
     Testing 'seaborn' ...
     Testing 'spacy-langdetect' ...
     Testing 'spacy' ...
     Testing 'Sphinx' ...
     Testing 'SQLAlchemy' ...
     Testing 'statsmodels' ...
     Testing 'sympy' ...
     Testing 'tables' ...
     Testing 'tensorflow' ...
     Tensorflow can see the following devices ['/device:CPU:0']
     Testing 'thinc' ...
     Testing 'torch' ...
     Testing 'torchvision' ...
     Testing 'tsfresh' ...
     Testing 'wordcloud' ...
     Testing 'xgboost' ...
     Testing 'xlrd' ...
     The following 1 packages are missing or broken:
     pip-tools
   --
   
 ✓ Python functionality (3.10)
 ✓ Python virtual environments (3.10)
 ✓ Python package repository (3.10)
 ✗ Python packages (3.11)
   (from function `assert_output' in file ../bats/bats-assert/src/assert_output.bash, line 178,
    from function `test_python_packages' in file run_all_tests.bats, line 30,
    in test file run_all_tests.bats, line 96)
     `test_python_packages '3.11'' failed
   
   -- regular expression does not match output --
   regexp (1 lines):
     All [0-9]+ packages are installed
   output (65 lines):
     /opt/tests/tests/test_packages_installed_python.py:7: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
       import pkg_resources
     <frozen importlib._bootstrap>:241: UserWarning: Warning: ecCodes 2.19.1 or higher is recommended. You are running 2.16.0.
     /home/ed.chalstrey1/.pyenv/versions/3.11.4/lib/python3.11/site-packages/torch/cuda/__init__.py:546: UserWarning: Can't initialize NVML
       warnings.warn("Can't initialize NVML")
     Python version 3.11.4 found
     Testing 56 Python packages
     Testing 'arviz' ...
     Testing 'beautifulsoup4' ...
     Testing 'black' ...
     Testing 'Cython' ...
     Testing 'dash' ...
     Testing 'dask' ...
     Testing 'flair' ...
     Testing 'flake8' ...
     Testing 'folium' ...
     Testing 'gensim' ...
     Testing 'geopandas' ...
     Testing 'gym' ...
     Testing 'html5lib' ...
     Testing 'ipykernel' ...
     Testing 'lightgbm' ...
     Testing 'lxml' ...
     Testing 'matplotlib' ...
     Testing 'nltk' ...
     Testing 'numpy' ...
     Testing 'pandas' ...
     Testing 'pandasql' ...
     Testing 'pathos' ...
     Testing 'pg8000' ...
     Testing 'Pillow' ...
     Testing 'pip-tools' ...
     Testing 'plotly' ...
     Testing 'prophet' ...
     Testing 'psycopg2' ...
     Testing 'pydot' ...
     Testing 'pygrib' ...
     Testing 'pylint' ...
     Testing 'pymc' ...
     Testing 'pyodbc' ...
     Testing 'pyproj' ...
     Testing 'pyshp' ...
     Testing 'pystan' ...
     Testing 'pytest' ...
     Testing 'PyYAML' ...
     Testing 'regex' ...
     Testing 'requests' ...
     Testing 'safety' ...
     Testing 'scikit-image' ...
     Testing 'scikit-learn' ...
     Testing 'scipy' ...
     Testing 'seaborn' ...
     Testing 'spacy-langdetect' ...
     Testing 'spacy' ...
     Testing 'Sphinx' ...
     Testing 'SQLAlchemy' ...
     Testing 'statsmodels' ...
     Testing 'sympy' ...
     Testing 'tables' ...
     Testing 'thinc' ...
     Testing 'torch' ...
     Testing 'xgboost' ...
     Testing 'xlrd' ...
     The following 1 packages are missing or broken:
     pip-tools
   --
   
 ✓ Python functionality (3.11)
 ✓ Python virtual environments (3.11)
 ✓ Python package repository (3.11)
 ✓ R packages
 ✓ R functionality
 ✓ R package repository
 ✓ Mounted drives (/data)
 ✓ Mounted drives (/home)
 ✓ Mounted drives (/output)
 ✓ Mounted drives (/shared)
 ✓ Mounted drives (/scratch)

22 tests, 3 failures

Do we need to update a package list somewhere other than deployment/secure_research_desktop/packages/packages-python.yaml?

[jemrobinson]

This is because the test tries to run import <package_name> for each package. pip-tools isn't an importable package, it's just some scripts. See the example for repro-catalogue where we check for an executable instead, and try checking for pip-compile.

[edwardchalstrey1]

@jemrobinson We should now be able to make a release for the release-v4.0.4 branch - should I just go ahead and do that? afterwards I can PR this branch into develop and figure out any conflicts

[jemrobinson]

Have you done all the pre-release check? Not sure we've got these written down anywhere (@JimMadge do you know?) but see e.g. release 4.0.0. We need:

• SHM build log
• SRD build log
• SRE build logs for
  • Guacamole and MSRDS
  • Tier 2 and Tier 3
  • These can be combined (eg. t2guac and t3msrds)
• Filled out security checklist

[edwardchalstrey1]

I have the:

• SHM build log
• SRD build log
• SRE Tier 0 build log

I think we should formally decide then which checks should be done for which releases, were all of those things done for each of the previous patch releases e.g. 4.0.3/4.0.2? I would guess no? https://github.com/alan-turing-institute/data-safe-haven/releases

Reading through the security checklist just now it felt like if anything this is something we should be doing on a per deployment basis - though maybe we think that's too laborious and so we assume that reproducible IAC principles mean we can do it for a version? Even in this case, should we do it for every patch release or just minor or major releases?

[jemrobinson]

I agree that these weren't done for previous patch releases, but I'm not sure whether this is still a patch release (bug fixes only) or if it's a minor release now.

Here's the diff (alan-turing-institute/data-safe-haven@v4.0.3...release-v4.0.4) what do you think @edwardchalstrey1 @JimMadge @craddm ?

Can you post a changelog here @edwardchalstrey1 (in the style of previous release changelogs) so we can judge better?

[edwardchalstrey1]

Can you post a changelog here @edwardchalstrey1 (in the style of previous release changelogs) so we can judge better?

Looks like @JimMadge made one already: https://github.com/alan-turing-institute/data-safe-haven/releases/tag/untagged-a52657d965ec43f09888

I've updated that with the recent PRs to the release branch and dropped "beta" from the release name

[edwardchalstrey1]

My thoughts are we should decide and document the checks that we want to do for the 3 levels of versioning, then decide what this release should be and if needed change the number (e.g. 4.1.0) - I'm not against doing the full set of checks you describe @jemrobinson even for patch releases, but I think we should decide that first.

[jemrobinson]

Looking at what we've done in the past, it's:

• MAJOR: SHM log, SRE logs covering Guacamole/MSRDS and tier 2/3, SRD log, security checklist, penetration test
• MINOR: SHM log, SRE logs covering Guacamole/MSRDS and tier 2/3, SRD log, security checklist, penetration test (sometimes)
• PATCH: None

What sounds reasonable to you: @edwardchalstrey1 @JimMadge @craddm for each of these release types?

[edwardchalstrey1]

What does the penetration test involve?
Where should the logs be saved?

Maybe releases that have security fixes (as this does), should be at least a MINOR and subject to all these tests, whereas releases that only have feature additions, non-security related bug fixes and documentation changes can be patches with no testing except perhaps the usual smoke tests on a deployed SRE?

Also just thinking now, would it be normal in software to bundle unrelated changes into a release in the way we have been doing? This does seem fine to me, but if we're taking this approach as oppose to doing releases for a set of related features, should we have a pre-defined interval, e.g. make a release once per quarter, and decide the patch/minor/major increment based on whatever is in it?

[jemrobinson]

The penetration tests are carried out by a third-party (iSTORM). We set up an SHM and a couple of SREs and give them user accounts and various admin accounts. They try to find exploits and report back to us. Typically takes around a week or two weeks for an in-depth test. Results of previous penetration tests are in Sharepoint under Security assessments > External penetration tests.

Maybe releases that have security fixes (as this does), should be at least a MINOR and subject to all these tests

We've already said that MINOR means "Adds new functionality, but new SREs can be deployed into existing environments" while PATCH means "Fixes bugs only and new SREs can be deployed into existing environments". I think security fixes can still be a PATCH release.

whereas releases that only have feature additions, non-security related bug fixes and documentation changes can be patches with no testing except perhaps the usual smoke tests on a deployed SRE?

I guess the real question is: what kind of change can we make where we're ~100% certain that it won't break our SHM or SRE scripts. Documentation changes are in that category, removing MSRDS support is not. Where's the dividing line and is it at the current patch/minor boundary?

Also just thinking now, would it be normal in software to bundle unrelated changes into a release in the way we have been doing? This does seem fine to me, but if we're taking this approach as oppose to doing releases for a set of related features, should we have a pre-defined interval, e.g. make a release once per quarter, and decide the patch/minor/major increment based on whatever is in it?

For security fixes, it's important to get a patch release out as soon as possible. Major and minor don't have that constraint. The problem is that preparing a release takes away from development time so we generally want to have bundled a few important changes to make it worth doing.

[JimMadge]

• Feels like this should be a minor version bump due to the change in Python version on the SRD
• SHM log, SRE logs covering Guacamole/MSRDS and tier 2/3, SRD log, security checklist seems reasonable for patch/minor versions.
  I thought we had this written down but I can't find it.
  My recollection is that we save pen testing for major versions (or when we haven't done one for a while) because of the time/expense of it.
  Releasing a patch version without doing even basic security checks (or testing that deployment works) feels like a very bad idea.

Meta point, why is this issue not in the DSH repo?

[edwardchalstrey1]

Meta point, why is this issue not in the DSH repo?

I think can move it there, in fact, might it be worth having a GH issue template for releases that has a checklist of the above

[jemrobinson]

Let's leave this issue here, but create a new GH issue template in the DSH repo with a checklist of whatever we agree here.

@JimMadge How about something like:

• MAJOR:
  • SHM deployment log
  • SRD deployment log
  • SRE deployment logs covering Guacamole/MSRDS and tier 2/3
  • Security checklist
  • Penetration test
• MINOR:
  • SHM deployment log
  • SRD deployment log
  • SRE deployment logs covering Guacamole/MSRDS and tier 2/3
  • Security checklist
• PATCH:
  • SHM deployment log
  • SRD deployment log
  • SRE deployment logs covering Guacamole/MSRDS and tier 2/3
  • Security checklist

[edwardchalstrey1]

PATCH:

• SRD log
• SRE log for at least one SRE
• Security checklist

Although note that the security checklist requires setting up two SREs (t2 and t3)

[JimMadge]

Is the argument that if we make a security fix to the SHM, that will always be a major release, so we don't need to check SHM deployment?

[edwardchalstrey1]

@jemrobinson question - for the SHM/SRE/SRD logs, where do/should we save these?

[jemrobinson]

Save them in Sharepoint in under release_logs. Copy the templates folder to your new release name and fill in the templates accordingly. You can use markdown2pdf.sh to build the PDF versions that get attached to the release.

[edwardchalstrey1]

Save them in Sharepoint in under release_logs. Copy the templates folder to your new release name and fill in the templates accordingly. You can use markdown2pdf.sh to build the PDF versions that get attached to the release.

thanks, I guess we should record that somewhere internally, maybe on the data-safe-haven-team README?

Here's a PR for release template: alan-turing-institute/data-safe-haven#1543

[edwardchalstrey1]

Closing this issue with the opening of alan-turing-institute/data-safe-haven#1544