[MDC-720] deb: be far more assertive about automated updates

Ignore the local administrator settings re. unattended upgrades and have the cron.weekly script enforce an apt-get install of the SIMET packages. This forces their upgrade if they are outdated. There is a guard that ensures it is only done if the main package is not in a removed state. We've seen way too many systems where just depending on unattended- upgrades is *not* enough: they just won't update. Likely, these systems already had unattended-upgrades installed, but disabled. Note that we cannot just force-enable unattended-upgrades, as it updates the whole system and not just our packages. While at it, add an "apt-get -f install" run when things fail, to hopefully fix pending brokenness and give an eventual next attempt a chance to work. The cron script guards require that /opt/simet/bin/simet_register_ma.sh exist. If we move or rename that script, the guards need to be updated to match otherwise it would disable the cron scripts. Add a self-test to Debian rules that will abort the package build if we screw that up. (cherry picked from commit bfd9399)
simetnicbr · Jun 15, 2023 · f285029 · f285029
1 parent ddf443e
commit f285029
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 22 deletions.
diff --git a/debian/rules b/debian/rules
@@ -17,6 +17,12 @@ export DEB_CFLAGS_MAINT_APPEND := -Wall -pipe
 # package maintainers to append LDFLAGS
 #export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
 
+
+# One must update all cron scripts *and* debian/rules should this file
+# get moved/renamed.  It is used as a guard to detect package is in
+# installed, and not removed or purged state.
+SIMET_ENSURE_FILE_EXISTS=/opt/simet/bin/simet_register_ma.sh
+
 %:
 	dh $@
 
@@ -57,6 +63,8 @@ override_dh_auto_test:
 # ensure we always get the same behavior from dh_auto_install
 override_dh_auto_install:
 	dh_auto_install --destdir=debian/tmp
+	[ -f "debian/tmp/$(SIMET_ENSURE_FILE_EXISTS)" ] || \
+		{ printf '\n\n%s\n\n' "ERROR: fix source and packaging, $(SIMET_ENSURE_FILE_EXISTS) was moved or renamed?" ; exit 99 ; }
 
 override_dh_install:
 	CODENAME=$$( lsb_release -sc ) && DISTRO=$$( lsb_release -si | tr A-Z a-z ) && \

diff --git a/debian/simet-ma.cron.weekly b/debian/simet-ma.cron.weekly
@@ -1,33 +1,34 @@
 #!/bin/sh
 # simet-ma.cron.weekly - weekly maintenance for the SIMET Measurement Agent
-# Copyright (c) 2018,2019 NIC.br
+# Copyright (c) 2018-2023 NIC.br
 #
 # Distributed under the GPLv3+ license with additional terms and permissions
 # Refer to the COPYING file on the program source for details
 
 SIMET_PACKAGES="simet-ma simet-lmapd"
 
-# Attempt to auto-update if unattended-upgrades are not explicitly disabled.
-# We also configure unattended-upgrades just in case this one fails, but that
-# won't work if we had to change the initscripts or other stuff in /etc.
+# Attempt to auto-update regardless of unattended-updates, otherwise we end up
+# with installs running very outdated software (well over an year old).  We
+# do restrict ourselves to just the core SIMET packages, and any dependencies
+# that have versioned requirements.
 test -f /opt/simet/bin/simet_register_ma.sh && {
-	RES=$(apt-config shell APTUPD1 APT::Periodic::Update-Package-Lists) && eval $RES
-	RES=$(apt-config shell APTUPD2 APT::Periodic::Unattended-Upgrade) && eval $RES
-	[ -z "$APTUPD1" ] && APTUPD1=1
-	[ -z "$APTUPD2" ] && APTUPD2=1
-	[ $APTUPD1 -ne 0 ] && [ $APTUPD2 -ne 0 ] && {
-		# Sleep for a random time before we do this, at least 1h
-		# some code from cron-apt, thanks!
-		if [ -z "$RANDOM" ] ; then
-			RANDOM=$(( $(dd if=/dev/urandom bs=2 count=1 2> /dev/null | cksum | cut -d' ' -f1) % 32767 ))
-		fi
-		TIME=$(($RANDOM % 3600 + 3600))
-		sleep $TIME
-		apt-get update -qq || true
-		UCF_FORCE_CONFFNEW=1 DEBIAN_FRONTEND=noninteractive \
-		    apt-get install -qq --install-recommends -y \
-			-o Dpkg::Options::=--force-confmiss -o Dpkg::Options::=--force-confnew \
-			$SIMET_PACKAGES
-	}
+	# Sleep for a random time before we do this, at least 1h
+	# some code from cron-apt, thanks!
+	# shellcheck disable=SC2039
+	if [ -z "$RANDOM" ] ; then
+		RANDOM=$(( $(dd if=/dev/urandom bs=4 count=1 2> /dev/null | cksum | cut -d' ' -f1) % 32767 )) || RANDOM=1
+	fi
+	# shellcheck disable=SC2039
+	TIME=$((RANDOM % 3600 + 3600)) || TIME=1
+	sleep $TIME || :
+	# update package lists
+	apt-get update -qq || true
+	# self-heal anything can be self-healed by apt
+	DEBIAN_FRONTEND=noninteractive apt-get -f install --reinstall -qq -y || true
+	# shellcheck disable=SC2086
+	UCF_FORCE_CONFFNEW=1 DEBIAN_FRONTEND=noninteractive \
+	    apt-get install -qq --install-recommends -y \
+		-o Dpkg::Options::=--force-confmiss -o Dpkg::Options::=--force-confnew \
+		$SIMET_PACKAGES
 }
 :