From f285029e4943a9112d8a24cfa2eb450d3e19a859 Mon Sep 17 00:00:00 2001 From: Henrique de Moraes Holschuh Date: Tue, 13 Jun 2023 10:48:26 -0300 Subject: [PATCH] [MDC-720] deb: be far more assertive about automated updates Ignore the local administrator settings re. unattended upgrades and have the cron.weekly script enforce an apt-get install of the SIMET packages. This forces their upgrade if they are outdated. There is a guard that ensures it is only done if the main package is not in a removed state. We've seen way too many systems where just depending on unattended- upgrades is *not* enough: they just won't update. Likely, these systems already had unattended-upgrades installed, but disabled. Note that we cannot just force-enable unattended-upgrades, as it updates the whole system and not just our packages. While at it, add an "apt-get -f install" run when things fail, to hopefully fix pending brokenness and give an eventual next attempt a chance to work. The cron script guards require that /opt/simet/bin/simet_register_ma.sh exist. If we move or rename that script, the guards need to be updated to match otherwise it would disable the cron scripts. Add a self-test to Debian rules that will abort the package build if we screw that up. (cherry picked from commit bfd93999809521be93bb09adef8c3e5d26ab343b) --- debian/rules | 8 +++++++ debian/simet-ma.cron.weekly | 45 +++++++++++++++++++------------------ 2 files changed, 31 insertions(+), 22 deletions(-) diff --git a/debian/rules b/debian/rules index 748ca2e7..80cf85f2 100755 --- a/debian/rules +++ b/debian/rules 
@@ -17,6 +17,12 @@ export DEB_CFLAGS_MAINT_APPEND := -Wall -pipe # package maintainers to append LDFLAGS #export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed + +# One must update all cron scripts *and* debian/rules should this file +# get moved/renamed. It is used as a guard to detect package is in +# installed, and not removed or purged state. +SIMET_ENSURE_FILE_EXISTS=/opt/simet/bin/simet_register_ma.sh + %: dh $@ @@ -57,6 +63,8 @@ override_dh_auto_test: # ensure we always get the same behavior from dh_auto_install override_dh_auto_install: dh_auto_install --destdir=debian/tmp + [ -f "debian/tmp/$(SIMET_ENSURE_FILE_EXISTS)" ] || \ + { printf '\n\n%s\n\n' "ERROR: fix source and packaging, $(SIMET_ENSURE_FILE_EXISTS) was moved or renamed?" ; exit 99 ; } override_dh_install: CODENAME=$$( lsb_release -sc ) && DISTRO=$$( lsb_release -si | tr A-Z a-z ) && \ diff --git a/debian/simet-ma.cron.weekly b/debian/simet-ma.cron.weekly index 86b8e743..cc5b52ac 100644 --- a/debian/simet-ma.cron.weekly +++ b/debian/simet-ma.cron.weekly 
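Review bot: The self-test added to `override_dh_auto_install` only proves that the file named by `SIMET_ENSURE_FILE_EXISTS` lands under `debian/tmp`; it does not check that the cron guard still tests the same path, which `debian/simet-ma.cron.weekly` hard-codes in its `test -f` line. If the script is moved and only the variable is updated, the build passes while the weekly job silently stops updating, which is the outdated-install failure this commit sets out to prevent. A second recipe line would close the gap: `grep -qF -- "test -f $(SIMET_ENSURE_FILE_EXISTS)" debian/simet-ma.cron.weekly || { echo "ERROR: cron guard path out of sync with debian/rules" >&2 ; exit 99 ; }`. The commit message mentions several cron scripts, so any others that carry the guard would presumably need the same check. The existing `printf` error would also be easier to spot in build logs if it were sent to stderr with `>&2`.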
@@ -1,33 +1,34 @@ #!/bin/sh # simet-ma.cron.weekly - weekly maintenance for the SIMET Measurement Agent -# Copyright (c) 2018,2019 NIC.br +# Copyright (c) 2018-2023 NIC.br # # Distributed under the GPLv3+ license with additional terms and permissions # Refer to the COPYING file on the program source for details SIMET_PACKAGES="simet-ma simet-lmapd" -# Attempt to auto-update if unattended-upgrades are not explicitly disabled. -# We also configure unattended-upgrades just in case this one fails, but that -# won't work if we had to change the initscripts or other stuff in /etc. +# Attempt to auto-update regardless of unattended-updates, otherwise we end up +# with installs running very outdated software (well over an year old). We +# do restrict ourselves to just the core SIMET packages, and any dependencies +# that have versioned requirements. test -f /opt/simet/bin/simet_register_ma.sh && { - RES=$(apt-config shell APTUPD1 APT::Periodic::Update-Package-Lists) && eval $RES - RES=$(apt-config shell APTUPD2 APT::Periodic::Unattended-Upgrade) && eval $RES - [ -z "$APTUPD1" ] && APTUPD1=1 - [ -z "$APTUPD2" ] && APTUPD2=1 - [ $APTUPD1 -ne 0 ] && [ $APTUPD2 -ne 0 ] && { - # Sleep for a random time before we do this, at least 1h - # some code from cron-apt, thanks! - if [ -z "$RANDOM" ] ; then - RANDOM=$(( $(dd if=/dev/urandom bs=2 count=1 2> /dev/null | cksum | cut -d' ' -f1) % 32767 )) - fi - TIME=$(($RANDOM % 3600 + 3600)) - sleep $TIME - apt-get update -qq || true - UCF_FORCE_CONFFNEW=1 DEBIAN_FRONTEND=noninteractive \ - apt-get install -qq --install-recommends -y \ - -o Dpkg::Options::=--force-confmiss -o Dpkg::Options::=--force-confnew \ - $SIMET_PACKAGES - } + # Sleep for a random time before we do this, at least 1h + # some code from cron-apt, thanks! 
+ # shellcheck disable=SC2039 + if [ -z "$RANDOM" ] ; then + RANDOM=$(( $(dd if=/dev/urandom bs=4 count=1 2> /dev/null | cksum | cut -d' ' -f1) % 32767 )) || RANDOM=1 + fi + # shellcheck disable=SC2039 + TIME=$((RANDOM % 3600 + 3600)) || TIME=1 + sleep $TIME || : + # update package lists + apt-get update -qq || true + # self-heal anything can be self-healed by apt + DEBIAN_FRONTEND=noninteractive apt-get -f install --reinstall -qq -y || true + # shellcheck disable=SC2086 + UCF_FORCE_CONFFNEW=1 DEBIAN_FRONTEND=noninteractive \ + apt-get install -qq --install-recommends -y \ + -o Dpkg::Options::=--force-confmiss -o Dpkg::Options::=--force-confnew \ + $SIMET_PACKAGES } :
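Review bot: The new `apt-get -f install --reinstall -qq -y` line takes no package names, so it is not limited to the SIMET packages: it resolves whatever broken state the host is in and, with `-y`, may install or remove unrelated packages as root without any prompt. That is wider than the header comment's promise to "restrict ourselves to just the core SIMET packages", and the commit message describes the repair as a step for when things fail, whereas here it runs every week before the targeted install. Consider trying the targeted install first and falling back to the repair only on failure, with `--no-remove` so apt aborts instead of deleting packages; `--reinstall` has nothing to act on without package names and can be dropped. Because the repair ends in `|| true` and the script ends in `:`, a failed upgrade is also silent to cron, so a `logger -t simet-ma` line on the failure path would give operators something to alert on.

```shell
    # … unchanged: random sleep, apt-get update …
    simet_apt_install() {
        # shellcheck disable=SC2086
        UCF_FORCE_CONFFNEW=1 DEBIAN_FRONTEND=noninteractive \
            apt-get install -qq --install-recommends -y \
            -o Dpkg::Options::=--force-confmiss -o Dpkg::Options::=--force-confnew \
            $SIMET_PACKAGES
    }
    simet_apt_install || {
        # repair only after a failed attempt; --no-remove makes apt abort
        # rather than delete unrelated packages to resolve the breakage
        DEBIAN_FRONTEND=noninteractive apt-get -f install --no-remove -qq -y || true
        simet_apt_install || logger -t simet-ma "weekly forced upgrade failed"
    }
```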