Don't enable apt-daily services, just the timers

By enabling the services, it means it runs every time the machine boots, defeating the point of the timer. Similarly, starting the service/timer means that it starts running while the playbook is still going, which might also explain the dpkg lock contention (#7258). Ansible will now just ensure the units are unmasked and the securedrop-config postinst will disable the services if enabled. Fixes #7298
freedomofpress · Nov 19, 2024 · 41f7496 · 41f7496
1 parent 4c9062b
commit 41f7496
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 13 deletions.
diff --git a/install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml b/install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml
@@ -20,11 +20,9 @@
   # Ensure daemon-reload has happened before starting/enabling
 - meta: flush_handlers
 
-- name: Ensure apt-daily and apt-daily-upgrade services are unmasked, started and enabled.
+- name: Ensure apt-daily and apt-daily-upgrade services are unmasked
   systemd:
     name: "{{ item }}"
-    state: started
-    enabled: yes
     masked: no
   with_items:
     - 'apt-daily'
@@ -33,10 +31,9 @@
     - apt
     - unattended-upgrades
 
-- name: Ensure apt-daily and apt-daily-upgrade timers are started, and enabled.
+- name: Ensure apt-daily and apt-daily-upgrade timers are enabled.
   systemd:
     name: "{{ item }}"
-    state: started
     enabled: yes
   with_items:
     - 'apt-daily.timer'

diff --git a/molecule/testinfra/common/test_automatic_updates.py b/molecule/testinfra/common/test_automatic_updates.py
@@ -162,25 +162,37 @@ def test_unattended_upgrades_functional(host):
 
 
 @pytest.mark.parametrize(
-    "service",
+    "timer",
     [
-        "apt-daily",
         "apt-daily.timer",
-        "apt-daily-upgrade",
         "apt-daily-upgrade.timer",
     ],
 )
-def test_apt_daily_services_and_timers_enabled(host, service):
+def test_apt_daily_timers_enabled(host, timer):
     """
-    Ensure the services and timers used for unattended upgrades are enabled
-    in Ubuntu 20.04 Focal.
+    Ensure the timers used for unattended upgrades are enabled
     """
     with host.sudo():
-        # The services are started only when the upgrades are being performed.
-        s = host.service(service)
+        s = host.service(timer)
         assert s.is_enabled
 
 
+@pytest.mark.parametrize(
+    "service",
+    [
+        "apt-daily.service",
+        "apt-daily-upgrade.service",
+    ],
+)
+def test_apt_daily_services_disabled(host, service):
+    """
+    Ensure the services used for unattended upgrades are disabled
+    """
+    with host.sudo():
+        s = host.service(service)
+        assert not s.is_enabled
+
+
 def test_apt_daily_timer_schedule(host):
     """
     Timer for running apt-daily, i.e. 'apt-get update', should be OFFSET_UPDATE hrs

diff --git a/securedrop/debian/securedrop-config.postinst b/securedrop/debian/securedrop-config.postinst
@@ -26,6 +26,9 @@ case "$1" in
     systemctl is-enabled fwupd-refresh.timer && systemctl disable fwupd-refresh.timer
     # And disable Ubuntu Pro's ua-timer and esm-cache (#6773)
     systemctl is-enabled ua-timer.timer && systemctl disable ua-timer.timer
+    # Disable the apt-daily services but not the timers (#7298)
+    systemctl is-enabled apt-daily.service && systemctl disable apt-daily.service
+    systemctl is-enabled apt-daily-upgrade.service && systemctl disable apt-daily-upgrade.service
     systemctl mask esm-cache
     # Migrate the ssh group to sdssh
     securedrop-migrate-ssh-group.py