From 41f749697834491da2978dae6f0f765645fc55bf Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Tue, 29 Oct 2024 12:21:47 -0400
Subject: [PATCH] Don't enable apt-daily services, just the timers

By enabling the services, it means it runs every time the machine boots, defeating the point of the timer. Similarly, starting the service/timer means that it starts running while the playbook is still going, which might also explain the dpkg lock contention (#7258). Ansible will now just ensure the units are unmasked and the securedrop-config postinst will disable the services if enabled. Fixes #7298
---
 .../common/tasks/unattended_upgrades.yml | 7 ++---
 .../common/test_automatic_updates.py | 28 +++++++++++++------
 securedrop/debian/securedrop-config.postinst | 3 ++
 3 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml b/install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml
index c9aaff5e36..f34987007f 100644
--- a/install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml
+++ b/install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml
@@ -20,11 +20,9 @@
 # Ensure daemon-reload has happened before starting/enabling
 - meta: flush_handlers
-- name: Ensure apt-daily and apt-daily-upgrade services are unmasked, started and enabled.
+- name: Ensure apt-daily and apt-daily-upgrade services are unmasked
 systemd:
 name: "{{ item }}"
- state: started
- enabled: yes
 masked: no
 with_items:
 - 'apt-daily'
@@ -33,10 +31,9 @@
 - apt
 - unattended-upgrades
-- name: Ensure apt-daily and apt-daily-upgrade timers are started, and enabled.
+- name: Ensure apt-daily and apt-daily-upgrade timers are enabled.
 systemd:
 name: "{{ item }}"
- state: started
 enabled: yes
 with_items:
 - 'apt-daily.timer'
diff --git a/molecule/testinfra/common/test_automatic_updates.py b/molecule/testinfra/common/test_automatic_updates.py
index 904e32d03f..1891819897 100644
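Review bot: Dropping `state: started` from the timer task leaves apt-daily.timer and apt-daily-upgrade.timer enabled but not active on a freshly provisioned host, so unattended upgrades will not fire until something activates the timers, presumably the next reboot; whether this playbook ends with a reboot is not visible here. If that delay is the intended fix for the lock contention, the task name should say so, e.g. `- name: Ensure apt-daily and apt-daily-upgrade timers are enabled (they become active on the next boot).`; otherwise a handler that starts the two timers once the apt-related tasks have finished would restore the previous security posture without racing the playbook. The context comment `# Ensure daemon-reload has happened before starting/enabling` in the first hunk now only applies to enabling and could be trimmed to match.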
--- a/molecule/testinfra/common/test_automatic_updates.py
+++ b/molecule/testinfra/common/test_automatic_updates.py
@@ -162,25 +162,37 @@ def test_unattended_upgrades_functional(host):
 @pytest.mark.parametrize(
- "service",
+ "timer",
 [
- "apt-daily",
 "apt-daily.timer",
- "apt-daily-upgrade",
 "apt-daily-upgrade.timer",
 ],
 )
-def test_apt_daily_services_and_timers_enabled(host, service):
+def test_apt_daily_timers_enabled(host, timer):
 """
- Ensure the services and timers used for unattended upgrades are enabled
- in Ubuntu 20.04 Focal.
+ Ensure the timers used for unattended upgrades are enabled
 """
 with host.sudo():
- # The services are started only when the upgrades are being performed.
- s = host.service(service)
+ s = host.service(timer)
 assert s.is_enabled
+@pytest.mark.parametrize(
+ "service",
+ [
+ "apt-daily.service",
+ "apt-daily-upgrade.service",
+ ],
+)
+def test_apt_daily_services_disabled(host, service):
+ """
+ Ensure the services used for unattended upgrades are disabled
+ """
+ with host.sudo():
+ s = host.service(service)
+ assert not s.is_enabled
+
+
 def test_apt_daily_timer_schedule(host):
 """
 Timer for running apt-daily, i.e. 'apt-get update', should be OFFSET_UPDATE hrs
diff --git a/securedrop/debian/securedrop-config.postinst b/securedrop/debian/securedrop-config.postinst
index 96f5f4433a..11370db2a6 100755
--- a/securedrop/debian/securedrop-config.postinst
+++ b/securedrop/debian/securedrop-config.postinst
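Review bot: `assert not s.is_enabled` in the new test_apt_daily_services_disabled depends on how testinfra turns `systemctl is-enabled` into a boolean; as far as I recall it reports True whenever systemctl exits 0, and systemctl exits 0 for `static`, `indirect` and `alias` units as well as `enabled`, so if apt-daily.service ships without an [Install] section on the target image this test fails even though the postinst change has done its job. Pinning the printed state is more robust and documents what "disabled" means here, e.g. `state = host.run("systemctl is-enabled " + service).stdout.strip()` followed by `assert state in ("disabled", "static")`, after confirming the unit's actual state on the supported release. Minor style point: the rewritten docstring `Ensure the timers used for unattended upgrades are enabled` and the new one drop the trailing period the original docstring had. test_apt_daily_timer_schedule continues past the end of the hunk.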
@@ -26,6 +26,9 @@ case "$1" in
 systemctl is-enabled fwupd-refresh.timer && systemctl disable fwupd-refresh.timer
 # And disable Ubuntu Pro's ua-timer and esm-cache (#6773)
 systemctl is-enabled ua-timer.timer && systemctl disable ua-timer.timer
+ # Disable the apt-daily services but not the timers (#7298)
+ systemctl is-enabled apt-daily.service && systemctl disable apt-daily.service
+ systemctl is-enabled apt-daily-upgrade.service && systemctl disable apt-daily-upgrade.service
 systemctl mask esm-cache
 # Migrate the ssh group to sdssh
 securedrop-migrate-ssh-group.py
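Review bot: The two added guards key on the exit status of `systemctl is-enabled`, which is 0 not only for `enabled` but also for `static`, `indirect`, `alias` and `generated` units, so `systemctl disable` is run for those states too; for a unit with no [Install] section (which I believe is how apt-daily.service is packaged, worth verifying) that is a no-op that prints a warning on every configure rather than a real state change. This matches the existing fwupd-refresh.timer and ua-timer.timer lines, so it is consistent, but if the intent is strictly "disable only when enabled" compare the printed state instead: `[ "$(systemctl is-enabled apt-daily.service 2>/dev/null)" = enabled ] && systemctl disable apt-daily.service`, and likewise for apt-daily-upgrade.service. Note also that `disable` does not stop an instance that is already running, which matters if the goal is to keep apt out of the dpkg lock while the package is being configured; the commit message's reasoning would be clearer as a comment here than the current one-liner. The enclosing `case "$1" in` block starts and ends outside the hunk.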