Don't enable apt-daily services, just the timers
By enabling the services, it means it runs every time the machine boots,
defeating the point of the timer.

Similarly, starting the service/timer means that it starts running while
the playbook is still going, which might also explain the dpkg lock
contention (#7258).

Ansible will now just ensure the units are unmasked and the
securedrop-config postinst will disable the services if enabled.

Fixes #7298
legoktm committed Nov 23, 2024
1 parent 21ee737 commit b2d6ebe
Showing 3 changed files with 27 additions and 13 deletions.
Expand Up @@ -20,11 +20,11 @@
# Ensure daemon-reload has happened before starting/enabling
- meta: flush_handlers

- name: Ensure apt-daily and apt-daily-upgrade services are unmasked, started and enabled.
- name: Ensure apt-daily and apt-daily-upgrade services are unmasked
systemd:
name: "{{ item }}"
state: started
enabled: yes
# We disable the service unit and enable the timer
enabled: no
masked: no
with_items:
- 'apt-daily'
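Review bot: The `with_items` entry `'apt-daily'` on this task carries no unit suffix, while the postinst and the new tests in this commit name `apt-daily.service` explicitly and the timer task uses `apt-daily.timer`. Spelling out `.service` here would make it obvious which units get `enabled: no`. The task name also says only "unmasked" although the task now disables the units as well; "are unmasked and disabled" would match what it does.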
Expand All @@ -33,10 +33,9 @@
- apt
- unattended-upgrades

- name: Ensure apt-daily and apt-daily-upgrade timers are started, and enabled.
- name: Ensure apt-daily and apt-daily-upgrade timers are enabled.
systemd:
name: "{{ item }}"
state: started
enabled: yes
with_items:
- 'apt-daily.timer'
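Review bot: With `state: started` dropped from the timer task, nothing in this hunk makes the timers active on a host where they are enabled but not currently running; they would only begin scheduling after the next boot. If the playbook relies on a later reboot for that, a short comment on this task saying so (like the "# We disable the service unit and enable the timer" comment on the service task) would help the next reader.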
28 changes: 20 additions & 8 deletions molecule/testinfra/common/test_automatic_updates.py
Expand Up @@ -163,25 +163,37 @@ def test_unattended_upgrades_functional(host):


@pytest.mark.parametrize(
"service",
"timer",
[
"apt-daily",
"apt-daily.timer",
"apt-daily-upgrade",
"apt-daily-upgrade.timer",
],
)
def test_apt_daily_services_and_timers_enabled(host, service):
def test_apt_daily_timers_enabled(host, timer):
"""
Ensure the services and timers used for unattended upgrades are enabled
in Ubuntu 20.04 Focal.
Ensure the timers used for unattended upgrades are enabled
"""
with host.sudo():
# The services are started only when the upgrades are being performed.
s = host.service(service)
s = host.service(timer)
assert s.is_enabled


@pytest.mark.parametrize(
"service",
[
"apt-daily.service",
"apt-daily-upgrade.service",
],
)
def test_apt_daily_services_disabled(host, service):
"""
Ensure the services used for unattended upgrades are disabled
"""
with host.sudo():
s = host.service(service)
assert not s.is_enabled


def test_apt_daily_timer_schedule(host):
"""
Timer for running apt-daily, i.e. 'apt-get update', should be OFFSET_UPDATE hrs
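Review bot: In `test_apt_daily_services_disabled`, `assert not s.is_enabled` checks only one half of what the Ansible task sets; the `masked: no` half is untested, and a masked unit could satisfy this assertion as well. Adding an explicit not-masked assertion next to it would cover that. The removed comment "# The services are started only when the upgrades are being performed." was the only line explaining why no running-state assertion exists, so consider keeping it on the new services test.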
3 changes: 3 additions & 0 deletions securedrop/debian/securedrop-config.postinst
Expand Up @@ -28,6 +28,9 @@ case "$1" in
# And disable Ubuntu Pro's ua-timer and esm-cache (#6773)
systemctl is-enabled ua-timer.timer && systemctl disable ua-timer.timer
systemctl mask esm-cache
# Disable the apt-daily services but not the timers (#7298)
systemctl is-enabled apt-daily.service && systemctl disable apt-daily.service
systemctl is-enabled apt-daily-upgrade.service && systemctl disable apt-daily-upgrade.service
# Migrate the ssh group to sdssh
securedrop-migrate-ssh-group.py

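Review bot: On the two new `systemctl is-enabled ... && systemctl disable ...` lines, `is-enabled` prints the unit state to stdout on every configure run; `systemctl is-enabled --quiet apt-daily.service && ...` would keep the postinst output clean (the same applies to the existing `ua-timer.timer` line they follow). If `disable` without `--now` is deliberate, so that an apt run already in progress is not stopped, say so in the "(#7298)" comment.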