Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

We shouldn't enable apt-daily service units #7298

Open
legoktm opened this issue Oct 29, 2024 · 1 comment · May be fixed by #7299
Open

We shouldn't enable apt-daily service units #7298

legoktm opened this issue Oct 29, 2024 · 1 comment · May be fixed by #7299
Assignees
@legoktm

Comments

@legoktm
Copy link
Member

legoktm commented Oct 29, 2024

Description

In the ansible playbook:

- name: Ensure apt-daily and apt-daily-upgrade services are unmasked, started and enabled.
  systemd:
    name: "{{ item }}"
    state: started
    enabled: yes
    masked: no
  with_items:
    - 'apt-daily'
    - 'apt-daily-upgrade'
  tags:
    - apt
    - unattended-upgrades

- name: Ensure apt-daily and apt-daily-upgrade timers are started, and enabled.
  systemd:
    name: "{{ item }}"
    state: started
    enabled: yes
  with_items:
    - 'apt-daily.timer'
    - 'apt-daily-upgrade.timer'
  tags:
    - apt
    - unattended-upgrades

We should only be starting/enabling the timers not the services themselves.

I noticed this while trying to figure out why ./securedrop-admin install kept reporting things as changing (the service needed to be started), even though I had just run it seconds before.
@legoktm legoktm self-assigned this Oct 29, 2024
legoktm added a commit that referenced this issue Oct 29, 2024
@legoktm
Don't enable apt-daily services, just the timers
64eab75 
By enabling the services, it means it runs every time the machine boots,
defeating the point of the timer.

Similarly, starting the service means that it starts running while the
playbook is still going, which might also explain the dpkg lock
contention (#7258).

Ansible will now just ensure the units are unmasked and the
securedrop-config postinst will disable the services if enabled.

Fixes #7298
@legoktm legoktm linked a pull request Oct 29, 2024 that will close this issue
Open
3 tasks
legoktm added a commit that referenced this issue Oct 29, 2024
@legoktm
Don't enable apt-daily services, just the timers
ff00081 
By enabling the services, it means it runs every time the machine boots,
defeating the point of the timer.

Similarly, starting the service/timer means that it starts running while
the playbook is still going, which might also explain the dpkg lock
contention (#7258).

Ansible will now just ensure the units are unmasked and the
securedrop-config postinst will disable the services if enabled.

Fixes #7298
legoktm added a commit that referenced this issue Nov 19, 2024
@legoktm
Don't enable apt-daily services, just the timers
41f7496 
By enabling the services, it means it runs every time the machine boots,
defeating the point of the timer.

Similarly, starting the service/timer means that it starts running while
the playbook is still going, which might also explain the dpkg lock
contention (#7258).

Ansible will now just ensure the units are unmasked and the
securedrop-config postinst will disable the services if enabled.

Fixes #7298
legoktm added a commit that referenced this issue Nov 23, 2024
@legoktm
Don't enable apt-daily services, just the timers
b2d6ebe 
By enabling the services, it means it runs every time the machine boots,
defeating the point of the timer.

Similarly, starting the service/timer means that it starts running while
the playbook is still going, which might also explain the dpkg lock
contention (#7258).

Ansible will now just ensure the units are unmasked and the
securedrop-config postinst will disable the services if enabled.

Fixes #7298
@legoktm
Copy link
Member Author

legoktm commented Nov 23, 2024

Some more context at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844453

legoktm added a commit that referenced this issue Nov 23, 2024
@legoktm
Don't enable apt-daily services, just the timers
3730228 
By enabling the services, it means it runs every time the machine boots,
defeating the point of the timer.

Similarly, starting the service/timer means that it starts running while
the playbook is still going, which might also explain the dpkg lock
contention (#7258).

Ansible will now just ensure the units are unmasked and the
securedrop-config postinst will disable the services if enabled.

Fixes #7298
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@legoktm legoktm

Labels
None yet
Projects
SecureDrop dev cycle
Status: No status
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Don't enable apt-daily services, just the timers freedomofpress/securedrop
1 participant
@legoktm