change the unattended-upgrades policy to delegate to apt_preferences
in #40758 (closed), we need to tell unattended-upgrades to upgrade tor and tor-geoipdb to follow bullseye-backports.
but the `Unattended-Upgrade::Origins-Pattern` setting we have forbids this explicitly. we don't necessarily want to allow upgrades from backports on all hosts, so a solution might be to make that setting customizable in the class. but then we need to remember to add that setting in Hiera, which is error-prone.
the solution i'm thinking of is, instead, to stop pretending the origins-pattern can save our backs, and embrace apt pinning. this involves setting `Unattended-Upgrade::Origins-Pattern` to `*` to allow any origin to upgrade packages in u-u. this doesn't actually mean it will upgrade everything to whatever: u-u still respects apt pinning. this policy is actually described in the u-u README file:
> If you already configure what to install via apt pinning, you can simply use "origin=*", e.g.:
>
>     Unattended-Upgrade::Origins-Pattern { "origin=*"; };
also, relying on an unattended-upgrades-specific hack to keep some upgrades from going through can backfire when we run `apt upgrade` manually, for example. furthermore, we don't want to have to remember to specify those hacks in two places. an example of this problem is @lavamind's attempt at pinning onionbalance to bullseye-backports in Puppet:
commit 502e855a066230e0b02a4ff9fc040cf709dfa65f
Author: Jérôme Charaoui <jerome@riseup.net>
AuthorDate: Tue May 24 09:03:08 2022 -0400
add onionbalance pin for bullseye-backports
---
modules/onion/manifests/balancev3.pp | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/modules/onion/manifests/balancev3.pp b/modules/onion/manifests/balancev3.pp
index 0f56478f..dc38a801 100644
--- a/modules/onion/manifests/balancev3.pp
+++ b/modules/onion/manifests/balancev3.pp
@@ -7,6 +7,19 @@ class onion::balancev3(
package { 'onionbalance':
ensure => installed,
}
+
+ apt::pin { 'onionbalance':
+ ensure => $facts['os']['release']['major'] == '11' ? {
+ true => 'present',
+ false => 'absent',
+ },
+ explanation => 'version >= 2.2 is needed',
+ packages => ['onionbalance'],
+ priority => 500,
+ codename => 'bullseye-backports',
+ notify => Package['onionbalance'],
+ }
+
service { 'onionbalance':
ensure => running,
require => Package['onionbalance'],
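Review bot: the `notify => Package['onionbalance']` on the new `apt::pin` will not trigger the upgrade to the backports version, because a `package` resource with `ensure => installed` does nothing on refresh (it only reinstalls when `reinstall_on_refresh` is set), so after the pin lands the actual upgrade is left to apt, and as the ticket notes unattended-upgrades skips it while `bullseye-backports` is outside its Origins-Pattern; either switch to `ensure => latest` under the same major-release condition or document that a manual apt run is expected to do the first upgrade. Also note that `explanation => 'version >= 2.2 is needed'` describes a version constraint but the pin is by `codename`, so every later backports upload will be pulled in too; that is probably intended, but the explanation should say so.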
that looks alright, but actually doesn't work: unattended-upgrades will not upgrade this package because while it respects pins, the origin is not in the allowed list, so it will skip it.
i have a similar problem on polyanthum right now, and we had to install hacks for grafana and gitlab for those upgrades to automatically go through.
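to make concrete both the README claim above (u-u with `origin=*` still respects apt pinning) and why @lavamind's pin alone did nothing, here is an added example that is not part of this ticket, of apt or of unattended-upgrades: a small Python model of apt's candidate selection under pins (highest priority wins, ties broken by highest version, backports default to priority 100 because of NotAutomatic/ButAutomaticUpgrades) and of the Origins-Pattern filter u-u applies on top of it. package names, versions and patterns are constructed, and the version comparison is a simplification of dpkg's.

```python
"""Simplified model of apt candidate selection under apt_preferences pins,
followed by the unattended-upgrades (u-u) Origins-Pattern filter.  Added
illustration, not apt's or u-u's real code; sample data is constructed."""
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PkgVersion:
    package: str
    version: str
    origin: str            # archive "Origin:" field, e.g. "Debian"
    codename: str          # archive "Codename:" field, e.g. "bullseye-backports"
    default_priority: int  # 500 for a regular suite; 100 for backports
                           # (NotAutomatic: yes, ButAutomaticUpgrades: yes)


@dataclass(frozen=True)
class Pin:
    """One /etc/apt/preferences.d stanza: Package, Pin: release n=<codename>, Pin-Priority."""
    packages: Tuple[str, ...]
    codename: str
    priority: int


def version_key(v: str) -> Tuple[int, ...]:
    # Constructed simplification of Debian version ordering: compare the
    # numeric runs left to right.  Enough for the sample versions below.
    return tuple(int(n) for n in re.findall(r"\d+", v))


def priority(pv: PkgVersion, pins: List[Pin]) -> int:
    """A matching pin replaces the archive's default priority."""
    matching = [p.priority for p in pins
                if pv.package in p.packages and p.codename == pv.codename]
    return max(matching) if matching else pv.default_priority


def apt_candidate(installed: PkgVersion, available: List[PkgVersion],
                  pins: List[Pin]) -> PkgVersion:
    """Highest priority wins, ties go to the highest version; a version older
    than the installed one is only a candidate at priority >= 1000."""
    allowed = [pv for pv in available
               if priority(pv, pins) >= 1000
               or version_key(pv.version) >= version_key(installed.version)]
    if installed not in allowed:
        allowed.append(installed)
    return max(allowed, key=lambda pv: (priority(pv, pins), version_key(pv.version)))


def uu_origin_allowed(pv: PkgVersion, patterns: List[str]) -> bool:
    """Unattended-Upgrade::Origins-Pattern: each pattern is a comma-separated
    list of key=value pairs that must all match (fnmatch-style wildcards)."""
    fields = {"origin": pv.origin, "codename": pv.codename}
    for pattern in patterns:
        pairs = dict(item.split("=", 1) for item in pattern.split(","))
        if all(fnmatch.fnmatch(fields.get(k, ""), v) for k, v in pairs.items()):
            return True
    return False


def uu_upgrade(installed: PkgVersion, available: List[PkgVersion],
               pins: List[Pin], patterns: List[str]) -> Optional[str]:
    """Version u-u would install, or None when apt picks nothing newer or the
    candidate's origin is not allowed by the patterns."""
    cand = apt_candidate(installed, available, pins)
    if cand.version == installed.version:
        return None
    return cand.version if uu_origin_allowed(cand, patterns) else None


# Constructed sample archive state (versions are illustrative only).
STABLE_TOR = PkgVersion("tor", "0.4.5.10-1~deb11u1", "Debian", "bullseye", 500)
BPO_TOR = PkgVersion("tor", "0.4.7.8-1~bpo11+1", "Debian", "bullseye-backports", 100)
TOR_VERSIONS = [STABLE_TOR, BPO_TOR]
STABLE_NGINX = PkgVersion("nginx", "1.18.0-6.1", "Debian", "bullseye", 500)
BPO_NGINX = PkgVersion("nginx", "1.22.1-1~bpo11+1", "Debian", "bullseye-backports", 100)
NGINX_VERSIONS = [STABLE_NGINX, BPO_NGINX]

# The pin from the ticket, expressed as an apt_preferences stanza.
TOR_PIN = Pin(("tor", "tor-geoipdb"), "bullseye-backports", 500)
# A restrictive Origins-Pattern versus full delegation to pinning.
STRICT_ORIGINS = ["origin=Debian,codename=bullseye",
                  "origin=Debian,codename=bullseye-security"]
DELEGATE_ALL = ["origin=*"]

if __name__ == "__main__":
    print("no pin, origin=*       :", uu_upgrade(STABLE_TOR, TOR_VERSIONS, [], DELEGATE_ALL))
    print("pin, strict origins    :", uu_upgrade(STABLE_TOR, TOR_VERSIONS, [TOR_PIN], STRICT_ORIGINS))
    print("pin, origin=*          :", uu_upgrade(STABLE_TOR, TOR_VERSIONS, [TOR_PIN], DELEGATE_ALL))
    print("unpinned pkg, origin=* :", uu_upgrade(STABLE_NGINX, NGINX_VERSIONS, [TOR_PIN], DELEGATE_ALL))
```

the second scenario is the onionbalance situation: the pin makes the backports build apt's candidate, but the strict Origins-Pattern rejects its codename, so u-u leaves the package alone. the last scenario shows that `origin=*` on its own does not drag unpinned packages onto backports, since their backports versions stay at priority 100.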
@lavamind suggested an alternative solution to this, which was to add a package-specific cron job with a special `Unattended-Upgrade::Origins-Pattern` to upgrade just that package, alongside pinning, held together by a puppet define glue. i have these objections to this:
- we are likely to forget to put the glue on, which will mean out of date packages
- it's possible those u-u jobs will run in parallel which could, at best, lead to one of the jobs failing
- the apt code is already an ugly mess in puppet, and i don't want to add more glue
So i'm going to go through with those steps:

- run puppet everywhere
- lock puppet everywhere to keep it from re-starting the timer
- disable the unattended-upgrades timer (`systemctl stop apt-daily.timer`) to keep u-u from running automatically
- run unattended-upgrades everywhere to make sure everything is up to date already
- push the patch to enable `Unattended-Upgrade::Origins-Pattern=*`
- re-enable puppet
- enable, run puppet, disable, everywhere
- run unattended-upgrades in noop mode everywhere to make sure there is no change (`unattended-upgrades --dry-run -v`)
- if there is an unwanted change, add it to pinning or the unattended-upgrades block list, go back to the previous step (no unwanted change, did a pretty good audit)
- run unattended-upgrades in wet mode everywhere to make sure there is no change
- re-enable the timer