Makes unattended-upgrades sequencing more similar to cron-apt

[conorsch]

Status

Ready for review

Description of Changes

Fixes #5851. Fixes #5849.

Builds on the great work in #5852 & #5853.

• Overrides the systemd "timer" declarations for apt update & apt upgrade.
• Modifies the unattended-upgrades desired reboot time to be "now", i.e. as soon as the upgrade is finished
• Makes timing of upgrade and reboots handled via Ansible
• Updates test logic to use apt-config, to avoid problems like Focal: force confold and force confdef in apt options for unattended-upgrades #5852 in the future

Testing

1. Configure a local staging environment on this branch, including using latest debs built from here.
2. To observe unattended-upgrades in action, pick a new time for daily_reboot_time 1-2h in the future. Re-run the config of just those files to apply, like so: molecule converge -s qubes-staging-focal -- --tags ua -e daily_reboot_time=15
3. Make sure to apt-mark unhold securedrop-app-code, or even apt-mark showhold | xargs -r sudo apt-mark unhold so that ua can make changes. Also run rm -f /var/lib/apt/periodic/{upgrade,update}-stamp so that ua doesn't defer updates based on recent changes.
4. Run apt-cache policy securedrop-app-code and confirm its outdated.
5. Wait. Optionally, procure coffee or tea.
6. Check back and confirm that packages have actually updated, particularly that securedrop-app-code is at least 1.8.0~rc3.
7. Finally, test the minus-one-hour cron timing logic and confirm you see different values in the apt-daily.timer and apt-daily-upgrade.timer, different by one hour. For example, for molecule converge -s qubes-staging-focal -- --tags ua -e daily_reboot_time=0 you should see a value of midnight for the upgrade, but 11PM (23:00) for the apt update.

Deployment

Critical for Focal behavior starting in in 1.8.0.

[conorsch]

I'm currently waiting on the apt timers to fire in the local staging instance I've got configured on this branch. (Fun fact, it's 3AM UTC right now, so I've got about another hour to wait, give or take, with the random delays. Will leave these running and check back for results.

[conorsch]

Warning: my understanding of this option is that running sudo unattended-upgrades -d interactively will reboot the system out from under you once updates are complete. This is because we set Unattended-Upgrade::Automatic-Reboot-WithUsers=true. I haven't observed that behavior myself yet, but warning others because it could be surprising.

[eloquence]

Thanks for calling this out. If we can confirm this behavior & the PR lands, I'll add a small note the docs to this effect.

[kushaldas]

Even though I can see the timers getting fired, the systems did not reboot.

[conorsch]

To guarantee a reboot, we'd have to update the reboot-flag to fire perhaps hourly. Right now, it fires once every 12 hours. So it's likely that when the update ran, /var/run/reboot-required did not (yet) exist.

[conorsch]

The goal of this modulus is to ensure that apt-daily.timer is configured to run 1h before apt-daily-upgrade, so the apt lists are quite new before installing upgrades.

[kushaldas]

This works on the staging instance.

[rmol]

Running the update more frequently would increase the chance of applying upgrades as soon as possible. You could update every hour except the one in which upgrade is performed with:

OnCalendar=*-*-* {{ range(0,24) | difference([ (daily_reboot_time|int) % 24 ]) | join(",") }}:00

[conorsch]

Here's the change that will re-close #5849.

[codecov-io]

Codecov Report

Merging #5855 (1bc7452) into develop (d26125e) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff            @@
##           develop    #5855   +/-   ##
========================================
  Coverage    85.66%   85.66%           
========================================
  Files           53       53           
  Lines         3885     3885           
  Branches       484      484           
========================================
  Hits          3328     3328           
  Misses         449      449           
  Partials       108      108           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d26125e...1bc7452. Read the comment docs.

[conorsch]

Confirmed working upgrade to 1.8.0~rc3 via cron, at 04:18 UTC. Ready for review!

[eloquence]

typo in comment: apt.daily.timer -> apt-daily.timer?

[kushaldas]

In both staging and prod instances the the timers are getting fired properly. apt-daily is around an hour ago of apt-daily-upgrade.

But, the actual securedrop-app-code was not upgraded in my staging instance. I tried twice from morning till now.

root@app-staging:/home/vagrant# systemctl list-timers
NEXT                        LEFT        LAST                        PASSED       UNIT                         ACTIVATES                     
Tue 2021-03-09 17:45:26 UTC 8h left     Tue 2021-03-09 06:02:12 UTC 3h 30min ago motd-news.timer              motd-news.service             
Tue 2021-03-09 23:02:40 UTC 13h left    Tue 2021-03-09 06:01:51 UTC 3h 31min ago fwupd-refresh.timer          fwupd-refresh.service         
Wed 2021-03-10 00:00:00 UTC 14h left    Tue 2021-03-09 05:56:32 UTC 3h 36min ago logrotate.timer              logrotate.service             
Wed 2021-03-10 00:00:00 UTC 14h left    Tue 2021-03-09 05:56:32 UTC 3h 36min ago man-db.timer                 man-db.service                
Wed 2021-03-10 06:23:57 UTC 20h left    Tue 2021-03-09 06:23:57 UTC 3h 8min ago  systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Wed 2021-03-10 08:12:02 UTC 22h left    Tue 2021-03-09 08:24:09 UTC 1h 8min ago  apt-daily.timer              apt-daily.service             
Wed 2021-03-10 09:00:44 UTC 23h left    Tue 2021-03-09 09:01:02 UTC 31min ago    apt-daily-upgrade.timer      apt-daily-upgrade.service     
Sun 2021-03-14 03:10:44 UTC 4 days left Tue 2021-03-09 05:56:49 UTC 3h 36min ago e2scrub_all.timer            e2scrub_all.service           
Mon 2021-03-15 00:00:00 UTC 5 days left Tue 2021-03-09 05:56:32 UTC 3h 36min ago fstrim.timer                 fstrim.service                

9 timers listed.
Pass --all to see loaded but inactive timers, too.
root@app-staging:/home/vagrant# apt-cache policy securedrop-app-code
securedrop-app-code:
  Installed: 1.8.0~rc1+focal
  Candidate: 1.8.0~rc3+focal
  Version table:
     1.8.0~rc3+focal 500
        500 https://apt-test.freedom.press focal/main amd64 Packages
 *** 1.8.0~rc1+focal 100
        100 /var/lib/dpkg/status

apt-mark showhold returns nothing. apt tells me that the packages are ready for update.

root@app-staging:/home/vagrant# apt upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  securedrop-app-code securedrop-config securedrop-keyring securedrop-ossec-agent
4 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 11.0 MB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] 

Test steps used

• Configure a local staging environment on this branch, including using latest debs built from here.
• To observe unattended-upgrades in action, pick a new time for daily_reboot_time 1-2h in the future. Re-run the config of just those files to apply, like so: molecule converge -s qubes-staging-focal -- --tags ua -e daily_reboot_time=15
• Make sure to apt-mark unhold securedrop-app-code, or even apt-mark showhold | xargs -r sudo apt-mark unhold so that ua can make changes. Also run rm -f /var/lib/apt/periodic/{upgrade,update}-stamp so that ua doesn't defer updates based on recent changes.
• Run apt-cache policy securedrop-app-code and confirm its outdated.
• Wait. Optionally, procure coffee or tea.
• ❗ Check back and confirm that packages have actually updated, particularly that securedrop-app-code is at least 1.8.0~rc3.
• Finally, test the minus-one-hour cron timing logic and confirm you see different values in the apt-daily.timer and apt-daily-upgrade.timer, different by one hour. For example, for molecule converge -s qubes-staging-focal -- --tags ua -e daily_reboot_time=0 you should see a value of midnight for the upgrade, but 11PM (23:00) for the apt update.

I am digging into this trying to figure out what is wrong here.

[kushaldas]

I can not find any proper logs for this in the staging server other than the following entry in /var/log/syslog.

Mar  9 09:01:02 app-staging systemd[1]: Starting Daily apt upgrade and clean activities...
Mar  9 09:01:02 app-staging systemd[1]: apt-daily-upgrade.service: Succeeded.
Mar  9 09:01:02 app-staging systemd[1]: Finished Daily apt upgrade and clean activities.

[kushaldas]

Note: the manual update just works, but the apt-daily-upgrade.timer did not apply the rc3 debian file for securedrop-app-code.

[kushaldas]

A few more tries shows that the timer worked, but the securedrop-app-code was not updated and no reboot. No errors mentioned anywhere.

Mar  9 13:10:29 app-staging systemd[1]: Starting Daily apt upgrade and clean activities...
Mar  9 13:10:29 app-staging systemd[1]: apt-daily-upgrade.service: Succeeded.
Mar  9 13:10:29 app-staging systemd[1]: Finished Daily apt upgrade and clean activities.

[zenmonkeykstop]

Adding APT::Periodic::Verbose "3"; in /etc/apt/apt.conf.d/10periodic will get debug output from apt-systemd.daily in journalctl, which might indicate where it's going astray. The other thing to check is the output of sudo unattended-upgrades --dry-run --debug - if it's still getting caught by that conffile prompt it'll show up there.

[emkll]

It appears the timer/overrides are working as expected, but the apt-daily timer/service is not updating the apt cache:

vagrant@app-staging:~$ stat /var/cache/apt/srcpkgcache.bin 
  File: /var/cache/apt/srcpkgcache.bin
  Size: 40471018        Blocks: 79048      IO Block: 4096   regular file
Device: fc00h/64512d    Inode: 526795      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2021-03-09 15:48:45.692051161 +0000
Modify: 2021-03-09 15:48:45.728051630 +0000
Change: 2021-03-09 15:48:45.728051630 +0000
 Birth: -

after the timer is run:

vagrant@app-staging:~$ systemctl list-timers
[...]
Wed 2021-03-10 16:04:48 UTC 23h left      Tue 2021-03-09 16:09:42 UTC 3min 56s ago apt-daily.timer              apt-daily.service

The apt cache is still not updated on disk:

 vagrant@app-staging:~$ stat /var/cache/apt/pkgcache.bin
  File: /var/cache/apt/pkgcache.bin
  Size: 40491682        Blocks: 79088      IO Block: 4096   regular file
Device: fc00h/64512d    Inode: 526916      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2021-03-09 16:00:59.487188672 +0000
Modify: 2021-03-09 15:48:45.780052307 +0000
Change: 2021-03-09 15:48:45.780052307 +0000
 Birth: -

setting APT::Periodic::Update-Package-Lists "always"; in 20auto-upgrades as suggested in another issue did not resolve, nor did removing the stamps in /var/lib/apt/periodic

simply put, the apt-daily service is never run more than once daily, despite the timer or configuration.
setting
to always in `20 does not resolve, the apt-daily timer is simply not updateing the apt cache,

unless i am missing something

vagrant@app-staging:~$ stat /var/cache/apt/srcpkgcache.bin 
  File: /var/cache/apt/srcpkgcache.bin
  Size: 40471018        Blocks: 79048      IO Block: 4096   regular file
Device: fc00h/64512d    Inode: 526795      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2021-03-09 15:48:45.692051161 +0000
Modify: 2021-03-09 15:48:45.728051630 +0000
Change: 2021-03-09 15:48:45.728051630 +0000
 Birth: -
vagrant@app-staging:~$ stat /var/cache/apt/
archives/        pkgcache.bin     srcpkgcache.bin  
vagrant@app-staging:~$ stat /var/cache/apt/^C
vagrant@app-staging:~$ sudo apt update
Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [109 kB]
Hit:2 https://apt-test.freedom.press focal InRelease                                                                    
Hit:3 http://archive.ubuntu.com/ubuntu focal InRelease                       
Get:4 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Fetched 223 kB in 1s (348 kB/s)    
Reading package lists... Done
Building dependency tree       
Reading state information... Done
4 packages can be upgraded. Run 'apt list --upgradable' to see them.
vagrant@app-staging:~$ stat /var/cache/apt/srcpkgcache.bin 
  File: /var/cache/apt/srcpkgcache.bin
  Size: 40471018        Blocks: 79048      IO Block: 4096   regular file
Device: fc00h/64512d    Inode: 526795      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2021-03-09 16:41:37.192161214 +0000
Modify: 2021-03-09 16:41:37.228161626 +0000
Change: 2021-03-09 16:41:37.228161626 +0000
 Birth: -
vagrant@app-staging:~$ ls -lah /var/lib/apt/periodic/update-success-stamp 
-rw-r--r-- 1 root root 0 Mar  9 16:41 /var/lib/apt/periodic/update-success-stamp

[emkll]

since we are no longer templating this file (using the reboot time) we could move this configuration to 50unattended-upgrades for simplicity

[conorsch]

Good point, I can move that logic back to the Focal-specific config package now.

[rmol]

Went through one impatient test and packages were updated fine. I'm now running another test, to let the reboot file get created normally.

I have one suggestion: to update more frequently.

[rmol]

Running the update more frequently would increase the chance of applying upgrades as soon as possible. You could update every hour except the one in which upgrade is performed with:

OnCalendar=*-*-* {{ range(0,24) | difference([ (daily_reboot_time|int) % 24 ]) | join(",") }}:00

[rmol]

@emkll That's odd. My staging server updated from rc1 to rc3 without me doing any more than the test plan suggested. I'll watch the cache more closely my next time through.

[conorsch]

Running the update more frequently would increase the chance of applying upgrades as soon as possible.

@rmol I don't follow. My understanding is that apt-daily.timer will simply update the apt lists. Given the check_stamp logic in /usr/lib/apt/apt.systemd.daily, it'll only perform the occasionally, although as mentioned above the undocumented "always" setting may help us sidestep that.

I'll work on a parallel spike to fall back to cron-apt to give us some options. All, please push to this branch at will.

[zenmonkeykstop]

Confirmed the same behaviour as @kushaldas - apt-daily-uprade timer is triggered but nothing is actually upgraded.

Tried clearing the timestamp files, and resetting the timer with:

(sudo)
systemctl stop apt-daily-upgrade.timer
systemctl clean --what=state apt-daily-upgrade.timer # this resets the timer history to null values
systemctl start apt-daily-upgrade.timer

Ran again (by editing timer override), nothing happened, and nothing of note recorded in logs bar the timer itself being triggered.

[rmol]

@conorsch:

My understanding is that apt-daily.timer will simply update the apt lists. Given the check_stamp logic in /usr/lib/apt/apt.systemd.daily, it'll only perform the occasionally, although as mentioned above the undocumented "always" setting may help us sidestep that.

Right. I was thinking we should use intervals of "always" to bypass check_stamp and ensure the cache was updated whenever the update timer fired, to let us schedule more cache updates and give us more chance of having the most current package lists when upgrade ran. I was able to consistently get everything to run with an /etc/apt/apt.conf.d/20auto-updates like this (autoclean is probably overkill):

APT::Periodic::Update-Package-Lists "always";
APT::Periodic::Unattended-Upgrade "always";
APT::Periodic::AutocleanInterval "always";

But it turns out that unattended-upgrade will reboot if /var/run/reboot-required exists even during a --download-only run., which happens during /usr/lib/apt/apt.systemd.daily update. 😞

I can even reboot the system by creating that file before updating the timer overrides with the molecule converge ... command in the test plan. 😆 This may be because I'm running it too close to the scheduled times.

We could reschedule the cron job that creates /var/run/reboot-required to only run right before the "upgrade" timer, at daily_reboot_time minus five minutes or so.

Or, we could just go back to cron-apt, because this is starting to feel like a minefield of undesirable interactions.

[conorsch]

@zenmonkeykstop helpfully pointed out that the bento box configs are different from Qubes staging HVMs, in that the apt-periodic settings are explicitly disabled: https://github.com/chef/bento/blob/b5c6cb3c75bb111b9d55bb26bdb2740c162f1b89/packer_templates/ubuntu/scripts/update.sh#L7-L23 That explains the variation in testing we were seeing. @zenmonkeykstop has pushed a change to be more explicit about that config option, and I've just added a commit to re-implement reboots on the time of daily_reboot_time. The apt-daily/apt-daily-upgrade actions are now approximately 2h and 1h before that, respectively.

[zenmonkeykstop]

With the two commits above the behaviour should be (where T is daily-reboot-time:

• apt-daily.timer triggers cache update at T-2hrs, schedules reboot for T
• apt-daily-upgrade.timer triggers package upgrades at T-1hr, also schedules reboot for T
• reboot at T

Notes for folks testing this:

• Ensure that the apt-test key is in place (e.g. by running curl https://raw.githubusercontent.com/freedomofpress/securedrop/develop/install_files/ansible-base/roles/install-fpf-repo/files/apt-test-signing-key.pub | sudo apt-key add - on the servers before triggering any actions
• Ensure that periodic updates are enabled with `sudo apt-config dump | grep -i "APT::Periodic::Enabled" - it should be set to "1"
• If you want extra log info, add APT::Periodic::Verbose "3" in /etc/apt/apt.cron.d/10periodic

The timers only trigger actions if the interval (1 day) since the last action has elapsed. To reliably trigger an action at a specific time:

1. delete the timestamp files in /var/lib/apt/periodic
2. reset the timers with (sudo) systemctl stop <name>.timer && systemctl --clean --what=state <name>.timer && systemctl start <name>.timer
3. set the timer time with sudo systemctl edit <name>.timer
4. verify with sudo systemctl list-timers
5. Use sudo journalctl -f to monitor the log as the timers run

[conorsch]

Pushed against to tweak a typo in the failing tests. I ever-so-slightly adjusted the APT::Periodic::Enable logic so that it's Focal-only, since Xenial is still using cron-apt. Still waiting on CI to pass, given the re-push, but I consider this ready for review.

[rmol]

I was wrong about seeing a reboot during the "update" task. I think I must have been running the molecule converge timer adjustment when I saw that. With this apt config:

APT::Periodic "";
APT::Periodic::Update-Package-Lists "always";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "1";
APT::Periodic::Verbose "3";
APT::Periodic::Unattended-Upgrade "always";

Having /var/run/reboot-required present during the apt-daily update run does not trigger a reboot, despite that script running unattended-upgrades --download-only, because of APT::Periodic::Unattended-Upgrade "always";:

Mar  9 21:30:03 app-staging apt.systemd.daily[3803]: + unattended-upgrade --download-only -d
Mar  9 21:30:03 app-staging apt.systemd.daily[4115]: Starting unattended upgrades script

The system was rebooted the next time apt-daily-upgrade ran:

Mar  9 21:35:03 app-staging apt.systemd.daily[4509]: Found /var/run/reboot-required, rebooting

So, chalk it up to too many iterations of manual timer adjustments. 🙁 I think it might be safe to
always update the lists and have the apt-daily.timer scheduled more than once a day. All this said, I think we should defer that change and deploy the simplest possible configuration with 1.8.0.

[rmol]

systemctl --clean --what=state .timer

should be systemctl clean --what=state <name>.timer -- no hyphens on clean

[emkll]

Thanks @conorsch @rmol and @zenmonkeykstop for working on these changes, I think we are now observing the expected behavior, Tested the following in staging VMs and the behavior is as we expect:

• apt-mark showhold | xargs -r sudo apt-mark unhold
• rm -f /var/lib/apt/periodic/{upgrade,update}-stamp
• set APT::Periodic::Verbose "3"
• imported the apt test key set curl https://raw.githubusercontent.com/freedomofpress/securedrop/develop/install_files/ansible-base/roles/install-fpf-repo/files/apt-test-signing-key.pub | sudo apt-key add -
• edited the timers
• waited
• observed journalctl output:

Wed 2021-03-10 23:26:59 UTC 23h left      Tue 2021-03-09 23:26:37 UTC 5min ago             apt-daily.timer              apt-daily.service             
Wed 2021-03-10 23:27:20 UTC 23h left      Tue 2021-03-09 23:27:20 UTC 4min 44s ago         apt-daily-upgrade.timer      apt-daily-upgrade.service  
[...]
Mar  9 23:26:42 app-staging systemd[1]: apt-daily.service: Succeeded.
[...]
Mar 09 23:27:55 app-staging systemd[1]: apt-daily-upgrade.service: Succeeded.
Mar 09 23:27:55 app-staging systemd[1]: Finished Daily apt upgrade and clean activities.

Broadcast message from root@app-staging (Tue 2021-03-09 23:28:00 UTC):

The system is going down for reboot at Tue 2021-03-09 23:30:00 UTC!

The reboot occurred, the apt-cache was updated right after apt-daily.service was run

vagrant@app-staging:~$ stat /var/cache/apt/pkgcache.bin 
  File: /var/cache/apt/pkgcache.bin
  Size: 40491536        Blocks: 79088      IO Block: 4096   regular file
Device: fc00h/64512d    Inode: 526262      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2021-03-09 23:27:52.959581115 +0000
Modify: 2021-03-09 23:27:52.735582601 +0000
Change: 2021-03-09 23:27:52.735582601 +0000
 Birth: -

It was updated to rc3 packages:

securedrop-app-code/unknown,now 1.8.0~rc3+focal amd64 [installed]
securedrop-config/unknown,now 0.1.4+1.8.0~rc3+focal all [installed]
securedrop-grsec/unknown,now 5.4.97+focal amd64 [installed]
securedrop-keyring/unknown,now 0.1.4+1.8.0~rc3+focal amd64 [installed]
securedrop-ossec-agent/unknown,now 3.6.0+1.8.0~rc3+focal amd64 [installed]

Let's merge and include this in 1.8.0-rc4

[emkll]

Initially i thought this was a template block but it's just declaring the variables 👍

[emkll]

TIL: https://docs.ansible.com/ansible/latest/user_guide/playbooks_handlers.html#controlling-when-handlers-run

[conorsch]

Pleased to report that I've observed working upgrades to securedrop-app-code=1.8.0~rc3 on both Qubes staging VMs (built from ISO) and libvirt-based staging VMs (via Bento). I had to futz with the timer config so as not to wait very many hours, but with the time customization, packages were upgraded without issue.

During that testing, I had neglected to touch /var/run/reboot-required, so I'll try again, to observe an automatic reboot.

https://github.com/freedomofpress/securedrop/pull/5855/files#diff-12366c76335b8b6ecc14b0a02f3cd0cce6c6d06d17e2ecd4b282b029926396dfR65-R67 will ensure freshness of apt cache, we can address this in later iterations if there's a need to update apt cache more frequently