cron-apt remove action should be after security #4011
Merged
Status
Ready for review
Description of Changes
Fixes #4003.
In the event the host has broken packages installed (e.g. failed postinst), cron-apt will fail at the remove action before upgrading the package. Upgrades to the broken package will not be installed and the system will remain in a broken state:
Change 1-remove to 9-remove in cron-apt actions for Ansible install as well as in securedrop-config postinst script (and delete 1-remove via the same)
Testing
Clean install scenario:
/etc/cron-apt/action.d/ contains files as expected (0-update 5-security and 9-remove)
sudo cron-apt -i -s completes without error
Upgrade scenario
Using (https://docs.securedrop.org/en/release-0.10.0/development/upgrade_testing.html):
make build-debs
molecule converge -s upgrade
securedrop-config deb package produced by this branch
/etc/hosts (either app or mon)
/etc/apt/security.list should contain apt.freedom.press
cron-apt -i -s and observe ossec failing to install
/etc/apt/security.list should contain apt-test.freedom.press
cron-apt -i -s and observe ossec failing to install
apt list --installed | grep securedrop-app-code should return that version of securedrop-app-code installed is 0.12.0~rc1
Deployment
securedrop-config apt package
Checklist
If you made changes to the system configuration:
If you made non-trivial code changes:
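A scripted form of the clean-install check from the Testing section above, as an added example that is not part of this pull request or the SecureDrop code base. The function name check_action_order is hypothetical, and the script assumes cron-apt runs the files in action.d in sorted filename order.

```shell
#!/bin/sh
# Added example: verify that the cron-apt remove action runs after security.
# Assumption: cron-apt executes action.d files in sorted filename order.

# check_action_order DIR
# Returns 0 when 0-update, 5-security and 9-remove exist, the old 1-remove
# is gone, and every *-remove action sorts after 5-security.
check_action_order() {
    dir=$1
    status=0

    # The three actions the PR expects after a clean install or upgrade.
    for f in 0-update 5-security 9-remove; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing action: $f" >&2
            status=1
        fi
    done

    # The postinst script is expected to delete the old action file.
    if [ -e "$dir/1-remove" ]; then
        echo "stale action still present: 1-remove" >&2
        status=1
    fi

    # Walk the actions in byte-wise sorted order and flag any remove
    # action that would run before the security upgrade.
    seen_security=0
    for name in $(ls -1 "$dir" 2>/dev/null | LC_ALL=C sort); do
        case $name in
            5-security) seen_security=1 ;;
            *-remove)
                if [ "$seen_security" -eq 0 ]; then
                    echo "$name runs before 5-security" >&2
                    status=1
                fi ;;
        esac
    done

    return "$status"
}
```

On an app or mon host, call it as check_action_order /etc/cron-apt/action.d and treat a non-zero exit status as a failed check.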