1 | #!/bin/sh |
---|
2 | |
---|
3 | complain() { |
---|
4 | logger -t "athena-auto-update" -p user.notice "$*" |
---|
5 | updstatus="failed" |
---|
6 | updmsg="$*" |
---|
7 | } |
---|
8 | |
---|
9 | # NOTE: Unlike complain(), calling warn() without subsequently |
---|
10 | # calling "exit" is not supported and its behavior is undefined |
---|
11 | warn() { |
---|
12 | # If we've already had a warning once, then fail |
---|
13 | if [ "$updstatus" = "warning" ]; then |
---|
14 | complain "$*" |
---|
15 | else |
---|
16 | updstatus="warning" |
---|
17 | updmsg="$*" |
---|
18 | fi |
---|
19 | } |
---|
20 | |
---|
21 | save_success() { |
---|
22 | # We used to check for 'warning' here for non-fatal warnings. |
---|
23 | # There is no longer any such thing. |
---|
24 | updstatus="ok" |
---|
25 | updmsg="$*" |
---|
26 | } |
---|
27 | |
---|
28 | save_state() { |
---|
29 | rm -f $statfile |
---|
30 | echo "$updlast|$(date +"%s")|$updstatus|$updmsg" > $statfile |
---|
31 | } |
---|
32 | |
---|
33 | maybe_reboot() { |
---|
34 | if [ "$SKIP_REBOOT" = "y" ]; then |
---|
35 | return |
---|
36 | fi |
---|
37 | if [ -f /var/run/reboot-required ]; then |
---|
38 | # A package wants us to reboot the machine. Do so if no one is |
---|
39 | # logged in. Be paranoid about stale utmp entries. |
---|
40 | ttys=$(w -h -s | awk '{print $2}') |
---|
41 | for tty in $ttys; do |
---|
42 | pids=$(ps --no-heading -j -t "$tty" 2>/dev/null \ |
---|
43 | | awk '($1 == $3) {print $1}') |
---|
44 | if [ -n "$pids" ]; then |
---|
45 | return |
---|
46 | fi |
---|
47 | done |
---|
48 | # screen processes count as logins. |
---|
49 | if pgrep '^screen' > /dev/null; then |
---|
50 | return |
---|
51 | fi |
---|
52 | save_state |
---|
53 | reboot |
---|
54 | exit |
---|
55 | fi |
---|
56 | } |
---|
57 | |
---|
58 | SKIP_REBOOT="n" |
---|
59 | DEBUG="n" |
---|
60 | VERBOSE="n" |
---|
61 | while getopts "nvd" opt; do |
---|
62 | case "$opt" in |
---|
63 | d) DEBUG="y";; |
---|
64 | v) VERBOSE="y";; |
---|
65 | n) SKIP_REBOOT="y";; |
---|
66 | \?) |
---|
67 | echo "Usage: $0 [ -d ] [ -n ] [ -v ]" |
---|
68 | ;; |
---|
69 | esac |
---|
70 | done |
---|
71 | |
---|
72 | [ "$DEBUG" = "y" ] && VERBOSE="y" |
---|
73 | |
---|
74 | if [ 0 != "$(id -u)" ]; then |
---|
75 | echo "This script must be run as root." >&2 |
---|
76 | exit 1 |
---|
77 | fi |
---|
78 | |
---|
79 | # Don't run updates during a cluster login. |
---|
80 | # Unless forced |
---|
81 | if [ -e /var/run/athena-login ] && [ "$DEBUG" != "y" ]; then |
---|
82 | exit 0 |
---|
83 | fi |
---|
84 | |
---|
85 | # Avoid confusing the system by running two updates at once. |
---|
86 | pidfile=/var/run/athena-update.pid |
---|
87 | if [ -e $pidfile ]; then |
---|
88 | if ! kill -0 "$(cat $pidfile)" 2>/dev/null; then |
---|
89 | rm -f $pidfile |
---|
90 | fi |
---|
91 | fi |
---|
92 | (set -o noclobber; echo $$ > $pidfile) 2>/dev/null || exit |
---|
93 | |
---|
94 | trap 'rm -f $pidfile' EXIT |
---|
95 | |
---|
96 | statfile="/var/lib/athena-update-status" |
---|
97 | updstatus="unknown" |
---|
98 | updmsg="" |
---|
99 | updlast=$(date +"%s") |
---|
100 | |
---|
101 | # Get the last successful update |
---|
102 | if [ -f $statfile ]; then |
---|
103 | updlast=$(awk -F\| '{print $1;}' $statfile) |
---|
104 | updstatus=$(awk -F\| '{print $3;}' $statfile) |
---|
105 | fi |
---|
106 | |
---|
107 | # Make sure nothing expects input on stdin. |
---|
108 | exec </dev/null |
---|
109 | |
---|
110 | # Save a reference to STDOUT |
---|
111 | exec 3>&1 |
---|
112 | |
---|
113 | # Redirect further output to a log file. |
---|
114 | exec >>/var/log/athena-update 2>&1 |
---|
115 | |
---|
116 | # Write a log header now and a footer at exit. |
---|
117 | # Also write a target for cluster's /etc/nologin symlink. |
---|
118 | echo "-----" |
---|
119 | echo "** Beginning Athena auto-update at $(date)" |
---|
120 | |
---|
121 | cat > /var/run/athena-nologin << NOLOGIN |
---|
122 | This system is currently taking software updates. |
---|
123 | Please log in to a different system. |
---|
124 | NOLOGIN |
---|
125 | |
---|
126 | finish() { |
---|
127 | echo "** Ending Athena auto-update at $(date)" |
---|
128 | echo "-----" |
---|
129 | echo |
---|
130 | rm -f $pidfile |
---|
131 | rm -f /var/run/athena-nologin |
---|
132 | save_state |
---|
133 | exit |
---|
134 | } |
---|
135 | trap finish EXIT |
---|
136 | |
---|
137 | v() { |
---|
138 | [ "$VERBOSE" = "y" ] && echo "Running" "$@" >&3 |
---|
139 | echo "** Running:" "$@" |
---|
140 | "$@" |
---|
141 | } |
---|
142 | |
---|
143 | |
---|
144 | # Allow hesiod cluster info to specify the debathena apt release. |
---|
145 | # (Will do nothing if debathena-clusterinfo isn't installed.) |
---|
146 | [ -x /usr/sbin/save-cluster-info ] && v /usr/sbin/save-cluster-info |
---|
147 | cinfo=/var/run/athena-clusterinfo.sh |
---|
148 | slist=/etc/apt/sources.list.d/debathena.clusterinfo.list |
---|
149 | if [ -r "$cinfo" ] && ( [ ! -e "$slist" ] || [ -w "$slist" ] ); then |
---|
150 | echo "** Updating debathena.clusterinfo.list" |
---|
151 | [ -e "$slist" ] && rm "$slist" |
---|
152 | dsource="$(egrep -h '^deb(-src)? http://debathena\.mit\.edu/apt ' /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null | sort -u)" |
---|
153 | if [ -n "$dsource" ]; then |
---|
154 | (. $cinfo |
---|
155 | echo "# This file is automatically updated by debathena-auto-update" |
---|
156 | echo "# based on your Hesiod cluster information. If you want to" |
---|
157 | echo "# make changes, do so in another file." |
---|
158 | echo |
---|
159 | case $APT_RELEASE in |
---|
160 | production) ;; |
---|
161 | proposed) echo "$dsource" | awk '$3 !~ /-/ {$3 = $3 "-proposed"; print}' ;; |
---|
162 | development) echo "$dsource" | awk '$3 != /-/ {$3 = $3 "-proposed"; print}' |
---|
163 | echo "$dsource" | awk '$3 != /-/ {$3 = $3 "-development"; print}' ;; |
---|
164 | esac |
---|
165 | ) > $slist |
---|
166 | else |
---|
167 | echo "Never mind, I can't figure out which sources.list line is Debathena's" |
---|
168 | fi |
---|
169 | else |
---|
170 | echo "** Skipping update of debathena.clusterinfo.list" |
---|
171 | fi |
---|
172 | |
---|
173 | # Tell apt not to expect user input during package installation. |
---|
174 | export DEBIAN_FRONTEND=noninteractive |
---|
175 | |
---|
176 | # Set conservative defaults in case file is missing |
---|
177 | UPDATE_FORCE_CONFFILE=old |
---|
178 | RUN_UPDATE_HOOK=no |
---|
179 | # Process defaults file |
---|
180 | [ -f /etc/default/debathena-auto-update ] && . /etc/default/debathena-auto-update |
---|
181 | # On cluster machines, force our desired settings |
---|
182 | # Ignore /etc/default/debathena-auto-update |
---|
183 | if dpkg-query --showformat '${Status}\n' -W "debathena-cluster" 2>/dev/null | grep -q ' installed$'; then |
---|
184 | UPDATE_FORCE_CONFFILE=new |
---|
185 | RUN_UPDATE_HOOK=yes |
---|
186 | fi |
---|
187 | |
---|
188 | UPDATE_HOOK_URL="https://athena10.mit.edu/update-hook/debathena-update-hook.sh" |
---|
189 | UPDATE_HOOK_SUM="https://athena10.mit.edu/update-hook/debathena-update-hook-sha256sum" |
---|
190 | MITCA="/usr/share/debathena-auto-update/mitCA.crt" |
---|
191 | UPDATE_HOOK="/var/run/debathena-update-hook.sh" |
---|
192 | |
---|
193 | rm -f $UPDATE_HOOK |
---|
194 | if [ "$RUN_UPDATE_HOOK" = "yes" ] && \ |
---|
195 | curl -sf -o $UPDATE_HOOK --cacert $MITCA $UPDATE_HOOK_URL; then |
---|
196 | chmod 500 $UPDATE_HOOK |
---|
197 | SHA256SUM="$(curl -sf --cacert $MITCA $UPDATE_HOOK_SUM)" |
---|
198 | rv=$? |
---|
199 | if [ $rv != 0 ]; then |
---|
200 | complain "Failed to retrieve $UPDATE_HOOK_SUM (curl returned $rv)" |
---|
201 | exit |
---|
202 | fi |
---|
203 | LOCALSUM="$(sha256sum $UPDATE_HOOK | awk '{print $1}')" |
---|
204 | if [ "$SHA256SUM" != "$LOCALSUM" ]; then |
---|
205 | complain "bad update hook checksum ($SHA256SUM != $LOCALSUM)" |
---|
206 | exit |
---|
207 | fi |
---|
208 | if ! [ -f "/var/lib/athena-update-hooks/$SHA256SUM" ]; then |
---|
209 | if ! v $UPDATE_HOOK; then |
---|
210 | complain "update hook returned non-zero status" |
---|
211 | exit |
---|
212 | else |
---|
213 | touch "/var/lib/athena-update-hooks/$SHA256SUM" |
---|
214 | fi |
---|
215 | fi |
---|
216 | fi |
---|
217 | |
---|
218 | echo "Running aptitude install" |
---|
219 | if ! v aptitude --quiet --assume-yes install; then |
---|
220 | # Don't fail, because make dpkg --configure -a will save us |
---|
221 | echo "ERROR: aptitude install failed, but continuing anyway" |
---|
222 | fi |
---|
223 | |
---|
224 | |
---|
225 | # Configure any unconfigured packages (Trac #407) |
---|
226 | if ! v dpkg --configure -a; then |
---|
227 | complain "Failed to configure unconfigured packages." |
---|
228 | exit |
---|
229 | fi |
---|
230 | |
---|
231 | # A recently configured package may want a reboot |
---|
232 | save_success "Rebooted after dpkg --configure -a" |
---|
233 | maybe_reboot |
---|
234 | |
---|
235 | # Ensure that the mirrors aren't broken |
---|
236 | urls=$(cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list | grep -v ^# | grep -v ^$ | awk '{print $2}' | sort | uniq) |
---|
237 | failed="" |
---|
238 | for u in $urls; do |
---|
239 | # We don't (yet) know how to verify other URI schemes |
---|
240 | if ! echo $u | grep -q "^http:"; then |
---|
241 | continue |
---|
242 | fi |
---|
243 | curl -m 60 -sfL -o /dev/null $u |
---|
244 | if [ $? != 0 ]; then |
---|
245 | if [ -z "$failed" ]; then |
---|
246 | failed=$u |
---|
247 | else |
---|
248 | failed="$failed $u" |
---|
249 | fi |
---|
250 | fi |
---|
251 | done |
---|
252 | if [ -n "$failed" ]; then |
---|
253 | warn "Failed to contact mirror(s): $failed" |
---|
254 | exit |
---|
255 | fi |
---|
256 | |
---|
257 | # Update the aptitude cache. |
---|
258 | if ! v aptitude --quiet --assume-yes update; then |
---|
259 | complain "aptitude update failed" |
---|
260 | exit |
---|
261 | fi |
---|
262 | |
---|
263 | # If new licenses were installed since the last update, deal. |
---|
264 | licenses=/usr/share/debathena-license-config/debathena-license-selections |
---|
265 | if [ -f /var/lib/debathena-license-config/reconfigure_required ]; then |
---|
266 | rm -f /var/lib/debathena-license-config/reconfigure_required |
---|
267 | if [ -f $licenses ]; then |
---|
268 | for p in $(awk '{print $1}' $licenses); do |
---|
269 | if dpkg-query --showformat '${Status}\n' -W $p 2>/dev/null | grep -q ' installed$'; then |
---|
270 | if ! v dpkg-reconfigure -fnoninteractive $p; then |
---|
271 | # Don't fail here |
---|
272 | complain "Failed to dpkg-reconfigure $p" |
---|
273 | fi |
---|
274 | fi |
---|
275 | done |
---|
276 | else |
---|
277 | complain "Could not find $licenses" |
---|
278 | exit |
---|
279 | fi |
---|
280 | fi |
---|
281 | |
---|
282 | |
---|
283 | # Exit quietly (except for perhaps rebooting) if there are no upgrades |
---|
284 | # to take. |
---|
285 | pattern='^0 packages upgraded, 0 newly installed, 0 to remove' |
---|
286 | if v aptitude --simulate --assume-yes full-upgrade | grep -q "$pattern"; then |
---|
287 | echo "Nothing to do!" |
---|
288 | save_success "No updates" |
---|
289 | maybe_reboot |
---|
290 | exit |
---|
291 | fi |
---|
292 | |
---|
293 | # Download packages first. |
---|
294 | if ! v timeout -k 10s 30m aptitude --quiet --assume-yes --download-only full-upgrade; then |
---|
295 | complain "download failed" |
---|
296 | exit |
---|
297 | fi |
---|
298 | |
---|
299 | # If the debathena-reactivate package is installed, call into the |
---|
300 | # login snapshot script to create a root snapshot for the next update. |
---|
301 | if [ -x /usr/sbin/athena-login-snapshot ]; then |
---|
302 | echo "** Creating root snapshot" |
---|
303 | /usr/sbin/athena-login-snapshot update-start |
---|
304 | fi |
---|
305 | |
---|
306 | APTITUDE_OPTS= |
---|
307 | case $UPDATE_FORCE_CONFFILE in |
---|
308 | old) |
---|
309 | APTITUDE_OPTS="-o Dpkg::Options::=--force-confold" |
---|
310 | export UCF_FORCE_CONFFOLD=1 |
---|
311 | ;; |
---|
312 | new) |
---|
313 | APTITUDE_OPTS="-o Dpkg::Options::=--force-confnew" |
---|
314 | export UCF_FORCE_CONFFNEW=1 |
---|
315 | ;; |
---|
316 | *) |
---|
317 | complain "Invalid value for UPDATE_FORCE_CONFFILE" |
---|
318 | exit |
---|
319 | ;; |
---|
320 | esac |
---|
321 | |
---|
322 | |
---|
323 | # Perform the update. In some corner cases, aptitude might decide |
---|
324 | # that the best course of action is to remove the Debathena |
---|
325 | # metapackage, so be paranoid about that. |
---|
326 | v aptitude --quiet --assume-yes keep-all |
---|
327 | v timeout -k 10s 30m aptitude --quiet --assume-yes --download-only dist-upgrade |
---|
328 | if result=$(aptitude -F "%p" search '?action(remove) (^debathena-cluster$ | ^debathena-workstation$ | ^debathena-login$ | ^debathena-standard$ | ^openafs-modules-~D^linux-image-)') |
---|
329 | [ -n "$result" ]; then |
---|
330 | echo "** metapackages would be removed by the update, aborting:" $result |
---|
331 | v aptitude --quiet --assume-yes keep-all |
---|
332 | complain "metapackages would be removed by update:" $result |
---|
333 | elif result=$(aptitude -F "%p" search '~b') |
---|
334 | [ -n "$result" ]; then |
---|
335 | echo "** packages would be broken by the update, aborting:" $result |
---|
336 | v aptitude --quiet --assume-yes keep-all |
---|
337 | complain "packages would be broken by update:" $result |
---|
338 | else |
---|
339 | if v aptitude $APTITUDE_OPTS --quiet --assume-yes install; then |
---|
340 | # Successful update, reset $updlast |
---|
341 | updlast=$(date +"%s") |
---|
342 | save_success "Successful update" |
---|
343 | fi |
---|
344 | fi |
---|
345 | |
---|
346 | # Finally, update the apt-file cache |
---|
347 | v apt-file update |
---|
348 | |
---|
349 | if [ -x /usr/sbin/athena-login-snapshot ]; then |
---|
350 | echo "** Cleaning up root snapshot" |
---|
351 | /usr/sbin/athena-login-snapshot update-end |
---|
352 | fi |
---|
353 | |
---|
354 | maybe_reboot |
---|
355 | exit |
---|