Apt-upgrade: Difference between revisions
imported>Arturo Borrero Gonzalez m (Arturo Borrero Gonzalez moved page Apt-upgrades to Apt-upgrade: typo, extra 's') |
imported>BryanDavis No edit summary |
(One intermediate revision by one other user not shown) | |||
Line 1: | Line 1: | ||
The [[phab:source/operations-puppet/browse/production/modules/apt/files/apt-upgrade.py | '''apt-upgrade''' script]] is a custom tool that can be used to know which suite/channel/repo have pending package upgrades and also to perform the actual upgrade. | The [[phab:source/operations-puppet/browse/production/modules/apt/files/apt-upgrade.py | '''apt-upgrade''' script]] is a custom tool that can be used to know which suite/channel/repo have pending package upgrades and also to perform the actual upgrade. | ||
This script was developed as part of our [[Portal:Cloud_VPS/Admin/ | This script was developed as part of our [[Portal:Cloud_VPS/Admin/Managing package upgrades|workflow for package upgrades]]. | ||
Usage options are: | Usage options are: | ||
<syntaxhighlight lang="shell-session"> | <syntaxhighlight lang="shell-session"> | ||
% apt-upgrade [-un] [-f exclude_file] upgrade <suite> [-yh] | % apt-upgrade [-un] [-f exclude_file] [-x regex] upgrade <suite> [-yh] | ||
% apt-upgrade [-un] [-f exclude_file] report [<suite>] [-h] | % apt-upgrade [-un] [-f exclude_file] [-x regex] report [<suite>] [-h] | ||
% apt-upgrade [-un] [-f exclude_file] list [-h] | % apt-upgrade [-un] [-f exclude_file] [-x regex] list [-h] | ||
</syntaxhighlight> | </syntaxhighlight> | ||
The '''-u''' switch is to control whether or not to update the apt cache. The '''-n''' switch control whether the node name should be printed in each line. | The '''-u''' switch is to control whether or not to update the apt cache. The '''-n''' switch control whether the node name should be printed in each line. | ||
The '''-f''' switch allows to load a file with a regex per file for package exclusion. | The '''-f/--exclude-file''' switch allows to load a file with a regex per file for package exclusion. This can be combined with '''-x/--exclude''', which allows to specify exclusion regex as arguments (can be specified multiple times). | ||
* '''upgrade''': upgrade all pending upgradeable packages from a given suite. Use the '''-y''' to avoid a confirmation prompt. | * '''upgrade''': upgrade all pending upgradeable packages from a given suite. Use the '''-y''' to avoid a confirmation prompt. | ||
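Review bot: in the rewritten '''-f/--exclude-file''' sentence, "a regex per file" looks like a slip for "a regex per line", since the usage example further down the page describes the file as holding one regexp per line; worth fixing while this line is being touched. The new '''-x/--exclude''' text could also state how a pattern is matched against the package name (whole name or only its start) and that the regex should be quoted on the command line so the shell does not expand it.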
Line 93: | Line 93: | ||
* create an apt pinning for it | * create an apt pinning for it | ||
* put the package on hold | * put the package on hold | ||
* exclude it by means of '''-f exclude_file.txt''' | * exclude it by means of '''-f exclude_file.txt''' or '''-x regex'''. | ||
== FAQ == | == FAQ == |
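Review bot: the changed bullet now ends with a full stop while the two unchanged bullets above it do not; drop the "." to keep the list consistent. Since '''-f''' and '''-x''' are command-line switches that only take effect when passed to the script, unlike a pin or a hold, consider saying so in this bullet.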
Latest revision as of 20:35, 10 July 2018
The apt-upgrade script is a custom tool that reports which suites/channels/repos have pending package upgrades and can also perform the actual upgrade.
This script was developed as part of our workflow for package upgrades.
Usage options are:
```
% apt-upgrade [-un] [-f exclude_file] [-x regex] upgrade <suite> [-yh]
% apt-upgrade [-un] [-f exclude_file] [-x regex] report [<suite>] [-h]
% apt-upgrade [-un] [-f exclude_file] [-x regex] list [-h]
```
The -u switch controls whether or not to update the apt cache. The -n switch controls whether the node name is printed on each line.
The -f/--exclude-file switch loads a file with one regex per line for package exclusion. This can be combined with -x/--exclude, which takes an exclusion regex as an argument (can be specified multiple times).
- upgrade: upgrade all pending upgradeable packages from a given suite. Use -y to avoid the confirmation prompt.
- report: report all upgradeable packages in the system. Optionally, only from a given archive.
- list: report all archives from which there are pending upgradeable packages.
Root permission is always required to run it. Please note that DEBIAN_FRONTEND=noninteractive is used internally to avoid debconf prompts.
Listing archives which contain upgradeable packages, with and without node name:
```
user@machine01:~$ sudo apt-upgrade -u list
machine01: jessie-backports, jessie-wikimedia, oldstable-updates
user@machine01:~$ sudo apt-upgrade -un list
jessie-backports, jessie-wikimedia, oldstable-updates
```
Report details of package upgrades, with and without node name:
```
user@machine01:~$ sudo apt-upgrade -u report
machine01: jessie-backports: linux-image-4.9.0-0.bpo.4-amd64 4.9.51-1~bpo8+1 --> 4.9.65-3+deb9u1~bpo8+1
machine01: jessie-wikimedia: linux-meta 1.16 --> 1.17
machine01: jessie-wikimedia: linux-meta-4.9 1.16 --> 1.17
machine01: jessie-wikimedia: linux-image-4.9.0-0.bpo.6-amd64 [absent] --> 4.9.82-1~wmf1
machine01: oldstable-updates: linux-image-3.16.0-4-amd64 3.16.43-2+deb8u5 --> 3.16.51-3
user@machine01:~$ sudo apt-upgrade -un report
jessie-backports: linux-image-4.9.0-0.bpo.4-amd64 4.9.51-1~bpo8+1 --> 4.9.65-3+deb9u1~bpo8+1
jessie-wikimedia: linux-meta 1.16 --> 1.17
jessie-wikimedia: linux-meta-4.9 1.16 --> 1.17
jessie-wikimedia: linux-image-4.9.0-0.bpo.6-amd64 [absent] --> 4.9.82-1~wmf1
oldstable-updates: linux-image-3.16.0-4-amd64 3.16.43-2+deb8u5 --> 3.16.51-3
```
Excluding some packages by using a file with a regexp per line:
```
user@machine01:~$ cat exclude_file.txt
linux-meta.*
user@machine01:~$ sudo apt-upgrade -un -f exclude_file.txt report
jessie-wikimedia: linux-meta 1.16 --> 1.17 [excluded]
jessie-wikimedia: linux-meta-4.9 1.16 --> 1.17 [excluded]
jessie-backports: linux-image-4.9.0-0.bpo.4-amd64 4.9.51-1~bpo8+1 --> 4.9.65-3+deb9u1~bpo8+1
jessie-wikimedia: linux-image-4.9.0-0.bpo.6-amd64 [absent] --> 4.9.82-1~wmf1
oldstable-updates: linux-image-3.16.0-4-amd64 3.16.43-2+deb8u5 --> 3.16.51-3
```
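Excluded packages stay unpatched, so it helps to track them alongside the pending ones. The following is an added example, not part of apt-upgrade or of the original page: it parses the report line format shown above and groups packages per suite into pending and excluded. The function names and the regular expression are assumptions derived only from the sample output on this page.

```python
import re
from collections import defaultdict

# Line format as shown in the report examples on this page (assumed stable):
#   [node: ]suite: package old_version --> new_version[ [excluded]]
LINE_RE = re.compile(
    r"^(?:(?P<node>\S+): )?(?P<suite>\S+): (?P<package>\S+) "
    r"(?P<old>\S+) --> (?P<new>\S+)(?P<excluded> \[excluded\])?$"
)

def parse_report(text):
    """Parse apt-upgrade report output into a list of dicts; skip other lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # confirmation prompt, dpkg output, blank lines
        entry = m.groupdict()
        entry["excluded"] = entry["excluded"] is not None
        # "[absent]" as the old version means the package is newly installed.
        entry["new_install"] = entry["old"] == "[absent]"
        entries.append(entry)
    return entries

def summarize(entries):
    """Group package names by suite into 'pending' and 'excluded' sets."""
    summary = defaultdict(lambda: {"pending": set(), "excluded": set()})
    for e in entries:
        key = "excluded" if e["excluded"] else "pending"
        summary[e["suite"]][key].add(e["package"])
    return dict(summary)

# Constructed sample: lines taken from the examples above, with and without node name.
SAMPLE = """\
machine01: jessie-backports: linux-image-4.9.0-0.bpo.4-amd64 4.9.51-1~bpo8+1 --> 4.9.65-3+deb9u1~bpo8+1
jessie-wikimedia: linux-meta 1.16 --> 1.17 [excluded]
jessie-wikimedia: linux-meta-4.9 1.16 --> 1.17 [excluded]
jessie-wikimedia: linux-image-4.9.0-0.bpo.6-amd64 [absent] --> 4.9.82-1~wmf1
commit changes? [y/N]:
"""

if __name__ == "__main__":
    for suite, groups in sorted(summarize(parse_report(SAMPLE)).items()):
        print(suite, "pending:", sorted(groups["pending"]),
              "excluded (left unpatched):", sorted(groups["excluded"]))
```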
When performing an upgrade, a report is printed and a confirmation prompt appears:
```
user@machine01:~$ sudo apt-upgrade -un -f exclude_file.txt upgrade jessie-wikimedia
jessie-wikimedia: linux-meta 1.16 --> 1.17 [excluded]
jessie-wikimedia: linux-meta-4.9 1.16 --> 1.17 [excluded]
jessie-wikimedia: linux-image-4.9.0-0.bpo.6-amd64 [absent] --> 4.9.82-1~wmf1
commit changes? [y/N]:
```
To avoid the confirmation prompt, use -y on the command line:
```
user@machine01:~$ sudo apt-upgrade -un -f exclude_file.txt upgrade jessie-wikimedia -y
jessie-wikimedia: linux-meta 1.16 --> 1.17 [excluded]
jessie-wikimedia: linux-meta-4.9 1.16 --> 1.17 [excluded]
jessie-wikimedia: linux-image-4.9.0-0.bpo.6-amd64 [absent] --> 4.9.82-1~wmf1
Selecting previously unselected package linux-image-4.9.0-0.bpo.6-amd64.
(Reading database ... 67435 files and directories currently installed.)
Preparing to unpack .../linux-image-4.9.0-0.bpo.6-amd64_4.9.82-1~wmf1_amd64.deb ...
Unpacking linux-image-4.9.0-0.bpo.6-amd64 (4.9.82-1~wmf1) ...
Setting up linux-image-4.9.0-0.bpo.6-amd64 (4.9.82-1~wmf1) ...
[...]
```
Since all machines should have this wrapper, you should be able to use clush:
```
user@machine01:~$ clush -w @all 'sudo apt-upgrade -u upgrade stretch-updates -y'
```
To keep a certain key package from being upgraded, it is recommended that you:
- create an apt pinning for it
- put the package on hold
- exclude it by means of -f exclude_file.txt or -x regex.
FAQ
- Does the `apt-upgrade` script work with any repository?
Yes, since it reads the source repo of candidate upgrades. If no candidates are found, nothing will happen.
- Does the `apt-upgrade` script produce logs?
Yes, in /var/log/apt/history.log as per usual.
- Could the `apt-upgrade` script destroy the system?
It's similar to running `aptitude install pkg1 pkg2 pkg3 ...`. The dependency resolver could do strange things as per usual. Obtain a report beforehand to see what will happen.
- Is it safe to obtain reports using the `apt-upgrade` script?
Yes, it should make no modifications to any given system. However, it has been observed that running it may trigger dpkg/apt to continue with previously aborted updates.
- I want to see a package debconf prompt, does apt-upgrade allow that?
No, the code internally uses DEBIAN_FRONTEND=noninteractive.