You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org

Apt-upgrade: Difference between revisions

From Wikitech-static
Jump to navigation Jump to search
imported>Arturo Borrero Gonzalez
m (Arturo Borrero Gonzalez moved page Apt-upgrades to Apt-upgrade: typo, extra 's')
 
imported>BryanDavis
No edit summary
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
The [[phab:source/operations-puppet/browse/production/modules/apt/files/apt-upgrade.py | '''apt-upgrade''' script]] is a custom tool that can be used to know which suite/channel/repo have pending package upgrades and also to perform the actual upgrade.
The [[phab:source/operations-puppet/browse/production/modules/apt/files/apt-upgrade.py | '''apt-upgrade''' script]] is a custom tool that can be used to know which suite/channel/repo have pending package upgrades and also to perform the actual upgrade.


This script was developed as part of our [[Portal:Cloud_VPS/Admin/managing_package_upgrades | workflow for package upgrades]].
This script was developed as part of our [[Portal:Cloud_VPS/Admin/Managing package upgrades|workflow for package upgrades]].


Usage options are:
Usage options are:
<syntaxhighlight lang="shell-session">
<syntaxhighlight lang="shell-session">
% apt-upgrade [-un] [-f exclude_file] upgrade <suite> [-yh]
% apt-upgrade [-un] [-f exclude_file] [-x regex] upgrade <suite> [-yh]
% apt-upgrade [-un] [-f exclude_file] report [<suite>] [-h]
% apt-upgrade [-un] [-f exclude_file] [-x regex] report [<suite>] [-h]
% apt-upgrade [-un] [-f exclude_file] list [-h]
% apt-upgrade [-un] [-f exclude_file] [-x regex] list [-h]
</syntaxhighlight>
</syntaxhighlight>


The '''-u''' switch is to control whether or not to update the apt cache. The '''-n''' switch control whether the node name should be printed in each line.
The '''-u''' switch is to control whether or not to update the apt cache. The '''-n''' switch control whether the node name should be printed in each line.


The '''-f''' switch allows to load a file with a regex per file for package exclusion.
The '''-f/--exclude-file''' switch allows to load a file with a regex per file for package exclusion. This can be combined with '''-x/--exclude''', which allows to specify exclusion regex as arguments (can be specified multiple times).


* '''upgrade''': upgrade all pending upgradeable packages from a given suite. Use the '''-y''' to avoid a confirmation prompt.
* '''upgrade''': upgrade all pending upgradeable packages from a given suite. Use the '''-y''' to avoid a confirmation prompt.
Line 93: Line 93:
* create an apt pinning for it
* create an apt pinning for it
* put the package on hold
* put the package on hold
* exclude it by means of '''-f exclude_file.txt'''
* exclude it by means of '''-f exclude_file.txt''' or '''-x regex'''.


== FAQ ==
== FAQ ==

Latest revision as of 20:35, 10 July 2018

The apt-upgrade script is a custom tool that can be used to know which suite/channel/repo have pending package upgrades and also to perform the actual upgrade.

This script was developed as part of our workflow for package upgrades.

Usage options are:

% apt-upgrade [-un] [-f exclude_file] [-x regex] upgrade <suite> [-yh]
% apt-upgrade [-un] [-f exclude_file] [-x regex] report [<suite>] [-h]
% apt-upgrade [-un] [-f exclude_file] [-x regex] list [-h]

The -u switch is to control whether or not to update the apt cache. The -n switch control whether the node name should be printed in each line.

The -f/--exclude-file switch allows to load a file with a regex per file for package exclusion. This can be combined with -x/--exclude, which allows to specify exclusion regex as arguments (can be specified multiple times).

  • upgrade: upgrade all pending upgradeable packages from a given suite. Use the -y to avoid a confirmation prompt.
  • report: report all upgradeable packages in the system. Optionally, only from a given archive.
  • list: report all archives from which there are pending upgradeable packages.

Root permission is always required to run it. Please note that DEBIAN_FRONTEND=nonintereactive is used internally to avoid debconf prompts.

Listing archives which contains upgradeable packages, with and without node name:

user@machine01:~$ sudo apt-upgrade -u list
machine01: jessie-backports, jessie-wikimedia, oldstable-updatesuser
user@machine01:~$ sudo apt-upgrade -un list
jessie-backports, jessie-wikimedia, oldstable-updates

Report details of package upgrades, with and without node name:

user@machine01:~$ sudo apt-upgrade -u report
machine01: jessie-backports: linux-image-4.9.0-0.bpo.4-amd64 4.9.51-1~bpo8+1 --> 4.9.65-3+deb9u1~bpo8+1 
machine01: jessie-wikimedia: linux-meta 1.16 --> 1.17 
machine01: jessie-wikimedia: linux-meta-4.9 1.16 --> 1.17 
machine01: jessie-wikimedia: linux-image-4.9.0-0.bpo.6-amd64 [absent] --> 4.9.82-1~wmf1 
machine01: oldstable-updates: linux-image-3.16.0-4-amd64 3.16.43-2+deb8u5 --> 3.16.51-3 
user@machine01:~$ sudo apt-upgrade -un report
jessie-backports: linux-image-4.9.0-0.bpo.4-amd64 4.9.51-1~bpo8+1 --> 4.9.65-3+deb9u1~bpo8+1 
jessie-wikimedia: linux-meta 1.16 --> 1.17 
jessie-wikimedia: linux-meta-4.9 1.16 --> 1.17 
jessie-wikimedia: linux-image-4.9.0-0.bpo.6-amd64 [absent] --> 4.9.82-1~wmf1 
oldstable-updates: linux-image-3.16.0-4-amd64 3.16.43-2+deb8u5 --> 3.16.51-3

Excluding some packages by using a file with a regexp per line:

user@machine01:~$ cat exclude_file.txt 
linux-meta.*
user@machine01:~$ sudo apt-upgrade -un -f exclude_file.txt report
jessie-wikimedia: linux-meta 1.16 --> 1.17 [excluded]
jessie-wikimedia: linux-meta-4.9 1.16 --> 1.17 [excluded]
jessie-backports: linux-image-4.9.0-0.bpo.4-amd64 4.9.51-1~bpo8+1 --> 4.9.65-3+deb9u1~bpo8+1 
jessie-wikimedia: linux-image-4.9.0-0.bpo.6-amd64 [absent] --> 4.9.82-1~wmf1 
oldstable-updates: linux-image-3.16.0-4-amd64 3.16.43-2+deb8u5 --> 3.16.51-3

Performing an upgrade, a report is printed and a confirmation prompt will appear:

user@machine01:~$ sudo apt-upgrade -un -f exclude_file.txt upgrade jessie-wikimedia
jessie-wikimedia: linux-meta 1.16 --> 1.17 [excluded]
jessie-wikimedia: linux-meta-4.9 1.16 --> 1.17 [excluded]
jessie-wikimedia: linux-image-4.9.0-0.bpo.6-amd64 [absent] --> 4.9.82-1~wmf1 
commit changes? [y/N]:

To avoid the confirmation prompt use -y in the command line:

user@machine01:~$ sudo apt-upgrade -un -f exclude_file.txt upgrade jessie-wikimedia -y
jessie-wikimedia: linux-meta 1.16 --> 1.17 [excluded]
jessie-wikimedia: linux-meta-4.9 1.16 --> 1.17 [excluded]
jessie-wikimedia: linux-image-4.9.0-0.bpo.6-amd64 [absent] --> 4.9.82-1~wmf1 
Selecting previously unselected package linux-image-4.9.0-0.bpo.6-amd64.
(Reading database ... 67435 files and directories currently installed.)
Preparing to unpack .../linux-image-4.9.0-0.bpo.6-amd64_4.9.82-1~wmf1_amd64.deb ...
Unpacking linux-image-4.9.0-0.bpo.6-amd64 (4.9.82-1~wmf1) ...
Setting up linux-image-4.9.0-0.bpo.6-amd64 (4.9.82-1~wmf1) ...
[...]

Since all machines should have this wrapper, you should be able to use clush:

user@machine01:~$ clush -w @all 'sudo apt-upgrade -u upgrade stretch-updates -y'

To avoid upgrades of certain key important packages, it is recommended that you:

  • create an apt pinning for it
  • put the package on hold
  • exclude it by means of -f exclude_file.txt or -x regex.

FAQ

  • Does the `apt-upgrade` script works with any repository?

Yes, since in reads the source repo of candidate upgrades. If no candidates are found, nothing will happen.

  • Does the `apt-upgrade` script produce logs?

Yes, in /var/log/apt/history.log as per usual.

  • Could the `apt-upgrade` script destroy the system?

It's similar to running `aptitude install pkg1 pkg2 pkg3 ...`. The dependency resolver could do estrange things as per usual. Obtain a report before to see what will happen.

  • Is it safe to obtain reports using the `apt-upgrade` script?

yes, it should produce 0 modification to any given system. However, it has been observed that running it may trigger dpkg/apt to continue with previous aborted updates.

  • I want to see a package debconf prompt, does apt-upgrade allows that?

no, the code uses interanlly DEBIAN_FRONTEND=noninteractive