[MediaWiki-commits] [Gerrit] operations/puppet[production]: apt: unattended-upgrades: add reporter script

Arturo Borrero Gonzalez (Code Review) Fri, 01 Dec 2017 06:29:15 -0800

Arturo Borrero Gonzalez has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/394572 )


Change subject: apt: unattended-upgrades: add reporter script
......................................................................

apt: unattended-upgrades: add reporter script

This new script reports pending upgrades by repository and
what could be upgraded according to the unattended-upgrades configuration.

Bug: T181647
Change-Id: I97b122e6ff0c8f9b0da2000be4ae4c26e2d9c827
Signed-off-by: Arturo Borrero Gonzalez <aborr...@wikimedia.org>
---
A modules/apt/files/report-pending-upgrades.sh
M modules/apt/manifests/unattendedupgrades.pp
2 files changed, 77 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/72/394572/1

diff --git a/modules/apt/files/report-pending-upgrades.sh 
b/modules/apt/files/report-pending-upgrades.sh
new file mode 100644
index 0000000..4a11546
--- /dev/null
+++ b/modules/apt/files/report-pending-upgrades.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+if [ "$(id -u)" != "0" ] ; then
+       echo "E: root required" >&2
+       exit 1
+fi
+
+get_binary()
+{
+       BINARY=$(which $1)
+       if [ ! -x "$BINARY" ] ; then
+               echo "E: no $1 binary found" >&2
+               exit 1
+       fi
+       echo $BINARY
+}
+
+set -e
+APT_GET=$(get_binary apt-get)
+APT_SHOW_VERSIONS=$(get_binary apt-show-versions)
+UNATTENDED_UPGRADES=$(get_binary unattended-upgrades)
+set +e
+
+echo "I: $0 running on $(uname -n)"
+echo "I: updating package cache"
+$APT_GET update >/dev/null
+
+APT_SHOW_VERSIONS_OUTPUT=$($APT_SHOW_VERSIONS | grep upgradeable | sort -t / 
-k 2)
+n1=$(echo "$APT_SHOW_VERSIONS_OUTPUT" | grep -v ^$ | wc -l)
+
+UNATTENDED_UPGRADES_OUTPUT=$($UNATTENDED_UPGRADES --dry-run -v -d | grep 
"Packages that will be upgraded" | awk -F':' '{print $2}' | grep -v 
^[[:space:]]*$)
+n2=$(echo "$UNATTENDED_UPGARDES_OUTPUT" | grep -v ^$ | wc -l)
+
+if [ "$n1" != "0" ] ; then
+       sources=$(echo "$APT_SHOW_VERSIONS_OUTPUT" | awk -F'/' '{print $2}' | 
awk -F' ' '{print $1}' | uniq)
+       for src in $sources ; do
+               src_output=$(echo "$APT_SHOW_VERSIONS_OUTPUT" | grep $src)
+               n3=$(echo "$src_output" | wc -l)
+               echo "I: upgradeable packages from ${src}: $n3"
+               echo
+               echo "$src_output" | sed -e 's/^/  /'
+               echo
+       done
+fi
+
+if [ "$n2" != "0" ] ; then
+       echo "I: upgradeable packages by unattended-upgrades: $n2"
+       echo
+       echo "$UNATTENDED_UPGARDES_OUTPUT" | sed -e 's/^/  /'
+       echo
+fi
+echo "I: $n1 upgradeable packages, $n2 upgradeable packages by 
unatteneded-upgrades"
diff --git a/modules/apt/manifests/unattendedupgrades.pp 
b/modules/apt/manifests/unattendedupgrades.pp
index c02745c..41138d2 100644
--- a/modules/apt/manifests/unattendedupgrades.pp
+++ b/modules/apt/manifests/unattendedupgrades.pp
@@ -4,6 +4,10 @@
         ensure => $ensure,
     }
 
+    package { 'apt-show-versions':
+        ensure => $ensure,
+    }
+
     # dpkg tries to determine the most conservative default action in case of
     # conffile conflict. This tells dpkg to use that action without asking
     apt::conf { 'dpkg-force-confdef':
@@ -37,4 +41,25 @@
         value    => 'origin=Wikimedia,codename=${distro_codename}-wikimedia',
         # lint:endignore
     }
+
+    # https://wiki.debian.org/StableUpdates
+    # https://www.debian.org/News/2011/20110215
+    apt::conf { 'unattended-upgrades-updates':
+        ensure   => $unattended_updates,
+        priority => '52',
+        # Key with trailing '::' to append to potentially existing entry
+        key      => 'Unattended-Upgrade::Origins-Pattern::',
+        # lint:ignore:single_quote_string_with_variables
+        value    => 'origin=${distro_id},codename=${distro_codename}-updates',
+        # lint:endignore
+    }
+
+    file { '/usr/local/sbin/report-pending-upgrades':
+        ensure  => present,
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0755',
+        source  => 'puppet:///modules/apt/report-pending-upgrades.sh',
+        require => Package['apt-show-versions'],
+   }
 }

-- 
To view, visit https://gerrit.wikimedia.org/r/394572
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I97b122e6ff0c8f9b0da2000be4ae4c26e2d9c827
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Arturo Borrero Gonzalez <aborr...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

[MediaWiki-commits] [Gerrit] operations/puppet[production]: apt: unattended-upgrades: add reporter script

Reply via email to