base repository: freedomofpress/securedrop
base: 5bf94fe4b5d852abd18a284001accd1cb23aad89
head repository: freedomofpress/securedrop
compare: 087599e817e21bfdb85cab254df1f88d12049ff0
Showing with 41 additions and 27 deletions.
  1. +40 −26 noble-migration/src/bin/upgrade.rs
  2. +1 −1 securedrop/debian/config/lib/systemd/system/securedrop-noble-migration-upgrade.service
66 changes: 40 additions & 26 deletions noble-migration/src/bin/upgrade.rs
@@ -10,7 +10,10 @@ use serde::{Deserialize, Serialize};
use std::{
env,
fs::{self, Permissions},
os::unix::{fs::PermissionsExt, process::ExitStatusExt},
os::unix::{
fs::PermissionsExt,
process::{CommandExt, ExitStatusExt},
},
path::Path,
process::{self, Command, ExitCode},
};
@@ -32,7 +35,6 @@ enum Stage {
SuspendOSSEC,
ChangeAptSources,
AptGetUpdate,
AptGetUpgradeNoNew,
AptGetFullUpgrade,
ReenableUnattendedUpdates,
ReenableOSSEC,
@@ -125,10 +127,6 @@ fn run_next_stage(state: &mut State) -> Result<()> {
state.set(Stage::AptGetUpdate)?;
}
Stage::AptGetUpdate => {
apt_get_upgrade_no_new()?;
state.set(Stage::AptGetUpgradeNoNew)?;
}
Stage::AptGetUpgradeNoNew => {
apt_get_full_upgrade()?;
state.set(Stage::AptGetFullUpgrade)?;
}
@@ -201,6 +199,39 @@ fn check_call(binary: &str, args: &[&str]) -> Result<String> {
}
}

/// Run a command in a way that it will keep running even when this script
/// is killed. This is necessary to keep apt-get from getting killed when
/// the systemd service is restarted.
fn check_call_nokill(binary: &str, args: &[&str]) -> Result<()> {
let child = Command::new(binary)
.args(args)
.env("DEBIAN_FRONTEND", "noninteractive")
// Run this in a separate process_group, so it won't be killed when
// the parent process is (this script).
.process_group(0)
// TODO: stdout/stderr
.spawn()
.context(format!("failed to spawn '{binary}'"))?;

let output = child.wait_with_output()?;
if !output.status.success() {
debug!("Errored running: {binary} {}", args.join(" "));
// Figure out why it failed by looking at the exit code, and if none,
// look at if it was a signal
let exit = match output.status.code() {
Some(code) => format!("exit code {code}"),
None => match output.status.signal() {
Some(signal) => format!("terminated by signal {signal}"),
None => "for an unknown reason".to_string(),
},
};
error!("{}", String::from_utf8_lossy(&output.stderr));
bail!("running '{binary}' failed; {exit}")
}

Ok(())
}

/// Check if the current server is the mon server by
/// looking for the securedrop-ossec-server package
fn is_mon_server() -> bool {
@@ -210,7 +241,7 @@ fn is_mon_server() -> bool {
fn pending_updates(state: &mut State) -> Result<()> {
info!("Applying any pending updates...");
check_call("apt-get", &["update"])?;
check_call("unattended-upgrade", &[])?;
check_call_nokill("unattended-upgrade", &[])?;
// Disable all background updates pre-reboot so we know it's fully
// disabled when we come back.
info!("Temporarily disabling background updates...");
@@ -309,26 +340,9 @@ fn apt_get_update() -> Result<()> {
Ok(())
}

fn apt_get_upgrade_no_new() -> Result<()> {
info!("Upgrading APT packages (first pass)...");
check_call(
"apt-get",
&[
"-o",
"Dpkg::Options::=--force-confdef",
"-o",
"Dpkg::Options::=--force-confold",
"upgrade",
"--without-new-pkgs",
"--yes",
],
)?;
Ok(())
}

fn apt_get_full_upgrade() -> Result<()> {
info!("Upgrading APT packages (second pass)...");
check_call(
info!("Upgrading APT packages...");
check_call_nokill(
"apt-get",
&[
"-o",
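Review bot: In `check_call_nokill` (the `@@ -201,6 +199,39 @@` hunk) the child is spawned with inherited stdio, so `child.wait_with_output()?` yields an `Output` whose `stdout`/`stderr` are always empty and the failure path's `error!("{}", String::from_utf8_lossy(&output.stderr))` logs an empty line; the `// TODO: stdout/stderr` comment acknowledges the gap, but the log line reads as if output were captured. Piping stderr would tie the child back to this process's lifetime (the pipe closes when the script is killed), which is exactly what `process_group(0)` is trying to avoid, so the simpler fix is to keep inheriting: use `let status = child.wait().context(format!("failed to wait for '{binary}'"))?;`, refer to `status` instead of `output.status`, drop the `error!` line, and state in the doc comment that the child's output goes to the inherited stdout/stderr (the journal when run under systemd). The doc comment should also say that a new process group alone does not stop systemd from killing the child on unit stop — that presumably relies on the `KillMode=process` change to the unit file in this same comparison — so a reader knows the two changes must stay together. The body of `apt_get_full_upgrade` in the last hunk continues past the end of the hunk.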
@@ -1,11 +1,11 @@
[Unit]
Description=Run noble migration

RefuseManualStart=true
RefuseManualStop=true

[Service]
Type=exec
Environment=LAUNCHED_BY_SYSTEMD=1
ExecStart=/usr/bin/securedrop-noble-migration-upgrade
User=root
KillMode=process
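Review bot: `KillMode=process` (presumably the added line of this hunk) carries no comment explaining why it departs from the default `control-group`, and the reason lives in another file; a one-line note above it, `# Leave apt-get/dpkg children running when this unit is stopped or restarted; see check_call_nokill in upgrade.rs`, would keep the two from drifting apart. With this mode a child that outlives a restart remains in the unit's cgroup, so the next instance re-enters the same stage and may start a second apt-get while the orphan still holds the dpkg lock; if that is the intended recovery path, it is worth confirming that apt's lock wait (`-o DPkg::Lock::Timeout=...`) covers the longest expected run, otherwise the stage fails and is retried. `RefuseManualStop=true` already rules out operator-initiated stops, so the non-manual restart is the case to reason about.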