Apt-upgrade

From Wikitech

The apt-upgrade script is a custom tool that shows which suites/channels/repos have pending package upgrades and can also perform the actual upgrade.

This script was developed as part of our workflow for package upgrades.

Usage options are:

% apt-upgrade [-un] [-f exclude_file] [-x regex] upgrade <suite> [-yh]
% apt-upgrade [-un] [-f exclude_file] [-x regex] report [<suite>] [-h]
% apt-upgrade [-un] [-f exclude_file] [-x regex] list [-h]

The -u switch controls whether to update the apt cache. The -n switch controls whether the node name is printed on each line.

The -f/--exclude-file switch loads a file with one regex per line for package exclusion. It can be combined with -x/--exclude, which takes an exclusion regex as an argument (and can be specified multiple times).

  • upgrade: upgrade all pending upgradeable packages from a given suite. Use -y to avoid the confirmation prompt.
  • report: report all upgradeable packages in the system. Optionally, only from a given archive.
  • list: report all archives from which there are pending upgradeable packages.

Root permission is always required to run it. Note that DEBIAN_FRONTEND=noninteractive is used internally to avoid debconf prompts.

Listing archives that contain upgradeable packages, with and without node name:

user@machine01:~$ sudo apt-upgrade -u list
machine01: jessie-backports, jessie-wikimedia, oldstable-updates
user@machine01:~$ sudo apt-upgrade -un list
jessie-backports, jessie-wikimedia, oldstable-updates

Report details of package upgrades, with and without node name:

user@machine01:~$ sudo apt-upgrade -u report
machine01: jessie-backports: linux-image-4.9.0-0.bpo.4-amd64 4.9.51-1~bpo8+1 --> 4.9.65-3+deb9u1~bpo8+1 
machine01: jessie-wikimedia: linux-meta 1.16 --> 1.17 
machine01: jessie-wikimedia: linux-meta-4.9 1.16 --> 1.17 
machine01: jessie-wikimedia: linux-image-4.9.0-0.bpo.6-amd64 [absent] --> 4.9.82-1~wmf1 
machine01: oldstable-updates: linux-image-3.16.0-4-amd64 3.16.43-2+deb8u5 --> 3.16.51-3 
user@machine01:~$ sudo apt-upgrade -un report
jessie-backports: linux-image-4.9.0-0.bpo.4-amd64 4.9.51-1~bpo8+1 --> 4.9.65-3+deb9u1~bpo8+1 
jessie-wikimedia: linux-meta 1.16 --> 1.17 
jessie-wikimedia: linux-meta-4.9 1.16 --> 1.17 
jessie-wikimedia: linux-image-4.9.0-0.bpo.6-amd64 [absent] --> 4.9.82-1~wmf1 
oldstable-updates: linux-image-3.16.0-4-amd64 3.16.43-2+deb8u5 --> 3.16.51-3

Excluding some packages by using a file with a regexp per line:

user@machine01:~$ cat exclude_file.txt 
linux-meta.*
user@machine01:~$ sudo apt-upgrade -un -f exclude_file.txt report
jessie-wikimedia: linux-meta 1.16 --> 1.17 [excluded]
jessie-wikimedia: linux-meta-4.9 1.16 --> 1.17 [excluded]
jessie-backports: linux-image-4.9.0-0.bpo.4-amd64 4.9.51-1~bpo8+1 --> 4.9.65-3+deb9u1~bpo8+1 
jessie-wikimedia: linux-image-4.9.0-0.bpo.6-amd64 [absent] --> 4.9.82-1~wmf1 
oldstable-updates: linux-image-3.16.0-4-amd64 3.16.43-2+deb8u5 --> 3.16.51-3
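
The following is an added example, not part of the apt-upgrade tool: a parser for the report format shown above that groups packages per suite into upgrades, new installs (`[absent]`) and exclusions, so a report can be reviewed or diffed before running `upgrade -y`. The line grammar is inferred from the sample output on this page, and the names `parse_report` and `plan_by_suite` are hypothetical.

```python
import re
from collections import defaultdict

# Line grammar inferred from this page's sample output (an assumption):
#   [node: ]suite: package old --> new[ [excluded]]
LINE_RE = re.compile(
    r"^(?:(?P<node>[^\s:]+): )?(?P<suite>[^\s:]+): (?P<package>\S+) "
    r"(?P<old>\S+) --> (?P<new>\S+)(?P<excluded> \[excluded\])?\s*$"
)

# Sample input: lines taken from the report output shown on this page.
SAMPLE = """\
machine01: jessie-backports: linux-image-4.9.0-0.bpo.4-amd64 4.9.51-1~bpo8+1 --> 4.9.65-3+deb9u1~bpo8+1
jessie-wikimedia: linux-meta 1.16 --> 1.17 [excluded]
jessie-wikimedia: linux-meta-4.9 1.16 --> 1.17 [excluded]
jessie-wikimedia: linux-image-4.9.0-0.bpo.6-amd64 [absent] --> 4.9.82-1~wmf1
oldstable-updates: linux-image-3.16.0-4-amd64 3.16.43-2+deb8u5 --> 3.16.51-3
"""


def parse_report(text):
    """Parse report output into dicts; reject any line the grammar misses."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised report line: {line!r}")
        entry = m.groupdict()
        entry["excluded"] = entry["excluded"] is not None
        entries.append(entry)
    return entries


def plan_by_suite(entries):
    """Per suite, split packages into 'upgrade', 'install' and 'excluded'."""
    plan = defaultdict(lambda: {"upgrade": [], "install": [], "excluded": []})
    for e in entries:
        # "[absent]" as the old version means the package is not installed yet.
        bucket = ("excluded" if e["excluded"]
                  else "install" if e["old"] == "[absent]" else "upgrade")
        plan[e["suite"]][bucket].append(e["package"])
    return dict(plan)


if __name__ == "__main__":
    for suite, buckets in sorted(plan_by_suite(parse_report(SAMPLE)).items()):
        print(suite, buckets)
```

The parser raises on any line it does not recognise rather than skipping it, so a change in the report format cannot silently hide a pending upgrade from the review.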

When performing an upgrade, a report is printed and a confirmation prompt appears:

user@machine01:~$ sudo apt-upgrade -un -f exclude_file.txt upgrade jessie-wikimedia
jessie-wikimedia: linux-meta 1.16 --> 1.17 [excluded]
jessie-wikimedia: linux-meta-4.9 1.16 --> 1.17 [excluded]
jessie-wikimedia: linux-image-4.9.0-0.bpo.6-amd64 [absent] --> 4.9.82-1~wmf1 
commit changes? [y/N]:

To avoid the confirmation prompt, use -y on the command line:

user@machine01:~$ sudo apt-upgrade -un -f exclude_file.txt upgrade jessie-wikimedia -y
jessie-wikimedia: linux-meta 1.16 --> 1.17 [excluded]
jessie-wikimedia: linux-meta-4.9 1.16 --> 1.17 [excluded]
jessie-wikimedia: linux-image-4.9.0-0.bpo.6-amd64 [absent] --> 4.9.82-1~wmf1 
Selecting previously unselected package linux-image-4.9.0-0.bpo.6-amd64.
(Reading database ... 67435 files and directories currently installed.)
Preparing to unpack .../linux-image-4.9.0-0.bpo.6-amd64_4.9.82-1~wmf1_amd64.deb ...
Unpacking linux-image-4.9.0-0.bpo.6-amd64 (4.9.82-1~wmf1) ...
Setting up linux-image-4.9.0-0.bpo.6-amd64 (4.9.82-1~wmf1) ...
[...]

Since all machines should have this wrapper, you should be able to use clush:

user@machine01:~$ clush -w @all 'sudo apt-upgrade -u upgrade stretch-updates -y'

To avoid upgrades of certain key packages, it is recommended that you:

  • create an apt pinning for it
  • put the package on hold
  • exclude it by means of -f exclude_file.txt or -x regex.

FAQ

  • Does the `apt-upgrade` script work with any repository?

Yes, since it reads the source repo of candidate upgrades. If no candidates are found, nothing will happen.

  • Does the `apt-upgrade` script produce logs?

Yes, in /var/log/apt/history.log as per usual.

  • Could the `apt-upgrade` script destroy the system?

It's similar to running `aptitude install pkg1 pkg2 pkg3 ...`. The dependency resolver could do strange things as per usual. Obtain a report beforehand to see what will happen.

  • Is it safe to obtain reports using the `apt-upgrade` script?

Yes, it should make no modifications to any given system. However, it has been observed that running it may trigger dpkg/apt to continue with previously aborted updates.

  • I want to see a package debconf prompt, does apt-upgrade allow that?

No, the code uses DEBIAN_FRONTEND=noninteractive internally.