mvo5 / unattended-upgrades

Automatic installation of security upgrades on apt based systems
GNU General Public License v2.0

apt update failing manually, unattended upgrade does not inform me of the issue #317

Closed sgalam closed 2 years ago

sgalam commented 2 years ago

Hi, I'm experiencing an issue with unattended-upgrade. I have a repo in my setup that is failing to update. This is the output of apt update:

root@gitlab:~# apt update
Hit:1 http://security.debian.org/debian-security stretch/updates InRelease
Ign:2 http://ftp.it.debian.org/debian stretch InRelease
Hit:3 http://ftp.it.debian.org/debian stretch-updates InRelease
Hit:4 http://ftp.it.debian.org/debian stretch Release
Get:5 https://packages.gitlab.com/gitlab/gitlab-ee/debian stretch InRelease [23.3 kB]
Err:5 https://packages.gitlab.com/gitlab/gitlab-ee/debian stretch InRelease
  The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
Fetched 23.3 kB in 2s (10.9 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.gitlab.com/gitlab/gitlab-ee/debian stretch InRelease: The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Failed to fetch https://packages.gitlab.com/gitlab/gitlab-ee/debian/dists/stretch/InRelease  The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Some index files failed to download. They have been ignored, or old ones used instead.

So the apt gitlab repository is broken as the key is expired.

Here is the unattended-upgrades --dry-run --debug output:

root@gitlab:~# unattended-upgrades --dry-run --debug
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: ['origin=Debian,codename=stretch,label=Debian-Security', 'origin=packages.gitlab.com/gitlab/gitlab-ee']
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
blacklist: []
whitelist: []
No packages found that can be upgraded unattended and no pending auto-removals 

As you can see, unattended-upgrades does not inform me about the problem. I should receive an alert from unattended-upgrades that the system is not up to date. What am I missing?

Thanks

Matteo

julian-klode commented 2 years ago

No, you should not be receiving an alert, as your system is up to date with regard to the sources downloaded; unattended-upgrades can't know that the update failed. The update happens in apt-daily.service, and you need to monitor your journal if it errors out (timers do not send emails, unlike cron jobs).

sgalam commented 2 years ago

Ok, thanks for pointing me in the right direction! I did some investigation into the issue. By design, apt update always exits with 0, even when warnings happen. APT developers introduced a feature to exit with an error code when there are warnings about one year ago. This is the merge request: https://salsa.debian.org/apt-team/apt/-/merge_requests/150 That feature was merged into main in release 2.1.16 at the end of 2021, so it's very new and not present on old Debian versions.
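
Added example, not part of the thread and not code from apt or unattended-upgrades: since `apt update` exits 0 here even though a repository failed signature verification, a monitoring job on older releases can inspect the output instead. The function names and the sample lines (constructed from the output quoted in the issue) are assumptions of this sketch.

```shell
#!/bin/sh
# Reads "apt update" output on stdin, prints what failed,
# and returns 1 if any source could not be refreshed, 0 otherwise.
check_apt_update_output() {
    awk '
        # Expired signing key: record the key ID that follows EXPKEYSIG.
        match($0, /EXPKEYSIG [0-9A-F]+/) {
            keys[substr($0, RSTART + 10, RLENGTH - 10)] = 1; bad = 1
        }
        # "Err:N <source>" marks a source whose index was not refreshed.
        /^Err:[0-9]+ / { sub(/^Err:[0-9]+ /, ""); repos[$0] = 1; bad = 1; next }
        # "W:" / "E:" summary lines: apt reused old index files or failed.
        /^[WE]: / { bad = 1 }
        END {
            for (r in repos) print "FAILED REPO: " r
            for (k in keys)  print "EXPIRED KEY: " k
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample: abbreviated from the failing run quoted in the issue.
sample_failing() {
    cat <<'EOF'
Hit:1 http://security.debian.org/debian-security stretch/updates InRelease
Err:5 https://packages.gitlab.com/gitlab/gitlab-ee/debian stretch InRelease
  The following signatures were invalid: EXPKEYSIG 3F01618A51312F3F GitLab B.V. (package repository signing key) <packages@gitlab.com>
W: Some index files failed to download. They have been ignored, or old ones used instead.
EOF
}

# Constructed sample: a run in which every source refreshed.
sample_clean() {
    cat <<'EOF'
Hit:1 http://security.debian.org/debian-security stretch/updates InRelease
Hit:3 http://ftp.it.debian.org/debian stretch-updates InRelease
Reading package lists... Done
EOF
}

# Real use (needs root): LC_ALL=C keeps apt's messages in English so the
# patterns match. Run from cron, the report on stderr is mailed on failure.
run_check() {
    report=$(LC_ALL=C apt-get update 2>&1 | check_apt_update_output) && return 0
    printf '%s\n' "$report" >&2
    return 1
}
```
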