Tag Archives: apt

Too good to #0011

Mozilla Firefox APT special

The Mozilla Firefox APT repository is incompatible with legacy apt-mirror. Here’s how I install apt-mirror2 as a dedicated python-virtualenv

# apt-get install virtualenv
# virtualenv --no-setuptools /usr/local/apt-mirror2/
# /usr/local/apt-mirror2/bin/pip3 install -U apt-mirror
# /usr/local/apt-mirror2/bin/apt-mirror --help
  • Repeat as-is to update.
  • Here’s the bug that neccessitates the --no-setuptools option: “ModuleNotFoundError: No module named ‘debian'”

mirror.list entry for the Mozilla Firefox APT repository:

deb-all [signed-by=/path/to/packages-mozilla-org.gpg] https://packages.mozilla.org/apt mozilla main
deb-amd64 [signed-by=/path/to/packages-mozilla-org.gpg] https://packages.mozilla.org/apt mozilla main

How to convert Mozilla’s sloppy ASCII-armored PGP key:

$ curl -s -O https://packages.mozilla.org/apt/repo-signing-key.gpg
$ file repo-signing-key.gpg
repo-signing-key.gpg: PGP public key block Secret-Key
$ mv repo-signing-key.gpg repo-signing-key
$ gpg --dearmor repo-signing-key
$ file repo-signing-key.gpg
repo-signing-key.gpg: OpenPGP Public Key Version 4, Created Tue May 4 21:08:03 2021, RSA (Encrypt or Sign, 2048 bits); User ID; Signature; OpenPGP Certificate

Too good to #0006

“Sudo on demand” from TGT0003 considered more useful for downgrading privileges on the fly

#!/usr/bin/env bash

want_user=letsencrypt
am_user="$(id -un)"
printf "Running as: %s\n" "${am_user}"
if [[ "${want_user}" != "${am_user}" ]]
then
        printf "Re-executing with sudo.\n"
        exec sudo -u "${want_user}" "${0}"
fi
...

JSON export of all installed packages on Debian/Ubuntu

#!/bin/bash

function dpkg_json(){
    printf "{\n"
    format='"${Package}": { "Version": "${Version}", "Architecture": "${Architecture}", "Status": "${db:Status-Abbrev}" },\n'
    dpkg-query --show --showformat="${format}" | sed '$s/,$//'
    printf "}\n"
}

dpkg_json | jq .

Urlwatch for a new version of a package in the Ubuntu package pool

---
name: "Ubuntu Curtin package (waiting for apt-key fix)"
url: http://archive.ubuntu.com/ubuntu/pool/main/c/curtin/
filter:
  - xpath: //table//td[2]
  - html2text
  - grep: ^curtin.*\.deb$
---

Too good to #0003

Linux uptime in seconds, once and for all

awk '{printf "%i\n", $1}' /proc/uptime

“Sudo on demand”, re-exec shell script with sudo if not running as root

#!/usr/bin/env bash
printf "Running as: %s\n" "$(id -un)"
[[ ${EUID} -ne 0 ]] && printf "Re-executing with sudo.\n" && exec sudo "${0}"

See also TGT0006, this is just as useful for downgrading privileges on the fly.


“When was the last time apt-get on that Debian/Ubuntu machine installed package upgrades?”

  • Reliably answering this is a lot harder than it looks, subject of countless discussions and really does need to parse /var/log/apt/history.log, which is painful.
  • The script below maintains a file /var/log/apt/lastupgrade with the last upgrade’s time stamp, for further processing.
  • Does NOT track invocations of apt-get upgrade that did not lead to package upgrades.
  • Does NOT look behind logfile rotations, which should not be a problem because it’s closely hooked to dpkg.

/usr/sbin/apt-lastupgrade:

#!/bin/bash

while IFS=: read -r key value
do
	if [[ "${key}" == 'Start-Date' ]]
	then
		upgraded=0
	elif [[ "${key}" == 'Upgrade' ]]
	then
		upgraded=1
	elif [[ "${key}" == 'End-Date' ]]
	then
		if [[ ${upgraded} -eq 1 ]]
		then
			printf -v lastupgrade "%s" "${value}"
		fi
		upgraded=0
	fi
done < /var/log/apt/history.log

if [[ -v lastupgrade ]]
then
	tee /var/log/apt/lastupgrade <<-Here
	# Timestamp of last upgrade: ${lastupgrade}
	Here
	touch -d "${lastupgrade}" /var/log/apt/lastupgrade
fi

/etc/apt/apt.conf.d/90lastupgrade:

DPkg::Post-Invoke {"/usr/bin/systemd-run --on-active=60 /usr/sbin/apt-lastupgrade || /bin/true"};

Path of running shell script, dirname for locating config files, includes etc.

me_path="$(readlink -f "${0}")"
me_dir="$(dirname "${me_path}")"
me_base="$(basename "${me_path}")"

Debian /boot old kernel images

So I was looking at yet another failed apt-get upgrade because /boot was full.
After my initial whining on Twitter, I immediately received a hint towards /etc/apt/apt.conf.d/01autoremove-kernels, which gets generated from /etc/kernel/postinst.d/apt-auto-removal after the installation of new kernel images. The file contains a list of kernels that the package manager considers vital at this time. In theory, all kernels not covered by this list should be able to be autoremoved by running apt-get autoremove.
However it turns out that apt-get autoremove would not remove any kernels at all, at least not on this system. After a bit of peeking around on Stackexchange, it turns out that this still somewhat newish concept seems to be ridden by a few bugs, especially concerning kernels that are (Wrongfully? Rightfully? I just don’t know.) marked as manually-installed in the APT database: “Why doesn’t apt-get autoremove remove my old kernels?”
The solution, as suggested by an answer to the linked question, is to mark all kernel packages as autoinstalled before running apt-get autoremove:

apt-mark showmanual |
 grep -E "^linux-([[:alpha:]]+-)+[[:digit:].]+-[^-]+(|-.+)$" |
 xargs -n 1 apt-mark auto

I’m not an APT expert, but I’m posting this because the post-install hook that prevents the current kernel from being autoremoved makes the procedure appear “safe enough”. As always, reader discretion is advised. And there’s also the hope that it will get sorted out fully in the future.