From: Ansgar Burchardt Date: Mon, 27 Feb 2012 23:13:29 +0000 (+0100) Subject: debian-security: place locks around dak commands that affect packages X-Git-Url: https://git.decadent.org.uk/gitweb/?a=commitdiff_plain;h=ebec9bc1c451491b8558e6012680e7d37c0bc595;p=dak.git debian-security: place locks around dak commands that affect packages We don't want process-upload and generate-packages-sources2 or similar combinations running at the same time. So just create a lock around such sections. --- diff --git a/config/debian-security/cron.daily b/config/debian-security/cron.daily index abe3c08a..ba1d11ee 100755 --- a/config/debian-security/cron.daily +++ b/config/debian-security/cron.daily @@ -6,6 +6,8 @@ set -e export SCRIPTVARS=/srv/security-master.debian.org/dak/config/debian-security/vars . $SCRIPTVARS +LOCKFILE="$lockdir/unchecked.lock" + ################################################################################ # Fix overrides @@ -66,10 +68,24 @@ done cd $configdir dak import-keyring -L /srv/keyring.debian.org/keyrings/debian-keyring.gpg + +cleanup() { + rm -f "$LOCKFILE" +} + +if ! lockfile -r100 "$LOCKFILE"; then + echo "Could not lock $LOCKFILE." >&2 + exit 1 +fi +trap cleanup EXIT + dak clean-queues dak clean-queues -i $disembargo dak clean-suites +cleanup +trap - EXIT + symlinks -d -r $ftpdir pg_dump obscurity > /org/security-master.debian.org/dak-backup/dump_$(date +%Y.%m.%d-%H:%M:%S) diff --git a/config/debian-security/cron.unchecked b/config/debian-security/cron.unchecked index e6ccf824..eea530b4 100755 --- a/config/debian-security/cron.unchecked +++ b/config/debian-security/cron.unchecked @@ -15,6 +15,7 @@ reportdis=$queuedir/REPORT.disembargo timestamp=$(date "+%Y-%m-%d %H:%M") doanything=false dopolicy=false +LOCKFILE="$lockdir/unchecked.lock" # So first we should go and see if any process-policy action is done dak process-policy embargoed | mail -a "X-Debian: DAK" -e -s "Automatically accepted from embargoed" team@security.debian.org -- -F "Debian FTP Masters" -f ftpmaster@ftp-master.debian.org @@ -24,6 +25,16 @@ dak process-policy unembargoed | mail -a "X-Debian: DAK" -e -s "Automatically ac # in newstage mean they are (late) accepts of security stuff, need # to sync to ftp-master +cleanup() { + rm -f "$LOCKFILE" +} + +if ! lockfile -r8 "$LOCKFILE"; then + echo "aborting cron.unchecked because $LOCKFILE has already been locked" + exit 0 +fi +trap cleanup EXIT + cd $newstage changes=$(find . -maxdepth 1 -mindepth 1 -type f -name \*.changes | sed -e "s,./,," | xargs) if [ -n "$changes" ]; then @@ -70,4 +81,7 @@ if [ "x${dopolicy}x" = "xtruex" ]; then sudo -u archvsync -H /home/archvsync/signal_security fi +cleanup +trap - EXIT + $configdir/cron.buildd diff --git a/config/debian-security/cron.weekly b/config/debian-security/cron.weekly index 80a83538..15c9d16f 100755 --- a/config/debian-security/cron.weekly +++ b/config/debian-security/cron.weekly @@ -6,13 +6,30 @@ set -e export SCRIPTVARS=/srv/security-master.debian.org/dak/config/debian-security/vars . $SCRIPTVARS +LOCKFILE="$lockdir/unchecked.lock" + ################################################################################ # Weekly generation of release files, then pushing mirrors. # Used as we have a "Valid-until" field in our release files of 10 days. In case # we dont have a security update in that time... cd $configdir + +cleanup() { + rm -f "$LOCKFILE" +} + +if ! lockfile -r100 "$LOCKFILE"; then + echo "Could not lock $LOCKFILE. Assuming resigning is not needed." + exit 0 +fi +trap cleanup EXIT + dak generate-releases + +cleanup +trap - EXIT + /srv/security-master.debian.org/dak/config/debian-security/make-mirror.sh sudo -u archvsync -H /home/archvsync/signal_security diff --git a/dak/new_security_install.py b/dak/new_security_install.py index 65df7b08..fb2d5ccf 100755 --- a/dak/new_security_install.py +++ b/dak/new_security_install.py @@ -95,26 +95,34 @@ def _do_Approve(): print "Sync stuff for upload to ftpmaster" spawn("rsync -a -q %s/. /srv/queued/ftpmaster/." % (newstage.path)) - # 3. Now run process-upload in the newstage dir - print "Now put it into the security archive" - spawn("dak process-upload -a -d %s" % (newstage.path)) - - # 4. Run all the steps that are needed to publish the changed archive - print "Domination" - spawn("dak dominate") -# print "Generating filelist for apt-ftparchive" -# spawn("dak generate-filelist") - print "Updating Packages and Sources files... This may take a while, be patient" - spawn("/srv/security-master.debian.org/dak/config/debian-security/map.sh") -# spawn("apt-ftparchive generate %s" % (utils.which_apt_conf_file())) - spawn("dak generate-packages-sources2") - print "Updating Release files..." - spawn("dak generate-releases") - print "Triggering security mirrors... (this may take a while)" - spawn("/srv/security-master.debian.org/dak/config/debian-security/make-mirror.sh") - spawn("sudo -u archvsync -H /home/archvsync/signal_security") - print "Triggering metadata export for packages.d.o and other consumers" - spawn("/srv/security-master.debian.org/dak/config/debian-security/export.sh") + print "Locking unchecked" + lockfile='/srv/security-master.debian.org/lock/unchecked.lock' + spawn("lockfile -r8 {0}".format(lockfile)) + + try: + # 3. Now run process-upload in the newstage dir + print "Now put it into the security archive" + spawn("dak process-upload -a -d %s" % (newstage.path)) + + # 4. Run all the steps that are needed to publish the changed archive + print "Domination" + spawn("dak dominate") + # print "Generating filelist for apt-ftparchive" + # spawn("dak generate-filelist") + print "Updating Packages and Sources files... This may take a while, be patient" + spawn("/srv/security-master.debian.org/dak/config/debian-security/map.sh") + # spawn("apt-ftparchive generate %s" % (utils.which_apt_conf_file())) + spawn("dak generate-packages-sources2") + print "Updating Release files..." + spawn("dak generate-releases") + print "Triggering security mirrors... (this may take a while)" + spawn("/srv/security-master.debian.org/dak/config/debian-security/make-mirror.sh") + spawn("sudo -u archvsync -H /home/archvsync/signal_security") + print "Triggering metadata export for packages.d.o and other consumers" + spawn("/srv/security-master.debian.org/dak/config/debian-security/export.sh") + finally: + os.unlink(lockfile) + print "Lock released." ######################################################################## ########################################################################