[dak/master] debian-security: place locks around dak commands that affect packages
We don't want process-upload and generate-packages-sources2 or similar
combinations running at the same time. So just create a lock around such
sections.
---
config/debian-security/cron.daily | 16 +++++++++++
config/debian-security/cron.unchecked | 14 +++++++++
config/debian-security/cron.weekly | 17 +++++++++++
dak/new_security_install.py | 48 +++++++++++++++++++-------------
4 files changed, 75 insertions(+), 20 deletions(-)
diff --git a/config/debian-security/cron.daily b/config/debian-security/cron.daily
index abe3c08..ba1d11e 100755
--- a/config/debian-security/cron.daily
+++ b/config/debian-security/cron.daily
@@ -6,6 +6,8 @@ set -e
export SCRIPTVARS=/srv/security-master.debian.org/dak/config/debian-security/vars
. $SCRIPTVARS
+LOCKFILE="$lockdir/unchecked.lock"
+
################################################################################
# Fix overrides
@@ -66,10 +68,24 @@ done
cd $configdir
dak import-keyring -L /srv/keyring.debian.org/keyrings/debian-keyring.gpg
+
+cleanup() {
+ rm -f "$LOCKFILE"
+}
+
+if ! lockfile -r100 "$LOCKFILE"; then
+ echo "Could not lock $LOCKFILE." >&2
+ exit 1
+fi
+trap cleanup EXIT
+
dak clean-queues
dak clean-queues -i $disembargo
dak clean-suites
+cleanup
+trap - EXIT
+
symlinks -d -r $ftpdir
pg_dump obscurity > /org/security-master.debian.org/dak-backup/dump_$(date +%Y.%m.%d-%H:%M:%S)
diff --git a/config/debian-security/cron.unchecked b/config/debian-security/cron.unchecked
index e6ccf82..eea530b 100755
--- a/config/debian-security/cron.unchecked
+++ b/config/debian-security/cron.unchecked
@@ -15,6 +15,7 @@ reportdis=$queuedir/REPORT.disembargo
timestamp=$(date "+%Y-%m-%d %H:%M")
doanything=false
dopolicy=false
+LOCKFILE="$lockdir/unchecked.lock"
# So first we should go and see if any process-policy action is done
dak process-policy embargoed | mail -a "X-Debian: DAK" -e -s "Automatically accepted from embargoed" team@security.debian.org -- -F "Debian FTP Masters" -f ftpmaster@ftp-master.debian.org
@@ -24,6 +25,16 @@ dak process-policy unembargoed | mail -a "X-Debian: DAK" -e -s "Automatically ac
# in newstage mean they are (late) accepts of security stuff, need
# to sync to ftp-master
+cleanup() {
+ rm -f "$LOCKFILE"
+}
+
+if ! lockfile -r8 "$LOCKFILE"; then
+ echo "aborting cron.unchecked because $LOCKFILE has already been locked"
+ exit 0
+fi
+trap cleanup EXIT
+
cd $newstage
changes=$(find . -maxdepth 1 -mindepth 1 -type f -name \*.changes | sed -e "s,./,," | xargs)
if [ -n "$changes" ]; then
@@ -70,4 +81,7 @@ if [ "x${dopolicy}x" = "xtruex" ]; then
sudo -u archvsync -H /home/archvsync/signal_security
fi
+cleanup
+trap - EXIT
+
$configdir/cron.buildd
diff --git a/config/debian-security/cron.weekly b/config/debian-security/cron.weekly
index 80a8353..15c9d16 100755
--- a/config/debian-security/cron.weekly
+++ b/config/debian-security/cron.weekly
@@ -6,13 +6,30 @@ set -e
export SCRIPTVARS=/srv/security-master.debian.org/dak/config/debian-security/vars
. $SCRIPTVARS
+LOCKFILE="$lockdir/unchecked.lock"
+
################################################################################
# Weekly generation of release files, then pushing mirrors.
# Used as we have a "Valid-until" field in our release files of 10 days. In case
# we dont have a security update in that time...
cd $configdir
+
+cleanup() {
+ rm -f "$LOCKFILE"
+}
+
+if ! lockfile -r100 "$LOCKFILE"; then
+ echo "Could not lock $LOCKFILE. Assuming resigning is not needed."
+ exit 0
+fi
+trap cleanup EXIT
+
dak generate-releases
+
+cleanup
+trap - EXIT
+
/srv/security-master.debian.org/dak/config/debian-security/make-mirror.sh
sudo -u archvsync -H /home/archvsync/signal_security
diff --git a/dak/new_security_install.py b/dak/new_security_install.py
index 65df7b0..fb2d5cc 100755
--- a/dak/new_security_install.py
+++ b/dak/new_security_install.py
@@ -95,26 +95,34 @@ def _do_Approve():
print "Sync stuff for upload to ftpmaster"
spawn("rsync -a -q %s/. /srv/queued/ftpmaster/." % (newstage.path))
- # 3. Now run process-upload in the newstage dir
- print "Now put it into the security archive"
- spawn("dak process-upload -a -d %s" % (newstage.path))
-
- # 4. Run all the steps that are needed to publish the changed archive
- print "Domination"
- spawn("dak dominate")
-# print "Generating filelist for apt-ftparchive"
-# spawn("dak generate-filelist")
- print "Updating Packages and Sources files... This may take a while, be patient"
- spawn("/srv/security-master.debian.org/dak/config/debian-security/map.sh")
-# spawn("apt-ftparchive generate %s" % (utils.which_apt_conf_file()))
- spawn("dak generate-packages-sources2")
- print "Updating Release files..."
- spawn("dak generate-releases")
- print "Triggering security mirrors... (this may take a while)"
- spawn("/srv/security-master.debian.org/dak/config/debian-security/make-mirror.sh")
- spawn("sudo -u archvsync -H /home/archvsync/signal_security")
- print "Triggering metadata export for packages.d.o and other consumers"
- spawn("/srv/security-master.debian.org/dak/config/debian-security/export.sh")
+ print "Locking unchecked"
+ lockfile='/srv/security-master.debian.org/lock/unchecked.lock'
+ spawn("lockfile -r8 {0}".format(lockfile))
+
+ try:
+ # 3. Now run process-upload in the newstage dir
+ print "Now put it into the security archive"
+ spawn("dak process-upload -a -d %s" % (newstage.path))
+
+ # 4. Run all the steps that are needed to publish the changed archive
+ print "Domination"
+ spawn("dak dominate")
+ # print "Generating filelist for apt-ftparchive"
+ # spawn("dak generate-filelist")
+ print "Updating Packages and Sources files... This may take a while, be patient"
+ spawn("/srv/security-master.debian.org/dak/config/debian-security/map.sh")
+ # spawn("apt-ftparchive generate %s" % (utils.which_apt_conf_file()))
+ spawn("dak generate-packages-sources2")
+ print "Updating Release files..."
+ spawn("dak generate-releases")
+ print "Triggering security mirrors... (this may take a while)"
+ spawn("/srv/security-master.debian.org/dak/config/debian-security/make-mirror.sh")
+ spawn("sudo -u archvsync -H /home/archvsync/signal_security")
+ print "Triggering metadata export for packages.d.o and other consumers"
+ spawn("/srv/security-master.debian.org/dak/config/debian-security/export.sh")
+ finally:
+ os.unlink(lockfile)
+ print "Lock released."
########################################################################
########################################################################
--
1.7.2.5
Reply to: