
Re: How do I permanently disable unattended downloads of software/security updates?



On Wed, Jun 02, 2021 at 09:03:23PM +0200, Linux-Fan wrote:
> 	alias systemctl='systemctl -l --no-pager'
> 	alias journalctl='journalctl --no-pager'

Hmm, that's handy because it preserves the underline/boldface terminal
markup, unlike the |cat trick.

> > systemctl list-timers | grep apt
> 
> As far as I can tell, these ultimately lead to
> /usr/lib/apt/apt.systemd.daily which in turn claims to honor
> `APT::Periodic::Enable "1";` from /etc/apt/apt.conf.d.

I've just spent a few minutes reading /usr/lib/apt/apt.systemd.daily ...
it's not pretty.[1]

First thing I noticed is that in the absence of APT::Periodic::Enable
it *assumes* 1 (yes).  It does this by setting a variable to 1, and then
running the following command:

apt-config shell AutoAptEnable APT::Periodic::Enable

capturing the output, eval-ing it (without quotes!), and then checking
whether that shell variable's value is still 1.  On my system, where
there is no APT::Periodic::Enable in any part of apt's config, the
output of that apt-config command is empty.  So the eval does nothing,
and the variable remains set to 1 (yes).

The next thing I noticed is that apt-daily-upgrade.service runs the same
script with "install" as its argument.  The section of the script that
this triggers is basically a giant wrapper around unattended-upgrade.
If unattended-upgrade is not found in PATH (using a *terrible* check),
pretty much nothing happens.  Of course, it doesn't bother logging that
unless it's running in debug mode.

> # journalctl -u apt-daily-upgrade.service
> -- Logs begin at Wed 2021-06-02 12:24:45 CEST, end at Wed 2021-06-02
> 20:47:39 CEST. --
> Jun 02 12:24:55 masysma-18 systemd[1]: Starting Daily apt upgrade and clean
> activities...
> Jun 02 12:24:56 masysma-18 systemd[1]: apt-daily-upgrade.service: Succeeded.
> Jun 02 12:24:56 masysma-18 systemd[1]: Started Daily apt upgrade and clean
> activities.

Mine is similar, albeit much longer.  Note that on my system,
unattended-upgrade is not installed.

[1] Here's one example:

    if which unattended-upgrade >/dev/null 2>&1 && env LC_ALL=C.UTF-8 unattended-upgrade --help | grep -q download-only && check_stamp $DOWNLOAD_UPGRADEABLE_STAMP $UnattendedUpgradeInterval; then
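
The default-to-enabled check described in this message, as an added example that is not part of the original post or of apt's script. `fake_apt_config_shell` and `FAKE_APT_CONF` are hypothetical stand-ins for `apt-config shell` and apt's configuration, assumed to print `VAR='value'` only when the key is set.

```shell
#!/bin/sh
# Added illustration; fake_apt_config_shell and FAKE_APT_CONF are hypothetical
# stand-ins so this runs without apt installed.

# Emulates `apt-config shell VAR KEY`: prints VAR='value' when KEY is set,
# and prints nothing at all when it is not.
fake_apt_config_shell() {
    printf '%s\n' "$FAKE_APT_CONF" | while read -r key value; do
        if [ "$key" = "$2" ]; then
            printf "%s='%s'\n" "$1" "$value"
        fi
    done
}

# The check as described in the message: preset the variable to 1, eval the
# command's output (quoted here), then test whether the variable is still 1.
periodic_state() {
    FAKE_APT_CONF=$1
    AutoAptEnable=1
    eval "$(fake_apt_config_shell AutoAptEnable APT::Periodic::Enable)"
    if [ "$AutoAptEnable" = 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Constructed sample configurations, one "key value" pair per line.
echo "key absent:       $(periodic_state '')"
echo "other key only:   $(periodic_state 'APT::Periodic::Unattended-Upgrade 0')"
echo "Enable set to 0:  $(periodic_state 'APT::Periodic::Enable 0')"
echo "Enable set to 1:  $(periodic_state 'APT::Periodic::Enable 1')"
```

In this model only an explicit `APT::Periodic::Enable` value other than 1 changes the outcome; an absent key, or a different key set to 0, leaves the variable at its preset 1.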
