fix: checkUpgradable runs unconditionally in dpkg #1072
Conversation
Signed-off-by: amanycodes <amanycodes@gmail.com>
amanycodes
requested review from
ashnamehrotra,
jeremyrickard and
sozercan
as code owners
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1072 +/- ##
==========================================
- Coverage 42.73% 42.57% -0.17%
==========================================
Files 24 24
Lines 3938 3951 +13
==========================================
- Hits 1683 1682 -1
- Misses 2127 2138 +11
- Partials 128 131 +3 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
amanycodes
changed the title
|
@amanycodes thanks for investigating! this should be expected behavior (if there are no upgradable packages with scan report or update all we should error out). It should be the case for dpkg, and rpm - can we change it for apk? In the issue I was referring to the logs such as "no patchable packages found" which we output for rpm but do not explicitly output in other cases. This way users will know patching is failing because there were not upgradable packages. Let me know if that makes sense! |
Yeah, makes sense! will update the dpkg and apk to show the error of "no patchable packages found". I misunderstood this with existing packages not being further upgradable. Thanks for clarification! Also is that unconditional execution in |
Signed-off-by: amanycodes <amanycodes@gmail.com>
|
I'm still confused about the check we're doing in |
|
@amanycodes for all package managers we want to error out if there are no upgradable packages - thats why we check for that in debian, and want to do it similarly for apk - it looks like right now its within the update all case |
Signed-off-by: amanycodes <amanycodes@gmail.com>
|
@ashnamehrotra @robert-cronin @amanycodes do we want this to be in v0.11 release? |
| ).Root() | ||
|
|
||
| checkUpgradable := `sh -c "apt-get -s upgrade 2>/dev/null | grep -q "^Inst" || exit 1"` | ||
| checkUpgradable := `sh -c "apt-get -s upgrade 2>/dev/null | grep -q "^Inst" > /upgradable.txt || exit 1"` |
There was a problem hiding this comment.
can we do the same thing in the case of distroless images (unpackAndMergeUpdates func)
There was a problem hiding this comment.
and then same thing for rpm distroless just to keep the errors consistent
Signed-off-by: amanycodes <amanycodes@gmail.com>
|
@amanycodes looks like tests are failing for debian patching with no scan report |
the image we are testing doesn't have any upgradable packages and we are returning the required error "no patchable packages found". I think the right now the workflow intends to patch successfully that's why it's failing. Should I update the test to allow "no patchable packages found" as a valid error in this case? |
|
@amanycodes the images have outdated packages, you can run the images to check or scan with trivy to test |
Signed-off-by: amanycodes <amanycodes@gmail.com>
Signed-off-by: amanycodes <amanycodes@gmail.com>
|
@ashnamehrotra I tried but actually I am having trouble finding the exact location of checking the upgradable package among the distroless command shenanigans, I tried multiple approaches but they aren't working. please let me know where am i going wrong |
| checkUpgradable := `sh -c "apt-get -s upgrade 2>/dev/null | grep -q \"^Inst\" > /upgradable.txt || exit 1"` | ||
| updatedCheck := updated.Run(llb.Shlex(checkUpgradable)).Root() | ||
| _, err = buildkit.ExtractFileFromState(ctx, dm.config.Client, &updatedCheck, "/upgradable.txt") | ||
| if err != nil { |
There was a problem hiding this comment.
I think the problem is here, you are just checking if this file exists, and it will always be created even if it is empty.
There was a problem hiding this comment.
@amanycodes I guess you could instead use the file bytes returned in the first arg to check if the file is empty?
|
@amanycodes are you still working on this? should we resolve via #1274 ? |
|
closing this for #1274, @amanycodes to reopen that one |
github-project-automation
bot
moved this from 🏗 In progress
to ✅ Done
in Copacetic Workboard
4 participants
This PR checks and improves log consistency for "No Upgradable Packages" (NUP) across
rpm,dpkg, andapkpackage managers. It also fixes a bug in the dpkg manager (later discussed).I ran
copa patchwith a dummy report to simulate NUP. Dummy Report structure (dpkg example):I checked consistency on two cases for each package manager:
installedVersion == FixedVersionand expected a log like:INFO[...] Validated package <pkg> version <ver> meets requested version <ver>FixedVersion > InstalledVersion: The package manager attempts an upgrade but leaves the package at its originalInstalledVersionbecause the higherFixedVersionis not found in its repositories and expected log like:ERRO[...] installed package <pkg> version <ver> is lower than required <ver> from reportI used a regular copa patch command:
copa patch -i $IMAGE -r $REPORT --debugFor apk: I used
alpine:latestand checked forbusyboxandscanelfand got:For rpm: I used
rockylinux:9-minimaland checked forcoreutils-singleand got:For dpkg: I used
ubuntu:22.04and checked fortarand got:and in
dpkgI found the inconsistency. Upon checking theinstallUpdates()I found thatcheckUpgragdablewas being unconditionally executed. copa was failing & terminating the patching early if image has no general updates even though report was specified. I have now fixed this and it's being conditionally executed(only running this check in "update all" mode like in apk.go).This makes the logging for NUP consistent across all package managers.
partially closes: #1010