[pve-devel] [RFC qemu-server] apt hook: warn against using 'upgrade' command

[pve-devel] [RFC qemu-server] apt hook: warn against using 'upgrade' command

[Fiona Ebner]

Many people will use 'upgrade' instead of 'full-upgrade' or
'dist-upgrade' (e.g. [0][1]) despite the documentation explicitly
mentioning 'dist-upgrade' [3]. Proxmox VE uses different packaging
guarantees than Debian and using 'upgrade' can lead to a broken
system [2].

The match is kept simple, to not accidentally catch things like
> -o 'foo=bar upgrade baz'
and trip up advanced users.

It does not catch invocations with '-y' either, making it less likely
to break automated user scripts. Although they should not use
'upgrade' either, it still would be bad to break them. If the risk is
still considered too high, this change should wait until a major or
at least point release.

To avoid false positives, it would be necessary to properly parse
options, which is likely not worth the effort.

A downside is that the hook is only invoked after the user confirms
the upgrade, but there doesn't seem to be an early enough hook entry
(DPkg::Pre-Invoke is also too late). Since this is just an additional
safety warning to guide new users, it should still be good enough.

[0]: https://forum.proxmox.com/threads/150217/post-680158
[1]: https://forum.proxmox.com/threads/140580/post-630419
[2]: https://www.reddit.com/r/Proxmox/comments/ujqig9/use_apt_distupgrade_or_the_gui_not_apt_upgrade/
[3]: https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#system_software_updates

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 debian/apthook/pve-apt-hook | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/debian/apthook/pve-apt-hook b/debian/apthook/pve-apt-hook
index 47629bc..b41d0fe 100755
--- a/debian/apthook/pve-apt-hook
+++ b/debian/apthook/pve-apt-hook
@@ -55,6 +55,14 @@ my $blank;
 while (my $line = <$fh>) {
   chomp $line;
 
+  if ($line && $line =~ m/^CommandLine::AsString=apt(-get)?%20upgrade$/) {
+    $log->("!! WARNING !!\n");
+    $log->("Using 'upgrade' can violate packaging assumptions made by Proxmox VE. Use 'dist-upgrade' instead.\n");
+    $log->("\n");
+    $log->("Press enter to continue, or C^c to abort.\n");
+    $cleanup->(0, 1);
+  }
+
   if (!defined($blank)) {
     $blank = 1 if !$line;
     next;
-- 
2.39.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [RFC qemu-server] apt hook: warn against using 'upgrade' command

[Fiona Ebner]

Sorry, messed up the subject-prefix, since I copy-pasted it in the
.git/config and forgot to change. This is for proxmox-ve of course.


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [RFC qemu-server] apt hook: warn against using 'upgrade' command

[Dominik Csapak]

just to mention it (i think it's not widely known):

'apt upgrade' behaves slightly different than 'apt-get upgrade'

while the former also installs new packages if necessary, the latter
doesn't, so an 'apt upgrade' will maybe work ok in most sitations.
I guess we want to filter it out nonetheless?

(none of the commands above will remove packages)


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [RFC qemu-server] apt hook: warn against using 'upgrade' command

[Alexander Zeidler]

On Fri Sep 6, 2024 at 12:40 PM CEST, Fiona Ebner wrote:
> (DPkg::Pre-Invoke is also too late). Since this is just an additional
> safety warning to guide new users, it should still be good enough.

> +  if ($line && $line =~ m/^CommandLine::AsString=apt(-get)?%20upgrade$/) {
> +    $log->("!! WARNING !!\n");
> +    $log->("Using 'upgrade' can violate packaging assumptions made by Proxmox VE. Use 'dist-upgrade' instead.\n");
> +    $log->("\n");

As "an additional safety warning to guide new users", we may want to
rephrase this line:
> +    $log->("Press enter to continue, or C^c to abort.\n");
to something like:
"Press CTRL+C to abort, or ENTER to continue anyway."


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [RFC qemu-server] apt hook: warn against using 'upgrade' command

[Thomas Lamprecht]

Am 06/09/2024 um 13:01 schrieb Dominik Csapak:
> just to mention it (i think it's not widely known):
> 
> 'apt upgrade' behaves slightly different than 'apt-get upgrade'
> 
> while the former also installs new packages if necessary, the latter
> doesn't, so an 'apt upgrade' will maybe work ok in most sitations.
> I guess we want to filter it out nonetheless?
> 
> (none of the commands above will remove packages)

that's all true, but I agree also with your guess, we rely on removals
to happen as we have semi-frequent transitions during a stable release
cycle, so while `apt upgrade` is thankfully way more sensible already,
it still isn't enough for our use case.



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [RFC qemu-server] apt hook: warn against using 'upgrade' command

[Thomas Lamprecht]

Am 06/09/2024 um 14:16 schrieb Alexander Zeidler:
> On Fri Sep 6, 2024 at 12:40 PM CEST, Fiona Ebner wrote:
>> (DPkg::Pre-Invoke is also too late). Since this is just an additional
>> safety warning to guide new users, it should still be good enough.
> 
>> +  if ($line && $line =~ m/^CommandLine::AsString=apt(-get)?%20upgrade$/) {
>> +    $log->("!! WARNING !!\n");
>> +    $log->("Using 'upgrade' can violate packaging assumptions made by Proxmox VE. Use 'dist-upgrade' instead.\n");
>> +    $log->("\n");
> 
> As "an additional safety warning to guide new users", we may want to
> rephrase this line:
>> +    $log->("Press enter to continue, or C^c to abort.\n");
> to something like:
> "Press CTRL+C to abort, or ENTER to continue anyway."

FWIW, if we do this then I probably would keep enter spelled lower case,
simply to avoid it sticking so much out to user to trigger reflexes and
pressing enter without fully reading the message.


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [RFC qemu-server] apt hook: warn against using 'upgrade' command

[Thomas Lamprecht]

Am 06/09/2024 um 12:40 schrieb Fiona Ebner:
> Many people will use 'upgrade' instead of 'full-upgrade' or
> 'dist-upgrade' (e.g. [0][1]) despite the documentation explicitly
> mentioning 'dist-upgrade' [3]. Proxmox VE uses different packaging
> guarantees than Debian and using 'upgrade' can lead to a broken
> system [2].
> 
> The match is kept simple, to not accidentally catch things like
>> -o 'foo=bar upgrade baz'
> and trip up advanced users.
> 
> It does not catch invocations with '-y' either, making it less likely
> to break automated user scripts. Although they should not use
> 'upgrade' either, it still would be bad to break them. If the risk is
> still considered too high, this change should wait until a major or
> at least point release.
> 
> To avoid false positives, it would be necessary to properly parse
> options, which is likely not worth the effort.
> 
> A downside is that the hook is only invoked after the user confirms
> the upgrade, but there doesn't seem to be an early enough hook entry
> (DPkg::Pre-Invoke is also too late). Since this is just an additional
> safety warning to guide new users, it should still be good enough.
> 
> [0]: https://forum.proxmox.com/threads/150217/post-680158
> [1]: https://forum.proxmox.com/threads/140580/post-630419
> [2]: https://www.reddit.com/r/Proxmox/comments/ujqig9/use_apt_distupgrade_or_the_gui_not_apt_upgrade/
> [3]: https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#system_software_updates
> 

yeah, it's something I considered here and then but never pulled through,
as it just somehow doesn't feel right...

But it's definitively a real problem, and so I surely won't block this on
the basis of some gut feeling, I'd rather like to hear Fabian's opinion on
it.


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [RFC qemu-server] apt hook: warn against using 'upgrade' command

[Fabian Grünbichler]

> Thomas Lamprecht <t.lamprecht@proxmox.com> hat am 06.09.2024 18:58 CEST geschrieben:  
> Am 06/09/2024 um 12:40 schrieb Fiona Ebner:
> > Many people will use 'upgrade' instead of 'full-upgrade' or
> > 'dist-upgrade' (e.g. [0][1]) despite the documentation explicitly
> > mentioning 'dist-upgrade' [3]. Proxmox VE uses different packaging
> > guarantees than Debian and using 'upgrade' can lead to a broken
> > system [2].

just a slight nit here: you should only end up with a broken system if we miss properly tracking some inter-package relationship. it can happen happen (and probably does, from time to time), but in the vast majority of cases "apt[-get] upgrade" should at most leave you stuck with an outdated system (with APT telling you that there are still packages to be upgraded), not a broken one. we did get a lot better about accounting for these things over the past few years (but of course, we don't have anywhere close to the infrastructure that Debian has for automated tracking and testing).

> > The match is kept simple, to not accidentally catch things like
> >> -o 'foo=bar upgrade baz'
> > and trip up advanced users.
> > 
> > It does not catch invocations with '-y' either, making it less likely
> > to break automated user scripts. Although they should not use
> > 'upgrade' either, it still would be bad to break them. If the risk is
> > still considered too high, this change should wait until a major or
> > at least point release.
> > 
> > To avoid false positives, it would be necessary to properly parse
> > options, which is likely not worth the effort.
> > 
> > A downside is that the hook is only invoked after the user confirms
> > the upgrade, but there doesn't seem to be an early enough hook entry
> > (DPkg::Pre-Invoke is also too late). Since this is just an additional
> > safety warning to guide new users, it should still be good enough.
> > 
> > [0]: https://forum.proxmox.com/threads/150217/post-680158
> > [1]: https://forum.proxmox.com/threads/140580/post-630419
> > [2]: https://www.reddit.com/r/Proxmox/comments/ujqig9/use_apt_distupgrade_or_the_gui_not_apt_upgrade/
> > [3]: https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#system_software_updates
> > 
> 
> yeah, it's something I considered here and then but never pulled through,
> as it just somehow doesn't feel right...
> 
> But it's definitively a real problem, and so I surely won't block this on
> the basis of some gut feeling, I'd rather like to hear Fabian's opinion on
> it.

given that I also use `apt upgrade` from time to time (habit from being an unstable user ;)), and that it might alienate power users coming from Debian, I'd prefer this to be a non-interactive warning with the text "disarmed" a bit?

something like

!! WARNING !!
Since Proxmox VE follows a rolling release model, using 'upgrade' can lead to a system being stuck on outdated versions, or in rare cases, break upon upgrading. Use 'dist-upgrade' or 'full-upgrade' instead.
!! WARNING !!

with or without a prompt (it's a pity that the hook is not executed with the config before the regular confirmation prompt, else we could just depend on that)?


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [RFC qemu-server] apt hook: warn against using 'upgrade' command

[Fiona Ebner]

Am 09.09.24 um 09:48 schrieb Fabian Grünbichler:
>> Thomas Lamprecht <t.lamprecht@proxmox.com> hat am 06.09.2024 18:58 CEST geschrieben:  
>> Am 06/09/2024 um 12:40 schrieb Fiona Ebner:
>>> Many people will use 'upgrade' instead of 'full-upgrade' or
>>> 'dist-upgrade' (e.g. [0][1]) despite the documentation explicitly
>>> mentioning 'dist-upgrade' [3]. Proxmox VE uses different packaging
>>> guarantees than Debian and using 'upgrade' can lead to a broken
>>> system [2].
> 
> just a slight nit here: you should only end up with a broken system if we miss properly tracking some inter-package relationship. it can happen happen (and probably does, from time to time), but in the vast majority of cases "apt[-get] upgrade" should at most leave you stuck with an outdated system (with APT telling you that there are still packages to be upgraded), not a broken one. we did get a lot better about accounting for these things over the past few years (but of course, we don't have anywhere close to the infrastructure that Debian has for automated tracking and testing).

Okay, will change the commit message in v2.

> 
>>> The match is kept simple, to not accidentally catch things like
>>>> -o 'foo=bar upgrade baz'
>>> and trip up advanced users.
>>>
>>> It does not catch invocations with '-y' either, making it less likely
>>> to break automated user scripts. Although they should not use
>>> 'upgrade' either, it still would be bad to break them. If the risk is
>>> still considered too high, this change should wait until a major or
>>> at least point release.
>>>
>>> To avoid false positives, it would be necessary to properly parse
>>> options, which is likely not worth the effort.
>>>
>>> A downside is that the hook is only invoked after the user confirms
>>> the upgrade, but there doesn't seem to be an early enough hook entry
>>> (DPkg::Pre-Invoke is also too late). Since this is just an additional
>>> safety warning to guide new users, it should still be good enough.
>>>
>>> [0]: https://forum.proxmox.com/threads/150217/post-680158
>>> [1]: https://forum.proxmox.com/threads/140580/post-630419
>>> [2]: https://www.reddit.com/r/Proxmox/comments/ujqig9/use_apt_distupgrade_or_the_gui_not_apt_upgrade/
>>> [3]: https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#system_software_updates
>>>
>>
>> yeah, it's something I considered here and then but never pulled through,
>> as it just somehow doesn't feel right...
>>
>> But it's definitively a real problem, and so I surely won't block this on
>> the basis of some gut feeling, I'd rather like to hear Fabian's opinion on
>> it.
> 
> given that I also use `apt upgrade` from time to time (habit from being an unstable user ;)), and that it might alienate power users coming from Debian, I'd prefer this to be a non-interactive warning with the text "disarmed" a bit?
> 
> something like
> 
> !! WARNING !!
> Since Proxmox VE follows a rolling release model, using 'upgrade' can lead to a system being stuck on outdated versions, or in rare cases, break upon upgrading. Use 'dist-upgrade' or 'full-upgrade' instead.
> !! WARNING !!
> 
> with or without a prompt (it's a pity that the hook is not executed with the config before the regular confirmation prompt, else we could just depend on that)?

Sounds good. And since it is so rare, I'd just leave out the additional
confirmation prompt then.


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [RFC qemu-server] apt hook: warn against using 'upgrade' command

[Thomas Lamprecht]

Am 09/09/2024 um 09:52 schrieb Fiona Ebner:
> Am 09.09.24 um 09:48 schrieb Fabian Grünbichler:
>> given that I also use `apt upgrade` from time to time (habit from being an unstable user ;)), and that it might alienate power users coming from Debian, I'd prefer this to be a non-interactive warning with the text "disarmed" a bit?
>>
>> something like
>>
>> !! WARNING !!
>> Since Proxmox VE follows a rolling release model, using 'upgrade' can lead to a system being stuck on outdated versions, or in rare cases, break upon upgrading. Use 'dist-upgrade' or 'full-upgrade' instead.
>> !! WARNING !!

All right, albeit I find the "!! WARNING !!" still rather a bit to scary then.

Maybe just an extra newline above and below and then something like your wording:

NOTE: Proxmox VE follows a rolling release model, so using the 'upgrade' command [...]

FWIW, you could also make this more generic for easier re-use, like:

NOTE: Proxmox projects follow [...]

and ship it in a common package, maybe even an extra one that is only recommended,
not hard-dependency, so the power user can remove the warning if they don't care
(or are daring)


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel