From 128af0d191ab1e4e79bea665172ed4fc6c430635 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Thu, 19 Oct 2017 15:03:06 +0200
Subject: [PATCH] debian: disable timer-based apt-get

Debian stretch in default configuration calls apt-get update every 24h. And additionally, have automatic unattended security updates enabled. Generally it would be good thing on standalone system, but in AppVM which loose its rootfs changes after restart it is a waste of resources. Especially when it kicks in on multiple VMs simultaneously, while on battery (apt-daily.service have ConditionACPower=true, but VM don't have that information...). It would make some sense on TemplateVM/StandaloneVM, but then it kicks in just at VM startup. Which conflicts with starting the update manually then (by clicking "update VM" button in manager for example, or using salt). So, disable this feature completely. The actual solution is based on pkg-manager-no-autoupdate by @adrelanos.

Fixes QubesOS/qubes-issues#2621
---
 Makefile | 1 +
 debian/qubes-core-agent.install | 1 +
 misc/apt-conf-70no-unattended | 26 ++++++++++++++++++++++++++
 3 files changed, 28 insertions(+)
 create mode 100644 misc/apt-conf-70no-unattended

diff --git a/Makefile b/Makefile
index 932bf33..42f8c6e 100644
--- a/Makefile
+++ b/Makefile
@@ -326,6 +326,7 @@ install-deb: install-common install-systemd install-systemd-dropins
 install -d $(DESTDIR)/etc/needrestart/conf.d
 install -D -m 0644 misc/50_qubes.conf $(DESTDIR)/etc/needrestart/conf.d/50_qubes.conf
 install -D -m 0644 misc/grub.qubes $(DESTDIR)/etc/default/grub.d/30-qubes.cfg
+ install -D -m 0644 misc/apt-conf-70no-unattended $(DESTDIR)/etc/apt/apt.conf.d/70no-unattended
 mkdir -p $(DESTDIR)/etc/systemd/system/
 install -m 0644 vm-systemd/haveged.service $(DESTDIR)/etc/systemd/system/
diff --git a/debian/qubes-core-agent.install b/debian/qubes-core-agent.install
index 1eb21b4..b34789f 100644
--- a/debian/qubes-core-agent.install
+++ b/debian/qubes-core-agent.install
@@ -1,5 +1,6 @@
 etc/X11/xorg-preload-apps.conf
 etc/apt/apt.conf.d/00notify-hook
+etc/apt/apt.conf.d/70no-unattended
 etc/apt/sources.list.d/qubes-r4.list
 etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
 etc/default/grub.d/30-qubes.cfg
diff --git a/misc/apt-conf-70no-unattended b/misc/apt-conf-70no-unattended
new file mode 100644
index 0000000..7130413
--- /dev/null
+++ b/misc/apt-conf-70no-unattended
@@ -0,0 +1,26 @@
+## Based on pkg-manager-no-autoupdate by Patrick Schleizer
+## https://github.com/Whonix/pkg-manager-no-autoupdate
+
+## Disable automatic update check APT::Periodic::Update-Package-Lists
+## which is the Debian default in /etc/apt/apt.conf.d/10periodic.
+##
+## The execution time would be too predictable, thus make us fingerprintable.
+##
+## 20noperiodic comes after 10periodic in alphabet so it takes precedence.
+##
+## Quoted from the Debian Handbook
+## http://debian-handbook.info/browse/wheezy/sect.apt-get.html
+##
+## "[...] Each directory represents a configuration file which is split over multiple
+## files. In this sense, all of the files in /etc/apt/apt.conf.d/ are instructions
+## for the configuration of APT. APT includes them in alphabetical order, so that the
+## last ones can modify a configuration element defined in one of the first ones. [...]
+##
+## That changes take effect can be verified using:
+## apt-config dump
+
+APT::Periodic::Update-Package-Lists "0";
+APT::Periodic::Download-Upgradeable-Packages "0";
+APT::Periodic::AutocleanInterval "0";
+APT::Periodic::Unattended-Upgrade "0";
+APT::Periodic::Enable "0";
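Review bot: The comment `## 20noperiodic comes after 10periodic in alphabet so it takes precedence.` names the upstream Whonix file, but this file is installed as `/etc/apt/apt.conf.d/70no-unattended` (see the Makefile and .install hunks), so it should read `## 70no-unattended sorts after 10periodic (and after 20auto-upgrades from unattended-upgrades, if present) so it takes precedence.` The fingerprinting sentence two lines above is likewise the upstream rationale rather than this commit's; replacing it with a line such as `## In Qubes AppVMs lose rootfs changes on restart, and in templates the timer races manual updates, so periodic APT activity is disabled here.` would tell a reader why the file exists in this package. Since the file applies to every Debian VM the package is installed in, it is worth adding a comment that TemplateVMs and StandaloneVMs therefore receive security updates only when updated through Qubes tooling or by hand. If memory serves, `APT::Periodic::Enable "0";` alone makes apt.systemd.daily exit before doing any work, so a short comment noting that the other four settings are defence in depth would stop a future reader from assuming each one is load-bearing.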