[pve-devel] [PATCH proxmox-ve v2 2/2] apt-hook: add check preventing the removal of pinned kernels

Stoiko Ivanov s.ivanov at proxmox.com
Wed Feb 9 18:22:39 CET 2022


While talking off-list about this I realized that I forgot to mention that
file_read_firstline is copied from PVE::Tools.

The rationale was that we might end up in a situation where pve-common
might not be available and the hook might still be called.
Also we might eventually have this hook in some of our other products,
which do not depend on pve-common (PBS for now).

If the series is accepted as-is - feel free to update the commit message.
Else - I'll include it in the v3.

Sorry for the noise.

On Fri,  4 Feb 2022 19:45:38 +0100
Stoiko Ivanov <s.ivanov at proxmox.com> wrote:

> Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
> ---
>  debian/apthook/pve-apt-hook | 28 ++++++++++++++++++++++++++++
>  1 file changed, 28 insertions(+)
> 
> diff --git a/debian/apthook/pve-apt-hook b/debian/apthook/pve-apt-hook
> index 50e50d1..6de56c4 100755
> --- a/debian/apthook/pve-apt-hook
> +++ b/debian/apthook/pve-apt-hook
> @@ -34,6 +34,17 @@ my $cleanup = sub {
>    exit $rc;
>  };
>  
> +my $file_read_firstline = sub {
> +    my ($filename) = @_;
> +
> +    my $fh = IO::File->new($filename, "r");
> +    return undef if !$fh;
> +    my $res = <$fh>;
> +    chomp $res if $res;
> +    $fh->close;
> +    return $res;
> +};
> +
>  chomp (my $ver = <$fh>);
>  if ($ver ne "VERSION 2") {
>    $log->("apt-pve-hook misconfigured, expecting hook protocol version 2\n");
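
Review bot: the new $file_read_firstline sub has no comment saying that it duplicates file_read_firstline from PVE::Tools, or why it is inlined rather than imported (the hook may run when pve-common is not available). A short comment above `my $file_read_firstline = sub {` would record that and make it easier to keep the two copies in sync. The sub also calls `IO::File->new($filename, "r")` while this hunk adds no `use IO::File;`, so it is worth confirming the script already loads that module.
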
> @@ -84,6 +95,23 @@ while (my $line = <$fh>) {
>        $cleanup->(0, 1);
>      }
>    }
> +  if ($pkg =~ /^pve-kernel-/) {
> +    if ($action eq '**REMOVE**') {
> +      my $next_boot_ver = $file_read_firstline->("/etc/kernel/next-boot-pin");
> +      my $pinned_ver = $file_read_firstline->("/etc/kernel/proxmox-boot-pin");
> +      my $remove_pinned_ver = ($next_boot_ver && $pkg =~ /$next_boot_ver/);
> +      $remove_pinned_ver ||= ($pinned_ver && $pkg =~ /$pinned_ver/);
> +      if ($remove_pinned_ver) {
> +        $log->("!! WARNING !!\n");
> +        $log->("You are attempting to remove the currently pinned kernel '${pkg}'!\n");
> +        $log->("\n");
> +        $log->("If you really do not need the version anymore unpin it by running\n");
> +        $log->("\tproxmox-boot-tool kernel unpin'\n");
> +        $log->("and repeat your apt invocation.\n");
> +        $cleanup->(1);
> +      }
> +    }
> +  }
>  }
>  
>  $cleanup->(0);
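
Review bot: the pin checks `$pkg =~ /$next_boot_ver/` and `$pkg =~ /$pinned_ver/` interpolate the file contents as an unanchored, unquoted regex. The dots in a kernel version then match any character, the pattern can match anywhere inside the package name, and a pin file containing regex metacharacters can make the match fail to compile and abort the hook. Quoting the value and anchoring it to the package name, for example `$pkg =~ /\Q$pinned_ver\E$/`, or comparing with `eq` against the expected package name, keeps the check limited to the pinned version. Two smaller points in the same block: the line `$log->("\tproxmox-boot-tool kernel unpin'\n");` prints a stray trailing single quote, and the warning says "currently pinned kernel" even when the match came from /etc/kernel/next-boot-pin.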





