Merge remote-tracking branch 'ansgar/pu/security-locks' into merge

* ansgar/pu/security-locks:
  debian-security: place locks around dak commands that affect packages
Signed-off-by: NJoerg Jaspert <joerg@debian.org>

config/debian-security/cron.daily

@@ -6,6 +6,8 @@ set -e
 export SCRIPTVARS=/srv/security-master.debian.org/dak/config/debian-security/vars
 . $SCRIPTVARS
 
+LOCKFILE="$lockdir/unchecked.lock"
+
 ################################################################################
 
 # Fix overrides
@@ -66,10 +68,24 @@ done
 
 cd $configdir
 dak import-keyring -L /srv/keyring.debian.org/keyrings/debian-keyring.gpg
+
+cleanup() {
+    rm -f "$LOCKFILE"
+}
+
+if ! lockfile -r100 "$LOCKFILE"; then
+    echo "Could not lock $LOCKFILE." >&2
+    exit 1
+fi
+trap cleanup EXIT
+
 dak clean-queues
 dak clean-queues -i $disembargo
 dak clean-suites
 
+cleanup
+trap - EXIT
+
 symlinks -d -r $ftpdir
 
 pg_dump obscurity > /org/security-master.debian.org/dak-backup/dump_$(date +%Y.%m.%d-%H:%M:%S)

config/debian-security/cron.unchecked

@@ -15,6 +15,7 @@ reportdis=$queuedir/REPORT.disembargo
 timestamp=$(date "+%Y-%m-%d %H:%M")
 doanything=false
 dopolicy=false
+LOCKFILE="$lockdir/unchecked.lock"
 
 # So first we should go and see if any process-policy action is done
 dak process-policy embargoed | mail -a "X-Debian: DAK" -e -s "Automatically accepted from embargoed" team@security.debian.org -- -F "Debian FTP Masters" -f ftpmaster@ftp-master.debian.org
@@ -24,6 +25,16 @@ dak process-policy unembargoed | mail -a "X-Debian: DAK" -e -s "Automatically ac
 # in newstage mean they are (late) accepts of security stuff, need
 # to sync to ftp-master
 
+cleanup() {
+    rm -f "$LOCKFILE"
+}
+
+if ! lockfile -r8 "$LOCKFILE"; then
+    echo "aborting cron.unchecked because $LOCKFILE has already been locked"
+    exit 0
+fi
+trap cleanup EXIT
+
 cd $newstage
 changes=$(find . -maxdepth 1 -mindepth 1 -type f -name \*.changes | sed -e "s,./,," | xargs)
 if [ -n "$changes" ]; then
@@ -70,4 +81,7 @@ if [ "x${dopolicy}x" = "xtruex" ]; then
     sudo -u archvsync -H /home/archvsync/signal_security
 fi
 
+cleanup
+trap - EXIT
+
 $configdir/cron.buildd

config/debian-security/cron.weekly

@@ -6,13 +6,30 @@ set -e
 export SCRIPTVARS=/srv/security-master.debian.org/dak/config/debian-security/vars
 . $SCRIPTVARS
 
+LOCKFILE="$lockdir/unchecked.lock"
+
 ################################################################################
 
 # Weekly generation of release files, then pushing mirrors.
 # Used as we have a "Valid-until" field in our release files of 10 days. In case
 # we dont have a security update in that time...
 cd $configdir
+
+cleanup() {
+    rm -f "$LOCKFILE"
+}
+
+if ! lockfile -r100 "$LOCKFILE"; then
+    echo "Could not lock $LOCKFILE. Assuming resigning is not needed."
+    exit 0
+fi
+trap cleanup EXIT
+
 dak generate-releases
+
+cleanup
+trap - EXIT
+
 /srv/security-master.debian.org/dak/config/debian-security/make-mirror.sh
 sudo -u archvsync -H /home/archvsync/signal_security
 

dak/new_security_install.py

@@ -95,26 +95,34 @@ def _do_Approve():
     print "Sync stuff for upload to ftpmaster"
     spawn("rsync -a -q %s/. /srv/queued/ftpmaster/." % (newstage.path))
 
-    # 3. Now run process-upload in the newstage dir
-    print "Now put it into the security archive"
-    spawn("dak process-upload -a -d %s" % (newstage.path))
-
-    # 4. Run all the steps that are needed to publish the changed archive
-    print "Domination"
-    spawn("dak dominate")
-#    print "Generating filelist for apt-ftparchive"
-#    spawn("dak generate-filelist")
-    print "Updating Packages and Sources files... This may take a while, be patient"
-    spawn("/srv/security-master.debian.org/dak/config/debian-security/map.sh")
-#    spawn("apt-ftparchive generate %s" % (utils.which_apt_conf_file()))
-    spawn("dak generate-packages-sources2")
-    print "Updating Release files..."
-    spawn("dak generate-releases")
-    print "Triggering security mirrors... (this may take a while)"
-    spawn("/srv/security-master.debian.org/dak/config/debian-security/make-mirror.sh")
-    spawn("sudo -u archvsync -H /home/archvsync/signal_security")
-    print "Triggering metadata export for packages.d.o and other consumers"
-    spawn("/srv/security-master.debian.org/dak/config/debian-security/export.sh")
+    print "Locking unchecked"
+    lockfile='/srv/security-master.debian.org/lock/unchecked.lock'
+    spawn("lockfile -r8 {0}".format(lockfile))
+
+    try:
+        # 3. Now run process-upload in the newstage dir
+        print "Now put it into the security archive"
+        spawn("dak process-upload -a -d %s" % (newstage.path))
+
+        # 4. Run all the steps that are needed to publish the changed archive
+        print "Domination"
+        spawn("dak dominate")
+        #    print "Generating filelist for apt-ftparchive"
+        #    spawn("dak generate-filelist")
+        print "Updating Packages and Sources files... This may take a while, be patient"
+        spawn("/srv/security-master.debian.org/dak/config/debian-security/map.sh")
+        #    spawn("apt-ftparchive generate %s" % (utils.which_apt_conf_file()))
+        spawn("dak generate-packages-sources2")
+        print "Updating Release files..."
+        spawn("dak generate-releases")
+        print "Triggering security mirrors... (this may take a while)"
+        spawn("/srv/security-master.debian.org/dak/config/debian-security/make-mirror.sh")
+        spawn("sudo -u archvsync -H /home/archvsync/signal_security")
+        print "Triggering metadata export for packages.d.o and other consumers"
+        spawn("/srv/security-master.debian.org/dak/config/debian-security/export.sh")
+    finally:
+        os.unlink(lockfile)
+        print "Lock released."
 
 ########################################################################
 ########################################################################