T-Gander/ProxmoxVEDHelperScripts
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity

Simplify APT retry logic and add insecure fallback

Browse Source 
Replace the previous multi-step APT retry sequence (mirror swaps, sleeps, multiple retries) with a simpler fallback: on apt-get update failure disable Acquire::By-Hash, enable Acquire::AllowInsecureRepositories and attempt updates/installs using --allow-insecure-repositories/--allow-unauthenticated where needed. Restore secure settings and refresh lists afterwards, and preserve/propagate the original command exit status. Apply the same simplification in misc/build.func, misc/install.func and the Proxmox LXC cron updater (tools/pve/update-lxcs-cron.sh) to handle Debian repo desyncs more reliably and reduce complex retry logic.
This commit is contained in:
CanbiZ (MickLesk)
2026-03-26 14:02:09 +01:00
parent 681c438e60
commit 6d213d511f
3 changed files with 18 additions and 99 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
misc/build.func
View File

@@ -4601,52 +4601,20 @@ EOF'
fi fi
pct exec "$CTID" -- bash -c "apt-get update >/dev/null 2>&1 && apt-get install -y sudo curl mc gnupg2 jq >/dev/null 2>&1" || { pct exec "$CTID" -- bash -c "apt-get update >/dev/null 2>&1 && apt-get install -y sudo curl mc gnupg2 jq >/dev/null 2>&1" || {
msg_warn "apt-get base packages failed, retrying with by-hash bypass and alternate mirror..." msg_warn "apt-get update failed, bypassing hash verification (Debian repo desync)..."
pct exec "$CTID" -- bash -c ' pct exec "$CTID" -- bash -c '
APT_BASE="sudo curl mc gnupg2 jq" APT_BASE="sudo curl mc gnupg2 jq"
apt_retry() {
rm -rf /var/lib/apt/lists/*
apt-get update >/dev/null 2>&1 && apt-get install -y $APT_BASE >/dev/null 2>&1
}
# Retry 1: Disable by-hash (stale CDN by-hash index)
echo "Acquire::By-Hash \"no\";" >/etc/apt/apt.conf.d/99no-by-hash echo "Acquire::By-Hash \"no\";" >/etc/apt/apt.conf.d/99no-by-hash
apt_retry && exit 0
# Retry 2: Switch to country mirror (may lag behind primary)
for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
[ -f "$src" ] && sed -i "s|deb.debian.org|ftp.de.debian.org|g" "$src"
done
apt_retry && exit 0
# Retry 3: Wait 30s for mirror sync, try original mirror
sleep 30
for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
[ -f "$src" ] && sed -i "s|ftp.de.debian.org|deb.debian.org|g" "$src"
done
apt_retry && exit 0
# Retry 4: Temporarily allow hash mismatch (Release/Packages desync)
echo "Acquire::AllowInsecureRepositories \"true\";" >>/etc/apt/apt.conf.d/99no-by-hash echo "Acquire::AllowInsecureRepositories \"true\";" >>/etc/apt/apt.conf.d/99no-by-hash
for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
[ -f "$src" ] && sed -i "s|deb.debian.org|ftp.debian.org|g" "$src"
done
rm -rf /var/lib/apt/lists/* rm -rf /var/lib/apt/lists/*
if apt-get update --allow-insecure-repositories >/dev/null 2>&1; then apt-get update --allow-insecure-repositories >/dev/null 2>&1 && \
apt-get install -y --allow-unauthenticated $APT_BASE >/dev/null 2>&1 apt-get install -y --allow-unauthenticated $APT_BASE >/dev/null 2>&1
ret=$? ret=$?
# Restore secure settings immediately # Restore secure settings
echo "Acquire::By-Hash \"no\";" >/etc/apt/apt.conf.d/99no-by-hash
for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
[ -f "$src" ] && sed -i "s|ftp.debian.org|deb.debian.org|g" "$src"
done
rm -rf /var/lib/apt/lists/*
apt-get update >/dev/null 2>&1 || true
[ $ret -eq 0 ] && exit 0
fi
# Cleanup on failure
echo "Acquire::By-Hash \"no\";" >/etc/apt/apt.conf.d/99no-by-hash echo "Acquire::By-Hash \"no\";" >/etc/apt/apt.conf.d/99no-by-hash
exit 1 rm -rf /var/lib/apt/lists/*
apt-get update >/dev/null 2>&1 || true
exit $ret
' || { ' || {
msg_error "apt-get base packages installation failed" msg_error "apt-get base packages installation failed"
exit 1 exit 1

38
misc/install.func
View File

@@ -201,39 +201,15 @@ pkg_update() {
case "$PKG_MANAGER" in case "$PKG_MANAGER" in
apt) apt)
if ! $STD apt-get update; then if ! $STD apt-get update; then
msg_warn "apt-get update failed, retrying with by-hash bypass and alternate mirror..." msg_warn "apt-get update failed, bypassing hash verification (Debian repo desync)..."
echo 'Acquire::By-Hash "no";' >/etc/apt/apt.conf.d/99no-by-hash
echo 'Acquire::AllowInsecureRepositories "true";' >>/etc/apt/apt.conf.d/99no-by-hash
rm -rf /var/lib/apt/lists/*
$STD apt-get update --allow-insecure-repositories
# Restore secure settings
echo 'Acquire::By-Hash "no";' >/etc/apt/apt.conf.d/99no-by-hash echo 'Acquire::By-Hash "no";' >/etc/apt/apt.conf.d/99no-by-hash
rm -rf /var/lib/apt/lists/* rm -rf /var/lib/apt/lists/*
if ! $STD apt-get update; then $STD apt-get update || true
# Retry with country mirror
for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
[[ -f "$src" ]] && sed -i 's|deb.debian.org|ftp.de.debian.org|g' "$src"
done
rm -rf /var/lib/apt/lists/*
if ! $STD apt-get update; then
# Wait for mirror sync, try original
sleep 30
for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
[[ -f "$src" ]] && sed -i 's|ftp.de.debian.org|deb.debian.org|g' "$src"
done
rm -rf /var/lib/apt/lists/*
if ! $STD apt-get update; then
# Last resort: temporarily allow insecure repos
msg_warn "All mirrors have hash mismatch, temporarily relaxing APT verification..."
echo 'Acquire::AllowInsecureRepositories "true";' >>/etc/apt/apt.conf.d/99no-by-hash
for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
[[ -f "$src" ]] && sed -i 's|deb.debian.org|ftp.debian.org|g' "$src"
done
rm -rf /var/lib/apt/lists/*
$STD apt-get update --allow-insecure-repositories
# Restore secure settings immediately
echo 'Acquire::By-Hash "no";' >/etc/apt/apt.conf.d/99no-by-hash
for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
[[ -f "$src" ]] && sed -i 's|ftp.debian.org|deb.debian.org|g' "$src"
done
fi
fi
fi
fi fi
;; ;;
apk) apk)

33
tools/pve/update-lxcs-cron.sh
View File

@@ -36,40 +36,15 @@ function update_container() {
archlinux) pct exec "$container" -- bash -c "pacman -Syyu --noconfirm" ;; archlinux) pct exec "$container" -- bash -c "pacman -Syyu --noconfirm" ;;
fedora | rocky | centos | alma) pct exec "$container" -- bash -c "dnf -y update && dnf -y upgrade" ;; fedora | rocky | centos | alma) pct exec "$container" -- bash -c "dnf -y update && dnf -y upgrade" ;;
ubuntu | debian | devuan) pct exec "$container" -- bash -c ' ubuntu | debian | devuan) pct exec "$container" -- bash -c '
apt_update_ok=false apt-get update || {
apt-get update && apt_update_ok=true
if [ "$apt_update_ok" = false ]; then
echo "Acquire::By-Hash \"no\";" >/etc/apt/apt.conf.d/99no-by-hash echo "Acquire::By-Hash \"no\";" >/etc/apt/apt.conf.d/99no-by-hash
rm -rf /var/lib/apt/lists/*
apt-get update && apt_update_ok=true
fi
if [ "$apt_update_ok" = false ]; then
for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
[ -f "$src" ] && sed -i "s|deb.debian.org|ftp.de.debian.org|g" "$src"
done
rm -rf /var/lib/apt/lists/*
apt-get update && apt_update_ok=true
fi
if [ "$apt_update_ok" = false ]; then
sleep 30
for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
[ -f "$src" ] && sed -i "s|ftp.de.debian.org|deb.debian.org|g" "$src"
done
rm -rf /var/lib/apt/lists/*
apt-get update && apt_update_ok=true
fi
if [ "$apt_update_ok" = false ]; then
echo "Acquire::AllowInsecureRepositories \"true\";" >>/etc/apt/apt.conf.d/99no-by-hash echo "Acquire::AllowInsecureRepositories \"true\";" >>/etc/apt/apt.conf.d/99no-by-hash
for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
[ -f "$src" ] && sed -i "s|deb.debian.org|ftp.debian.org|g" "$src"
done
rm -rf /var/lib/apt/lists/* rm -rf /var/lib/apt/lists/*
apt-get update --allow-insecure-repositories apt-get update --allow-insecure-repositories
echo "Acquire::By-Hash \"no\";" >/etc/apt/apt.conf.d/99no-by-hash echo "Acquire::By-Hash \"no\";" >/etc/apt/apt.conf.d/99no-by-hash
for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do rm -rf /var/lib/apt/lists/*
[ -f "$src" ] && sed -i "s|ftp.debian.org|deb.debian.org|g" "$src" apt-get update || true
done }
fi
DEBIAN_FRONTEND=noninteractive apt-get -o Dpkg::Options::="--force-confold" dist-upgrade -y DEBIAN_FRONTEND=noninteractive apt-get -o Dpkg::Options::="--force-confold" dist-upgrade -y
rm -rf /usr/lib/python3.*/EXTERNALLY-MANAGED' ;; rm -rf /usr/lib/python3.*/EXTERNALLY-MANAGED' ;;
opensuse) pct exec "$container" -- bash -c "zypper ref && zypper --non-interactive dup" ;; opensuse) pct exec "$container" -- bash -c "zypper ref && zypper --non-interactive dup" ;;