Questions[anacron](ubuntu)

Ubuntu seems to have an enduring blind-spot for security upgrades on computers which are not connected permanently to the internet. These days there are surely a ton of them, mostly laptops.

In theory the solution is unattended-upgrades. On Ubuntu this runs by default with a daily systemd timer or cron job. With cron, anacron also runs by default as a protection, and executes any cron jobs which were missed because the computer was turned off. So far so sensible.

BUT!

1. Default unattended-upgrades config (/etc/apt/apt.conf.d/50unattended-upgrades or similar) requires the following to be set, else upgrades risk being skipped on a roaming laptop:

   Unattended-Upgrade::OnlyOnACPower "false";
   Unattended-Upgrade::Skip-Updates-On-Metered-Connections "false";
   

2. Even worse, anacron, like cron, runs jobs whether or not an internet connection is available! This is clearly a major design bug for non-server Ubuntu, since personal computers are not always connected permanently.

TLDR: With default config, on a roaming laptop, unattended-upgrades will not work much of the time.

(Perhaps there needs to be a separate class of cron job or systemd timer-thing which waits for a network connection until executing. Or failed cron.daily jobs could be switched to cron.hourly until they execute successfully. Perhaps there is one already.)

One practical solution is a systemd unit file to execute unattended-upgrades as a user script after the network comes online. But it will only run once per boot.

What is the optimal solution? Does anyone know if there are plans to fix this with a new package or a config improvement?

Do I properly understand that it is not possible to run /etc/cron.daily/my from arbitrary user, it will be run only from root according to /etc/crontab?

Can I drop root privilege to specific user in my cron scrip instead?

It is better to place cron job into /etc/cron.d? Like:

$ cat /etc/cron.d/my
5 0 * * *  user  test -x /usr/bin/my && /usr/bin/my -cfg /etc/my.cfg

Linux provides three different job schedulers i.e. Cron, Anacron and Systemd-Timer. What are the benefits of Cron/Anacron vs. Systemd-Timer?

So, I'm using Anacron to be able to reliably run some scripts daily. However, this doesn't work when Anacron itself doesn't start on boot half the time. How would I get Anacron to start up reliably?

> grep 'anacron' /var/log/syslog.2
May 18 19:09:02 s-laptop anacron[2480]: Job `cron.daily' terminated (exit status: 1) (mailing output)
May 18 19:09:02 s-laptop anacron[2480]: Can't find sendmail at /usr/sbin/sendmail, not mailing output
May 18 19:09:02 s-laptop anacron[2480]: anacron: Can't find sendmail at /usr/sbin/sendmail, not mailing output
May 18 19:09:02 s-laptop anacron[2480]: Normal exit (1 job run)
May 18 21:20:48 s-laptop systemd[1]: Started Run anacron jobs at resume.
May 20 16:30:46 s-laptop systemd[1]: Started Run anacron jobs at resume.
May 20 17:02:27 s-laptop systemd[1]: Started Run anacron jobs at resume.
May 20 18:58:50 s-laptop systemd[1]: Started Run anacron jobs at resume.
May 20 19:13:48 s-laptop systemd[1]: Started Run anacron jobs.
May 20 19:13:48 s-laptop anacron[734]: Anacron 2.3 started on 2017-05-20
May 20 19:13:48 s-laptop anacron[734]: Will run job `cron.daily' in 5 min.
May 20 19:13:48 s-laptop anacron[734]: Will run job `cron.weekly' in 10 min.
May 20 19:13:48 s-laptop anacron[734]: Jobs will be executed sequentially
May 20 19:18:51 s-laptop anacron[734]: Job `cron.daily' started
May 20 19:18:51 s-laptop anacron[2367]: Updated timestamp for job `cron.daily' to 2017-05-20
> grep 'anacron' /var/log/syslog.1
May 20 19:18:54 s-laptop anacron[734]: Job `cron.daily' terminated (exit status: 1) (mailing output)
May 20 19:23:48 s-laptop anacron[734]: Job `cron.weekly' started
May 20 19:23:48 s-laptop anacron[2606]: Updated timestamp for job `cron.weekly' to 2017-05-20
May 20 19:30:09 s-laptop anacron[734]: Job `cron.weekly' terminated
May 20 19:30:09 s-laptop anacron[734]: Normal exit (2 jobs run)
May 21 10:02:56 s-laptop systemd[1]: Started Run anacron jobs at resume.
May 25 12:53:39 s-laptop systemd[1]: Started Run anacron jobs at resume.
Jun  1 18:09:14 s-laptop systemd[1]: Started Run anacron jobs at resume.
Jun  3 12:29:40 s-laptop anacron[751]: Anacron 2.3 started on 2017-06-03
Jun  3 12:29:40 s-laptop anacron[751]: Will run job `cron.daily' in 5 min.
Jun  3 12:29:40 s-laptop anacron[751]: Will run job `cron.weekly' in 10 min.
Jun  3 12:29:40 s-laptop systemd[1]: Started Run anacron jobs.
Jun  3 12:29:40 s-laptop anacron[751]: Will run job `cron.monthly' in 15 min.
Jun  3 12:29:40 s-laptop anacron[751]: Jobs will be executed sequentially
Jun  3 12:34:40 s-laptop anacron[751]: Job `cron.daily' started
Jun  3 12:34:40 s-laptop anacron[2243]: Updated timestamp for job `cron.daily' to 2017-06-03
> grep 'anacron' /var/log/syslog
Jun  3 12:34:44 s-laptop anacron[751]: Job `cron.daily' terminated (mailing output)

As can be seen in the syslog, Anacron was only started at boot on May 20th and June 3rd, despite the machine being booted May 21st and 25th and June 1st.

Additionally, today (June 3rd), I actually booted my computer at 12:11, and seeing that Anacron had not started and none of my jobs were run, I rebooted the machine at 12:29. You can see on this second boot, Anacron decided to startup. Why does it just not startup a lot of the time?

$ ps -elf | grep
...
0 D nobody   27320 27319  2  90  10 - 353471 sleep_ 07:54 ?       00:02:19 /usr/bin/find / -ignore_readdir_race ( -fstype NFS -o -fstype nfs -o -fstype nfs4 -o -fstype afs -o -fstype binfmt_misc -o -fstype proc -o -fstype smbfs -o -fstype autofs -o -fstype iso9660 -o -fstype ncpfs -o -fstype coda -o -fstype devpts -o -fstype ftpfs -o -fstype devfs -o -fstype mfs -o -fstype shfs -o -fstype sysfs -o -fstype cifs -o -fstype lustre_lite -o -fstype tmpfs -o -fstype usbfs -o -fstype udf -o -fstype ocfs2 -o -type d -regex \(^/tmp$\)\|\(^/usr/tmp$\)\|\(^/var/tmp$\)\|\(^/afs$\)\|\(^/amd$\)\|\(^/alex$\)\|\(^/var/spool$\)\|\(^/sfs$\)\|\(^/media$\)\|\(^/var/lib/schroot/mount$\) ) -prune -o -print0                          
...

This job always start automatically and consumes my memory. Even after I kill it, it will starts several hours later.

What's that job?

EDIT

Note: the pid is different from the above because I killed the above one, wait for several hours, then the second one comes.

$ pstree -psl
|-anacron(25920)---sh(25929)---run-parts(25930)---locate(26343)---updatedb.findut(26348)-+-frcode(26358)
|                                                                                        |-sort(26357)
|                                                                                        `-updatedb.findut(26356)---su(26387)---sh(26402)---find(26403)

This is what it look like in a graphical tool: