File: //usr/share/doc/debian-policy/policy.html/_sources/ch-maintainerscripts.rst.txt
Package maintainer scripts and installation procedure
=====================================================
.. _s6.1:
Introduction to package maintainer scripts
------------------------------------------
It is possible to supply scripts as part of a package which the package
management system will run for you when your package is installed,
upgraded or removed.
These scripts are the control information files ``preinst``,
``postinst``, ``prerm`` and ``postrm``. They must be proper executable
files; if they are scripts (which is recommended), they must start with
the usual ``#!`` convention. They should be readable and executable by
anyone, and must not be world-writable.
The package management system looks at the exit status from these
scripts. It is important that they exit with a non-zero status if there
is an error, so that the package management system can stop its
processing. For shell scripts this means that you *almost always* need
to use ``set -e`` (this is usually true when writing shell scripts, in fact).
It is also important, of course, that they exit with a zero status if
everything went well.
Additionally, packages interacting with users using ``debconf`` in the
``postinst`` script should install a ``config`` script as a control
information file. See :ref:`s-maintscriptprompt` for
details.
When a package is upgraded a combination of the scripts from the old and
new packages is called during the upgrade procedure. If your scripts are
going to be at all complicated you need to be aware of this, and may
need to check the arguments to your scripts.
Broadly speaking the ``preinst`` is called before (a particular version
of) a package is unpacked, and the ``postinst`` afterwards; the
``prerm`` before (a version of) a package is removed and the ``postrm``
afterwards.
Programs called from maintainer scripts should not normally have a path
prepended to them. Before installation is started, the package
management system checks to see if the programs ``ldconfig``,
``start-stop-daemon``, and ``update-rc.d`` can be found via the ``PATH``
environment variable. Those programs, and any other program that one
would expect to be in the ``PATH``, should thus be invoked without an
absolute pathname. Maintainer scripts should also not reset the
``PATH``, though they might choose to modify it by prepending or
appending package-specific directories. These considerations really
apply to all shell scripts.
.. _s-idempotency:
Maintainer scripts idempotency
------------------------------
It is necessary for the error recovery procedures that the scripts be
idempotent. This means that if it is run successfully, and then it is
called again, it doesn't bomb out or cause any harm, but just ensures
that everything is the way it ought to be. If the first call failed, or
aborted half way through for some reason, the second call should merely
do the things that were left undone the first time, if any, and exit
with a success status if everything is OK. [#]_
.. _s-controllingterminal:
Controlling terminal for maintainer scripts
-------------------------------------------
Maintainer scripts are not guaranteed to run with a controlling terminal
and may not be able to interact with the user. They must be able to fall
back to noninteractive behavior if no controlling terminal is available.
Maintainer scripts that prompt via a program conforming to the Debian
Configuration Management Specification (see
:ref:`s-maintscriptprompt`) may assume that program will
handle falling back to noninteractive behavior.
For high-priority prompts without a reasonable default answer,
maintainer scripts may abort if there is no controlling terminal.
However, this situation should be avoided if at all possible, since it
prevents automated or unattended installs. In most cases, users will
consider this to be a bug in the package.
.. _s-exitstatus:
Exit status
-----------
Each script must return a zero exit status for success, or a nonzero one
for failure, since the package management system looks for the exit
status of these scripts and determines what action to take next based on
that datum.
.. _s-mscriptsinstact:
Summary of ways maintainer scripts are called
---------------------------------------------
What follows is a summary of all the ways in which maintainer scripts
may be called along with what facilities those scripts may rely on being
available at that time. Script names preceded by new- are the scripts
from the new version of a package being installed, upgraded to, or
downgraded to. Script names preceded by old- are the scripts from the
old version of a package that is being upgraded from or downgraded from.
The ``preinst`` script may be called in the following ways:
| ``new-preinst`` install
| ``new-preinst`` install *old-version*
| ``new-preinst`` upgrade *old-version*
The package will not yet be unpacked, so the ``preinst`` script
cannot rely on any files included in its package. Only essential
packages and pre-dependencies (``Pre-Depends``) may be assumed to be
available. Pre-dependencies will have been configured at least once,
but at the time the ``preinst`` is called they may only be in an
"Unpacked" or "Half-Configured" state if a previous version of the
pre-dependency was completely configured and has not been removed
since then.
``old-preinst`` abort-upgrade *new-version*
Called during error handling of an upgrade that failed after
unpacking the new package because the ``postrm upgrade`` action failed. The unpacked files may be
partly from the new version or partly missing, so the script cannot
rely on files included in the package. Package dependencies may not
be available. Pre-dependencies will be at least "Unpacked" following
the same rules as above, except they may be only "Half-Installed" if
an upgrade of the pre-dependency failed. [#]_
The ``postinst`` script may be called in the following ways:
``postinst`` configure *most-recently-configured-version*
The files contained in the package will be unpacked. All package
dependencies will at least be "Unpacked". If there are no circular
dependencies involved, all package dependencies will be configured.
For behavior in the case of circular dependencies, see the
discussion in :ref:`s-binarydeps`.
| ``old-postinst`` abort-upgrade *new-version*
| ``conflictor's-postinst`` abort-remove in-favour *package* *new-version*
| ``postinst`` abort-remove
| ``deconfigured's-postinst`` abort-deconfigure in-favour *failed-install-package* *version* [ removing conflicting-package version ]
The files contained in the package will be unpacked. All package
dependencies will at least be "Half-Installed" and will have
previously been configured and not removed. However, dependencies
may not be configured or even fully unpacked in some error
situations. [#]_ The ``postinst`` should still attempt any actions
for which its dependencies are required, since they will normally be
available, but consider the correct error handling approach if those
actions fail. Aborting the ``postinst`` action if commands or
facilities from the package dependencies are not available is often
the best approach.
The ``prerm`` script may be called in the following ways:
| ``prerm`` remove
| ``old-prerm`` upgrade *new-version*
| ``conflictor's-prerm`` remove in-favour package *new-version*
| ``deconfigured's-prerm`` deconfigure in-favour *package-being-installed* *version* [removing conflicting-package version]
The package whose ``prerm`` is being called will be at least
"Half-Installed". All package dependencies will at least be
"Half-Installed" and will have previously been configured and not
removed. If there was no error, all dependencies will at least be
"Unpacked", but these actions may be called in various error states
where dependencies are only "Half-Installed" due to a partial
upgrade.
``new-prerm`` failed-upgrade *old-version*
Called during error handling when ``prerm upgrade`` fails. The new package will not yet be
unpacked, and all the same constraints as for ``preinst upgrade``
apply.
The ``postrm`` script may be called in the following ways:
| ``postrm`` remove
| ``postrm`` purge
| ``old-postrm`` upgrade *new-version*
| ``disappearer's-postrm`` disappear overwriter *overwriter-version*
The ``postrm`` script is called after the package's files have been
removed or replaced. The package whose ``postrm`` is being called
may have previously been deconfigured and only be "Unpacked", at
which point subsequent package changes do not consider its
dependencies. Therefore, all ``postrm`` actions must only rely on
essential packages and must gracefully skip any actions that require
the package's dependencies if those dependencies are unavailable.
[#]_
``new-postrm`` failed-upgrade *old-version*
Called when the old ``postrm upgrade`` action fails. The new package
will be unpacked, but only essential packages and pre-dependencies
can be relied on. Pre-dependencies will either be configured or will
be "Unpacked" or "Half-Configured" but previously had been
configured and was never removed.
| ``new-postrm`` abort-install
| ``new-postrm`` abort-install *old-version*
| ``new-postrm`` abort-upgrade *old-version*
Called before unpacking the new package as part of the error
handling of ``preinst`` failures. May assume the same state as
``preinst`` can assume.
.. _s-unpackphase:
Details of unpack phase of installation or upgrade
--------------------------------------------------
The procedure on installation/upgrade/overwrite/disappear (i.e., when
running ``dpkg --unpack``, or the unpack stage of ``dpkg --install``) is
as follows. [#]_ In each case, if a major error occurs (unless listed
below) the actions are, in general, run backwards - this means that the
maintainer scripts are run with different arguments in reverse order.
These are the "error unwind" calls listed below.
1. Notify the currently installed package:
a. If a version of the package is already "Installed", call
.. parsed-literal::
old-prerm upgrade *new-version*
b. If the script runs but exits with a non-zero exit status,
``dpkg`` will attempt:
.. parsed-literal::
new-prerm failed-upgrade *old-version*
If this works, the upgrade continues. If this does not work, the
error unwind:
.. parsed-literal::
*old-postinst* abort-upgrade *new-version*
If this works, then the *old-version* is "Installed", if not, the
old version is in a "Half-Configured" state.
2. If a "conflicting" package is being removed at the same time, or if
any package will be broken (due to ``Breaks``):
a. If ``--auto-deconfigure`` is specified, call, for each package to
be deconfigured due to ``Breaks``:
.. parsed-literal::
*deconfigured's-prerm* deconfigure \\
in-favour *package-being-installed* *version*
Error unwind:
.. parsed-literal::
*deconfigured's-postinst* abort-deconfigure \\
in-favour *package-being-installed-but-failed* *version*
The deconfigured packages are marked as requiring configuration,
so that if ``--install`` is used they will be configured again if
possible.
b. If any packages depended on a conflicting package being removed
and ``--auto-deconfigure`` is specified, call, for each such
package:
.. parsed-literal::
*deconfigured's-prerm* deconfigure \\
in-favour *package-being-installed* *version* \\
removing *conflicting-package* *version*
Error unwind:
.. parsed-literal::
*deconfigured's-postinst* abort-deconfigure \\
in-favour *package-being-installed-but-failed* *version* \\
removing *conflicting-package* *version*
The deconfigured packages are marked as requiring configuration,
so that if ``--install`` is used they will be configured again if
possible.
c. To prepare for removal of each conflicting package, call:
.. parsed-literal::
*conflictor's-prerm* remove \\
in-favour *package* *new-version*
Error unwind:
.. parsed-literal::
*conflictor's-postinst* abort-remove \\
in-favour *package* *new-version*
3. Run the ``preinst`` of the new package:
a. If the package is being upgraded, call:
.. parsed-literal::
*new-preinst* upgrade *old-version*
If this fails, we call:
.. parsed-literal::
*new-postrm* abort-upgrade *old-version*
i. If that works, then
.. parsed-literal::
*old-postinst* abort-upgrade *new-version*
is called. If this works, then the old version is in an
"Installed" state, or else it is left in an "Unpacked" state.
ii. If it fails, then the old version is left in an
"Half-Installed" state.
b. Otherwise, if the package had some configuration files from a
previous version installed (i.e., it is in the "Config-Files"
state):
.. parsed-literal::
*new-preinst* install *old-version*
Error unwind:
.. parsed-literal::
*new-postrm* abort-install *old-version*
If this fails, the package is left in a "Half-Installed" state,
which requires a reinstall. If it works, the packages is left in
a "Config-Files" state.
c. Otherwise (i.e., the package was completely purged):
.. parsed-literal::
*new-preinst* install
Error unwind:
.. parsed-literal::
*new-postrm* abort-install
If the error-unwind fails, the package is in a "Half-Installed"
phase, and requires a reinstall. If the error unwind works, the
package is in the "Not-Installed" state.
4. The new package's files are unpacked, overwriting any that may be on
the system already, for example any from the old version of the same
package or from another package. Backups of the old files are kept
temporarily, and if anything goes wrong the package management
system will attempt to put them back as part of the error unwind.
It is an error for a package to contain files which are on the
system in another package, unless ``Replaces`` is used (see
:ref:`s-replaces`).
It is a more serious error for a package to contain a plain file or
other kind of non-directory where another package has a directory
(again, unless ``Replaces`` is used). This error can be overridden
if desired using ``--force-overwrite-dir``, but this is not
advisable.
Packages which overwrite each other's files produce behavior which,
though deterministic, is hard for the system administrator to
understand. It can easily lead to "missing" programs if, for
example, a package is unpacked which overwrites a file from another
package, and is then removed again. [#]_
A directory will never be replaced by a symbolic link to a directory
or vice versa; instead, the existing state (symlink or not) will be
left alone and ``dpkg`` will follow the symlink if there is one.
5. If the package is being upgraded:
a. Call:
.. parsed-literal::
*old-postrm* upgrade *new-version*
b. If this fails, ``dpkg`` will attempt:
.. parsed-literal::
*new-postrm* failed-upgrade *old-version*
If this works, installation continues. If not, Error unwind:
.. parsed-literal::
*old-preinst* abort-upgrade *new-version*
If this fails, the old version is left in a "Half-Installed"
state. If it works, dpkg now calls:
.. parsed-literal::
*new-postrm* abort-upgrade *old-version*
If this fails, the old version is left in a "Half-Installed"
state. If it works, dpkg now calls:
.. parsed-literal::
*old-postinst* abort-upgrade *new-version*
If this fails, the old version is in an "Unpacked" state.
This is the point of no return. If ``dpkg`` gets this far, it won't
back off past this point if an error occurs. This will leave the
package in a fairly bad state, which will require a successful
re-installation to clear up, but it's when ``dpkg`` starts doing
things that are irreversible.
6. Any files which were in the old version of the package but not in
the new are removed.
7. The new file list replaces the old.
8. The new maintainer scripts replace the old.
9. Any packages all of whose files have been overwritten during the
installation, and which aren't required for dependencies, are
considered to have been removed. For each such package
a. ``dpkg`` calls:
.. parsed-literal::
*disappearer's-postrm* disappear \\
*overwriter* *overwriter-version*
b. The package's maintainer scripts are removed.
c. It is noted in the status database as being in a sane state,
namely "Not-Installed" (any conffiles it may have are ignored,
rather than being removed by ``dpkg``). Note that disappearing
packages do not have their prerm called, because ``dpkg`` doesn't
know in advance that the package is going to vanish.
10. Any files in the package we're unpacking that are also listed in the
file lists of other packages are removed from those lists. (This
will lobotomize the file list of the "conflicting" package if there
is one.)
11. The backup files made during installation, above, are deleted.
12. The new package's status is now sane, and recorded as "Unpacked".
Here is another point of no return: if the conflicting package's
removal fails we do not unwind the rest of the installation. The
conflicting package is left in a half-removed limbo.
13. If there was a conflicting package we go and do the removal actions
(described below), starting with the removal of the conflicting
package's files (any that are also in the package being unpacked
have already been removed from the conflicting package's file list,
and so do not get removed now).
.. _s-configdetails:
Details of configuration
------------------------
When we configure a package (this happens with ``dpkg --install`` and ``dpkg --configure``), we first update any
``conffile``\ s and then call:
.. parsed-literal::
*postinst* configure *most-recently-configured-version*
No attempt is made to unwind after errors during configuration. If the
configuration fails, the package is in a "Half-Configured" state, and an
error message is generated.
If there is no most recently configured version ``dpkg`` will pass a
null argument. [#]_
.. _s-removedetails:
Details of removal and/or configuration purging
-----------------------------------------------
1. .. parsed-literal::
*prerm* remove
If prerm fails during replacement due to conflict
.. parsed-literal::
*conflictor's-postinst* abort-remove \\
in-favour *package* *new-version*
Or else we call:
.. parsed-literal::
*postinst* abort-remove
If this fails, the package is in a "Half-Configured" state, or else
it remains "Installed".
2. The package's files are removed (except ``conffile``\ s).
3. .. parsed-literal::
*postrm* remove
If it fails, there's no error unwind, and the package is in an
"Half-Installed" state.
4. All the maintainer scripts except the ``postrm`` are removed.
If we aren't purging the package we stop here. Note that packages
which have no ``postrm`` and no ``conffile``\ s are automatically
purged when removed, as there is no difference except for the
``dpkg`` status.
5. The ``conffile``\ s and any backup files (``~``-files, ``#*#`` files,
``%``-files, ``.dpkg-{old,new,tmp}``, etc.) are removed.
6. .. parsed-literal::
*postrm* purge
If this fails, the package remains in a "Config-Files" state.
7. The package's file list is removed.
.. [#]
This is so that if an error occurs, the user interrupts ``dpkg`` or
some other unforeseen circumstance happens you don't leave the user
with a badly-broken package when ``dpkg`` attempts to repeat the
action.
.. [#]
This can happen if the new version of the package no longer
pre-depends on a package that had been partially upgraded.
.. [#]
For example, suppose packages foo and bar are "Installed" with foo
depending on bar. If an upgrade of bar were started and then aborted,
and then an attempt to remove foo failed because its ``prerm`` script
failed, foo's ``postinst abort-remove`` would be called with bar only
"Half-Installed".
.. [#]
This is often done by checking whether the command or facility the
``postrm`` intends to call is available before calling it. For
example:
::
if [ "$1" = purge ] && [ -e /usr/share/debconf/confmodule ]; then
. /usr/share/debconf/confmodule db_purge
fi
in ``postrm`` purges the ``debconf`` configuration for the package if
debconf is installed.
.. [#]
See :doc:`ap-flowcharts` for flowcharts illustrating
the processes described here.
.. [#]
Part of the problem is due to what is arguably a bug in ``dpkg``.
.. [#]
Historical note: Truly ancient (pre-1997) versions of ``dpkg`` passed
``<unknown>`` (including the angle brackets) in this case. Even older
ones did not pass a second argument at all, under any circumstance.
Note that upgrades using such an old dpkg version are unlikely to
work for other reasons, even if this old argument behavior is handled
by your postinst script.