Single template update results in 5 hook script calls?

[qubist]

Hi,

I created the following APT hook in /etc/apt/apt.conf.d/98-myhook:

APT::Update::Post-Invoke-Success {"/opt/myscript 2>/dev/null || true";};

myscript does only:

logger "hello"


Then I ran:

user@dom0:~ > qubes-vm-update --force-update --targets D13

while watching the output of journalctl -f of the D13 template.

Result: The "hello" shows 5 times.

Then I ran 'apt-get update' directly in the D13 template.

Result: The "hello" shows only 1 time (as expected).


Why is there such discrepancy?
Is that a bug?

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, Mar 19, 2026 at 10:45:48AM -0000, qubist wrote:
> Hi,
>
> I created the following APT hook in /etc/apt/apt.conf.d/98-myhook:
>
> APT::Update::Post-Invoke-Success {"/opt/myscript 2>/dev/null || true";};

First of all, if you want to run something after installing an update,
this is _not_ the place - it's called just after `apt-get update`, which
is only fetching metadata, but not installing anything yet.

> myscript does only:
>
> logger "hello"
>
>
> Then I ran:
>
> user@dom0:~ > qubes-vm-update --force-update --targets D13
>
> while watching the output of journalctl -f of the D13 template.
>
> Result: The "hello" shows 5 times.
>
> Then I ran 'apt-get update' directly in the D13 template.
>
> Result: The "hello" shows only 1 time (as expected).
>
>
> Why is there such discrepancy?
> Is that a bug?

There are multiple apt-get update calls intentionally. At the very
least, to refresh accurately report if all updates got installed (this
is especially relevant if some update included changes to the repository
list). I'm not sure if 5 is really needed, but given apt-get use cache
and doesn't re-fetch it nothing changed, it isn't also really a problem.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmm8EMAACgkQ24/THMrX
1yyHgAf7Bxj2PgoQnBRCpceBCKDEap5GiWCcm6YNKveApqdnYBltELKN9C/n7MYQ
w4sPRi2mgHRZb0m+EEyJ5/MzouFMXDnS5LayAyfP0BivyAKKdSVy0n5SaByNz+t6
Zsa7QHwr3FHMfhYY8pPgBij6GdS3FMGPfKgB1pNVQfPMP1vCtGdH0NWzn7nqK4WW
UHqsTJ18tkUFEPek6mktREYKf8QFTTs/C1CAYG7ETnPnpdVfynM5IFgx8d3D3yB5
ZxjjOllxCJ3qk/c6g8NyIXmf6zhvp5oTx1JPJpuXwPR41N7OnEpa3oCAfoaramue
fY8Ycg6D+13vzGYqQCXvObiymCW6mQ==
=Tdwi
-----END PGP SIGNATURE-----

[qubist]

On Thu, 19 Mar 2026 16:05:36 +0100 Marek Marczykowski-Górecki wrote:

> First of all, if you want to run something after installing an update,
> this is _not_ the place - it's called just after `apt-get update`, which
> is only fetching metadata, but not installing anything yet.

I need to run a script after completion any of these:

- system update (invoked in the domU itself or through dom0)
- packages have been installed
- packages have been uninstalled
- apt-get autopurge

What is the right way to do it?

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

https://askubuntu.com/questions/63717/execute-command-after-dpkg-installation
?

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmm8HH4ACgkQ24/THMrX
1yy3fgf/dafZ5wjXADDOtmvs2EkmbXA4Fh3eU96AIBR20MixSQf1Z8AI1bfE/mDl
j1AjUEJ4+NW6JZEano+ALBzGaDdJVz4UIGPBP/z8aqna5TLiWAFY+TE82qktxBCs
Dmci3Q13cGqrL+eQ++YYWOzQV5w5D5RSbKG/vyLTnkBDx68zIKVsPsq7Q0V7WBws
OGX4nOMTsCzdG+L6U4yDtmWYFvG63vZ6Rw704Dr1TXX4vSHjCV+1lfvRPF/LydjA
RgWSpf+x0XmaT6jVDOLsWX5wzbk0JfaPHxqWtS0Tx/zfE/fJy06CuHBNZbW2qDF4
xWlf8I3teQz9sZfi0w7IXeqKAw6piA==
=/1qG
-----END PGP SIGNATURE-----

[qubist]

Thanks!