fix(installer): bound the apt dpkg-lock wait so a held lock can't hang the install (#210)

[saadqbal]

Fixes #210. Complementary to #212 (now merged) — that PR fixed the needrestart hidden-prompt hang; this one fixes the dpkg-lock hang. Same symptom (Installing conntrack… freezes on a fresh Ubuntu host), different root cause.

Rebased onto develop after #212 merged, so the diff is the lock dimension only.

Root cause

On a freshly-booted host, apt-daily / unattended-upgrades hold the dpkg lock. The installer's apt-get install had no lock timeout, so it waited indefinitely — and spin_cmd redirects apt's Waiting for cache lock… line into a log file, so it looked frozen with no error.

What this adds (on top of #212)

• setup_pm: add -o DPkg::Lock::Timeout=600 to the apt update/install commands → bounded wait, then a clear failure (which spin_cmd surfaces) instead of an infinite silent hang. Appends to fix(installer): keep apt non-interactive so needrestart can't hang installs on Ubuntu 22.04+ #212's non-interactive sudo env command, leaving its env exactly as-is.
• New apt_wait_for_lock: a visible, bounded Waiting for background system updates to finish… spinner before the docker / system-deps installs (no-op when apt or fuser is absent, or the lock is free). Placed before install_docker_engine so the get.docker.com apt path benefits too.
• setup-linux.bats: assert both apt commands carry the lock timeout (regression guard).

Testing

• bash -n scripts/lib/setup-linux.sh — clean.
• Sourced the real setup_pm / apt_wait_for_lock with the bats mocks and asserted fix(installer): keep apt non-interactive so needrestart can't hang installs on Ubuntu 22.04+ #212's guarantees (sudo env, DEBIAN_FRONTEND=noninteractive, NEEDRESTART_MODE=a) and this PR's (DPkg::Lock::Timeout= in both apt commands) hold together; dnf branch free of the apt option; apt_wait_for_lock no-ops on the no-fuser / lock-free paths. All pass.
• bats isn't installed locally — the cross-distro installer CI exercises the real path.

Compatibility

DPkg::Lock::Timeout is a config key (-o), unknown to pre-2.0 apt (e.g. 18.04) where it's silently ignored — no breakage on older distros. dnf/yum/zypper/pacman branches unchanged.

Immediate client workaround (no merge needed)

while sudo fuser /var/lib/dpkg/lock-frontend /var/lib/apt/lists/lock >/dev/null 2>&1; do
  echo "waiting for apt lock…"; sleep 5; done
# then re-run the installer

🤖 Generated with Claude Code

---

Note

Low Risk
Linux installer script and test-only changes; no auth, data, or runtime service logic affected.

Overview
Fixes #210: on fresh Debian/Ubuntu boots, apt-daily / unattended-upgrades can hold the dpkg lock while the Linux installer runs apt behind spin_cmd, so the install looks frozen (e.g. at “Installing conntrack…”) with no visible “Waiting for cache lock…” message.

setup_pm now passes -o DPkg::Lock::Timeout=600 on apt update and install so lock waits are bounded and failures surface instead of hanging silently. A new apt_wait_for_lock runs early in install_linux (before Docker/system deps): if fuser sees holders on the standard lock paths, it shows a “Waiting for background system updates to finish…” spinner for up to 600s; otherwise it no-ops. Non-apt package managers are unchanged. setup-linux.bats asserts both apt commands include the lock timeout.

^{Reviewed by Cursor Bugbot for commit 2481d41. Bugbot is set up for automated code reviews on this repo. Configure here.}

[LukasWodka]

👋 Heads-up — Code review queue is at 17 / 8

Above the WIP limit. The team convention is to review existing PRs before opening new work.

Open PRs currently in Code review (oldest first):

• averaging-service#102 — chore(kanban): declare staging as prod-truth branch via .kanban.yml · author: @LukasWodka · no reviewer assigned
• averaging-service#103 — fix(averaging): correctness foundations — DP, shape guard, sklearn weighting, bounded ensembles (chore: add default CODEOWNERS for auto-reviewer assignment #73) · author: @LukasWodka · reviewer: @shujaatTracebloc
• averaging-service#98 — ci: add fr-gate caller workflow · author: @LukasWodka · no reviewer assigned
• backend#732 — feat(experiments): add per-experiment aggregation_strategy field (#730) · author: @LukasWodka · reviewer: @saqlainsyed007, @shujaatTracebloc
• backend#735 — fix(flops): atomic flops_used + fire stop once on threshold crossing (#733) · author: @saadqbal · no reviewer assigned
• cli#61 — fix(install.sh): persist PATH to the shell rc (parity with install.ps1) · author: @LukasWodka · reviewer: @saadqbal
• client#207 — test(charts): add helm-unittest suite for ingestion-authz-configmap · author: @saadqbal · no reviewer assigned
• data-ingestors#146 — test(schema): lock category enum to the engine's TaskCategory (anti-drift) · author: @LukasWodka · reviewer: @saadqbal
• data-ingestors#148 — Develop to prod · author: @divyasinghds · reviewer: @saadqbal
• docs#47 — docs(environment-setup): Installer UX: drop PriorityClass, fix namespace, one-per-machine guard, surface version #192 namespace/workspace flow (hold for client#192) · author: @LukasWodka · reviewer: @saadqbal

Pull from review before opening new work. (This is a nudge from the kanban WIP check, not a block.)