Clean up old habitat packages on upgrade

[btm]

When Automate is upgraded and dependencies are upgraded, additional copies of the dependencies may be left behind. As these dependencies age, they may be detected by customers vulnerabilities scanners and cause additional reporting and remediation work for the customer. We should clean up unused old packages from disk.

Keep in mind that automate prevents other services from running in it's habitat supervisor, but that a system may have a separate habitat supervisor running using the same /hab filesystem. See #455 and #2478.

hab pkg uninstall does have a --keep-latest n flag that keeps at least n copies of a package, and won't uninstall packages that are dependencies of others. Something like this works, but don't do this:

# don't do this
INSTALLED_PACKAGES=$(hab pkg list -a | awk -F/ '{print $1 "/" $2 }' | uniq)
for p in $INSTALLED_PACKAGES
do
  sudo hab pkg uninstall $p --keep-latest 1
done

[btm]

Example of customer communications for manual cleanup: https://github.com/chef/customer-bugs/issues/566#issuecomment-1023675551

[stevendanna]

This popped up in my github notifications for some reason and since I'm here, I thought I would mention that changing

automate/api/config/deployment/config_request.go

Line 49 in a8aad69

c.V1.Svc.PackageCleanupMode = w.String("conservative")

to "aggressive" might get you what you want.

automate/components/automate-deployment/pkg/depot/garbage_collect.go

Lines 68 to 73 in a8aad69

	// AggressiveCollect deletes all habitat packages except those that are listed
	// in the roots list or are transitive dependencies of those packages. This can
	// result in deletion of packages that have been intentionally installed by the
	// user, as there is no way to differentiate packages installed by the
	// deployment service but are no longer used from those installed by the user.
	func (gc *GarbageCollector) AggressiveCollect(roots []habpkg.HabPkg) error {