fix(installer): keep apt non-interactive so needrestart can't hang installs on Ubuntu 22.04+

[LukasWodka]

Summary

On Ubuntu 22.04+ (incl. 24.04) the needrestart package hooks apt-get install and opens an interactive "Which services should be restarted?" prompt. -y does not suppress it.

The installer runs apt inside spin_cmd, which redirects stdout/stderr to a log and backgrounds the process. So the prompt is invisible (only the spinner shows) and, being backgrounded, blocks the moment it reads the TTY (SIGTTIN) — the install hangs forever. The reported symptom was the spinner stuck "still pulling conntrack" on a fresh Ubuntu 24.04 host: the package was downloading fine; it was waiting on a hidden prompt.

(The authors already knew "spinners hide prompts" — preflight_sudo warms the sudo cache for exactly this reason — but needrestart/debconf were missed.)

Fix

Pass DEBIAN_FRONTEND=noninteractive + NEEDRESTART_MODE=a through sudo env (sudo resets the environment, so the vars must be set through it) on every apt path the installer drives:

Path	File
PM_INSTALL — conntrack / openssl / curl / tar (and nvidia-container-toolkit, which calls $PM_INSTALL)	scripts/lib/setup-linux.sh
get.docker.com convenience script (runs apt-get internally)	scripts/lib/setup-linux.sh
WSL2 NVIDIA Container Toolkit heredoc — same hidden-prompt class; bounded by the 180 s job timeout but still fails the toolkit install	scripts/install-k8s.ps1

Reuses the established sudo env VAR=val pattern already used for install_k3d (#718).

Tests

scripts/tests/setup-linux.bats:

• new: setup_pm: apt is non-interactive (needrestart/debconf guard) — asserts DEBIAN_FRONTEND=noninteractive, NEEDRESTART_MODE=a, and sudo env in PM_INSTALL.
• strengthened: the Debian/Ubuntu get.docker.com test now also asserts the non-interactive env.

bats scripts/tests/setup-linux.bats is green for every touched test. Two unrelated tests (Amazon Linux → dnf docker, RHEL clone → docker-ce) fail only on macOS dev machines because of BSD-vs-GNU grep in the /etc/os-release mock; they pass in CI on Linux and are untouched here.

Out of scope / follow-up

• scripts/lib/gpu-amd.sh:53 (sudo apt-get install … amdgpu-install.deb) is a direct, visible apt-get (not wrapped in spin_cmd), so a needrestart prompt there is annoying but not a silent hang. The same env could be added for consistency in a later pass.
• scripts/tests/distro-prereqs.sh is a CI-only helper that runs as root in minimal containers (no needrestart) — no exposure.

[LukasWodka]

👋 Heads-up — Code review queue is at 18 / 8

Above the WIP limit. The team convention is to review existing PRs before opening new work.

Open PRs currently in Code review (oldest first):

• averaging-service#102 — chore(kanban): declare staging as prod-truth branch via .kanban.yml · author: @LukasWodka · no reviewer assigned
• averaging-service#103 — fix(averaging): correctness foundations — DP, shape guard, sklearn weighting, bounded ensembles (chore: add default CODEOWNERS for auto-reviewer assignment #73) · author: @LukasWodka · reviewer: @shujaatTracebloc
• averaging-service#98 — ci: add fr-gate caller workflow · author: @LukasWodka · no reviewer assigned
• backend#732 — feat(experiments): add per-experiment aggregation_strategy field (#730) · author: @LukasWodka · reviewer: @saqlainsyed007, @shujaatTracebloc
• backend#735 — fix(flops): atomic flops_used + fire stop once on threshold crossing (#733) · author: @saadqbal · no reviewer assigned
• cli#61 — fix(install.sh): persist PATH to the shell rc (parity with install.ps1) · author: @LukasWodka · reviewer: @saadqbal
• client#207 — test(charts): add helm-unittest suite for ingestion-authz-configmap · author: @saadqbal · no reviewer assigned
• client#211 — fix(installer): bound apt lock wait so 'Installing conntrack…' can't hang forever (Installer hangs at 'Installing conntrack…' on Ubuntu when the apt/dpkg lock is held (no lock timeout) #210) · author: @saadqbal · no reviewer assigned
• data-ingestors#146 — test(schema): lock category enum to the engine's TaskCategory (anti-drift) · author: @LukasWodka · reviewer: @saadqbal
• data-ingestors#148 — Develop to prod · author: @divyasinghds · reviewer: @saadqbal

Pull from review before opening new work. (This is a nudge from the kanban WIP check, not a block.)

[saadqbal]

Heads-up @LukasWodka: #211 was chasing the same Installing conntrack… hang but via a different root cause — the dpkg lock held by apt-daily/unattended-upgrades on a freshly-booted host (no DPkg::Lock::Timeout, so apt waits forever and spin_cmd hides the Waiting for cache lock line).

Our two PRs overlapped on the non-interactive sudo env edit, so rather than ship a duplicated/conflicting change I've rebased #211 onto this branch and trimmed it to only the lock dimension (DPkg::Lock::Timeout + a visible apt_wait_for_lock step). #211's diff is now purely additive on top of yours and keeps your non-interactive env exactly as-is.

Suggested merge order: this PR (#212) into develop first, then I'll retarget #211 to develop (applies cleanly) and it can go in right after. The two are complementary — yours fixes the hidden-prompt hang, #211 the lock-wait hang.