apt safe-upgrade module

[Benjamin Copeland]

- name: hold openssh-client only if OS is 12.04

  shell: echo "openssh-client hold" | sudo dpkg --set-selections

  when: ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'precise'

- name: hold openssh-server only if OS is 12.04

  shell: echo "openssh-server hold" | sudo dpkg --set-selections

  when: ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'precise'

- name: update and upgrade a server

  apt: upgrade=safe update_cache=yes

  sudo: yes

The package is "held" it dpkg. 

openssh-client hold

openssh-server hold

The state of apt before ansible:

The following packages have been kept back:

  linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual openssh-client openssh-server

After deploy:

The following packages have been kept back:

  linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual

I would have thought, using the safe-upgrade should have stopped openssh being upgraded.

Is this a bug, or am I missing something?

Thanks

Ben

[Michael DeHaan]

Where are you seeing the output of what is "held back" and so on?  That's usually what you see during an update, so it seems some steps

are not being executed by Ansible, and that's confusing me a little.

Can you show the commands executed?

Thanks!

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/8cba22f6-9fb1-4a14-a7bc-a52cca604355%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Benjamin Copeland]

Hello Michael,

I am using dpkg, so dpkg --get-selections | grep "openssh-*".

apt-get upgrade, by default won't upgrade held packages. 

There is a option in apt-get manual:

       --ignore-hold

           Ignore package Holds; This causes apt-get to ignore a hold placed on a package. This may be

           useful in conjunction with dist-upgrade to override a large number of undesired holds.

           Configuration Item: APT::Ignore-Hold.

Which, I assume then will overwrite the default behavior.

Thanks

Ben

[Michael DeHaan]

Curious how the holds got placed?

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/941f9249-a6c3-4585-8cc6-2f8c1af52181%40googlegroups.com.

[Benjamin Copeland]

https://help.ubuntu.com/community/PinningHowto#Apt

Like that.

Ben

[Igor Homyakov]

All holds are in /var/lib/dpkg/status file as well as other statuses
of available packages.

> https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgy%2B8M2Ebrg9j%3DM23VuEaY1Tr89DMYn9Ebg-7Xo5MJZgbA%40mail.gmail.com.

[Michael DeHaan]

Yep, familiar with apt pinning.

I think I'd be open to a parameter to ignore the pinning, but it probably should not happen by default.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAGuansqfqyY9JdAcRU1-Aqq4T3TVTJutkjHnfKFVaT%3DAc2GbaQ%40mail.gmail.com.

[Benjamin Copeland]

Currently, its holding me back from updating a number of our servers. As, soon as the held package gets updated, the server breaks. 

Is there anything I can do? 

[Michael DeHaan]

For now you could modify the module or make a "shell: " command call instead, using the numerous flags and env variables required to make apt do a direct update.

Please make sure there's a ticket or pull request filed for this one if not already.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/d6bbd8f8-aea7-429e-81d6-f74172b7ba3c%40googlegroups.com.