Downgrading apt packages safely
1,368 views
Skip to first unread message
jan.w...@codilime.com
Mar 2, 2016, 11:27:24 AM3/2/16
to Ansible Project
Hello,
in my ansible playbook I want to ensure a specific version of a package is installed, even if that would mean downgrading it. I know that I can specify version together with package name, like this: haproxy=1.4.24-2. However, this is not enough in case of downgrading: this playbook
- hosts: all
tasks:
- name: install haproxy
apt:
name: haproxy=1.4.24-2
sudo: yes
will fail if a newer version of haproxy is installed. I know that I can use "force" attribute, but that would also disable some useful security checks - for example, with force=yes Ansible would install a package even if it couldn't be authenticated. Is there a better way?
I thought that "dpkg_options" may help me, but this playbook also fails on downgrade:
- hosts: all
tasks:
- name: install haproxy
apt:
name: haproxy=1.4.24-2
dpkg_options: force-downgrade
sudo: yes
Is this a bug?
Maybe I should approach this problem in an altogether different way?
best,
Jan
in my ansible playbook I want to ensure a specific version of a package is installed, even if that would mean downgrading it. I know that I can specify version together with package name, like this: haproxy=1.4.24-2. However, this is not enough in case of downgrading: this playbook
- hosts: all
tasks:
- name: install haproxy
apt:
name: haproxy=1.4.24-2
sudo: yes
will fail if a newer version of haproxy is installed. I know that I can use "force" attribute, but that would also disable some useful security checks - for example, with force=yes Ansible would install a package even if it couldn't be authenticated. Is there a better way?
I thought that "dpkg_options" may help me, but this playbook also fails on downgrade:
- hosts: all
tasks:
- name: install haproxy
apt:
name: haproxy=1.4.24-2
dpkg_options: force-downgrade
sudo: yes
Is this a bug?
Maybe I should approach this problem in an altogether different way?
best,
Jan
Alexey Vazhnov
Mar 3, 2016, 1:35:05 AM3/3/16
to Ansible Project
Your playbook gave me an error too:
fatal: [localhost]: FAILED! => {"cache_update_time": 0, "cache_updated": false, "changed": false, "failed": true, "msg": "'/usr/bin/apt-get -y -o \"Dpkg::Options::=--force-downgrade\" install 'haproxy=1.4.24-2'' failed: E: There are problems and -y was used without --force-yes\n", "stderr": "E: There are problems and -y was used without --force-yes\n", "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\nSuggested packages:\n vim-haproxy\nThe following packages will be DOWNGRADED:\n haproxy\n0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 0 not upgraded.\nNeed to get 453 kB of archives.\nAfter this operation, 403 kB disk space will be freed.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "Suggested packages:", " vim-haproxy", "The following packages will be DOWNGRADED:", " haproxy", "0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 0 not upgraded.", "Need to get 453 kB of archives.", "After this operation, 403 kB disk space will be freed."]}But I added parameter "force: yes" and package downgraded successfully.
Resulted playbook:
---
- hosts: all
tasks:
- name: install haproxy
apt:
name: haproxy=1.4.24-2
force: yes
dpkg_options: force-downgrade
sudo: yesI used Ansible v. 2.0.1.0 on Ubuntu 14.04 amd64. I tested with this command:
ansible-playbook -s --ask-sudo-pass -i inventory/testing/localhost --limit=localhost --connection=local downgrading.ymljan.w...@codilime.com
Mar 3, 2016, 7:45:07 AM3/3/16
to Ansible Project
Thanks! Unfortunately, this doesn't fully solve my problem: using "force: yes" will disable useful apt security checks. For example, with "force: yes" Ansible will install packages that cannot be authenticated - I don't want that.
Is there a better way?
best,
Jan
Jan
Reply all
Reply to author
Forward
0 new messages