| Puppet Version: 4.10.x, probably other too
Puppet Server Version:
OS Name/Version: Debian 8, probably other versions too If puppet sets a package with a pending upgrade on hold (ensure=>held), the pending upgrade is installed before the package is set on hold. Describe steps to reproduce: 1. Show available versions
2. Downgrade package:
# puppet resource package openssl ensure=1.0.1t-1+deb8u8 |
Notice: /Package[openssl]/ensure: ensure changed '1.0.1t-1+deb8u11' to '1.0.1t-1+deb8u8' |
package { 'openssl': |
ensure => '1.0.1t-1+deb8u8', |
}
|
3. Set package on hold:
# puppet resource --debug package openssl ensure=held |
[...] |
Debug: Prefetching apt resources for package |
Debug: Executing '/usr/bin/dpkg-query -W --showformat '${Status} ${Package} ${Version}\n'' |
Debug: Executing: '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install openssl' |
Debug: Executing: 'dpkg --set-selections' |
Notice: /Package[openssl]/ensure: ensure changed '1.0.1t-1+deb8u8' to 'held' |
Debug: Finishing transaction 28203320 |
Debug: Storing state |
Debug: Stored state in 0.45 seconds |
Debug: Executing: '/usr/bin/dpkg-query -W --showformat '${Status} ${Package} ${Version}\n' openssl' |
package { 'openssl': |
ensure => '1.0.1t-1+deb8u11', |
}
|
4. Now the package has been upgraded:
Desired Behavior: The package version stays unchanged and the package is marked on-hold. Actual Behavior: The package has been upgraded and is on hold. This is counterintuitive and also not reflected by the agent output, especially as the "on hold" setting may be performed especially to prevent the pending upgrade from being installed. Probable cause: The reason this happens is the apt-get install line marked bold above. If the package already is installed, it should not happen. |
