- name: hold openssh-client only if OS is 12.04
  shell: echo "openssh-client hold" | sudo dpkg --set-selections
  when: ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'precise'

- name: hold openssh-server only if OS is 12.04
  shell: echo "openssh-server hold" | sudo dpkg --set-selections
  when: ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'precise'

- name: update and upgrade a server
  apt: upgrade=safe update_cache=yes
  sudo: yes
The package is “held” in dpkg.
openssh-client hold
openssh-server hold
The state of apt before ansible:
The following packages have been kept back:
linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual openssh-client openssh-server
After deploy:
The following packages have been kept back:
linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual
I would have thought, using the safe-upgrade should have stopped openssh being upgraded.
Is this a bug, or am I missing something?
Thanks
Ben
Where are you seeing the output of what is “held back” and so on? That’s usually what you see during an update, so it seems some steps
are not being executed by Ansible, and that’s confusing me a little.
Can you show the commands executed?
Thanks!
Hello Michael,
I am using dpkg, so dpkg --get-selections | grep "openssh-*".
apt-get upgrade, by default won’t upgrade held packages.
There is an option in the apt-get manual:
--ignore-hold
Ignore package Holds; This causes apt-get to ignore a hold placed on a package. This may be
useful in conjunction with dist-upgrade to override a large number of undesired holds.
Configuration Item: APT::Ignore-Hold.
Which, I assume then will overwrite the default behavior.
Thanks
Ben
Curious how the holds got placed?
All holds are in /var/lib/dpkg/status file as well as other statuses
of available packages.
Yep, familiar with apt pinning.
I think I’d be open to a parameter to ignore the pinning, but it probably should not happen by default.
Currently, it’s holding me back from updating a number of our servers. As soon as the held package gets updated, the server breaks.
Is there anything I can do?
For now you could modify the module or make a "shell: " command call instead, using the numerous flags and env variables required to make apt do a direct update.
Please make sure there’s a ticket or pull request filed for this one if not already.
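
Added example (not part of the original thread, and not Ansible's own code): a pre-flight check to run before the "shell:" workaround suggested above. It lists every package that dpkg marks as hold but that a simulated apt-get run would still install. The function names and the sample inputs are constructed for illustration, and the check assumes the simulation reflects what the real upgrade command will do.

```shell
#!/bin/sh
# Real use (on the target host), abort the upgrade if anything is printed:
#   hold_violations "$(dpkg --get-selections)" "$(apt-get -s upgrade)"

# Read `dpkg --get-selections` output on stdin and print the packages whose
# selection state is "hold" (an architecture suffix such as :amd64 is stripped).
held_packages() {
    awk '$2 == "hold" { p = $1; sub(/:.*/, "", p); print p }' | sort -u
}

# Read `apt-get -s upgrade` output on stdin and print the package names
# taken from its "Inst <package> ..." lines.
planned_upgrades() {
    awk '$1 == "Inst" { p = $2; sub(/:.*/, "", p); print p }' | sort -u
}

# hold_violations SELECTIONS SIMULATION
# Print each held package that the simulated run would still install.
hold_violations() {
    held=$(printf '%s\n' "$1" | held_packages)
    printf '%s\n' "$2" | planned_upgrades | while read -r pkg; do
        if printf '%s\n' "$held" | grep -Fxq -- "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Constructed sample inputs (version strings are placeholders).
SAMPLE_SELECTIONS='linux-image-virtual install
openssh-client hold
openssh-server hold
vim install'

# A run that ignores the hold on openssh-server.
SAMPLE_SIM_BAD='Inst openssh-server [1.0] (1.1 Ubuntu:12.04/precise-updates [amd64])
Inst vim [2.0] (2.1 Ubuntu:12.04/precise-updates [amd64])
Conf openssh-server (1.1 Ubuntu:12.04/precise-updates [amd64])
Conf vim (2.1 Ubuntu:12.04/precise-updates [amd64])'

# A run that respects both holds.
SAMPLE_SIM_OK='Inst vim [2.0] (2.1 Ubuntu:12.04/precise-updates [amd64])
Conf vim (2.1 Ubuntu:12.04/precise-updates [amd64])'
```

Empty output means no held package is in the planned upgrade set; any printed name is a hold that would be overridden.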