Downgrading apt packages safely

Archives Ansible Project
1

Hello,

in my ansible playbook I want to ensure a specific version of a package is installed, even if that would mean downgrading it. I know that I can specify version together with package name, like this: haproxy=1.4.24-2. However, this is not enough in case of downgrading: this playbook

  • hosts: all
    tasks:
  • name: install haproxy
    apt:
    name: haproxy=1.4.24-2
    sudo: yes

will fail if a newer version of haproxy is installed. I know that I can use “force” attribute, but that would also disable some useful security checks - for example, with force=yes Ansible would install a package even if it couldn’t be authenticated. Is there a better way?

I thought that “dpkg_options” may help me, but this playbook also fails on downgrade:

  • hosts: all
    tasks:
  • name: install haproxy
    apt:
    name: haproxy=1.4.24-2
    dpkg_options: force-downgrade
    sudo: yes

Is this a bug?
Maybe I should approach this problem in an altogether different way?

best,
Jan

2

Your playbook gave me an error too:

fatal: [localhost]: FAILED! => {"cache_update_time": 0, "cache_updated": false, "changed": false, "failed": true, "msg": "'/usr/bin/apt-get -y -o \"Dpkg::Options::=--force-downgrade\" install 'haproxy=1.4.24-2'' failed: E: There are problems and -y was used without --force-yes\n", "stderr": "E: There are problems and -y was used without --force-yes\n", "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\nSuggested packages:\n vim-haproxy\nThe following packages will be DOWNGRADED:\n haproxy\n0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 0 not upgraded.\nNeed to get 453 kB of archives.\nAfter this operation, 403 kB disk space will be freed.\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "Suggested packages:", " vim-haproxy", "The following packages will be DOWNGRADED:", " haproxy", "0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 0 not upgraded.", "Need to get 453 kB of archives.", "After this operation, 403 kB disk space will be freed."]}

But I added parameter “force: yes” and package downgraded successfully.

Resulted playbook:

`

3

Thanks! Unfortunately, this doesn’t fully solve my problem: using “force: yes” will disable useful apt security checks. For example, with “force: yes” Ansible will install packages that cannot be authenticated - I don’t want that.

Is there a better way?

best,
Jan