puppetlabs / puppetlabs-apt
This project forked from evolvingweb/puppet-apt
Puppet module to help manage Apt
Home Page: https://forge.puppetlabs.com/puppetlabs/apt
License: Apache License 2.0
Debian apt-get will look in both /etc/apt/preferences as well as files in /etc/apt/preferences.d for pinning information. This module will purge /etc/apt/sources.list, but will not touch /etc/apt/preferences.
I have code to address this issue, though there is an underlying issue with 'apt-get upgrade' that requires a valid entry in /etc/apt/preferences to function. An empty file, or a file with a single comment, will throw an error (see Debian bug 641245). It makes the Puppet solution look a little sloppy.
apt::params looks for $::lsbdistid and $::lsbdistcodename.
If any combination of those values isn't supported, catalog compilation fails with this error: Unsupported osfamily (XXX) or lsbdistid (YYY)
lsbdistcodename should be mentioned instead of osfamily.
Note: This bug is particularly frustrating as a new default clause has been added to the case in apt::params. Having a misleading error message makes debugging harder, especially for existing rspec tests in other modules which are now all suddenly failing.
Those rspec tests might not always inject those facts due to puppetlabs-apt not having a hard requirement on them before, because OS specific configurations defined in params were only used by apt::backports and apt::ppa.
After updating the module from 8.3.0 to 8.4.0, I get a dependency cycle on all Debian family nodes, for any repo I manage:
Found 1 dependency cycle:
(Exec[apt_update] => Class[Apt::Update] => Package[gnupg] => Apt::Key[Add key: 5B7C3E5A735BCB4D615829DC0BDDA991FD7AAC8A from Apt::Source theforman_buster] => Apt::Setting[list-theforman_buster] => File[/etc/apt/sources.list.d/theforman_buster.list] => Class[Apt::Update] => Exec[apt_update])\nTry the '--graph' option and opening the resulting '.dot' file in OmniGraffle or GraphViz
No dependency cycle.
# required for adding GPG keys on Debian 9 (and derivatives)
ensure_packages(['gnupg'])
in init.pp
the cycle was gone.
main stage.
Nevermind, I filed this on the wrong project!
I only seem to be able to get apt-get update to "always_apt_update", but the desired behavior is to update on the first run, or if there has been a change to sources.
Am I missing a setting?
On Lucid, and probably other versions of Ubuntu, -y is an invalid option. This causes use of the apt::ppa resource to fail with "Error: /usr/bin/add-apt-repository -y ppa:git-core/ppa returned 2 instead of one of [0]".
The $option parameter should only be set to "-y" by default on versions of Debian/Ubuntu that support it.
See #146, where this option was introduced.
This new commit, merged and released for tag v9.0.0, hardcodes the Puppet path for the $script_path variable, in the manifests/ppa.pp file:
$script_path = "/opt/puppetlabs/puppet/cache/add-apt-repository-${dash_filename_no_specialchars}-${release}.sh"
/opt/puppetlabs/puppet is not the path used by the Debian Puppet packages (also used by Ubuntu). This uses its /etc/puppet/ ).
The script_path var should either default to the right path by itself, or at least be modifiable by a user variable.
Looking at this debug output: https://gist.github.com/slamont/6010067
It seems that packages from the system are installed instead of those from the configured ppa.
With this code: https://gist.github.com/slamont/6010094
I assumed (may be wrong) that apt::ppa should execute the update before the installation of the package.
So simply want to know if there should be a dependency in the icinga module like so:
Apt::Ppa <| |> -> Package <| |> ???
I want to add a native type for apt_ppa especially now that Debian Wheezy has a new enough python-software-properties that includes this command.
However, since not everyone might want to install / pull in Python just for apt_ppa we'd still need to support the 'old' way of doing it as apt::ppa is now doing. The other choice would be to decide that apt::ppa now requires the target system to have python-software-properties installed which is the case on Ubuntu installations. Seeing that apt::ppa is geared towards Ubuntu that seems like a sensible second option.
Is this worth the effort or should we leave it as is?
I want to submit a PR adding the ability to exclude some hosts from the apt proxy when a direct connection is needed (acquire::http::proxy::$host DIRECT).
There are two ways I could do it:
Which of those would you prefer to see?
I want a class that configures an APT repository to also ensure that apt-get update has run before any dependencies on that class.
This way I can depend on the class that configures the repository without needing to know how this repository is configured.
E.g.:
class mymod::repository {
  if $facts['os']['family'] == 'Debian' {
    apt::source { 'somerepo':
      ...
    }
    contain apt::update
  } else {...}
}
class mymod {
  require mymod::repository # Make sure that the repository is configured and available.
  package { 'somepackage':
    ensure => 'present',
  }
}
This is currently not possible by using contain apt::source because that class is private.
Instead it fails with:
error during compilation: Evaluation Error: Error while evaluating a Function Call, Class apt::update is private
Since the apt::update class is a documented part of this module, I think it could be marked as public.
That would allow it to be used both through contain and through direct dependencies (require => Class['apt::update']).
Two alternatives:
Please explain the steps to change the contents of sources.list
I have set these options:
class { 'apt':
  purge => {
    'sources.list'   => true,
    'sources.list.d' => true,
  }
}
then I add:
apt::ppa { 'ppa:deadsnakes/ppa': }
the repo name is taken here: deadsnakes-ppa
and every time Puppet runs the repo is added and then it's removed, again and again.
it should not purge the repository added through apt::ppa
see above
N/A
Hi,
I have this message when I use Vagrant :
Warning: Variable access via 'name' is deprecated. Use '@name' instead. template[/tmp/vagrant-puppet/modules-0/apt/templates/source.list.erb]:1
(at /tmp/vagrant-puppet/modules-0/apt/templates/source.list.erb:1:in `block in result')
Warning: Variable access via 'location' is deprecated. Use '@location' instead. template[/tmp/vagrant-puppet/modules-0/apt/templates/source.list.erb]:2
(at /tmp/vagrant-puppet/modules-0/apt/templates/source.list.erb:2:in `block in result')
Warning: Variable access via 'include_src' is deprecated. Use '@include_src' instead. template[/tmp/vagrant-puppet/modules-0/apt/templates/source.list.erb]:3
(at /tmp/vagrant-puppet/modules-0/apt/templates/source.list.erb:3:in `block in result')
Warning: Not collecting exported resources without storeconfigs
Warning: Variable access via 'name' is deprecated. Use '@name' instead. template[/tmp/vagrant-puppet/modules-0/apt/templates/pin.pref.erb]:1
(at /tmp/vagrant-puppet/modules-0/apt/templates/pin.pref.erb:1:in `block in result')
Warning: Variable access via 'explanation' is deprecated. Use '@explanation' instead. template[/tmp/vagrant-puppet/modules-0/apt/templates/pin.pref.erb]:2
(at /tmp/vagrant-puppet/modules-0/apt/templates/pin.pref.erb:2:in `block in result')
Warning: Variable access via 'packages' is deprecated. Use '@packages' instead. template[/tmp/vagrant-puppet/modules-0/apt/templates/pin.pref.erb]:3
(at /tmp/vagrant-puppet/modules-0/apt/templates/pin.pref.erb:3:in `block in result')
Warning: Variable access via 'pin' is deprecated. Use '@pin' instead. template[/tmp/vagrant-puppet/modules-0/apt/templates/pin.pref.erb]:4
(at /tmp/vagrant-puppet/modules-0/apt/templates/pin.pref.erb:4:in `block in result')
Warning: Variable access via 'priority' is deprecated. Use '@priority' instead. template[/tmp/vagrant-puppet/modules-0/apt/templates/pin.pref.erb]:5
(at /tmp/vagrant-puppet/modules-0/apt/templates/pin.pref.erb:5:in `block in result')
Hello,
I am trying to figure out the purpose of that anchor in sources.pp:
anchor { "apt::source::${name}":
  require => Class['apt::update'],
}
Indeed, in my manifest, I've added:
Apt::Source <| |> -> Exec["apt_update"]
And I got a dependency cycle:
(Anchor[apt::source::source1] => Apt::Source[source1] => Exec[apt_update] => Class[Apt::Update] => Anchor[apt::source::source1])
I think setting all our sources before doing an apt-get update is the normal way, or am I missing something?
Regards
Olivier
Rather than writing require => Apt::ppa['...'] for each package that needs a ppa, could I write something to tell Puppet to load all ppa's before any packages?
The same way that we can write something to force apt-get update before any packages are processed:
exec { 'apt-update':
  command => 'apt-get update',
  path    => '/bin:/usr/bin'
}
Exec['apt-update'] -> Package <| |>
When trying to add the CDH4 repository to APT I ran into the following problem:
Using the following
apt::source {'cdh4':
  always_apt_update => true,
  location          => 'http://archive.cloudera.com/cdh4/ubuntu/precise/amd64/cdh',
  release           => 'precise-cdh4',
  repos             => 'contrib',
  architecture      => 'amd64',
  include_src       => false,
  key               => '02A818DD',
  key_server        => 'keys.gnupg.net'
}
Generates /etc/apt/sources.list.d/cdh4.list containing:
# cdh4
deb [arch=amd64]http://archive.cloudera.com/cdh4/ubuntu/precise/amd64/cdh precise-cdh4 contrib
Notice there is a missing space between [arch=amd64] and http:///...
The source of this bug is in the templates/sources.list.erb file which is not adding a space in the optional architecture statement.
The following check in manifests/ppa.pp fails for Linux Mint Maja LTS and facter 1.7.5:
if $::operatingsystem != 'Ubuntu' {
  fail("apt::ppa is currently supported on Ubuntu only.")
}
From personal experience, though, the Ubuntu based Mint’s are pretty compatible with the ppa system.
$ facter --version
1.7.5
$ facter operatingsystem
Debian
For installing mariadb on ubuntu I tried the following resource:
apt::source { 'mariadb':
  location   => 'http://mirror2.hs-esslingen.de/mariadb/repo/5.5/ubuntu',
  release    => 'precise',
  repos      => 'main',
  key        => '0xcbcb082a1bb943db',
  key_server => 'hkp://keyserver.ubuntu.com:80',
}
This fails because the key will be upper cased in key.pp
$upkey = upcase($key)
I fixed it by using the parameter $key instead. Should I contribute this change? @see janschumann/puppetlabs-apt@9ab5da3
Or can I work around it otherwise?
This is a valid PPA name from the MAAS documentation: ppa:maas/3.1 but does not pass the regex validation in ppa.pp due to the . in the version number 3.1.
Found from the docs here: https://maas.io/docs/how-to-install-maas
It should pass regex checks and be added as normal
Steps to reproduce the behavior:
call this resource:
apt::ppa { "ppa:maas/3.1": }
This should be affecting all versions
Issue is here: https://github.com/puppetlabs/puppetlabs-apt/blob/main/manifests/ppa.pp#L43
Failures:
1) apt::force when using default parameters
Failure/Error: ) }
Puppet::Error:
Could not parse for environment production: Syntax error at '{'; expected '}' at line 2 on node bowmore.sbo.sd63.bc.ca
# ./spec/defines/force_spec.rb:25
2) apt::force when specifying release parameter
Failure/Error: ) }
Puppet::Error:
Could not parse for environment production: Syntax error at '{'; expected '}' at line 2 on node bowmore.sbo.sd63.bc.ca
# ./spec/defines/force_spec.rb:34
3) apt::force when specifying version parameter
Failure/Error: ) }
Puppet::Error:
Could not parse for environment production: Syntax error at '{'; expected '}' at line 2 on node bowmore.sbo.sd63.bc.ca
# ./spec/defines/force_spec.rb:43
4) apt::force when specifying release and version parameters
Failure/Error: ) }
Puppet::Error:
Could not parse for environment production: Syntax error at '{'; expected '}' at line 2 on node bowmore.sbo.sd63.bc.ca
# ./spec/defines/force_spec.rb:55
Finished in 8.62 seconds
175 examples, 4 failures
I'm not particularly good at Ruby, so it's not obvious to me what's going on here.
include_class was deprecated in favour of contain_class, but that's only a warning.
I was recently trying to add a repo for r project, the formatting seems a little different from normal source list files. It was essential for the list file to be formatted as below or it wouldn't allow apt update to run.
deb https://cloud.r-project.org/bin/linux/ubuntu bionic-cran40/
This repo allows the more up to date version of r to be installed.
More info : https://cran.r-project.org/bin/linux/ubuntu/fullREADME.html
I was struggling to get the line formatting correct using the manifest script, I tried a few combinations setting bionic-cran40/ as the release and repo as ' ' but this resulted in a formatting failure when the agent checked in. If I left out repo completely, the list file came out as the following:
deb https://cloud.r-project.org/bin/linux/ubuntu bionic-cran40/ main
I had to resort to a file directive which isn't the end of the world, just interested to know what I could have done better here.
centos 7 puppet master
ubuntu 20.04 / 18.04
The apt-key command has been deprecated in Debian testing aka bookworm in favor of storing key files directly into either /etc/apt/trusted.gpg.d/ or /etc/apt/keyrings/ and (in case of the latter) refer to them directly in individual sources.list entries (like [ signed-by=/path/to/file.gpg ]).
This also already works in Debian stable aka bullseye (and maybe oldstable/buster) and corresponding Ubuntu versions. So it would be nice to have this in place already before bookworm is released, esp. so as apt-get update will emit warnings for all keys still stored in the /etc/apt/trusted.gpg file.
apt::key should have options to store keys downloaded as .gpg or .asc files in one of the directories above.
Only alternative I see currently is to use a file resource instead of apt::key.
I was looking at apt::force and I want to kill it. The way it forces a package to be installed from a specific release is entirely horrible. Doing it in such a way should really be a last resort and might cause weird behaviour as policies change or newer packages start rolling in to different mirrors.
The correct way of doing this is dropping a pin/preferences file in apt that causes the policy to reflect the origin you want those packages from and then just leveraging Puppet's package type's ensure attribute to do the rest.
apt::mark { 'containerd.io': setting => 'hold' }
Package should be held (this is a regression)
Mark any package containing a . in the package name
there are some other packages with a . in the name.
In our case we want to specify our own mirror to get the binary packages, but the ftp.us.debian.org mirror for source packages. For a given apt::source definition we can say "include_src" to include a "deb-src" entry along with the "deb" entry, but there's no way to instantiate an apt::source definition to create only a "deb-src" entry.
The fix is actually quite easy, and I coded it for our internal use. I'd like to submit it to the PuppetLabs team, if you think this is a reasonable feature.
I've configured the apt module to purge all non-managed sources.list and sources.list.d entries. Unfortunately, in combination with apt::ppa resources, this results in Puppet adding the PPA in sources.list.d and removing it again on the next Puppet run.
Puppet should not purge sources.list.d entries for apt::ppa resources.
Steps to reproduce the behavior:
sources.list.d
apt::ppa
With older version of apt module this used to work:
apt::source { 'elastic-7':
  comment  => "Elastic packages 7",
  location => "http://artifacts.elastic.co/packages/7.x/apt",
  release  => 'stable',
  repos    => 'main',
  key      => {
    'id'     => '46095ACC8548582C1A2699A9D27D666CD88E42B4',
    'source' => 'https://artifacts.elastic.co/GPG-KEY-elasticsearch',
    'proxy'  => "http://${::location}-aptcacher-001.mydomain.com:3142/",
  },
  include  => {
    'deb' => true,
  },
}
Now this timeout:
Error: Could not set 'present' on ensure: execution expired (file: /opt/data/puppet_git/modules/apt/manifests/key.pp, line: 54)
Error: Could not set 'present' on ensure: execution expired (file: /opt/data/puppet_git/modules/apt/manifests/key.pp, line: 54)
Wrapped exception:
execution expired
Error: /Stage[main]/repos::Elastic7/Apt::Source[elastic-7]/Apt::Key[Add key: 46095ACC8548582C1A2699A9D27D666CD88E42B4 from Apt::Source elastic-7]/Apt_key[Add key: 46095ACC8548582C1A2699A9D27D666CD88E42B4 from Apt::Source elastic-7]/ensure: change from 'absent' to 'present' failed: Could not set 'present' on ensure: execution expired (file: /opt/data/puppet_git/modules/apt/manifests/key.pp, line: 54)
Notice: /Stage[main]/repos::Elastic7/Apt::Source[elastic-7]/Apt::Key[Add key: 46095ACC8548582C1A2699A9D27D666CD88E42B4 from Apt::Source elastic-7]/Anchor[apt_key 46095ACC8548582C1A2699A9D27D666CD88E42B4 present]: Dependency Apt_key[Add key: 46095ACC8548582C1A2699A9D27D666CD88E42B4 from Apt::Source elastic-7] has failures: true
Be able to provide proxy information when using "source" parameter to key.
The workaround I have for now is to use
key => {
  'id'      => '46095ACC8548582C1A2699A9D27D666CD88E42B4',
  'server'  => 'keyserver.ubuntu.com',
  'options' => "http-proxy=\"http://${::location}-aptcacher-001.mydomain.com:3142\"",
},
But this works only when the key is available in keyserver.ubuntu.com
When a proxy location contains options before an HTTPS URI (example), setting https_acng => true has no effect and updating from that repo fails with:
Invalid response from proxy: HTTP/1.0 403 CONNECT denied (ask the admin to allow HTTPS tunnels)
https:// should be replaced by http://HTTPS/// in the APT source line and updating from that repo should succeed.
Run this script in a disposable environment:
#!/bin/sh
export DEBIAN_FRONTEND=noninteractive
sudo --preserve-env=DEBIAN_FRONTEND apt-get -y install puppet git apt-cacher-ng
TEMPDIR=$( mktemp -d )
trap "rm -rf ${TEMPDIR}" EXIT
cd ${TEMPDIR}
git clone https://github.com/puppetlabs/puppetlabs-stdlib.git stdlib
git clone https://github.com/puppetlabs/puppetlabs-apt.git apt
git -C ./apt/ checkout v9.0.0
curl -s http://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | sudo apt-key add -
cat > manifest.pp <<EOF
class { 'apt':
proxy => {
host => '127.0.0.1',
port => 3142,
https_acng => true,
},
}
ensure_packages('apt-transport-https')
apt::source { 'torproject':
comment => 'TorProject',
location => '[Check-Date=yes] https://deb.torproject.org/torproject.org',
repos => 'main',
release => 'stable',
require => Package['apt-transport-https'];
}
EOF
sudo puppet apply --modulepath=./ ./manifest.pp
sudo apt update
echo "\n---------- /etc/apt/sources.list.d/torproject.list ----------"
cat /etc/apt/sources.list.d/torproject.list
The output ends with:
(...)
Hit:1 http://deb.debian.org/debian bullseye InRelease
Hit:2 http://deb.debian.org/debian bullseye-updates InRelease
Hit:3 http://security.debian.org/debian-security bullseye-security InRelease
Err:4 https://deb.torproject.org/torproject.org stable InRelease
Invalid response from proxy: HTTP/1.0 403 CONNECT denied (ask the admin to allow HTTPS tunnels) [IP: 127.0.0.1 3142]
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
W: Failed to fetch https://deb.torproject.org/torproject.org/dists/stable/InRelease Invalid response from proxy: HTTP/1.0 403 CONNECT denied (ask the admin to allow HTTPS tunnels) [IP: 127.0.0.1 3142]
W: Some index files failed to download. They have been ignored, or old ones used instead.
---------- /etc/apt/sources.list.d/torproject.list ----------
# This file is managed by Puppet. DO NOT EDIT.
# TorProject
deb [Check-Date=yes] https://deb.torproject.org/torproject.org stable main
The URI above should've been replaced accordingly to work with apt-cacher-ng.
To fix this, I think the regexp should be improved here.
Hello,
simple code
class { 'apt': }
apt::ppa { 'ppa:sjinks/phalcon': }
fails if you are running it on a system whose package lists are out of date. This occurs because add-apt-repository used by apt::ppa requires python-software-properties (or software-properties-common) to be installed, and if for some reason you didn't run apt-get update for a long time you will get something like this:
Err http://us.archive.ubuntu.com/ubuntu/ precise-updates/main python-software-properties all 0.82.7.2
404 Not Found [IP: 91.189.91.15 80]
Probably we need to run apt-get update before this package installed.
We would like to keep the keys in the puppet repo and let the puppet agent fetch it from the fileserver. Example overloading key_source:
apt::key { 'jenkins':
  key        => 'D50582E6',
  key_source => 'puppet:///modules/infrastructure/jenkins.key',
}
It's not available in the 3.x branch for instance but is used anyway in ppa.pp.
It's available on master again, but metadata should be fixed to include correct stdlib supported versions or get rid of the getparam function usage.
At the time of writing this the Modulefile lists the project under the Apache 2.0 license. However the LICENSE file in the base of the project is MIT. Which is it?
So, I have a list of keys added via apt::keys.... This works fine.
I then added a few PPAs today using
apt::ppa { 'ppa:ondrej/php5': }
apt::ppa { 'ppa:ondrej/mysql-5.6': }
this added the key:
pub 1024R/E5267A6C 2009-01-26
uid Launchpad PPA for Ondřej Surý
so now every time I run puppet, I believe because of the accent characters in this person's name I am seeing the message "Error: Could not prefetch apt_key provider 'apt_key': invalid byte sequence in UTF-8" and all of the keys using apt::keys are reinstalled every time.
For hosts that have no pending updates (neither security, or other), the 'apt_security_updates' fact is not reported.
By comparison, if a host has no pending security updates, but has other updates pending, the 'apt_security_updates' fact is reported with a value of 0
The 'apt_security_updates' fact should always be reported, even if there are no updates pending.
Steps to reproduce the behavior:
Attempting to ensure the latest collectd 5 on Ubuntu 12.04 with PE3.
If ppa:raravena80/collectd5 has never been added, the following will add the repo on a puppet run:
apt::ppa { 'ppa:raravena80/collectd5': }
package { 'collectd':
  ensure  => latest,
  require => Apt::Ppa['ppa:raravena80/collectd5'],
}
If you then issue
add-apt-repository --remove ppa:raravena80/collectd5
or
ppa-purge ppa:raravena80/collectd5
subsequent puppet runs will not add the repo.
This occurs because ppa files remain in /etc/apt/sources.list.d/, causing puppet to assume the ppa is currently added, even though the ppa has been removed.
Troubleshooting:
Run puppet agent -t, see that the ppa repo is added, collectd 5 is installed.
Remove or purge the ppa repo, remove collectd 5.
Run puppet agent -t, see that the ppa repo is not added, collectd 4 is installed.
Remove collectd 4, then remove /etc/apt/sources.list.d/raravena80-collectd5* and /etc/apt/sources.list.d/.raravena80-collectd5*.
Run puppet agent -t, see that the ppa repo is added, collectd 5 is installed.
puppetlabs-apt creates a malformed sources entry when an apt::source contains a location parameter that includes a [signed-by] string:
deb [ ] [signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg] https://apt.datadoghq.com/ stable 7
When an apt::source location parameter contains a [string] entry, puppetlabs-apt should not prepend [ ]
Create an apt::source{} block with a location parameter containing a [string] such as [signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg]. This can be seen 'in the wild' by attempting to install the datadog agent with https://github.com/DataDog/puppet-datadog-agent
The specific apt::source call from datadog is:
$location = "[signed-by=${apt_usr_share_keyring}] https://apt.datadoghq.com/"
apt::source { 'datadog':
  comment  => 'Datadog Agent Repository',
  location => $location,
  release  => $release,
  repos    => $repos,
}
Declaring
class { '::apt': always_apt_update => true }
::apt::ppa { 'ppa:ondrej/php5': }
on a clean Ubuntu installation fails due to outdated package sources.
Failed to fetch http://us.archive.ubuntu.com/ubuntu/pool/main/s/software-properties/python-software-properties_0.82.7.6_all.deb 404 Not Found [IP: 91.189.91.13 80]
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
I tried to define global dependencies like this:
::Apt::Source <| |> ~> Exec['apt_update'] -> Package <| |>
But this causes a dependency cycle:
Found 1 dependency cycle:
(Exec[add-apt-repository-ppa:ondrej/php5] => Exec[apt_update] => Package[python-software-properties] => Exec[add-apt-repository-ppa:ondrej/php5])
The workaround is to update the package sources and install python-software-properties before executing puppet.
Nevertheless I think it should be a good thing to remove all dependencies on apt::update and define a global dependency as described above.
Is that an appropriate solution?
The 50unattended-upgrades file we write is completely incompatible with Wheezy.
It should write
Unattended-Upgrade::Origins-Pattern {
  "origin=Debian,archive=stable,label=Debian-Security";
};
But we get:
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
  "${distro_id}:${distro_codename}-security";
};
Apparently there've been a few changes...
I'm trying to set "apt" module to use aptitude instead of apt-get using hiera but I couldn't:
apt::params::provider: "/usr/bin/aptitude"
Other hiera configurations are working fine, as for example:
apt::always_apt_update: true
The 1.3.0 tag is missing from github, please push it.
Can we get a new release to the Forge?
I would like to manage configuration for the Debian snapshot repositories using apt::source, however there is currently no way to add the check-valid-until option at a per-repository granularity. This is required when using the Debian security snapshots, because the Release files specify a Valid-Until date only a short time in the future. For more information about snapshot repositories, see https://snapshot.debian.org/.
From the snapshot documentation (link above):
To access snapshots of suites using Valid-Until that are older than a dozen days, it is necessary to ignore the Valid-Until header within Release files, in order to prevent apt from disregarding snapshot entries ("Release file expired"). Use aptitude -o Acquire::Check-Valid-Until=false update or apt-get -o Acquire::Check-Valid-Until=false update for this purpose.
If you use at least apt version 1.1.exp9 (stretch and later), you can use this instead:
deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20091004T111800Z/ lenny main
deb-src [check-valid-until=no] https://snapshot.debian.org/archive/debian/20091004T111800Z/ lenny main
deb [check-valid-until=no] https://snapshot.debian.org/archive/debian-security/20091004T121501Z/ lenny/updates main
deb-src [check-valid-until=no] https://snapshot.debian.org/archive/debian-security/20091004T121501Z/ lenny/updates main
Whilst I can add a global-level configuration for apt to ignore all Check-Valid-Until dates, I'd prefer to do this at the repository level.
An additional configuration option for the apt::source module, check_valid_until: Boolean, e.g.
'debian-snapshot':
  location          => 'https://snapshot.debian.org/archive/debian/20220412T025122Z/',
  release           => 'bullseye',
  repos             => 'main',
  check_valid_until => false,
  include           => {
    'deb' => true,
    'src' => false,
  };
Which resolves in an on-disk representation including the [check-valid-until=no] option in the apt.lists.d file.
As above, it is possible to set this globally for apt to ignore all Valid-Until dates.
I want to mark some debs in the sources as trusted, this can be done by adding [trusted=yes] to a source line.
My problem here is how to implement it nicely, because the [] can also contain other options, like arch.
Right now I've implemented it like this:
changed in templates/source.list.erb:
deb <%= @options %><%= @location %> <%= @release_real %> <%= @repos %>
In manifest/source.pp I've added a trusted parameter and code like this:
case $trusted {
  true: { $trust = 'yes' }
  false: { $trust = 'no' }
  undef: { } # do nothing
  default: { fail('Valid values for trusted are true or false') }
}
if $architecture and $trust {
  $options = "[arch=$architecture trusted=$trust] "
} elsif $architecture and $trust == undef {
  $options = "[arch=$architecture] "
} elsif $architecture == undef and $trust {
  $options = "[trusted=$trust] "
}
Is this the way to go? Is there a better way to do this?
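Added example, not part of the issue above or of puppetlabs-apt: a Ruby check for the generated one-line sources.list entries discussed on this page, flagging the missing space after [arch=...], the stray [ ] block, trusted=yes, check-valid-until=no, components after a suite that ends in /, and entries with no signed-by. The finding names and the two repo.example.internal lines are assumptions made for the example; the other sample lines are quoted from the issues.

```ruby
# Added example (not puppetlabs-apt code): audit one-line-style sources.list entries.
SourceEntry = Struct.new(:type, :options, :uri, :suite, :components, :findings)

# Parse one "deb"/"deb-src" line; returns nil for blanks, comments and other text.
def parse_source_line(line)
  text = line.strip
  return nil if text.empty? || text.start_with?('#')

  type, rest = text.split(/\s+/, 2)
  return nil unless %w[deb deb-src].include?(type) && rest

  findings = []
  options = {}
  blocks = 0
  # apt expects at most one [ ... ] block, separated from the URI by whitespace.
  while rest.start_with?('[')
    close = rest.index(']')
    if close.nil?
      findings << :unterminated_option_block
      break
    end
    blocks += 1
    body = rest[1...close].strip
    findings << :empty_option_block if body.empty?
    body.split(/\s+/).each do |pair|
      key, value = pair.split('=', 2)
      options[key.downcase] = value.to_s
    end
    after = rest[(close + 1)..-1]
    findings << :missing_space_after_options unless after.empty? || after.start_with?(' ', "\t")
    rest = after.lstrip
  end
  findings << :multiple_option_blocks if blocks > 1

  uri, suite, *components = rest.split(/\s+/)
  findings << :malformed_uri unless uri.to_s.match?(/\A[a-z][a-z0-9+.-]*:/i)
  # A suite ending in "/" is an exact path and takes no components.
  if suite.to_s.end_with?('/')
    findings << :components_on_exact_path unless components.empty?
  elsif components.empty?
    findings << :missing_components
  end

  # Policy findings: options that weaken verification for this one repository.
  findings << :signature_check_disabled if %w[yes true].include?(options['trusted'])
  findings << :expiry_check_disabled if %w[no false].include?(options['check-valid-until'])
  # Informational: without signed-by the entry relies on the global trusted keyrings.
  findings << :no_signed_by unless options.key?('signed-by')

  SourceEntry.new(type, options, uri, suite, components, findings)
end

# Map of 1-based line number => findings, for entries that have any.
def audit_sources(text)
  report = {}
  text.each_line.with_index(1) do |line, number|
    entry = parse_source_line(line)
    report[number] = entry.findings if entry && !entry.findings.empty?
  end
  report
end

# Lines 1-4 are entries quoted in the issues on this page; lines 5-6 are constructed.
SAMPLE = <<~LIST
  deb [arch=amd64]http://archive.cloudera.com/cdh4/ubuntu/precise/amd64/cdh precise-cdh4 contrib
  deb [ ] [signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg] https://apt.datadoghq.com/ stable 7
  deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20091004T111800Z/ lenny main
  deb https://cloud.r-project.org/bin/linux/ubuntu bionic-cran40/ main
  deb [arch=amd64 trusted=yes] http://repo.example.internal/apt stable main
  deb [signed-by=/etc/apt/keyrings/example.gpg] https://repo.example.internal/apt stable main
LIST

if __FILE__ == $PROGRAM_NAME
  audit_sources(SAMPLE).each { |number, findings| puts "line #{number}: #{findings.join(', ')}" }
end
```

Run against the files under /etc/apt/sources.list.d/ after a Puppet run, the same function shows whether a template change produced an entry that apt will reject or that skips signature or expiry checks.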
Hey puppetlabs,
I have a feature request for your module. My DC hosts their own apt mirror and it would be cool to have your module set it. I have found a way to do it using Hiera, but it's a bit cumbersome. I think it would be better having something like "apt::mirror"
relevant code from hiera.yaml:
...
:hierarchy:
  - location/%{::customfact_location}-%{::lsbdistcodename}
  - common
relevant code from /etc/puppet/hieradata/location/myDCcompany-precise.yaml
---
apt::purge_sources_list: true
apt::purge_sources_list_d: true
apt::source:
  'ubuntu':
    location: 'http://mirror.myDCcompany.com/ubuntu/'
    repos: 'main restricted universe multiverse'
    include_src: 'true'
  'precise-backports':
    location: 'http://mirror.myDCcompany.com/ubuntu/'
    repos: 'main restricted universe multiverse'
    release: 'precise-backports'
  'precise-security':
    location: 'http://mirror.myDCcompany.com/ubuntu/'
    repos: 'main restricted universe multiverse'
    release: 'precise-security'
proxy_host shouldn't be boolean as it can not be used as a parameterized class in foreman due to foreman's parameter validation.
proxy_host should be undef by default and the switch case to set ensure should be changed from
..
false => absent
..
to
..
undef => absent
..
this would make it possible to set the default value (in foreman) to an empty string meaning not adding a proxy.
The module handles proxies well with proxy_host and proxy_port but it is not working with apt_key when using key_source (wget does not use any proxy)
It works OK with a simple modification of the key.pp file, by setting up environment variables for wget to work. Something like this:
environment => [ "http_proxy=$::proxy_host:$::proxy_port", "https_proxy=$::proxy_host:$::proxy_port" ],
There may be a cleaner way to do it, I am very new to puppet
Sometimes one could define an Exec user globally. This would make add-apt-repository fail because it does not use user root.
Currently, apt::backports adds the contrib and non-free sources. If the repos are desired, the user should be able to turn them on, but this should not be the default. Only 'main' should be the default.