Mar 06 2021

Why Ansible Upgrades Packages on Hold and How to Fix it

Published by at 7:47 pm under Ansible

I was writing a new Ansible role to upgrade all of my VMs with apt update and apt upgrade. I was still using an old Rancher that only works with docker-ce package up to version 18.06.

The first task holds back the package with Ansible's dpkg_selections module, basically an apt hold, as recommended on many websites.
The second and third tasks run an apt update and an apt full-upgrade on my system with the Ansible apt module.

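# Mark docker-ce as held in the dpkg selections database
- name: keep docker from being updated on Rancher nodes
  dpkg_selections:
    name: docker-ce
    selection: hold

# Refresh the package index; never report this task as a change
- name: apt update cache
  apt:
    update_cache: yes
  changed_when: False

# Upgrade everything (the apt module uses aptitude for this when it is available)
- name: apt full-upgrade
  apt:
    upgrade: full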

I then launch my playbook, full of confidence, and see docker-ce being upgraded! Oddly, this seems to impact Ubuntu distributions, while it runs smoothly on the Debian family.

The Ansible apt module page states “If full, performs an aptitude full-upgrade”.
Let’s check the package on hold after the first step:

$ dpkg -l | grep docker
hi  docker-ce   18.06.3~ce~3-0~ubuntu.  amd64.  Docker: the open-source application container engine

Same with aptitude:

$ aptitude search ~i | grep docker
i  docker-ce - Docker: the open-source application container engine

h for hold is MISSING!

apt-get and aptitude seem to rely on different hold mechanisms, so a hold set through the dpkg selections does not guarantee that aptitude (the command that performs the upgrade) will leave the held packages alone.

What now?
We’re lucky: the Ansible apt module provides a way to force updating with apt-get instead of aptitude:

- name: apt full-upgrade
  apt:
    upgrade: full
    force_apt_get: yes   # use apt-get, which honours the dpkg hold, instead of aptitude

And it did solve my problem.
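Whichever tool performs the upgrade, a hold is only worth something if it is verified. The following is an added example, not part of the original post: it compares package versions recorded before and after an upgrade and reports every held package that changed or disappeared. The function name `changed_holds`, the file names and the sample versions are assumptions made for illustration; the sample data is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): report held packages whose
# version changed, or that vanished, across an upgrade run.
#
# Live use on a node (wrap around the upgrade task or command):
#   dpkg --get-selections > sel.txt; dpkg-query -W > before.txt
#   ... run the upgrade ...
#   dpkg-query -W > after.txt; changed_holds sel.txt before.txt after.txt

# changed_holds SELECTIONS BEFORE AFTER   (three distinct file paths)
# SELECTIONS: "name state" lines; BEFORE/AFTER: "name version" lines.
# Prints one line per violated hold and returns 1 if there is any.
changed_holds() {
  awk '
    FILENAME == ARGV[1] { if ($2 == "hold") held[$1] = 1; next }
    FILENAME == ARGV[2] { before[$1] = $2; next }
    { after[$1] = $2 }
    END {
      for (p in held) {
        if (!(p in before)) continue            # held, but was not installed
        if (!(p in after)) { print p, before[p], "-> removed"; bad = 1 }
        else if (after[p] != before[p]) { print p, before[p], "->", after[p]; bad = 1 }
      }
      exit bad + 0
    }
  ' "$1" "$2" "$3"
}

# Constructed sample data: docker-ce is held, then upgraded anyway.
sample=$(mktemp -d)
printf '%s\n' 'containerd.io install' 'docker-ce hold' > "$sample/sel"
printf '%s\n' 'containerd.io 1.4.3-1' 'docker-ce 18.06.3~ce~3-0~ubuntu' > "$sample/before"
printf '%s\n' 'containerd.io 1.4.4-1' 'docker-ce 99.0~constructed' > "$sample/after"

changed_holds "$sample/sel" "$sample/before" "$sample/after" \
  || echo "hold violated: stop and investigate before continuing" >&2
```

Because the check looks only at the resulting versions, it catches a broken hold regardless of whether aptitude or apt-get ran the upgrade.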
