Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Mainline to stable apt repository switch is not managed correctly #590

Open
Al-thi opened this issue Feb 20, 2023 · 4 comments
Open

Mainline to stable apt repository switch is not managed correctly #590

Al-thi opened this issue Feb 20, 2023 · 4 comments
Labels
bug Something isn't working
Milestone

Comments

@Al-thi
Copy link
Contributor

Al-thi commented Feb 20, 2023

Hello,

I installed nginx with this ansible role on Debian buster (Debian 10).

I want a stable production environment, and at first I hadn't noticed the ansible variable nginx_branch, which defaults to mainline.

When I noticed the variable, I tried to switch from mainline to stable.

The simple variable change is not enough because the repository line are appended (instead of replacing the existing lines) in the /etc/apt/sources.list.d/nginx.list file :

2023-02-17 18:42:54,155 p=191540 u=xxx n=ansible | changed: [xxx] => (item=deb-src [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/debian/ buster nginx)
2023-02-17 18:44:57,657 p=193486 u=xxx n=ansible | included: /home/xxx/code/xxx/external/roles/nginxinc.nginx/tasks/opensource/install-debian.yml for xxx
 deb [arch=amd64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ buster nginx
 deb-src [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ buster nginx
+deb [arch=amd64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/debian/ buster nginx
2023-02-17 18:45:01,396 p=193486 u=xxx n=ansible | changed: [xxx] => (item=deb [arch=amd64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/debian/ buster nginx)
 deb [arch=amd64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ buster nginx
 deb-src [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ buster nginx
 deb [arch=amd64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/debian/ buster nginx
+deb-src [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/debian/ buster nginx

The repository should IMO be overriding the actual file content in order to correctly switch from mainline to stable (or the other way around).

@alessfg
Copy link
Collaborator

alessfg commented Feb 28, 2023

I distinctly remember doing some testing around this but I cannot remember whether I could or could not get it working in a painless way. That being said, I'll have another look and if I can't get it working to the standard I'd like I'll at least document somewhere that you might need to uninstall and reinstall NGINX to migrate from mainline to stable.

P.S.: PRs are always more than welcome if you perchance managed to figure out a fix already :)

@alessfg alessfg added the bug Something isn't working label Feb 28, 2023
@alessfg alessfg added this to the 0.24.1 milestone Feb 28, 2023
@Al-thi
Copy link
Contributor Author

Al-thi commented Mar 30, 2023

@alessfg why not use a template containing all of the repos, something like this :

{% if nginx_branch = 'mainline' %}
[MAINLINE REPOS LINES]
{% elif nginx_branch = 'stable' %}
[STABLE REPOS LINES]
{% endif %}

That way you won't have to deal with file creation or line deletion and keep idempotency ?

Just thinking out loud, maybe there's something i'm not seeing.

Sadly I don't have time right now to implement this myself, too much work ...
Thank you for your answer.

@alessfg
Copy link
Collaborator

alessfg commented Mar 30, 2023

I do need to update the apt list of repos in case folks want to then update NGINX without using this role :) -- I use "hard-coded" variables right now (see https://github.com/nginxinc/ansible-role-nginx/blob/main/vars/main.yml#L118-L132) and it works fine under all cases except when downgrading from mainline to stable (stable to mainline results in multiple entries but since mainline has a higher version, it pulls from that one).

@alessfg alessfg changed the title Apt repository switch is not managed correctly Mainline to stable apt repository switch is not managed correctly Mar 30, 2023
@alessfg
Copy link
Collaborator

alessfg commented Nov 20, 2023

Quick update:
This playbook does correctly downgrade NGINX from mainline to stable, but the next time you upgrade all packages, NGINX will get upgraded to the latest mainline release.

  tasks:
    - name: Install NGINX
      ansible.builtin.include_role:
        name: nginxinc.nginx
      vars:
        nginx_branch: stable
        nginx_version: "{{ version }}"

The fix, like you suggested, would be to override the relevant repository file. That is doable, but it would introduce a potential breaking change if folks are adding extra things to the source file after running the role. The first step, I think, would be to introduce a warning recommending folks do not edit the source file created by the role. After that we can explore what's the best way to override the repository file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
Development

No branches or pull requests

2 participants