Commit 0c614691 authored by Maciej Delmanowski's avatar Maciej Delmanowski

Merge branch 'drybjed-apt-improvements'

parents 4602f012 3bbf69b4
Pipeline #56535542 passed with stages
in 22 minutes and 37 seconds
......@@ -78,6 +78,20 @@ Added
configure only the services required for secure LDAP access (PKI, SSH,
PAM/NSS), the rest should be configured using the common playbook.
- [debops.apt][debops.unattended_upgrades] Systems with the End of Life Debian
releases (``wheezy``) installed will be configured to use the Debian Archive
repository as the main APT sources instead of the normal Debian repository
mirrors. These releases have been moved out of the main repositories and are
not fully available through normal means. The periodic updates of the APT
archive repositories on these systems will be disabled since the EOL releases
no longer receive updates.
The Debian LTS release (``jessie``) APT repository sources will use only the
main and security repositories, without updates or backports. See the
`information about the Debian LTS support`__ for more details.
.. __: https://wiki.debian.org/LTS
Changed
~~~~~~~
......@@ -201,6 +215,12 @@ Changed
instead. The :command:`ldapsearch` command used for lookups will default to
LDAP over TLS connections instead of LDAPS.
- [deops.unattended_upgrades] The packages from the ``stable-updates`` APT
repository section will be automatically upgraded by default, the same as the
packages from Debian Security repository. This should cover important
non-security related upgrades, such as timezone changes, antivirus database
changes, and similar.
Removed
~~~~~~~
......
......@@ -227,9 +227,9 @@ apt__distribution_release: '{{ ansible_local.core.distribution_release
# map is used to configure security repositories only on the OS releases that
# have them available.
apt__distribution_release_map:
'Debian': [ 'wheezy', 'jessie', 'stretch', 'buster' ]
'Ubuntu': [ 'precise', 'trusty', 'xenial' ]
'Devuan': [ 'jessie' ]
'Debian': [ 'wheezy', 'jessie', 'stretch', 'buster', 'bullseye' ]
'Ubuntu': [ 'precise', 'trusty', 'xenial', 'bionic' ]
'Devuan': [ 'jessie', 'ascii', 'beowulf' ]
# ]]]
# .. envvar:: apt__distribution_suite_map [[[
......@@ -239,19 +239,29 @@ apt__distribution_release_map:
# repository suffixes should be configured on the current host in case the role
# is used on a Debian Testing system.
apt__distribution_suite_map:
'Debian_wheezy': 'oldoldstable'
'Debian_jessie': 'oldstable'
'Debian_wheezy': 'archive'
'Debian_jessie': 'lts'
'Debian_stretch': 'stable'
'Debian_buster': 'testing'
'Debian_sid': 'unstable'
'Raspbian_wheezy': 'oldstable'
'Raspbian_jessie': 'stable'
'Raspbian_stretch': 'testing'
'Raspbian_wheezy': 'archive'
'Raspbian_jessie': 'oldstable'
'Raspbian_stretch': 'stable'
'Raspbian_buster': 'testing'
'Raspbian_sid': 'unstable'
'Devuan_jessie': 'stable'
'Devuan_ascii': 'testing'
'Devuan_jessie': 'oldstable'
'Devuan_ascii': 'stable'
'Devuan_beowulf': 'testing'
'Devuan_ceres': 'unstable'
# ]]]
# .. envvar:: apt__distribution_suite [[[
#
# The variable that specifies the "suite" or an alias of the current
# distribution release.
apt__distribution_suite: '{{ apt__distribution_suite_map[apt__distribution + "_" +
apt__distribution_release]|d() }}'
# ]]]
# .. envvar:: apt__distribution_suffix_map [[[
#
......@@ -262,6 +272,8 @@ apt__distribution_suite_map:
# If the combination of OS distribution and release is not found, the default
# list of suffixes will be used automatically.
apt__distribution_suffix_map:
'Debian_archive': [ '' ]
'Debian_lts': [ '' ]
'Debian_stable': [ '', '-updates', '-backports' ]
'Debian_testing': [ '', '-updates' ]
'Debian_unstable': [ '' ]
......@@ -316,6 +328,28 @@ apt__distribution_components: '{{ apt__distribution_components_free[apt__distrib
if apt__nonfree|bool else []) }}'
# ]]]
# ]]]
# Archived distribution releases [[[
# ----------------------------------
# .. envvar:: apt__archive_source_map [[[
#
# The YAML dictionary that contains the map of the archive repositories for
# different OS distributions. The archive repositories are usually not part of
# the repository mirrors, but are mirrored separately. See the documentation
# pages for alternative mirrors.
apt__archive_source_map:
# Debian archive repositories: https://www.debian.org/distrib/archive
'Debian': 'http://archive.debian.org/debian/'
# ]]]
# .. envvar:: apt__archive_source [[[
#
# The URL of the archive APT repository configured by default when the current
# OS release is migrated to the archive.
apt__archive_source: '{{ apt__archive_source_map[apt__distribution]|d() }}'
# ]]]
# ]]]
# Default APT package sources [[[
# -------------------------------
......@@ -352,7 +386,8 @@ apt__original_sources:
ansible_local.apt.original_mirrors_deb|d())
else [] }}'
state: '{{ "present" if (ansible_local|d() and ansible_local.apt|d() and
ansible_local.apt.original_mirrors_deb|d())
ansible_local.apt.original_mirrors_deb|d() and
apt__distribution_suite != "archive")
else "absent" }}'
# ]]]
......@@ -362,7 +397,9 @@ apt__original_sources:
# package sources for specific distributions.
# If package sources are defined in specific group, host or on all hosts in
# Ansible inventory, it may be desirable not to include the default sources.
apt__default_sources_state: 'present'
apt__default_sources_state: '{{ "absent"
if (apt__distribution_suite == "archive")
else "present" }}'
# ]]]
# .. envvar:: apt__default_sources [[[
......@@ -417,6 +454,13 @@ apt__default_sources:
distribution: 'Devuan'
state: '{{ apt__default_sources_state }}'
- uri: '{{ apt__archive_source }}'
comment: '{{ "Official " + apt__distribution + " archive repository" }}'
distribution: 'Debian'
state: '{{ "present"
if (apt__distribution_suite == "archive")
else "absent" }}'
# ]]]
# .. envvar:: apt__security_sources_state [[[
#
......@@ -424,7 +468,9 @@ apt__default_sources:
# repositories proving security updates.
# If a local security mirror is defined in Ansible inventory group or host,
# it may be desirable not to include the default security sources.
apt__security_sources_state: 'present'
apt__security_sources_state: '{{ "absent"
if (apt__distribution_suite == "archive")
else "present" }}'
# ]]]
# .. envvar:: apt__group_security_sources [[[
......@@ -517,13 +563,14 @@ apt__security_sources:
# Final list of APT sources to configure. This variable defines an order in
# which various package sources are written in the :file:`/etc/apt/sources.list` as
# well as what sources will be present there.
apt__combined_sources: '{{ apt__sources +
apt__group_sources +
apt__host_sources +
apt__combined_sources: '{{ ([]
if (apt__distribution_suite == "archive")
else (apt__sources + apt__group_sources + apt__host_sources)) +
apt__original_sources +
apt__default_sources +
apt__host_security_sources +
apt__group_security_sources +
([]
if (apt__distribution_suite == "archive")
else (apt__host_security_sources + apt__group_security_sources)) +
apt__security_sources }}'
# ]]]
# ]]]
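Review bot: `'Raspbian_wheezy': 'archive'` in `apt__distribution_suite_map` sends Raspbian hosts down the archive code path, but `apt__archive_source_map` only has a `'Debian'` key and the new archive entry in `apt__default_sources` is tagged `distribution: 'Debian'`. On such a host `apt__archive_source` evaluates to an empty value while the original, default, security and inventory-defined sources are all set to absent or dropped from `apt__combined_sources`, so the generated sources list would presumably end up empty (the template that filters on `distribution` is not shown here). Either keep Raspbian wheezy on a non-archive suite until an archive URL is added to the map, or make the `== "archive"` conditions also require a non-empty `apt__archive_source`. It would also help to document next to `apt__archive_source_map` that the default URI is plain HTTP, so package integrity on these hosts rests entirely on APT signature verification.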
......
......@@ -48,6 +48,7 @@ output = loads('''{{ ({
else False),
"default_mirrors": apt__tpl_default_sources,
"default_sources_map": apt__tpl_default_sources_map,
"suite": apt__distribution_suite
}) | to_nice_json | regex_replace("[ \\t\\r\\f\\v]+(\\n|$)", "\\1") }}''')
apt_sources_list = ['/etc/apt/sources.list.dpkg-divert',
......@@ -69,19 +70,21 @@ try:
for line in fh:
if line.startswith('deb'):
source = line.split()
if (source[1] not in source_deb
and source[1] not in security_sources):
source_url = source[1].rstrip('/')
if (source_url not in source_deb
and source_url not in security_sources):
for prefix in apt_uri_types:
if source[1].startswith(prefix):
source_deb.append(source[1])
if source_url.startswith(prefix):
source_deb.append(source_url)
elif line.startswith('deb-src'):
source = line.split()
if (source[1] not in source_deb_src
and source[1] not in security_sources):
source_url = source[1].rstrip('/')
if (source_url not in source_deb_src
and source_url not in security_sources):
for prefix in apt_uri_types:
if source[1].startswith(prefix):
source_deb_src.append(source[1])
if source_url.startswith(prefix):
source_deb_src.append(source_url)
fh.close()
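Review bot: The `elif line.startswith('deb-src')` branch is still unreachable after this change, because every `deb-src` line also satisfies `line.startswith('deb')`; source entries are therefore collected into `source_deb` and `source_deb_src` stays empty. Matching on the separator fixes it: `if line.startswith('deb '):` and `elif line.startswith('deb-src '):`. Separately, `source[1]` is the option block rather than the URI when a line has the form `deb [options] uri ...`, so such entries are silently skipped by the prefix check; that deserves a comment if it is intended. The enclosing `try:` block and the loop start outside the hunk.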
......
......@@ -66,6 +66,13 @@
when: item.name|d() and not item.path|d()
changed_when: apt_install__register_alternatives.stdout|d()
- name: Disable kernel hints about pending upgrades
template:
src: 'etc/needrestart/conf.d/no-kernel-hints.conf.j2'
dest: '/etc/needrestart/conf.d/no-kernel-hints.conf'
mode: '0644'
when: apt_install__enabled|bool
- name: Make sure that Ansible fact directory exists
file:
path: '/etc/ansible/facts.d'
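Review bot: The new template task writes into `/etc/needrestart/conf.d/` without first making sure that directory exists, and it is conditioned only on `apt_install__enabled`. If the needrestart package is not installed on a host (not visible from this hunk), the `template` module will fail on the missing parent directory. Consider a preceding `file` task with `state: 'directory'` for that path, and set `owner: 'root'` and `group: 'root'` explicitly alongside `mode: '0644'`. The task that follows continues past the end of the hunk.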
......
# {{ ansible_managed }}
# Kernel upgrade hints are disabled to allow for non-interactive APT package
# installs. Without this, non-interactive APT operations, for example performed
# by Ansible, will hang indefinitely - waiting for user interaction.
$nrconf{kernelhints} = 0;
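Review bot: The header comment explains why the prompt is disabled but not what is lost: with `$nrconf{kernelhints} = 0` this tool no longer tells the operator that a host is still running an old kernel after a kernel package upgrade. I would add a line such as `# Pending kernel reboots are no longer reported here; track them by other means.` so the trade-off is visible to whoever reads the deployed file.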
......@@ -50,7 +50,10 @@ unattended_upgrades__packages: []
# script runs :program:`unattended-upgrade`, but also performs some other actions
# which can be useful on their own. Enabling periodic APT runs automatically
# enables repository updates, but not upgrades.
unattended_upgrades__periodic: '{{ unattended_upgrades__enabled }}'
unattended_upgrades__periodic: '{{ False
if (ansible_local|d() and ansible_local.apt|d() and
(ansible_local.apt.suite|d()) == "archive")
else unattended_upgrades__enabled }}'
# ]]]
# .. envvar:: unattended_upgrades__periodic_download [[[
......@@ -108,13 +111,16 @@ unattended_upgrades__security_origins:
# https://www.debian.org/security/
'Debian':
- 'o=Debian,n=${distro_codename},l=Debian-Security'
- 'o=${distro_id},n=${distro_codename}-updates'
# http://www.ubuntu.com/usn/
'Ubuntu':
- 'o=Ubuntu,n=${distro_codename},a=${distro_codename}-security'
- 'o=Ubuntu,n=${distro_codename},a=${distro_codename}-updates'
'default':
- 'o=${distro_id},n=${distro_codename},l=${distro_id}-Security'
- 'o=${distro_id},n=${distro_codename}-updates'
# ]]]
# .. envvar:: unattended_upgrades__release_origins [[[
......@@ -129,17 +135,14 @@ unattended_upgrades__release_origins:
'Debian':
- 'o=${distro_id},n=${distro_codename}'
- 'o=${distro_id},n=${distro_codename}-updates'
- 'o=${distro_id} Backports,n=${distro_codename}-backports'
'Ubuntu':
- 'o=Ubuntu,n=${distro_codename},a=${distro_codename}'
- 'o=Ubuntu,n=${distro_codename},a=${distro_codename}-updates'
- 'o=Ubuntu,n=${distro_codename},a=${distro_codename}-backports'
'default':
- 'o=${distro_id},n=${distro_codename}'
- 'o=${distro_id},n=${distro_codename}-updates'
- 'o=${distro_id},n=${distro_codename}-backports'
# ]]]
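Review bot: The new `unattended_upgrades__periodic` default depends on the `ansible_local.apt.suite` fact, which only exists once the updated debops.apt fact script has been installed and facts have been gathered again; until then the expression falls through to `unattended_upgrades__enabled` and periodic runs stay on for an archived release. That ordering dependency is not mentioned in the variable's comment, which starts outside the hunk. I would add something like `# The "archive" check relies on the "suite" local fact published by debops.apt.` above the variable. The comment of `unattended_upgrades__security_origins` should likewise say that the list now includes the non-security `-updates` origins, since the variable name no longer conveys that.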
......