Fórum Root.cz
Hlavní témata => Distribuce => Téma založeno: czechsys 01. 12. 2021, 11:26:25
-
Ahoj,
nejak mi unika tento pripad:
# apt-cache policy bind9-dnsutils
bind9-dnsutils:
Installed: (none)
Candidate: 1:9.16.15-1
Version table:
1:9.16.22-1~deb11u1 500
500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages
1:9.16.15-1 990
990 http://ftp.cz.debian.org/debian bullseye/main amd64 Packages
# apt-cache policy bind9-libs
bind9-libs:
Installed: 1:9.16.22-1~deb11u1
Candidate: 1:9.16.22-1~deb11u1
Version table:
*** 1:9.16.22-1~deb11u1 500
500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages
100 /var/lib/dpkg/status
1:9.16.15-1 990
990 http://ftp.cz.debian.org/debian bullseye/main amd64 Packages
# apt install bind9-dnsutils
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
bind9-dnsutils : Depends: bind9-libs (= 1:9.16.15-1) but 1:9.16.22-1~deb11u1 is to be installed
E: Unable to correct problems, you have held broken packages.
Jinymi slovy, instalace bind9-dnsutils (debian repo) havaruje na tom, ze jeden z pozadovanych baliku je jiz nainstalovan v novejsi verzi (debian-security repo). Je videt, ze priorita pro debian-security je 500, pro hlavni repo 990.
Jak si s timhle poradit v ansible bez nutnosti definovat verzi bind9-dnsutils? Tim se totiz zrusi idempotency...
Diky
-
A jaký je důvod mít bullseye-security 500 a bullseye 990? Standardní nastavení je 500 a 500, pak to bude fungovat.
Edit: pockat není 990 pro nenainstalovaný balíky?
-
No, podle man APT_PREFERENCES(5)
priority 500
to the versions that do not belong to the target release.
priority 990
to the versions that belong to the target release.
-
To odhlašování je fakt naprd, tak ještě jednou, už se nebudu tolik rozepisovat :-D
Můžeš poslat?
apt-cache policy
apt-config dump
Mohlo by tam být něco jako "APT::Default-Release "bullseye";" což by automaticky opinovalo to repo, ale security už ne. Řešením by bylo revertovat tuhle úpravu (pokud vím tak tohle nastavení je uživatelské a by default tam není nastaveno) nebo si opinovat security na stejnou úroveň.
-
Priklad jednoho serveru:
Package files:
100 /var/lib/dpkg/status
release a=now
995 http://apt.postgresql.org/pub/repos/apt bullseye-pgdg/main amd64 Packages
release o=apt.postgresql.org,a=bullseye-pgdg,n=bullseye-pgdg,l=PostgreSQL for Debian/Ubuntu repository,c=main,b=amd64
origin apt.postgresql.org
990 https://packages.sury.org/php bullseye/main amd64 Packages
release o=deb.sury.org,a=bullseye,n=bullseye,c=main,b=amd64
origin packages.sury.org
450 https://artifacts.elastic.co/packages/6.x/apt stable/main amd64 Packages
release o=elastic,a=stable,n=stable,l=. stable,c=main,b=amd64
origin artifacts.elastic.co
450 http://ftp.cz.debian.org/debian bullseye-backports/non-free amd64 Packages
release o=Debian Backports,a=bullseye-backports,n=bullseye-backports,l=Debian Backports,c=non-free,b=amd64
origin ftp.cz.debian.org
450 http://ftp.cz.debian.org/debian bullseye-backports/contrib amd64 Packages
release o=Debian Backports,a=bullseye-backports,n=bullseye-backports,l=Debian Backports,c=contrib,b=amd64
origin ftp.cz.debian.org
450 http://ftp.cz.debian.org/debian bullseye-backports/main amd64 Packages
release o=Debian Backports,a=bullseye-backports,n=bullseye-backports,l=Debian Backports,c=main,b=amd64
origin ftp.cz.debian.org
500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages
release v=11,o=Debian,a=stable-security,n=bullseye-security,l=Debian-Security,c=main,b=amd64
origin security.debian.org
990 http://ftp.cz.debian.org/debian bullseye/non-free amd64 Packages
release v=11.1,o=Debian,a=stable,n=bullseye,l=Debian,c=non-free,b=amd64
origin ftp.cz.debian.org
990 http://ftp.cz.debian.org/debian bullseye/contrib amd64 Packages
release v=11.1,o=Debian,a=stable,n=bullseye,l=Debian,c=contrib,b=amd64
origin ftp.cz.debian.org
990 http://ftp.cz.debian.org/debian bullseye/main amd64 Packages
release v=11.1,o=Debian,a=stable,n=bullseye,l=Debian,c=main,b=amd64
origin ftp.cz.debian.org
Pinned packages:
V preferences pro samotny debian nastavuji pouze backport repo, jinak per aplikacni repo, je-li potreba.
Ano, APT::Default-Release pouzivam. Obcas potrebuji prekrizit repozitare, tak je to pojistka proti upgrade na novejsi verzi Debianu.
Takze cestou by bylo pridat APT::Default-Release pro security? Blbe je, ze zrovna v deb11 se ten repozitar prejmenoval...
-
Přes APT::Default-Release bude chybný název fatal error, takže asi spíš pining
/etc/apt/preferences
Package: *
Pin: release a=buster-x
Pin-Priority: 990
kde chybný název vlastně nic neudělá a je to jedno
-
A pokud by jsi šel cestou APT::Default-Release() tak je to "vlastně funkce" takže stačí "zavolat" vícekrát s různýmy parametry.
-
Budu číst Release Notes.
Budu číst Release Notes.
Budu číst Release Notes.
...
https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#security-archive
5.1.3. Changed security archive layout
For bullseye, the security suite is now named bullseye-security instead of codename/updates and users should adapt their APT source-list files accordingly when upgrading.
The security line in your APT configuration may look like:
deb https://deb.debian.org/debian-security bullseye-security main contrib
If your APT configuration also involves pinning or APT::Default-Release, it is likely to require adjustments as the codename of the security archive no longer matches that of the regular archive. An example of a working APT::Default-Release line for bullseye looks like:
APT::Default-Release "/^bullseye(|-security|-updates)$/";
which takes advantage of the undocumented feature of APT that it supports regular expressions (inside /).
-
Budu číst Release Notes.
Budu číst Release Notes.
Budu číst Release Notes.
...
https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#security-archive
5.1.3. Changed security archive layout
For bullseye, the security suite is now named bullseye-security instead of codename/updates and users should adapt their APT source-list files accordingly when upgrading.
The security line in your APT configuration may look like:
deb https://deb.debian.org/debian-security bullseye-security main contrib
If your APT configuration also involves pinning or APT::Default-Release, it is likely to require adjustments as the codename of the security archive no longer matches that of the regular archive. An example of a working APT::Default-Release line for bullseye looks like:
APT::Default-Release "/^bullseye(|-security|-updates)$/";
which takes advantage of the undocumented feature of APT that it supports regular expressions (inside /).
Vas prispevek je uplne mimo tema.
-
Takze cestou by bylo pridat APT::Default-Release pro security? Blbe je, ze zrovna v deb11 se ten repozitar prejmenoval...
5.1.3. Changed security archive layout
For bullseye, the security suite is now named bullseye-security instead of codename/updates and users should adapt their APT source-list files accordingly when upgrading.
The security line in your APT configuration may look like:
deb https://deb.debian.org/debian-security bullseye-security main contrib
If your APT configuration also involves pinning or APT::Default-Release, it is likely to require adjustments as the codename of the security archive no longer matches that of the regular archive. An example of a working APT::Default-Release line for bullseye looks like:
APT::Default-Release "/^bullseye(|-security|-updates)$/";
which takes advantage of the undocumented feature of APT that it supports regular expressions (inside /).
Vas prispevek je uplne mimo tema.
Tak to mi je líto. Stěžoval jste si, že máte kvůli použití APT::Default-Release jiný APT pinning pro stable a security archiv, protože se v bullseye přejmenoval security archiv (suite a codename v jeho Release file). Řešením je změnit APT::Default-Release např. na APT::Default-Release "/^bullseye(|-security|-updates)$/";
O tom je ta odkazovaná sekce v Debian 11 Release Notes.
V čem jsem úplně mimo téma?
-
Aha, diky, ja to odkazovane pohledem jen preletl a videl jsem podobny popis - a to zmenu nazvu updates na security.
Kazdopadne, nedokumentovana featura v apt - to teda pouzivat nebudu. Spokojim se s pinning.
Jinak pro ostatni:
Vicenasobne pouziti APT::Default-Release znamena, ze priorita se nastavi na posledni definici toho parametru, ne pro vsechny.