Ansible + debian - security versus main repo bind9-dnsutils

Hi,

I can't quite figure out this case:

Code:
# apt-cache policy bind9-dnsutils
bind9-dnsutils:
  Installed: (none)
  Candidate: 1:9.16.15-1
  Version table:
     1:9.16.22-1~deb11u1 500
        500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages
     1:9.16.15-1 990
        990 http://ftp.cz.debian.org/debian bullseye/main amd64 Packages

# apt-cache policy bind9-libs
bind9-libs:
  Installed: 1:9.16.22-1~deb11u1
  Candidate: 1:9.16.22-1~deb11u1
  Version table:
 *** 1:9.16.22-1~deb11u1 500
        500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:9.16.15-1 990
        990 http://ftp.cz.debian.org/debian bullseye/main amd64 Packages

Code:
# apt install bind9-dnsutils
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 bind9-dnsutils : Depends: bind9-libs (= 1:9.16.15-1) but 1:9.16.22-1~deb11u1 is to be installed
E: Unable to correct problems, you have held broken packages.

In other words, installing bind9-dnsutils (debian repo) fails because one of the required packages is already installed in a newer version (debian-security repo). You can see that the priority for debian-security is 500, and for the main repo 990.

How do I deal with this in Ansible without having to define the version of bind9-dnsutils? Doing that would break idempotency...


Thanks


ETNyx

Re:Ansible + debian - security versus main repo bind9-dnsutils
« Reply #1 on: 01. 12. 2021, 12:40:11 »
And what is the reason for having bullseye-security at 500 and bullseye at 990? The standard setting is 500 and 500, then it will work.

Edit: wait, isn't 990 for packages that are not installed?
« Last edit: 01. 12. 2021, 12:43:41 by ETNyx »

Re:Ansible + debian - security versus main repo bind9-dnsutils
« Reply #2 on: 01. 12. 2021, 17:06:15 »
Well, according to man APT_PREFERENCES(5)

Code:
priority 500

to the versions that do not belong to the target release.

priority 990

to the versions that belong to the target release.

ETNyx

Re:Ansible + debian - security versus main repo bind9-dnsutils
« Reply #3 on: 02. 12. 2021, 10:32:14 »
Getting logged out really sucks, so once more, and this time I won't write as much :-D

Can you send?

Quote
apt-cache policy
Quote
apt-config dump

There might be something like "APT::Default-Release "bullseye";" in there, which would automatically pin that repo, but not security. The solution would be to revert this change (as far as I know this setting is user-defined and is not set by default) or to pin security to the same level.

Re:Ansible + debian - security versus main repo bind9-dnsutils
« Reply #4 on: 02. 12. 2021, 11:00:40 »
Example from one server:
Code:
Package files:
 100 /var/lib/dpkg/status
     release a=now
 995 http://apt.postgresql.org/pub/repos/apt bullseye-pgdg/main amd64 Packages
     release o=apt.postgresql.org,a=bullseye-pgdg,n=bullseye-pgdg,l=PostgreSQL for Debian/Ubuntu repository,c=main,b=amd64
     origin apt.postgresql.org
 990 https://packages.sury.org/php bullseye/main amd64 Packages
     release o=deb.sury.org,a=bullseye,n=bullseye,c=main,b=amd64
     origin packages.sury.org
 450 https://artifacts.elastic.co/packages/6.x/apt stable/main amd64 Packages
     release o=elastic,a=stable,n=stable,l=. stable,c=main,b=amd64
     origin artifacts.elastic.co
 450 http://ftp.cz.debian.org/debian bullseye-backports/non-free amd64 Packages
     release o=Debian Backports,a=bullseye-backports,n=bullseye-backports,l=Debian Backports,c=non-free,b=amd64
     origin ftp.cz.debian.org
 450 http://ftp.cz.debian.org/debian bullseye-backports/contrib amd64 Packages
     release o=Debian Backports,a=bullseye-backports,n=bullseye-backports,l=Debian Backports,c=contrib,b=amd64
     origin ftp.cz.debian.org
 450 http://ftp.cz.debian.org/debian bullseye-backports/main amd64 Packages
     release o=Debian Backports,a=bullseye-backports,n=bullseye-backports,l=Debian Backports,c=main,b=amd64
     origin ftp.cz.debian.org
 500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages
     release v=11,o=Debian,a=stable-security,n=bullseye-security,l=Debian-Security,c=main,b=amd64
     origin security.debian.org
 990 http://ftp.cz.debian.org/debian bullseye/non-free amd64 Packages
     release v=11.1,o=Debian,a=stable,n=bullseye,l=Debian,c=non-free,b=amd64
     origin ftp.cz.debian.org
 990 http://ftp.cz.debian.org/debian bullseye/contrib amd64 Packages
     release v=11.1,o=Debian,a=stable,n=bullseye,l=Debian,c=contrib,b=amd64
     origin ftp.cz.debian.org
 990 http://ftp.cz.debian.org/debian bullseye/main amd64 Packages
     release v=11.1,o=Debian,a=stable,n=bullseye,l=Debian,c=main,b=amd64
     origin ftp.cz.debian.org
Pinned packages:

In preferences for Debian itself I only set the backports repo, otherwise a per-application repo, if needed.

Yes, I use APT::Default-Release. Sometimes I need to mix repositories, so it is a safeguard against an upgrade to a newer version of Debian.

So the way to go would be to add APT::Default-Release for security? The bad thing is that the repository got renamed precisely in deb11...


ETNyx

Re:Ansible + debian - security versus main repo bind9-dnsutils
« Reply #5 on: 02. 12. 2021, 14:09:19 »
With APT::Default-Release a wrong name will be a fatal error, so probably rather pinning
Code:
/etc/apt/preferences
Code:
Package: *
Pin: release a=buster-x
Pin-Priority: 990

where a wrong name actually does nothing and it doesn't matter

ETNyx

Re:Ansible + debian - security versus main repo bind9-dnsutils
« Reply #6 on: 02. 12. 2021, 15:09:03 »
And if you went the APT::Default-Release() route, it is "actually a function", so it is enough to "call" it multiple times with different parameters.

Re:Ansible + debian - security versus main repo bind9-dnsutils
« Reply #7 on: 05. 12. 2021, 11:06:12 »
I will read the Release Notes.
I will read the Release Notes.
I will read the Release Notes.
...

https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#security-archive

Quote
5.1.3. Changed security archive layout

For bullseye, the security suite is now named bullseye-security instead of codename/updates and users should adapt their APT source-list files accordingly when upgrading.

The security line in your APT configuration may look like:

Code:
deb https://deb.debian.org/debian-security bullseye-security main contrib

If your APT configuration also involves pinning or APT::Default-Release, it is likely to require adjustments as the codename of the security archive no longer matches that of the regular archive. An example of a working APT::Default-Release line for bullseye looks like:

Code:
APT::Default-Release "/^bullseye(|-security|-updates)$/";

which takes advantage of the undocumented feature of APT that it supports regular expressions (inside /).

Re:Ansible + debian - security versus main repo bind9-dnsutils
« Reply #8 on: 06. 12. 2021, 09:42:38 »
Your post is completely off topic.

Re:Ansible + debian - security versus main repo bind9-dnsutils
« Reply #9 on: 07. 12. 2021, 21:06:26 »
Quote
So the way to go would be to add APT::Default-Release for security? The bad thing is that the repository got renamed precisely in deb11...

Quote
Your post is completely off topic.

I'm sorry about that. You complained that, because of using APT::Default-Release, you have different APT pinning for the stable and security archives, because the security archive was renamed in bullseye (suite and codename in its Release file). The solution is to change APT::Default-Release, e.g. to
Code:
APT::Default-Release "/^bullseye(|-security|-updates)$/";
That is what the linked section of the Debian 11 Release Notes is about.

In what way am I completely off topic?
« Last edit: 07. 12. 2021, 21:08:49 by Petr Gajdusek »

Re:Ansible + debian - security versus main repo bind9-dnsutils
« Reply #10 on: 08. 12. 2021, 12:10:19 »
Aha, thanks, I only skimmed the linked text and saw a similar description, namely the change of the name from updates to security.

Anyway, an undocumented feature in apt, I'm not going to use that. I'll settle for pinning.

By the way, for others:
Multiple use of APT::Default-Release means that the priority is set according to the last definition of that parameter, not for all of them.
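
The priority mismatch from the first post can be checked for mechanically: the sketch below (an added example, not code from the thread) parses `apt-cache policy <pkg>` output and reports packages whose candidate sits below a newer build offered by a security suite. The function names `parse_policy` and `masked_security_updates` are hypothetical, and the check assumes the version table is listed newest first, as in the outputs above.

```python
import re

# Sample input: the two `apt-cache policy` outputs from the first post.
SAMPLE = """\
bind9-dnsutils:
  Installed: (none)
  Candidate: 1:9.16.15-1
  Version table:
     1:9.16.22-1~deb11u1 500
        500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages
     1:9.16.15-1 990
        990 http://ftp.cz.debian.org/debian bullseye/main amd64 Packages
bind9-libs:
  Installed: 1:9.16.22-1~deb11u1
  Candidate: 1:9.16.22-1~deb11u1
  Version table:
 *** 1:9.16.22-1~deb11u1 500
        500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:9.16.15-1 990
        990 http://ftp.cz.debian.org/debian bullseye/main amd64 Packages
"""

def parse_policy(text):
    """Parse `apt-cache policy <pkg>...` output into {pkg: {candidate, versions}}."""
    pkgs, cur = {}, {"candidate": None, "versions": []}  # dummy until first header
    for line in text.splitlines():
        if m := re.match(r"(\S+):$", line):                   # "bind9-libs:"
            cur = pkgs[m.group(1)] = {"candidate": None, "versions": []}
        elif m := re.match(r"\s+Candidate: (.+)$", line):
            cur["candidate"] = m.group(1)
        elif (m := re.match(r" {8}-?\d+ (.+)$", line)) and cur["versions"]:
            cur["versions"][-1][1].append(m.group(1))         # source of the version above
        elif m := re.match(r" (?:\*\*\*| {3}) (\S+) -?\d+$", line):
            cur["versions"].append((m.group(1), []))          # version + priority line
    return pkgs

def masked_security_updates(text, marker="-security"):
    """Return (package, candidate, security_version) where a newer security build lost to pinning."""
    findings = []
    for name, info in parse_policy(text).items():
        # Assumption: the version table is listed newest first, as in the sample.
        for version, sources in info["versions"]:
            if version == info["candidate"]:
                break                                         # everything below is older
            if any(marker in tok for s in sources for tok in s.split()[1:2]):
                findings.append((name, info["candidate"], version))
                break
    return findings
```

Run against real hosts by feeding it the output of `apt-cache policy` for the packages of interest; an empty result means no security-suite version is being outranked by the pinned release.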