Affects Version/s: None
Fix Version/s: None
Template:MODULES Bug Template customfield_10700 368166
Method Found:Customer Feedback
Zendesk Ticket IDs:40262
Zendesk Ticket Count:1
QA Risk Assessment:Needs Assessment
Module Version: all; reproduced on 7.2.0 and 7.4.2
Puppet Version: reproduced on 6.15 and 6.16
OS Name/Version: reproduced on Debian 9, Debian 10, and Ubuntu 18.04
If an apt resource is set to run the apt_update exec, every Puppet run that applies it reports a corrective change, regardless of whether any caches were updated.
The apt-update command, and the actions it performs, is inherently idempotent. We even use it as an example in the Puppet docs of an inherently idempotent command: https://puppet.com/docs/puppet/6.17/type.html#exec
Any command in an exec resource must be able to run multiple times without causing harm — that is, it must be idempotent. There are three main ways for an exec to be idempotent:
- The command itself is already idempotent. (For example, apt-get update.)
However, the apt module's implementation of apt-get update falsely suggests otherwise.
The module README also implies that setting the resource's loglevel to debug (or higher than whatever the agent's log_level setting is) will prevent corrective changes from appearing in agent reports: https://forge.puppet.com/puppetlabs/apt#update-the-list-of-packages
When Exec['apt_update'] is triggered, it generates a Notice message. Because the default logging level for agents is notice, this causes the repository update to appear in logs and agent reports. Some tools, such as The Foreman, report the update notice as a significant change. To eliminate these updates from reports, set the loglevel metaparameter for Exec['apt_update'] above the agent logging level:
However, the PE console still reports a corrective change even when the resource's loglevel is debug or higher, because the corrective change is submitted in the report and the logs don't matter. Aside from the docs not being relevant to the PE console, it's also not true for Foreman as documented: https://github.com/puppetlabs/puppetlabs-apt/pull/690#issuecomment-347472196
I've defined apt::update with loglevel set to debug and I actually don't see any notes from this resource in the report. But Foreman still shows the status of such Puppet runs as "updated" / "changed", so it's always blue, not green.
yeah, I had thought it would properly suppress that in Foreman but it doesn't. I left the MR in place because, well, it's nice not to have it at stdout.
The apt_update exec resource in question: https://github.com/puppetlabs/puppetlabs-apt/blob/2e794c96ce78485bba77183eb57544a1e7415c6f/manifests/update.pp#L59-L67
Steps to reproduce
1. Install PE 2019.8.0 on Ubuntu 18.04.
2. Install the puppetlabs-apt module.
3. Set the default apt resource behavior to always update with a debug loglevel:
4. Run the Puppet agent multiple times
If there's no corrective change, don't report one.
Every run on every node with an apt resource reports a corrective change regardless of the lack of changes on the node, making all reports' statuses effectively meaningless; nodes with changes are indistinguishable from unchanged nodes.
Following the docs suggestion of changing the log level removes the result from the notice-level agent output:
but not the report, so it will still always be reported by the PE console and Foreman, contradicting the docs:
I understand that exec resources always report a corrective change if they successfully run. An exec resource is therefore not appropriate for the apt_update feature because the result (to always report a change) is inherently deceptive (apt-get update can run without performing a corrective change).
apt_update should report a corrective change only when apt-get update results in an updated cache, and the module documentation should not imply that there is a supported way to silence a corrective change in reports.