  1. Puppet
  2. PUP-9564

Puppet upgrades debian packages with pending updates when setting them on hold

Details

    • Night's Watch
    • 2
    • PR - 2019-04-17, PR - 2019-05-02, PR - 2019-05-15
    • Needs Assessment
    • Bug Fix
    • Fixed a bug for the Debian distribution in which ensure => held would install the latest version of the package before locking it to the specific version.
    • Needs Assessment

    Description

      Puppet Version: 4.10.x, probably others too
      Puppet Server Version:
      OS Name/Version: Debian 8, probably other versions too

      If puppet sets a package with a pending upgrade on hold (ensure=>held), the pending upgrade is installed before the package is set on hold.

      Describe steps to reproduce:

      1. Show available versions

      # apt-cache policy openssl
      openssl:
        Installed: 1.0.1t-1+deb8u11
        Candidate: 1.0.1t-1+deb8u11
        Version table:
       *** 1.0.1t-1+deb8u11 0
              500 http://mirror.ip-platform.net/debian-security/ jessie/updates/main amd64 Packages
              100 /var/lib/dpkg/status
           1.0.1t-1+deb8u8 0
              500 http://mirror.ip-platform.net/debian/ jessie/main amd64 Packages

       

      2. Downgrade package:

      # puppet resource package openssl ensure=1.0.1t-1+deb8u8
      Notice: /Package[openssl]/ensure: ensure changed '1.0.1t-1+deb8u11' to '1.0.1t-1+deb8u8'
      package { 'openssl':
       ensure => '1.0.1t-1+deb8u8',
      }
      

      3. Set package on hold:

      # puppet resource --debug package openssl ensure=held
      [...]
      Debug: Prefetching apt resources for package
      Debug: Executing '/usr/bin/dpkg-query -W --showformat '${Status} ${Package} ${Version}\n''
      Debug: Executing: '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install openssl'
      Debug: Executing: 'dpkg --set-selections'
      Notice: /Package[openssl]/ensure: ensure changed '1.0.1t-1+deb8u8' to 'held'
      Debug: Finishing transaction 28203320
      Debug: Storing state
      Debug: Stored state in 0.45 seconds
      Debug: Executing: '/usr/bin/dpkg-query -W --showformat '${Status} ${Package} ${Version}\n' openssl'
      package { 'openssl':
       ensure => '1.0.1t-1+deb8u11',
      }
      

      4. Now the package has been upgraded:

      # apt-cache policy openssl
      openssl:
        Installed: 1.0.1t-1+deb8u11
        Candidate: 1.0.1t-1+deb8u11
        Version table:
           1.0.2l-1~bpo8+1 0
              200 http://mirror.ip-platform.net/debian/ jessie-backports/main amd64 Packages
       *** 1.0.1t-1+deb8u11 0
              500 http://mirror.ip-platform.net/debian-security/ jessie/updates/main amd64 Packages
              100 /var/lib/dpkg/status
           1.0.1t-1+deb8u8 0
              500 http://mirror.ip-platform.net/debian/ jessie/main amd64 Packages

      Desired Behavior:

      The package version stays unchanged and the package is marked on-hold.

      Actual Behavior:

      The package has been upgraded and is on hold. This is counterintuitive and also not reflected by the agent output, especially as the "on hold" setting may be performed especially to prevent the pending upgrade from being installed.

      Probable cause:

      The reason this happens is the apt-get install line marked bold above. If the package already is installed, it should not happen.
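
      A detection sketch for the behaviour reported above, added here as an example and not taken from Puppet's code: it scans agent debug output for an apt-get install of a package that runs before that package's change to 'held', and reads apt-cache policy output to tell whether an upgrade was pending. The function names and the policy sample are constructed for illustration, and it assumes the resource title equals the package name.

```python
import re

# Debug lines from step 3 of the report above.
SAMPLE_DEBUG = """\
Debug: Executing: '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install openssl'
Debug: Executing: 'dpkg --set-selections'
Notice: /Package[openssl]/ensure: ensure changed '1.0.1t-1+deb8u8' to 'held'
"""
# Constructed sample: policy output as it would look after step 2 (not shown in the report).
SAMPLE_POLICY = """\
openssl:
  Installed: 1.0.1t-1+deb8u8
  Candidate: 1.0.1t-1+deb8u11
"""

INSTALL_RE = re.compile(r"Executing: '\S*apt-get\b.*?\binstall\s+(?P<pkgs>[^']+)'")
HELD_RE = re.compile(r"/Package\[(?P<name>[^\]]+)\]/ensure: ensure changed '(?P<old>[^']*)' to 'held'")
POLICY_RE = re.compile(r"^\s*(Installed|Candidate):\s*(.+?)\s*$", re.M)

def pending_upgrade(policy_text):
    """Return (installed, candidate) if apt-cache policy shows a pending upgrade, else None."""
    fields = dict(POLICY_RE.findall(policy_text))
    inst, cand = fields.get("Installed"), fields.get("Candidate")
    if inst and cand and inst != cand and inst != "(none)":
        return inst, cand
    return None

def installs_before_hold(log_text):
    """Return [(package, version_before_hold)] for each package set to 'held'
    after an apt-get install of that same package ran earlier in the log."""
    installed, findings = set(), []
    for line in log_text.splitlines():
        m = INSTALL_RE.search(line)
        if m:
            # apt-get accepts pkg, pkg=version and pkg/release; keep the bare name.
            for token in m.group("pkgs").split():
                if not token.startswith("-"):
                    installed.add(re.split(r"[=/]", token)[0])
            continue
        m = HELD_RE.search(line)
        if m and m.group("name") in installed:
            findings.append((m.group("name"), m.group("old")))
            installed.discard(m.group("name"))
    return findings

if __name__ == "__main__":
    print("pending upgrade:", pending_upgrade(SAMPLE_POLICY))
    print("install before hold:", installs_before_hold(SAMPLE_DEBUG))
```

      A non-empty result from installs_before_hold on a host where pending_upgrade also returns a pair means the hold may have locked the candidate version rather than the one that was installed.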

       

          People

            alexandru.popa Alexandru Popa
            karsten.heymann Karsten Heymann