Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-9564

Puppet upgrades debian packages with pending updates when setting them on hold

    Details

    • Template:
      PUP Bug Template
    • Team:
      Night's Watch
    • Story Points:
      2
    • Sprint:
      PR - 2019-04-17, PR - 2019-05-02, PR - 2019-05-15
    • Method Found:
      Needs Assessment
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Fixed bug for Debian distribution in which the ensure => held would install latest version of the package before locking it to the specific version.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Puppet Version: 4.10.x, probably other too
      Puppet Server Version:
      OS Name/Version: Debian 8, probably other versions too

      If puppet sets a package with a pending upgrade on hold (ensure=>held), the pending upgrade is installed before the package is set on hold.

      Describe steps to reproduce:

      1. Show available versions

      # apt-cache policy openssl
      openssl:
        Installed: 1.0.1t-1+deb8u11
        Candidate: 1.0.1t-1+deb8u11
        Version table:
       *** 1.0.1t-1+deb8u11 0
              500 http://mirror.ip-platform.net/debian-security/ jessie/updates/main amd64 Packages
              100 /var/lib/dpkg/status
           1.0.1t-1+deb8u8 0
              500 http://mirror.ip-platform.net/debian/ jessie/main amd64 Packages

       

       2. Downgrade package:

       

      # puppet resource package openssl ensure=1.0.1t-1+deb8u8
      Notice: /Package[openssl]/ensure: ensure changed '1.0.1t-1+deb8u11' to '1.0.1t-1+deb8u8'
      package { 'openssl':
       ensure => '1.0.1t-1+deb8u8',
      }
      

      3. Set package on hold:

       

      # puppet resource --debug package openssl ensure=held
      [...]
      Debug: Prefetching apt resources for package
      Debug: Executing '/usr/bin/dpkg-query -W --showformat '${Status} ${Package} ${Version}\n''
      Debug: Executing: '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install openssl'
      Debug: Executing: 'dpkg --set-selections'
      Notice: /Package[openssl]/ensure: ensure changed '1.0.1t-1+deb8u8' to 'held'
      Debug: Finishing transaction 28203320
      Debug: Storing state
      Debug: Stored state in 0.45 seconds
      Debug: Executing: '/usr/bin/dpkg-query -W --showformat '${Status} ${Package} ${Version}\n' openssl'
      package { 'openssl':
       ensure => '1.0.1t-1+deb8u11',
      }
      

      4. Now the package has been upgraded:

      # apt-cache policy openssl
      openssl:
       Installed: 1.0.1t-1+deb8u11
       Candidate: 1.0.1t-1+deb8u11
       Version table:
       1.0.2l-1~bpo8+1 0
       200 http://mirror.ip-platform.net/debian/ jessie-backports/main amd64 Packages
       *** 1.0.1t-1+deb8u11 0
       500 http://mirror.ip-platform.net/debian-security/ jessie/updates/main amd64 Packages
       100 /var/lib/dpkg/status
       1.0.1t-1+deb8u8 0
       500 http://mirror.ip-platform.net/debian/ jessie/main amd64 Packages

       

       

      Desired Behavior:

      The package version stays unchanged and the package is marked on-hold.

      Actual Behavior:

      The package has been upgraded and is on hold. This is counterintuitive and also not reflected by the agent output, especially as the "on hold" setting may be performed especially to prevent the pending upgrade from being installed.

      Probable cause:

      The reason this happens is the apt-get install line marked bold above. If the package already is installed, it should not happen.

       

        Attachments

          Activity

            jsd-sla-details-panel

              People

              • Assignee:
                alexandru.popa Alexandru Popa
                Reporter:
                karsten.heymann Karsten Heymann
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Zendesk Support