Mar 06 2021
Why Ansible Upgrades Packages on Hold and How to Fix it
I was writing a new Ansible role to upgrade all of my VMs with apt update and apt upgrade. I was still running an old Rancher release that only works with the docker-ce package up to version 18.06, so that one package had to stay where it was.
The first task puts the package on hold through the Ansible dpkg_selections module, which sets the same dpkg selection that apt-mark hold does, as recommended on many websites.
The second and third tasks run an apt update and an apt full-upgrade through the Ansible apt module.
- name: keep docker from being updated on Rancher nodes
  dpkg_selections:
    name: docker-ce
    selection: hold

- name: apt update cache
  apt:
    update_cache: yes
  changed_when: False

- name: apt full-upgrade
  apt:
    upgrade: full
I then launched my playbook full of confidence and watched docker-ce being upgraded! Oddly, this seemed to hit only my Ubuntu hosts, while the Debian ones ran smoothly. The distribution itself is probably not the deciding factor: the apt module only calls aptitude when it finds the aptitude binary on the target, and otherwise falls back to apt-get with a warning, so the hosts that lost the hold were most likely simply the ones that had aptitude installed.
The Ansible apt module page states “If full, performs an aptitude full-upgrade”.
Let’s check the state of the package after the first task. With dpkg:
$ dpkg -l | grep docker
hi  docker-ce  18.06.3~ce~3-0~ubuntu  amd64  Docker: the open-source application container engine
The leading "h" confirms the dpkg hold. Now the same check with aptitude:
$ aptitude search ~i | grep docker
i   docker-ce  - Docker: the open-source application container engine
The "h" for hold is MISSING!
apt-get and aptitude keep their hold state in different places. apt-get honours the dpkg selection (what dpkg --set-selections or apt-mark hold writes), whereas aptitude maintains its own hold flag in its own state file, and, as the output above shows, does not pick up the dpkg one. So a dpkg hold gives no assurance that aptitude, which is the command actually performing the upgrade here, will leave the held package alone. If you want to keep aptitude as the upgrader, you would have to hold the package on its side as well (aptitude hold docker-ce).
What now?
Fortunately, the Ansible apt module provides a way to force the upgrade to run through apt-get instead of aptitude: the force_apt_get option.
- name: apt full-upgrade
  apt:
    upgrade: full
    force_apt_get: yes
And it did solve my problem: with force_apt_get, upgrade: full runs apt-get dist-upgrade, which respects the dpkg hold.
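For completeness, here is the whole procedure as a single playbook, written as an added example rather than code from the original post. Beyond the tasks above, it dry-runs the upgrade with apt-get -s and asserts that no held package appears in the plan before anything is actually upgraded, then checks apt-mark showhold afterwards. The host group rancher_nodes and the held_packages list are assumptions for the example.

```yaml
# Added example, not from the original post. Holds docker-ce via the dpkg
# selection, proves the hold is honoured by a simulated apt-get run, then
# upgrades with apt-get (force_apt_get) and verifies the hold survived.
# Host group "rancher_nodes" and the held_packages list are assumptions.
- name: Upgrade Rancher nodes without touching docker-ce
  hosts: rancher_nodes
  become: true
  vars:
    held_packages:
      - docker-ce
  tasks:
    - name: Put the packages on hold (dpkg selection, same as apt-mark hold)
      ansible.builtin.dpkg_selections:
        name: "{{ item }}"
        selection: hold
      loop: "{{ held_packages }}"

    - name: Refresh the apt cache
      ansible.builtin.apt:
        update_cache: true
      changed_when: false

    # apt-get -s prints the plan ("Inst pkg [old] (new ...)") without acting on it.
    - name: Simulate the upgrade with apt-get to see what it would install
      ansible.builtin.command: apt-get -s dist-upgrade
      register: upgrade_plan
      changed_when: false

    - name: Abort if any held package shows up in the simulated upgrade
      ansible.builtin.assert:
        that:
          - upgrade_plan.stdout_lines | select('match', '^Inst ' ~ item ~ ' ') | list | length == 0
        fail_msg: "{{ item }} would be upgraded despite the hold; refusing to continue"
      loop: "{{ held_packages }}"

    # force_apt_get makes upgrade: full run apt-get dist-upgrade instead of
    # aptitude full-upgrade, so the dpkg hold is respected.
    - name: Full upgrade, forcing apt-get so the dpkg hold is honoured
      ansible.builtin.apt:
        upgrade: full
        force_apt_get: true

    - name: List packages still on hold after the upgrade
      ansible.builtin.command: apt-mark showhold
      register: showhold
      changed_when: false

    - name: Fail if a hold was dropped along the way
      ansible.builtin.assert:
        that:
          - item in showhold.stdout_lines
        fail_msg: "{{ item }} is no longer on hold"
      loop: "{{ held_packages }}"
```

The dry-run assertion is the part worth keeping around: it catches this class of problem on any host before a package is touched, whichever tool the apt module ends up calling. Run it with ansible-playbook against an inventory that defines the rancher_nodes group.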
Thank you, this solved it for me as well