The default configuration we were writing for Debian was only working
for Squeeze, from Wheezy and onwards this wasn't working anymore. This
has to do with the fact that we should now be using Origins-Pattern
according to the unattended-upgrades docs. However, Ubuntu didn't
entirely get with the program yet...
This change reflects the defaults that unattended-upgrade installs on
every platform we support. In order to do so the unattended-upgrades
Debian archive for Squeeze, Wheezy, Lucid, Precise and Trusty were
downloaded and the default /etc/apt/apt.conf.d/50unattended-upgrades
checked for its content with regard to using Allow-Origins or
Origins-Pattern.
Fixes#277
The module used to always pin backports to a priority of 200. This
default is still retained but is now configurable.
Additionally the default is now an Integer, not a 'quoted Integer' and
the tests have been updated to reflect this. This matters for future
parser as it will now kick people if they pass in a stringified integer
as priority.
I am aware this can be done with `dpkg --set-selections`, `apt-mark`
or `ensure => 'held'` on a package resource. The changes to the README
include the full rationale for wanting another mechanism.
Introducing a totally rewritten and tested apt::key. This commit also
patches the spec's of apt::source because it was passing in data that
is no longer allowed by the new validation rules in apt::key.
It does its best to not touch any other specs and where we touch them
only minimally to ensure that we're not introducing breaking changes.
We already had a feature to manage and purge entries in preferences.d
but not the preferences file in /etc/apt. This commit adds that
capability.
Fixes#199
Lucid (10.04) has `add-apt-repository` but it doesn't accept any
options. The define defaulted to `-y` but this changes that on lucid.
This was made 7 months ago, so apparently no one cares about 10.04 any
more.
...as sometimes we want to get rid of them. :)
We leave this a little loose; rather than simply requiring a boolean for
$ensure, we set the stage for doing an easy switch to also allowing 'purge' at
some point in the future.
Use release parameter to construct $release_string.
The release parameter may also be set to false to use the system's
default release (so just force a specific version). Use false as the
default setting instead of 'testing'.
Change $install_check to also check if package is installed from the
right release, instead of just checking the version.
The two forms of APT preferences records (general & specific) can now be
completely and not partially defined. All distribution properties can be passed
as resource parameters. This change is totally backward-compatible.
This is necessary when required_packages contains GPG keys that are used for
authenticating other packages. Tested with package ubuntu-cloud-keyring which
is included in Ubuntu main and used by the Ubuntu Cloud Archive.
I think the same problem applies to other *-keyring packages as well.
As the apt pinnings are parsed in ascending alphabetical order with
first match wins within a given scope it is useful to be able to specify
a ordering parameter. Then the name parameter can be kept to something
meaningful.
If you need to pin certain Launchpad PPA (ppa:rskvazh/php), you may do:
apt::pin { 'my-launchpad-repo':
priority => 700,
originator =>'LP-PPA-rskvazh-php',
}
Write the pin preference filename as ${name} rather than ${release}, so
that we can pin more than one thing.
Change apt::source so that when pin is set, that it pins to the origin
rather than the release.
apt::ppa and apt::builddep requires apt class. The anchor introduced for
containment of apt-get update causes a dependency loop. apt::ppa appears
to depend on apt class sources.d direcory. While apt::builddep have no
clear reason for a dependency on apt class. This change refactor both
define type, so they no longer cause a dependency loop.
The update to separate Exec["apt-get update ${name}"] to single exec in
apt::update class resulted in apt-get update command to be dangled.
Previously if user specified Package['package_a'] <-
Apt::Resource['source_a'], the original refactor would no longer
guarantee apt-get update is executed before the package is installed.
This patch fixes the problem using the anchor resource and ensuring the
old behaviour is maintained and user can depend on apt-get update
command being invoked if they specify dependency on any apt::*
define resource type as well as the apt class.
apt::pin release should default to title, but should be able to
override. This update removes unnecessary "" around $name, and add spec
tests.
Conflicts:
spec/defines/pin_spec.rb
Move apt-get update exec to a seperate class to minimize the number of
apt-get updates invoked by configuration changes.
* remove apt_update exec resource in apt class.
* remove apt-get-${name} in defines.
* apt::source notify Exec['apt update'].
* Remove dependency to Exec['apt_update'].
* fix rspec-puppet tests.
Conflicts:
manifests/source.pp
Several apt::* define resource type does not support ensurable. This
update allows ensure=>absent to support the removal of these
configuration files.
* apt::conf
* apt::pin
* apt::source
The shorthand syntax cause rspec-puppet failure for external modules
depending on the puppet-apt module. This patch uses the require
metaparameter to avoid this issue.
Previously the update-apt exec would always use /usr/bin/aptitude, which is not necessarily present. This change makes it use ${apt::params::provider} which defaults to /usr/bin/apt-get. This also adds some consistency so that ${apt::params::provider} is used everywhere.
This patch adds the appropriate spec tests to validate the changes
introduced by e5f2dfe. As a bonus it includes fixes to the manifests
that were discovered while writing the tests.
With the addition of this patch two new defines will be added; one to
manage APT configuration files (apt::conf) and one that abstracts out the
requirements needed to turn on backport repositories (apt::backports).
In addition, the patch takes the opportunity to clean up variable
definitions so they follow a consistent pattern of setting local
variables to the fully qualified value stored in the apt::params
class. Previously all variable used within a class directly addressed
the apt::params namespace when ever the variable was used. In the
pattern they now adhere to we can more easily switch the namespace
data lives in or externalize it even more using hiera.
Previously lowercase keys would be installed every
puppet run because apt-key list returns an uppercase
key. This commit makes the comparison case insensitive.
Previously, apt::key used a noop exec hack to do exactly what anchors were
intended to be used for. This commit removes the exec hack and achieves the
same end using Anchor resources from the puppetlabs/stdlib module.
This commit modifies the release parameter test in apt::source to work
correctly within puppet-rspec for edge-case resource definitions. Previously,
the test for the $release parameter was written as
`if ! $release { fail() }`
This commit updates the test to be written as
`if $release == undef { fail() }`
Additionally, the tests for correct behavior in the presence or absence of a
$release parameter have been beefed up.
The reason for making this change relates to examples such as the following
resource definition:
apt::source { "jenkins":
location => "http://pkg.jenkins-ci.org/debian",
release => "",
repos => "binary/",
key => "D50582E6",
key_source => "http://pkg.jenkins-ci.org/debian/jenkins-ci.org.key",
include_src => false,
}
Note that the $release parameter is given as the empty string. In practice,
this is perfectly valid and everything will work great. However, it seems that
the empty string gets interpreted by something in puppet-rspec as something
equivalent to "False", and thus when testing, the above resource definition
would fail with "Puppet::Error: lsbdistcodename fact not available: release
parameter required" even though the $release parameter has been explicitely
specified (as the empty string).
See also: https://github.com/rtyler/puppet-jenkins/issues/9
Adding this defined type allows puppet to add keys to the apt keystore without
needing to add a corresponding source; it also adds the "key_source" parameter
for wget'ing keys from arbitrary URLs, and allows for keys to be explicity
removed.
apt::key allows a key to be ensured present multiple times to account for
apt::source resources that all reference the same key. However, this means
that it is possible for a given key to be defined multiple times with
differing source parameters. e.g.
apt::key { "Add key: 4BD6EC30 from Apt::Source bunny":
key => "4BD6EC30",
key_server => "pgp.mit.edu",
}
apt::key { "Add key: 4BD6EC30 from Apt::Source rabbit":
key => "4BD6EC30",
key_server => "keyserver.ubuntu.com",
}
The defined type will accept both definitions and will create multiple exec
resources. This was deemed preferable to the alternative (creating only one
exec resource) in that one broken definition won't hose an entire catalog. If
one definition fails to install the key because of a bad "key_server", the
next apt::key that uses the key will get it done.
This commit changes $release to default to Facter's $lsbdistcodename
and fall back to a Parse Error if $release is not set and $lsbdistcodename
does not exist. Previously $release was hardcoded to karmic.
This commit also modifies apt::ppa to use $release and sets the
files to be ensured so that they are not purged when purge_sources_list_d
is set to true.
Prior to this commit, when using the purge option, unmanaged entries
in both /etc/apt/sources.list and sources.list.d would be purged.
This commit splits purge into purge_sources_list and purge_sources_list_d
which handle the purging of those items separately. Brief documentation on
each added to class documentation.
Previously, if more than one apt::source required the same packages to be
installed it would fail with a duplicate exec resource. This adds the name of
the source resource to the exec and gives the exec a name, moving it to a
command parameter for the exec.
The setting `disable_keys => true` parameter in the apt module creates
/etc/apt/apt.conf.d/99unauth with the contents
"APT::Get::AllowUnauthenticated 1;". Changing `disable_keys`
does not remove this file. This patch makes it so that
`disable_keys => false` will remove /etc/apt/apt.conf.d/99unauth.
The hash passing to the with method is cleaner and closer to puppet code, so
all of the with_$param have been replaced with with($hash). This also
includes two minor whitspace changes to unstable.pp and source.pp.
This also replaces the ternary switch on param_set with a hash merge,
which is cleaner and will support more use cases.
When the name is used with a file resource, it becomes difficult to test the
resource using rspec-puppet, as the name parameter gets aliased to path. So to
maintain consistency between tests and manifests, this replaces all name
parameters in file resources with the equivalent path parameter.
Previously, even if $version were passed to apt::force, aptitude would just
install the default version of the package available. This updates the aptitude
call to use the version string if it exists. If no version is passed, or if it
is false, no version is added to the aptitude call. This also updates the
rspec-puppet tests for the define, to reflect the changes to the exec.
This patch fixes the query used by apt::force to
determine rather or not the package is installed.
Previously, the expression was not specific enough and
could not lead to false positives in cases where a package
name is contained within another package name (puppet could be
incorrectly determined as being installed if puppet-common is
installed)
This commit resolves that by improving the query expression.
both of these params facilitate options that
ease the management of apt repos in dev
environments
1. disable_keys - allows repos without properly
signed keys
2. always_apt_update - refreshes via apt update
every time that puppet runs.