From e608eebceb4d11d252b2b6defba9d6184c10e1ad Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Thu, 17 Oct 2024 11:46:35 -0400 Subject: [PATCH] Use a single pass in ansible to install local packages In edbc81539582, the process was refactored to use a two-pass system in which packages were first installed with `apt`, which would resolve dependencies, and then `dpkg`, which forcibly installed/overwrote existing packages. Recently we've been hitting trouble where the dpkg lock is still held and the second pass fails. We can do this all in one pass using apt though, by installing all the packages at once, so the dependency graph can be fullfilled, and by passing `--reinstall` to force the installation of the new debs. Fixes #7258. --- .../tasks/install_debs.yml | 22 ++++--------------- 1 file changed, 4 insertions(+), 18 deletions(-) diff --git a/install_files/ansible-base/roles/install-local-packages/tasks/install_debs.yml b/install_files/ansible-base/roles/install-local-packages/tasks/install_debs.yml index b6b23b535f..aaa5caea00 100644 --- a/install_files/ansible-base/roles/install-local-packages/tasks/install_debs.yml +++ b/install_files/ansible-base/roles/install-local-packages/tasks/install_debs.yml @@ -7,22 +7,8 @@ dest: /root/ with_items: "{{ local_deb_packages }}" -# Using a two-pass approach for installing local deb packages. -# The first pass uses `apt`, which will intelligently resolve dependencies; -# a useful attribute, particular for the initial provisioning run. On subsequent -# runs, however, the apt module will skip installation, since the version in -# the DEBIAN/control file hasn't changed. +# Install all the packages we just copied using apt, which will resolve +# dependencies for us. Use --reinstall to forcibly install them even if +# the version is the same. - name: Install locally built deb packages (via apt). - apt: - deb: /root/{{ item.1 }} - ignore_errors: yes - with_indexed_items: "{{ local_deb_packages }}" - -# Using `dpkg` via `command` to ensure installation ensure installation -# every time, regardless of whether packages changed. SecureDrop deb package -# builds are not deterministic, so the `copy` task above will always report -# changed. Once the `apt` task above has installed the packages, only the -# `dpkg -i` calls will reinstall, ensuring the latest local code changes are used. -- name: Install locally built deb packages (via dpkg). - command: dpkg -i /root/{{ item }} - with_items: "{{ local_deb_packages }}" + command: apt-get install --reinstall --yes /root/{{ local_deb_packages | join(' /root/') }}