
We manage quite a lot of Linux servers using Ansible via an AWX server, and patch these once a week using dnf update. Most of our servers are AlmaLinux.

We've had two instances recently where significant bugs have been released which have caused a lot of problems and work to fix things up. I'm wondering about some kind of mechanism whereby we can only install updates/packages based on a specified minimum age or time since release. So, for example, we say dnf update, but only install anything that has been out for at least two weeks (thereby hopefully avoiding any new problems that may be lurking about).

I've scoured the internet and haven't found anything like this, though, which is surprising. Does anyone have any way to do something like this? I appreciate the question is quite open, but that's because I can't find even a starting point at the moment.

Just for reference here is a snippet of a playbook that patches these machines.

---
# Weekly patch task: upgrade every installed package to the newest
# version the configured repositories currently offer.
- name: upgrade all packages
  remote_user: "{{ remote_user }}"
  become: yes
  dnf:
    name: "*"
    state: latest
shaneoh
  • This isn't very related to your question, but I am curious what packages are causing you issues, and if they are causing OS problems, or dependency problems with your installed applications? Also, are you hosting patches locally, or pulling straight from the vendor? – cutrightjm Aug 22 '22 at 04:31
  • 4
    I do, but not via ansible. We use a RedHat Satellite server to define various catalogs which are set to be slightly behind RHEL by a few steps. We can assign various catalogs to various hosts ensuring that updates are stepped through the environment. Since you likely don't have RHSS, is hosting an internal yum repository an option? – Semicolon Aug 22 '22 at 04:53
  • 3
    AFAIK there is no native method for that, and the only way to address it is by configuring your systems to use your own repos rather than the upstream ones that get updated more or less continuously. We do the same as @Semicolon does: create custom point-in-time *"releases"* (a snapshot of the upstream repositories) in RHN Satellite, but you should be able to use the open-source version of Satellite instead as well: https://theforeman.org/ – HBruijn Aug 22 '22 at 07:17
  • @cutrightjm, the one that stung us recently was a major bug with containerd: https://github.com/containerd/containerd/issues/7219 – shaneoh Aug 22 '22 at 20:24
  • @Semicolon and @HBruijn - thanks for the comments. I guess this confirms what I suspected. We are actually moving towards exclusively using our own repos, and indeed some systems use them now, so I guess doing this faster is the solution here. – shaneoh Aug 22 '22 at 20:26
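The snapshot-repository approach from the comments is the robust answer. For anyone who still wants a client-side approximation of the "at least two weeks old" rule from the question, the following is an added example (not posted by anyone in this thread) of a small filter that turns the output of `dnf repoquery --upgrades` into an explicit package list for `dnf update`. It assumes a `--qf` format printing `%{buildtime}` as a Unix timestamp alongside the NEVRA (an assumption about dnf's query format, not verified here), and the repoquery output embedded in it is constructed sample data, not captured from a real host. Note the inherent limitation: RPM build time is not the date the package appeared in the repository, so this is a heuristic, not a release-date check.

```python
#!/usr/bin/env python3
"""Select only pending dnf upgrades whose RPM build time is at least
MIN_AGE_DAYS in the past, so `dnf update` can be given an explicit list.

Added example for the thread above, not code from any participant.
Assumptions are marked in comments.
"""
from __future__ import annotations

import subprocess
import sys
import time
from dataclasses import dataclass

MIN_AGE_DAYS = 14  # the two-week threshold from the question

# ASSUMED dnf invocation (not executed by the offline sample run): one
# candidate per line as "<name>-<epoch>:<version>-<release>.<arch> <buildtime>".
# %{buildtime} is the RPM build time, NOT the date the package hit the repo.
REPOQUERY_CMD = [
    "dnf", "repoquery", "--quiet", "--upgrades",
    "--qf", "%{name}-%{epoch}:%{version}-%{release}.%{arch} %{buildtime}",
]

# CONSTRUCTED sample output for offline use; not captured from a real system.
SAMPLE_OUTPUT = """\
containerd.io-0:1.6.7-3.1.el9.x86_64 1660000000
openssl-1:3.0.1-43.el9_0.x86_64 1655000000
kernel-0:5.14.0-70.22.1.el9_0.x86_64 1656000000
this line is malformed and must be skipped
"""


@dataclass(frozen=True)
class Candidate:
    nevra: str
    buildtime: int  # seconds since the Unix epoch


def parse_repoquery(text: str) -> list[Candidate]:
    """Parse repoquery lines into Candidates; skip anything that is not
    exactly "<nevra> <integer>" so a stray warning line cannot poison the list."""
    out: list[Candidate] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue
        out.append(Candidate(parts[0], int(parts[1])))
    return out


def old_enough(cands: list[Candidate], min_age_days: int, now: int) -> list[str]:
    """Return the NEVRAs built at least min_age_days before `now` (Unix seconds)."""
    cutoff = now - min_age_days * 86400
    return sorted(c.nevra for c in cands if c.buildtime <= cutoff)


def held_back(cands: list[Candidate], min_age_days: int, now: int) -> list[str]:
    """Complement of old_enough(): the upgrades deliberately deferred this run."""
    allowed = set(old_enough(cands, min_age_days, now))
    return sorted(c.nevra for c in cands if c.nevra not in allowed)


def main(argv: list[str]) -> int:
    if "--sample" in argv:
        text = SAMPLE_OUTPUT
    else:
        text = subprocess.run(REPOQUERY_CMD, check=True,
                              capture_output=True, text=True).stdout
    cands = parse_repoquery(text)
    now = int(time.time())
    for nevra in held_back(cands, MIN_AGE_DAYS, now):
        print(f"# deferred (built less than {MIN_AGE_DAYS} days ago): {nevra}",
              file=sys.stderr)
    # stdout carries only the approved list, e.g.: dnf update $(./agefilter.py)
    print("\n".join(old_enough(cands, MIN_AGE_DAYS, now)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Two caveats before wiring this into the AWX play: first, `dnf update <list>` still resolves dependencies freely, so a package on the approved list can pull in a dependency built yesterday; review the transaction (or run with `--assumeno` first) rather than trusting the filter alone. Second, because build time lags or leads publication, a rebuilt package can be published the day it was built and an old build can be pushed weeks later; only a repository snapshot as described by Semicolon and HBruijn gives a true "what was available on date X" view.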

1 Answer


Possibly this could have something to do with the --best parameter of dnf.

-b, --best

Try the best available package versions in transactions. Specifically during dnf upgrade, which by default skips over updates that can not be installed for dependency reasons, the switch forces DNF to only consider the latest packages. When running into packages with broken dependencies, DNF will fail giving a reason why the latest version can not be installed.

Note that the use of the newest available version is only guaranteed for the packages directly requested (e.g. as a command line arguments), and the solver may use older versions of dependencies to meet their requirements.

In the dnf module of Ansible there is the option nobest.

phanaz