Introduction
Ansible is a powerful automation tool known for its role in provisioning, configuration management, and application deployment. Ensuring the integrity and stability of software installations is vital when managing packages through Ansible. To help you achieve this, Ansible provides a set of rules, including Rule 403, known as “package-latest.” This rule emphasizes the importance of controlled, safe package management practices, promoting predictability in your automation tasks.
Deciphering Rule 403 - “package-latest”
Rule 403, or “package-latest,” is a rule within Ansible’s comprehensive rule set that aims to establish best practices for managing packages using package manager modules, such as ansible.builtin.yum and ansible.builtin.apt. These modules allow users to configure how Ansible installs software on target systems.
The primary concern addressed by this rule is the use of the state parameter in package manager modules. In production environments, it is crucial to set the state to “present” and specify a target version for package installations. This practice ensures that packages are installed according to a predefined and tested version, adding a layer of control and predictability to your automation tasks.
Conversely, setting the state to “latest” is discouraged, as it not only installs the desired software but also initiates an update process that can lead to unintended consequences. The update process can result in performance degradation or the installation of additional packages, potentially causing service disruptions.
If your intention is to update packages to the latest version, this rule suggests using the update_only or only_upgrade parameter (depending on the package manager in use) and setting it to “true.” This practice ensures that only updates are applied without the introduction of unexpected packages.
Problematic Code
Let’s explore a problematic code snippet to understand how Rule 403, “package-latest,” can identify issues in your playbooks:
---
- name: Example playbook
hosts: all
tasks:
- name: Install Ansible
ansible.builtin.yum:
name: ansible
state: latest # <- Installs the latest package.
- name: Install Ansible-lint
ansible.builtin.pip:
name: ansible-lint
args:
state: latest # <- Installs the latest package.
- name: Install some-package
ansible.builtin.package:
name: some-package
state: latest # <- Installs the latest package.
- name: Install Ansible with update_only to false
ansible.builtin.yum:
name: sudo
state: latest
update_only: false # <- Updates and installs packages.
- name: Install Ansible with only_upgrade to false
ansible.builtin.apt:
name: sudo
state: latest
only_upgrade: false # <- Upgrades and installs packages
In this code, the state parameter is set to “latest” across various package manager modules, including ansible.builtin.yum, ansible.builtin.pip, and ansible.builtin.package. This configuration can lead to the installation of unexpected package versions and additional packages, introducing unpredictability and potential service issues.
Output:
WARNING Listing 5 violation(s) that are fatal
package-latest: Package installs should not use latest.
403.yml:5 Task/Handler: Install Ansible
package-latest: Package installs should not use latest.
403.yml:10 Task/Handler: Install Ansible-lint
package-latest: Package installs should not use latest.
403.yml:16 Task/Handler: Install some-package
package-latest: Package installs should not use latest.
403.yml:21 Task/Handler: Install Ansible with update_only to false
package-latest: Package installs should not use latest.
403.yml:27 Task/Handler: Install Ansible with only_upgrade to false
Read documentation for instructions on how to ignore specific rule violations.
Rule Violation Summary
count tag profile rule associated tags
5 package-latest safety idempotency
Failed: 5 failure(s), 0 warning(s) on 1 files. Last profile that met the validation criteria was 'moderate'. Rating: 2/5 star
Correct Code
To address the issues highlighted by Rule 403, the correct code should adopt the following best practices:
---
- name: Example playbook
hosts: all
tasks:
- name: Install Ansible
ansible.builtin.yum:
name: ansible-2.12.7.0
state: present # <- Pins the version to install with yum.
- name: Install Ansible-lint
ansible.builtin.pip:
name: ansible-lint
args:
state: present
version: 5.4.0 # <- Pins the version to install with pip.
- name: Install some-package
ansible.builtin.package:
name: some-package
state: present # <- Ensures the package is installed.
- name: Update Ansible with update_only to true
ansible.builtin.yum:
name: sudo
state: latest
update_only: true # <- Updates but does not install additional packages.
- name: Install Ansible with only_upgrade to true
ansible.builtin.apt:
name: sudo
state: latest
only_upgrade: true # <- Upgrades but does not install additional packages.
In this improved code, the state parameter is set to “present,” and specific version identifiers are used for different package installations. By doing so, the playbook ensures that software is installed to predefined versions, adding a layer of control and predictability to your automation tasks.
Implementing Rule 403 - “package-latest”
Rule 403, “package-latest,” provides critical guidance for maintaining safe and controlled package management practices in Ansible. By following this rule, you can safeguard your automation tasks against unpredictability and ensure the reliable installation of software on target systems. In production environments, embracing predictability is essential to minimize the risk of service disruptions and maintain the integrity of your infrastructure.
In cases where updating packages to the latest version is intentional, the use of the update_only or only_upgrade parameter allows you to strike a balance between flexibility and stability
Academy
Learn the Ansible automation technology with some real-life examples in my
Udemy 300+ Lessons Video Course.
My book Ansible By Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps
Donate
Want to keep this project going? Please donate