From 3e4e2fcd46b62588781678dadaa33bb81e41ab90 Mon Sep 17 00:00:00 2001
From: Sam Crauwels
Date: Mon, 2 Mar 2026 00:36:51 +0100
Subject: [PATCH] Add retry logic to early-stage package installs and GPG key download
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The main service package installs (elasticsearch, kibana, logstash, beats) already have retries/until/delay, but several early-stage tasks that run before any Elastic packages are installed did not. These are vulnerable to transient network issues, DNS hiccups, or package manager lock contention — especially in CI where multiple containers hit the same cache simultaneously. Added retries: 3 / delay: 10 / until: success to six tasks across repos, elasticsearch, and elasticstack roles: GPG key download, gpg package install (Debian and RHEL), crypto-policies-scripts install, openssl install, and security prerequisite packages.
Closes #46
---
 roles/elasticsearch/tasks/main.yml | 4 ++++
 roles/elasticstack/tasks/packages.yml | 4 ++++
 roles/repos/tasks/debian.yml | 8 ++++++++
 roles/repos/tasks/redhat.yml | 8 ++++++++
 4 files changed, 24 insertions(+)
diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml
index d7b09aa4..19585f5d 100644
--- a/roles/elasticsearch/tasks/main.yml
+++ b/roles/elasticsearch/tasks/main.yml
@@ -118,6 +118,10 @@
 - name: Install openssl if security is activated
 ansible.builtin.package:
 name: openssl
+ register: _openssl_install
+ until: _openssl_install is success
+ retries: 3
+ delay: 10
 when: elasticsearch_security | bool
 # the following should be done by the rpm but failed with 7.4
diff --git a/roles/elasticstack/tasks/packages.yml b/roles/elasticstack/tasks/packages.yml
index 1e79c371..00edae2a 100644
--- a/roles/elasticstack/tasks/packages.yml
+++ b/roles/elasticstack/tasks/packages.yml
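Review bot: The retry values `retries: 3` and `delay: 10` are hard-coded in "Install openssl if security is activated" in roles/elasticsearch/tasks/main.yml, and the same four-line stanza is repeated in the hunks for roles/elasticstack/tasks/packages.yml, roles/repos/tasks/debian.yml and roles/repos/tasks/redhat.yml. Role defaults would let operators tune them in one place, for example `retries: "{{ elasticstack_early_install_retries | default(3) }}"` and `delay: "{{ elasticstack_early_install_delay | default(10) }}"`; these variable names are suggestions, not ones visible on this page. `until: _openssl_install is success` also retries non-transient failures such as an unknown package name or a misconfigured repository, so those now surface only after every retry and delay has elapsed. A one-line comment above each stanza, such as `# retry: transient network or package-manager lock errors only expected here`, would make that trade-off explicit.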
@@ -20,6 +20,10 @@
 - python3-cryptography
 - python3-packaging
 - openssl
+ register: _security_packages_install
+ until: _security_packages_install is success
+ retries: 3
+ delay: 10
 tags:
 - certificates
 - renew_ca
diff --git a/roles/repos/tasks/debian.yml b/roles/repos/tasks/debian.yml
index 3b6fdbed..022af53e 100644
--- a/roles/repos/tasks/debian.yml
+++ b/roles/repos/tasks/debian.yml
@@ -5,12 +5,20 @@
 - gpg
 - gpg-agent
 state: present
+ register: _gpg_install_deb
+ until: _gpg_install_deb is success
+ retries: 3
+ delay: 10
 - name: Ensure Elastic Stack key is available (Debian)
 ansible.builtin.get_url:
 url: "{{ elasticstack_repo_key }}"
 dest: /usr/share/keyrings/elasticsearch.asc
 mode: "0644"
+ register: _elastic_key_download
+ until: _elastic_key_download is success
+ retries: 3
+ delay: 10
 - name: Ensure Elastic Stack apt repo is absent (Debian legacy format)
 ansible.builtin.file:
diff --git a/roles/repos/tasks/redhat.yml b/roles/repos/tasks/redhat.yml
index 52b2cf33..70b2017a 100644
--- a/roles/repos/tasks/redhat.yml
+++ b/roles/repos/tasks/redhat.yml
@@ -7,6 +7,10 @@
 ansible.builtin.package:
 name: gnupg
 state: present
+ register: _gpg_install_rh
+ until: _gpg_install_rh is success
+ retries: 3
+ delay: 10
 - name: Workaround for EL > 8
 when:
@@ -27,6 +31,10 @@
 - name: Install crypto-policies-scripts
 ansible.builtin.package:
 name: crypto-policies-scripts
+ register: _crypto_policies_install
+ until: _crypto_policies_install is success
+ retries: 3
+ delay: 10
 # since we don't expect to have that workaround for long
 # we can skip having idempotency checks fixed
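Review bot: Nothing verifies the content of the signing key that "Ensure Elastic Stack key is available (Debian)" writes to /usr/share/keyrings/elasticsearch.asc in roles/repos/tasks/debian.yml; the added `until: _elastic_key_download is success` only confirms that a transfer completed. That file is the trust anchor for every later apt install from the Elastic repository, so a retried download should end in an integrity check. One option is get_url's `checksum` parameter, e.g. `checksum: "sha256:<PINNED_KEY_SHA256>"` (placeholder; the real digest is not on this page), ideally fed from a role variable so a key rotation is a one-line change. Whether `elasticstack_repo_key` always resolves to an HTTPS URL cannot be seen from this hunk and is worth confirming in the role defaults.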