apt: Packages were downgraded and -y was used without --allow-downgrades #29451

Closed
ansibot opened this issue Sep 11, 2017 · 16 comments · Fixed by #74852
Labels
affects_2.2 This issue/PR affects Ansible v2.2 bug This issue/PR relates to a bug. has_pr This issue has an associated PR. module This issue/PR relates to a module. packaging Packaging category support:core This issue/PR relates to code supported by the Ansible Engineering Team.

Comments

@ansibot
Contributor

ansibot commented Sep 11, 2017

From @davidak on 2016-12-01T11:08:05Z

ISSUE TYPE
  • Bug Report
COMPONENT NAME

apt

ANSIBLE VERSION
[WARNING]: log file at /var/log/ansible.log is not writeable and we cannot create it, aborting

ansible 2.2.0.0
  config file = /home/davidak/code/ansible/ansible.cfg
  configured module search path = Default w/o overrides
CONFIGURATION
OS / ENVIRONMENT

Controller: elementary OS 0.4 Loki (based on Ubuntu 16.04 LTS)
Host: Ubuntu Server 16.04 LTS

SUMMARY

apt module doesn't downgrade package

STEPS TO REPRODUCE

Deploy this playbook:

- name: install bacula-fd
  apt:
    name: "{{ item }}=5.2.*"
    update_cache: yes
    cache_valid_time: "{{ apt_update_cache_valid_time | default(3600) }}"
    state: present
  with_items:
    - bacula-common
    - bacula-fd
  notify: hold bacula-fd package on xenial

[...]
EXPECTED RESULTS

Ansible instructs apt to downgrade the package to the specified version.

(It currently is 7.0 on the server)

ACTUAL RESULTS
TASK [basecom.bacula-fd : install bacula-fd] ***********************************
task path: /home/davidak/code/ansible/roles/basecom.bacula-fd/tasks/Ubuntu.yml:1
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/core/packaging/os/apt.py
<dev-ansible-xenial.cust.basecom.de> ESTABLISH SSH CONNECTION FOR USER: root
<dev-ansible-xenial.cust.basecom.de> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=10 -o ControlPath=/home/davidak/.ansible/cp/ansible-ssh-%h-%p-%r dev-ansible-xenial.cust.basecom.de '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1480590369.65-131741054149359 `" && echo ansible-tmp-1480590369.65-131741054149359="` echo $HOME/.ansible/tmp/ansible-tmp-1480590369.65-131741054149359 `" ) && sleep 0'"'"''
<dev-ansible-xenial.cust.basecom.de> PUT /tmp/tmpiAy8LQ TO /root/.ansible/tmp/ansible-tmp-1480590369.65-131741054149359/apt.py
<dev-ansible-xenial.cust.basecom.de> SSH: EXEC sftp -b - -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=10 -o ControlPath=/home/davidak/.ansible/cp/ansible-ssh-%h-%p-%r '[dev-ansible-xenial.cust.basecom.de]'
<dev-ansible-xenial.cust.basecom.de> ESTABLISH SSH CONNECTION FOR USER: root
<dev-ansible-xenial.cust.basecom.de> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=10 -o ControlPath=/home/davidak/.ansible/cp/ansible-ssh-%h-%p-%r dev-ansible-xenial.cust.basecom.de '/bin/sh -c '"'"'chmod u+x /root/.ansible/tmp/ansible-tmp-1480590369.65-131741054149359/ /root/.ansible/tmp/ansible-tmp-1480590369.65-131741054149359/apt.py && sleep 0'"'"''
<dev-ansible-xenial.cust.basecom.de> ESTABLISH SSH CONNECTION FOR USER: root
<dev-ansible-xenial.cust.basecom.de> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=10 -o ControlPath=/home/davidak/.ansible/cp/ansible-ssh-%h-%p-%r -tt dev-ansible-xenial.cust.basecom.de '/bin/sh -c '"'"'/usr/bin/python /root/.ansible/tmp/ansible-tmp-1480590369.65-131741054149359/apt.py; rm -rf "/root/.ansible/tmp/ansible-tmp-1480590369.65-131741054149359/" > /dev/null 2>&1 && sleep 0'"'"''
failed: [dev-ansible-xenial.cust.basecom.de] (item=[u'bacula-common=5.2.*', u'bacula-fd=5.2.*']) => {
    "cache_update_time": 1480589184, 
    "cache_updated": false, 
    "failed": true, 
    "invocation": {
        "module_args": {
            "allow_unauthenticated": false, 
            "autoremove": false, 
            "cache_valid_time": 3600, 
            "deb": null, 
            "default_release": null, 
            "dpkg_options": "force-confdef,force-confold", 
            "force": false, 
            "install_recommends": null, 
            "name": [
                "bacula-common=5.2.*", 
                "bacula-fd=5.2.*"
            ], 
            "only_upgrade": false, 
            "package": [
                "bacula-common=5.2.*", 
                "bacula-fd=5.2.*"
            ], 
            "purge": false, 
            "state": "present", 
            "update_cache": true, 
            "upgrade": null
        }, 
        "module_name": "apt"
    }, 
    "item": [
        "bacula-common=5.2.*", 
        "bacula-fd=5.2.*"
    ], 
    "msg": "'/usr/bin/apt-get -y -o \"Dpkg::Options::=--force-confdef\" -o \"Dpkg::Options::=--force-confold\"     install 'bacula-common=5.2.*' 'bacula-fd=5.2.*'' failed: E: Packages were downgraded and -y was used without --allow-downgrades.\n", 
    "stderr": "E: Packages were downgraded and -y was used without --allow-downgrades.\n", 
    "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\nSuggested packages:\n  bacula-doc bacula-traymonitor\nThe following packages will be DOWNGRADED:\n  bacula-common bacula-fd\n0 upgraded, 0 newly installed, 2 downgraded, 0 to remove and 0 not upgraded.\n", 
    "stdout_lines": [
        "Reading package lists...", 
        "Building dependency tree...", 
        "Reading state information...", 
        "Suggested packages:", 
        "  bacula-doc bacula-traymonitor", 
        "The following packages will be DOWNGRADED:", 
        "  bacula-common bacula-fd", 
        "0 upgraded, 0 newly installed, 2 downgraded, 0 to remove and 0 not upgraded."
    ]
}
	to retry, use: --limit @/home/davidak/code/ansible/site.retry

PLAY RECAP *********************************************************************
dev-ansible-xenial.cust.basecom.de : ok=49   changed=0    unreachable=0    failed=1

Copied from original issue: ansible/ansible-modules-core#5781

@ansibot
Contributor Author

ansibot commented Sep 11, 2017

From @ansibot on 2016-12-01T11:08:05Z

@ansible ping, this issue is waiting for your response.

@ansibot
Contributor Author

ansibot commented Sep 11, 2017

From @davidak on 2016-12-01T11:08:05Z

Workaround: Remove Packages manually and let Ansible reinstall it.

@ansibot
Contributor Author

ansibot commented Sep 11, 2017

@ansibot ansibot added affects_2.2 This issue/PR affects Ansible v2.2 bug_report module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Sep 11, 2017
@jborean93 jborean93 removed the needs_triage Needs a first human triage before being processed. label Sep 13, 2017
@Tasqa

Tasqa commented Oct 3, 2017

This can be resolved by using the force: yes option as mentioned in ansible/ansible-modules-core#327 and ansible/ansible-modules-core#53

@four43

four43 commented Nov 22, 2017

@Tasqa 's answer worked for me. Can we close this?

@agenosov

agenosov commented Dec 6, 2017

Why not add the allow_downgrade option to the apt module?
With this new option it would be possible to pass it as a parameter when calling pkg.check() inside the install_deb function.
The only downside is that the oldest versions of the python-apt package don't support passing the allow_downgrade parameter into the check() method.

@PaulGallon

I'm running into the same problem while trying to correct a software update that shouldn't have happened. The version of docker-ce is pinned in the APT preferences so despite this saying latest it will install the pinned version which is older than the version on the system.

- name: Install Docker package
  apt:
    name: "docker-ce"
    state: "latest"
    dpkg_options: force-downgrade
    force: yes

FAILED! => {
  "changed": false,
  "msg": "'/usr/bin/apt-get upgrade --with-new-pkgs ' failed: E: Packages were downgraded and -y was used without --allow-downgrades.\n",
  "rc": 100,
  "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\nCalculating upgrade...\nThe following packages will be DOWNGRADED:\n  docker-ce\n0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 0 not upgraded.\n",
  "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information...", "Calculating upgrade...", "The following packages will be DOWNGRADED:", "  docker-ce", "0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 0 not upgraded."]
}

@ansibot ansibot added bug This issue/PR relates to a bug. and removed bug_report labels Mar 1, 2018
@mkrizek
Contributor

mkrizek commented Mar 19, 2018

Note: Allow apt downgrades (#33677)

@ansibot ansibot added the needs_info This issue requires further information. Please answer any outstanding questions. label Mar 19, 2018
@ansibot ansibot removed the needs_info This issue requires further information. Please answer any outstanding questions. label Mar 27, 2018
@hslavchev

This can be resolved by using the force: yes option as mentioned in ansible/ansible-modules-core#327 and ansible/ansible-modules-core#53

From the apt module's docs (https://docs.ansible.com/ansible/latest/modules/apt_module.html):

This is a destructive operation with the potential to destroy your system, and it should almost never be used. Please also see man apt-get for more information.

I'm with @agenosov on this for adding allow_downgrade parameter

@Bruceforce

We are currently using the following code to delete the package when we want to enforce a specific version. Of course an option to allow downgrades somehow would be appreciated. Just wanted to share this.

- name: get package facts
  package_facts:
    manager: "auto"

- name: uninstall package
  apt:
    name: "NAME_OF_YOUR_PACKAGE"
    state: absent
  when: "VERSION_OF_YOUR_PACKAGE not in ansible_facts.packages['NAME_OF_YOUR_PACKAGE'][0].version"
  ignore_errors: yes

- name: install package
  apt:
    name: "NAME_OF_YOUR_PACKAGE=VERSION_OF_YOUR_PACKAGE*"

@ansibot ansibot added the packaging Packaging category label Feb 20, 2019
@mercury00

In our environment we need to install specific kernels.
This breaks our ansible job because it errors out when trying to do so.

ignore_errors is not an option for us because we want the package installed - ignore_errors will ignore errors, and we don't want to ignore errors, we want packages installed.

Adding an allow_downgrade parameter that adds the --allow-downgrades flag to apt would fix this. What's the fast way to add this simple code to the apt module? I'm happy to test and make the pull request, but I'm not an ansible developer and don't currently have time to browse the source code to find the apt module to do this. If someone can point me at it I can try adding the code.

@mercury00

Please note: with the KERNEL the option to remove the newer package is NOT an option. On install, a newer kernel version than the one we might want is likely to be installed, and if we need to test different versions, we're likely to have a system running a kernel version newer than the package we want installed. In either case, we cannot remove the currently running kernel, and we cannot install the older kernel as a downgrade without the allow-downgrades flag.

@ansibot ansibot added the has_pr This issue has an associated PR. label Jul 30, 2019
@sprive

sprive commented Jun 26, 2020

The way this issue has been handled is disappointing, to phrase it nicely. Please urgently consider fixing the documentation, which has been updated many times in the 3 years since this issue was filed.

The APT module states you CAN declare specific package versions:

There's even an example. No limitations mentioned. But the example only works if nothing is installed.

I spent half a day testing, and digging through posts where folks had this question (but never solved it). I even tried injecting dpkg_options: allow-downgrade before I finally stumbled into this post.

In an effort to spare the next person, I suggest:

  1. On apt_module.html#parameter-state -- document this.
    1. The simplicity of the docs, with an example showing you CAN declare a package version, led me to persist in doubting my play syntax...
    2. I hope there isn't a blanket policy against linking GH issues in the docs, as the explanation why it's not documented. Even if that's the case, the limitation can be summarized.
  2. Until the "allow-downgrade" patch is acceptable, consider printing an Ansible-specific error message...
    1. ...because the raw dpkg error leads the user into trying dpkg-specific workarounds, like my dpkg_options: above. I suspect the "force" solution is unacceptable in other environments besides mine.

Hopefully this does not sound too cranky. I love Ansible. But this experience... ouch!

@oz123

oz123 commented Jan 28, 2021

@Tasqa 's answer worked for me. Can we close this?

This can't be closed because apt says this:

    W: --force-yes is deprecated, use one of the options starting with --allow instead.

@Ant0wan

Ant0wan commented Mar 31, 2021

Hi guys,
I am facing the same issue. Seems that allow-downgrades has been added to dnf/yum but not to the apt module.

  1. Removing and then reinstalling packages is expensive, we can do it this way, for instance:

- name: Update package list
  package_facts:
    manager: auto

- name: Check Docker-CE versions
  set_fact:
    ce_version: "{{ ansible_facts.packages['docker-ce'] | default(none)  |  map(attribute='version')  |  list }}"
    cli_version: "{{ ansible_facts.packages['docker-ce-cli'] | default(none)  |  map(attribute='version')  |  list }}"

- name: Uninstall non-validated docker-ce
  apt:
    name:
      - docker-ce
      - docker-ce-cli
    state: absent
    update_cache: yes
  when: docker_version not in ce_version or docker_version not in cli_version

  2. shell or command modules are the cheapest workaround. If an apt update has been done.

- name: Downgrade package
  command: "apt install docker-ce={{ docker_version }} docker-ce-cli={{ docker_version }} -y --allow-downgrades"

Hope I will have time to add the option to apt module...

@hyperreality
Contributor

hyperreality commented May 28, 2021

I've opened a new PR providing an allow_downgrade option for the apt module: #74852
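
The comments above weigh `force: yes` (which apt reports as the deprecated `--force-yes`) against a dedicated `--allow-downgrades` switch. As an added example, not code from the Ansible apt module or from any commenter, this Python helper reads apt-get's stdout and adds `--allow-downgrades` only when every package apt lists as DOWNGRADED is in an approved set; `downgraded_packages`, `install_argv` and the approved set are hypothetical names, and it assumes non-verbose, English-locale output such as from a dry run with `apt-get -s`.

```python
# Constructed sample: the apt-get stdout quoted in the original report.
SAMPLE_STDOUT = (
    "Reading package lists...\nBuilding dependency tree...\n"
    "Reading state information...\nSuggested packages:\n"
    "  bacula-doc bacula-traymonitor\n"
    "The following packages will be DOWNGRADED:\n"
    "  bacula-common bacula-fd\n"
    "0 upgraded, 0 newly installed, 2 downgraded, 0 to remove and 0 not upgraded.\n"
)

# Assumption: apt runs in an English/C locale and without -V, so the header
# reads exactly like this and the names follow on lines indented by two spaces.
SECTION = "The following packages will be DOWNGRADED:"


def downgraded_packages(stdout):
    """Return the set of package names apt lists under its DOWNGRADED header."""
    names, in_section = set(), False
    for line in stdout.splitlines():
        if line.strip() == SECTION:
            in_section = True
        elif in_section and line.startswith("  "):
            names.update(line.split())
        else:
            # Any non-indented line (or an unrelated section) ends the list.
            in_section = False
    return names


def install_argv(specs, stdout, approved):
    """Build an apt-get argv for `specs` (hypothetical helper).

    --allow-downgrades is added only if apt plans a downgrade and every
    affected package is in `approved`; otherwise the call is refused, so a
    pin or typo cannot silently roll back an unrelated package.
    """
    wanted = downgraded_packages(stdout)
    unexpected = wanted - set(approved)
    if unexpected:
        raise PermissionError(
            "unapproved downgrade: " + ", ".join(sorted(unexpected)))
    argv = ["apt-get", "-y"]
    if wanted:
        argv.append("--allow-downgrades")
    return argv + ["install"] + list(specs)
```
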

@ansible ansible locked and limited conversation to collaborators Oct 12, 2021