-
Notifications
You must be signed in to change notification settings - Fork 23.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
apt upgrade full raises a "Could not get lock /var/lib/dpkg/lock-frontend" #51663
Comments
I just got the same error. I tried to install Ansible remotely and got that error. |
I have the same error. I've seen this error before and just killing ec2 instance helped me fix that, but with ansible-playbook i can't do that. |
I found that this happens when I set different hostnames for the same "ip" in hosts:
|
Just a hunch: |
The bug seems related to using I had to run I had success with this, but still TBD whether this solves it consistently:
On Ubuntu 16. Ansible 2.8.5. |
You could try
|
@JoshuaEdwards1991 our playbooks are full with different lockfile waits (dpkg.lock, dpkg-frontend.lock, etc.) this problem is inside the apt task, when update is true, it doesn't check locks halfway through the task. The current solution is to split the single task into apt-update, wait-for lockfile, apt-upgrade... |
Just ran into this issue today:
Looking at comments above, this is a viable workaround for us:
|
I am blocked by this, all my builds on fresh instances with apt module are failing. |
@bcampoli I found out, further to our issue, that it's only happening when we build on AWS instances. Our Docker instances don't have the same issue. I hate that I did this, but we added a pause statement before the APT code above. Even waiting for the lock using
|
We had a similar issue with Ansible package installs randomly and non-deterministically failing on Ubuntu 18.04 running on EC2 instances. We tried explicitly uninstalling the unattended-upgrades packages prior to Ansible being run, but that didn't seem to help. Ended up adding the following workaround which improved things quite a lot: - name: install packages
apt:
name:
- ...
- ...
# There has been an intermittent issue with this task where it would fail and print the error:
#
# Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), is another process
# using it?
#
# The reason for this is unclear. It's not from unattended-upgrades as that has already been
# uninstalled when creating the base image. The workaround for now is to simply retry this task
# several times in the event that it fails, with a small delay between each attempt.
register: result
until: result is not failed
retries: 5
delay: 5 A proper fix would be great. |
I used this command and it worked on GCE. Hope this helps. |
Hi everyone! This is very annoying issue with Ubuntu. Playbooks which use apt simply very fragile. The problem with unnatended upgrades in ubuntu. See details here https://itsfoss.com/could-not-get-lock-error/ I also was thinking to add Ideally, if Canonical could provide ability to stop upgrades on request in a proper manner. I'd like to have a command some like StopUpgradesFor 42 and it stops upgrades for 42 minutes and then in 42 minutes it starts upgrades again if nobody called StopUpgradesFor again. |
Here is what I ended up coming up with that seems to handle all of the edge cases. Some of this is borrowed from others in this issue, some from other attempts to solve this problem I found in my travels: - name: Disable periodic updates
block:
- name: Set all periodic update options to 0
replace:
path: /etc/apt/apt.conf.d/10periodic
regexp: "1"
replace: "0"
- name: Set all auto update options to 0
replace:
path: /etc/apt/apt.conf.d/20auto-upgrades
regexp: "1"
replace: "0"
- name: Disable unattended upgrades
lineinfile:
path: /etc/apt/apt.conf.d/10periodic
regexp: "^APT::Periodic::Unattended-Upgrade"
line: 'APT::Periodic::Unattended-Upgrade "0";'
create: yes
- name: Stop apt-daily.* systemd services
service:
name: "{{ item }}"
state: stopped
with_items:
- unattended-upgrades
- apt-daily
- apt-daily.timer
- apt-daily-upgrade
- apt-daily-upgrade.timer
- name: Disable apt-daily.* systemd services
systemd:
name: "{{service}}"
enabled: no
masked: yes
with_items:
- apt-daily.service
- apt-daily.timer
- apt-daily-upgrade.service
- apt-daily-upgrade.timer
loop_control:
loop_var: service
- name: Uninstall unattended upgrades
apt:
name: unattended-upgrades
state: absent
- name: Prevent unattended upgrades from being installed
dpkg_selections:
name: unattended-upgrades
selection: hold |
@tonycpsu how do you solve upgrades then if you have disabled? My problem is that I use ansible to configure ubuntu machines at home. All works fine except this annoying issue. I do not wanna turn it off. |
Same issue here as described by author. tasks:
- name: Step 1 - Update Ubuntu package list
apt:
update_cache: yes
- name: Step 2 - Update all packages to the latest version
apt:
upgrade: dist It crashes at "Step 2..." with the following error: Something worth noting, Ubuntu seems to have these scheduled activities which trigger on first boot: |
- Is now functionnal - For it to work, we had to remove the 'lock' file in the path '/var/lib/dpkg' SOURCE: ansible/ansible#51663 - Now updates ansible machines
Just to be sure, check if there is a cloud-init running on your instance, for me, there was a cloud-init set which was locking the update manager for any other operation. |
@antonioribeiro: Greetings! Thanks for taking the time to open this issue. In order for the community to handle your issue effectively, we need a bit more information. Here are the items we could not find in your description:
Please set the description of this issue with an appropriate template from: |
This comment has been minimized.
This comment has been minimized.
related #74095 |
@ravulakiran I'm afraid I can't help you in your specific case - you're posting on issues that aren't relevant and without full detail. This issue relates specifically to where the apt process has a lock state because another process is running an apt process. Your initial question did relate to this, but you're now layering more complexity and non-relevant content over the top. To compound issues, where you have posted problems that you are actually having, you're posting just the output of the failed task, you're not providing a simple, testable case that someone can guide you on. In addition, dropping into an existing issue (like this one) and asking unrelated questions makes it difficult to find context that the actual project owners, employees, volunteers or interested parties can use to resolve the initial issue. I would suggest either
I should note, I'm not involved in the project at all, aside from being interested enough in issues to comment on them, and provide code or documentation to resolve a few small issues I can see being helpful. I certainly don't have any sway with the project nor can I moderate conversations, other than dropping a response like this in. |
It looks like per that PR linked above this is getting fixed in 2.12. Is there any chance of backporting it as a bugfix? |
awx 19, ansible 2.9.13 this code works for centos, but not for ubuntu. "msg": "'/usr/bin/apt-get upgrade --with-new-pkgs ' failed: E: Could not open lock file /var/lib/dpkg/lock-frontend - open (13: Permission denied)\nE: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), are you root?\n", #become: yes
|
@TristisOris You must have |
@JonTheNiceGuy i tried all options, but it didnt' works on my hosts without sudoers edit. Some my centos7 works only with |
@TristisOris This is not linked to the issue above, however, you need to supply one of;
The first option allows you to use this password in an automated manner, however, it may be stored in an insecure way (e.g. not using the vault). The second option requires you to provide the sudo password each time you run the script, but is more secure. Again, this is NOT linked to the issue above, so if you have any further issues with your playbook, can I suggest using one of the support methods (e.g. IRC or mailing list) to get more interactive help. |
All the solutions proposed above didn't convince me because I wanted to keep unattended-upgrade, and I didn't want to build a dirty workaround on all apt tasks implying a lot of rewriting on all my ansible roles/playbooks. I solved the problem by building an image with the proper systemd setting disabled:
I disabled the
from |
Has anyone tried this workaround yet?
Found here: https://blog.sinjakli.co.uk/2021/10/25/waiting-for-apt-locks-without-the-hacky-bash-scripts/ |
LIke @bcoca said, #74095 has been merged into devel, so we'll be getting this in 2.12 I believe. For the time being, I also found that my digitalocean droplets were kicking off - name: Wait for cloud-init to complete
shell: journalctl --boot _COMM=cloud-init | grep 'Cloud-init.*finished at'
register: cloud_init_install
retries: 60
delay: 5
until: cloud_init_install is success Which looked like this:
Hope that helps someone! |
In plublic cloud automation, I ended up with this playbook running first, no need to parse logs:
But it could be not sufficient with systems with unattended-upgrades like Ubuntu which could fire an apt upgrade at boot. |
I run the following bash script using packer on first boot then run ansible for provisioning:
Packer code:
Thanks @wibru for the solution |
I used yours and it finally worked for me. I am connecting to a remote ubuntu VM hosted on azure, I use -u azureuser in the command line and in the playbook I have become: true All I needed to do was add become_user:root and it finally passed. |
with 1, you run the task as the ansible_user but ask for privileges escalation. Depend on the become_method, sudo by default with ubuntu linux. |
Reopening this issue. |
also experiencing this issue on new AWS Ubuntu 20 instances task ... - name: Update package cache so Docker packages install will succeed
apt:
update_cache: yes
pkg:
- docker-ce
- docker-ce-cli
- containerd.io ansible tower error ... {
"stderr_lines": [
"E: Could not get lock /var/lib/dpkg/lock-frontend. It is held by process 7690 (apt-get)",
"E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), is another process using it?"
],
"changed": false,
"_ansible_no_log": false,
"cache_updated": true,
"stdout": "",
"msg": "'/usr/bin/apt-get -y -o \"Dpkg::Options::=--force-confdef\" -o \"Dpkg::Options::=--force-confold\" install 'docker-ce' 'docker-ce-cli' 'containerd.io'' failed: E: Could not get lock /var/lib/dpkg/lock-frontend. It is held by process 7690 (apt-get)\nE: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), is another process using it?\n",
"stderr": "E: Could not get lock /var/lib/dpkg/lock-frontend. It is held by process 7690 (apt-get)\nE: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), is another process using it?\n",
"rc": 100,
"invocation": {
"module_args": {
"autoremove": false,
"force": false,
"force_apt_get": false,
"update_cache": true,
"pkg": [
"docker-ce",
"docker-ce-cli",
"containerd.io"
],
"only_upgrade": false,
"default_release": null,
"cache_valid_time": 0,
"dpkg_options": "force-confdef,force-confold",
"upgrade": null,
"policy_rc_d": null,
"package": [
"docker-ce",
"docker-ce-cli",
"containerd.io"
],
"autoclean": false,
"purge": false,
"allow_unauthenticated": false,
"state": "present",
"deb": null,
"install_recommends": null
}
},
"stdout_lines": [],
"cache_update_time": 1687877445
} will try adding a cloud-init status --wait to the playbook ... - name: Wait for cloud-init / user-data to finish
command: cloud-init status --wait
changed_when: false
- name: Update package cache so Docker packages install will succeed
apt:
update_cache: yes
pkg:
- docker-ce
- docker-ce-cli
- containerd.io
|
Hi, I tested multiple things to better disable and the form that I think better is: Regards |
I've attempted the cloud-init wait, but unfortunately that only waits for cloud init, which isn't always the cause. Another block I've added which has been useful is: - name: Wait for cloud-init / user-data to finish
command: cloud-init status --wait
when: "'lxc' not in group_names"
changed_when: false
no_log: true
- name: Wait for cloud init to finish
community.general.cloud_init_data_facts:
filter: status
register: res
until: "res.cloud_init_data_facts.status.v1.stage is defined and not res.cloud_init_data_facts.status.v1.stage"
when: "'lxc' not in group_names"
retries: 50
delay: 5 |
SUMMARY
When trying to
apt: upgrade: full
frequently it errors with"Could not get lock /var/lib/dpkg/lock-frontend"
. I already tried to delete the lock file before running upgrade, but it still raises the error. To fix it I just have to runansible-playbook
again and it usually works.ISSUE TYPE
COMPONENT NAME
apt
ANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
Ansible environment
macOS 10.14
Target OS
Ubuntu 18.04
It's a new host, clean 18.04 install, and Ansible is the only thing installing packages on it.
STEPS TO REPRODUCE
Delete the lock file
I usually get a green on this one, meaning the file was not present:
Ugrade all packages
The one who fails
The text was updated successfully, but these errors were encountered: