Install a specific version #33

Open
hectcastro opened this issue Oct 27, 2014 · 39 comments

Comments


@hectcastro hectcastro commented Oct 27, 2014

How would you recommend that someone use this repository to install a specific version of Node.js? Previously, I was attempting to pin the version number, but it looks like older versions of Node.js are being replaced with newer ones.

My goal is to use a specific version of Node.js, but then not update to the newest version until after some testing occurs.


@Freewavs Freewavs commented Oct 29, 2014

This is my question too

Contributor

@rvagg rvagg commented Oct 29, 2014

https://help.ubuntu.com/community/PinningHowto might be the way to go, /etc/apt/preferences

This is something we're only looking at experimenting with ourselves now for our Docker images, we'll let you know if we come up with an approach we can recommend, but for now, have a look at that wiki link.


@zol zol commented Dec 15, 2014

+1 It would be great to keep old versions available in Packages rather than just the latest.

Unfortunately pinning doesn't help when needing to provision new VMs to match machines in the cluster that are running an older version of the package.


@tecto tecto commented Jan 3, 2015

+1 for keeping old versions available in Packages.

Need to be able to apt-get install a specific version (0.10.33 in this case) across multiple servers and then pin the nodejs package to maintain consistency and separately test new versions before rollout.

Reference both https://help.ubuntu.com/community/PinningHowto and http://blog.andrewbeacock.com/2007/03/how-to-install-specific-version-of.html

Contributor

@chrislea chrislea commented Jan 3, 2015

Okay, we certainly understand the need. Unfortunately, the reprepro utility which is part of our tooling for publishing the repositories can't do this, so we'll need to look into using something like aptly instead. I'll update here once we have something ready.


@chris-prince chris-prince commented Feb 7, 2015

What about at least providing one repo per major release series (e.g. 0.10.x, 0.12.x)?

This is especially relevant now that Node 0.12 is out. I'd like to have control over when I make the switch from 0.10.x to 0.12.x. (But I am okay with receiving bugfix updates on the track that I'm on.)

I feel like SaltStack PPAs do this well. (https://launchpad.net/~saltstack) In their case:

  • ppa:saltstack/salt gives the latest stable release
  • ppa:saltstack/salt2014-7 gives the latest stable v2014.7.x release
  • ppa:saltstack/salt2014-1 gives the latest stable v2014.1.x release
  • etc.

Going forward, I would love to see something similar for Node (e.g. repos node, node-0.10, node-0.12).


@coen-hyde coen-hyde commented Feb 11, 2015

This is an issue for us as well. I've switched to compiling from source for the moment as I'm not sure when the nodesource repo will switch to a 0.12.x release.


@awithersdd awithersdd commented Apr 3, 2015

This really should be fixed, like many we test and lock to a specific release for production, we cannot have apt-get install nodejs=specific version fail because a new release was made nor can we accept every new release as if it were the one tested against.

Contributor

@retrohacker retrohacker commented Apr 4, 2015

https://github.com/nodesource/docker-node has examples of installing specific versions of node/iojs on debian/ubuntu using dpkg and fedora/centos using rpm. You may want to do gpg verification as well, like https://github.com/iojs/docker-iojs/blob/master/1.6/Dockerfile#L11


@shrop shrop commented Jul 25, 2015

Using Meteor and definitely need a way to pin the nodejs since there are version requirements. Thanks for all you folks do on this distro!


@heston heston commented Dec 10, 2015

Friendly bump on this. I just got bit by a version update causing all of our builds to fail. Very unexpected that previous versions are wiped from the repo when a new one is released.

Contributor

@retrohacker retrohacker commented Dec 10, 2015

@heston I believe they are only removed from the Release file. They are still in the repo: https://deb.nodesource.com/node_5.x/pool/main/n/nodejs/

Personally I am pinning against specific versions using wget [deb] && dpkg -i [deb].


@heston heston commented Dec 10, 2015

@wblankenship Thanks for the tip. Indeed, I see that the packages are still available, so that's an option. Without them being listed in the repo, it's not as easy to install with a package manager, though.

We're using salt to manage our package installations. It has great support for apt-get, but doesn't work as well with custom installation procedures.


@conatus conatus commented Jan 6, 2016

@wblankenship Thanks for the tip too!

Can someone from @nodesource please reply to this issue? We have occasional breaking builds as a result of this decision not to keep the packages around and we need to pin an exact version.

At the risk of sounding off, an allegedly "enterprise" set of packages should really allow this simply.

Contributor

@retrohacker retrohacker commented Jan 6, 2016

@conatus, thanks for your comment. We understand that this feature has been a pain point for some. I personally had to work with it when building the Docker images for NodeSource.

@chrislea, @rvagg, and I are all on the @nodesource team.

Our current build uses the reprepro tool from the Debian project to host these repositories. As chrislea commented above, the tool is preventing us from doing this. We are looking into alternatives that will offer this feature.

We understand the need to pin to specific versions of Node in production. The rationale behind our Docker images is to support that specific use case. While we work towards a solution that allows apt to directly pin a version, we have a short term solution that I proposed above.

We religiously keep all of the artifacts generated by our builds, incrementing the trailing digit of the .deb in the event we need to do a rebuild. They all exist on deb.nodesource.com. This allows consumers to pin directly to a version of Node. The pools these artifacts are served from can be found at:

If you are using ansible, as @heston, the apt package supports the deb flag which takes a path to a .deb file on the remote box. Pairing this with get_url will offer a short term solution to version pinning.

There is a similar story for our rpm packages as well.


@conatus conatus commented Jan 6, 2016

Thanks for your reply @wblankenship, very much appreciated.

While this short term fix is certainly acceptable and the Dockerfiles are good examples, NodeSource isn't just any old set of builds. It is the set of builds recommended by the Node.js project itself as an install path. This repo is then a key bit of Node.js infrastructure for anyone running any kind of automation. You at @nodesource seem to intend it to be taken as such. So I hope you will consider working out how to pin versions easily as a matter of some priority in the near term.

Thanks a lot.


@leedm777 leedm777 commented Jan 25, 2016

If it helps, Docker addressed a similar problem using reprepro with their patch at moby/moby#16001. Maybe NodeSource can do something similar.


@nicholascapo nicholascapo commented Mar 31, 2016

Any word on this? aptly [1] works great for our internal repos, served from nginx.

[1] https://www.aptly.info/

Contributor

@chrislea chrislea commented Mar 31, 2016

Yes, we will probably move to aptly since it seems like the best tool that will let us do this. Unfortunately the way the builds are currently automated is fairly tied to reprepro so this isn't a trivial change to make. It will almost certainly happen when we move the repos to be served off of S3 / CloudFront. So both of those are things on the TODO list, but right now there are a couple of other infrastructure updates that we have to make first internally, so these aren't at the top of the list right now.


@danielkza danielkza commented Feb 3, 2017

Any news on this?


@Daniel15 Daniel15 commented Mar 11, 2017

We switched from reprepro to Aptly for Yarn, and it works pretty well. I'd recommend it.

Contributor

@chrislea chrislea commented Mar 28, 2017

It is still on our list of things to look at @codyaray, but it's still not at a high priority.

Please keep in mind that for any LTS release, you're guaranteed that the APIs aren't going to change, and there are fairly frequent security related updates. So we really recommend always using the newest version of any LTS line that you're using, which is what apt or yum will do by default.


@dgreene-r7 dgreene-r7 commented Mar 29, 2017

That's hopefully true regarding regressions, but sometimes they slip through. In an ideal world we could simply pin back the version of node we want to install rather than falling back to pulling deb artifacts directly from the pool.


@jcputter jcputter commented Sep 14, 2017

cannot use this repo in production because of this....


@tardis4500 tardis4500 commented Sep 29, 2017

I agree with the previous comments that we are unable to use this in Production since we can go through an entire testing cycle in all our environments and then on Production deployment day, find out the install fails because it is no longer available.


@luqasz luqasz commented Sep 30, 2017

I use LTS repo of node. I install it in testing and production. That is all I can do to minimize possible problems.

Chrisdo82 pushed a commit to Chrisdo82/docker-java-node that referenced this issue Oct 18, 2017
- due to nodejs we cannot pin to a specific version of Node.js (nodesource/distributions#33 (comment))

@metametadata metametadata commented Oct 19, 2017

I ended up pinning the version in my Dockerfile by downloading the .deb file and running apt-get install on it:

RUN set -ex \
  ; apt-get update \
  ; curl -o nodejs.deb https://deb.nodesource.com/node_8.x/pool/main/n/nodejs/nodejs_8.7.0-1nodesource1_amd64.deb \
  ; apt-get install -y ./nodejs.deb \
  ; rm nodejs.deb \
  ; rm -rf /var/lib/apt/lists/*

@kundansmart501 kundansmart501 commented Nov 6, 2017

Wanted to update from version v0.10.25 to v6 on Ubuntu 14.0, but able to do so


@plinehan plinehan commented Jan 31, 2018

Thanks @metametadata! FWIW, I had to swap:

apt-get install -y ./nodejs.deb

for:

dpkg -i ./nodejs.deb

Otherwise, apt-get install spews a few thousand lines of:

E: Release 'nodejs.deb' for '$FOO' was not found

before failing. The dpkg command completed without reporting any missing dependencies.
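
The curl + dpkg installs shown in this thread skip the signed-metadata check that apt performs for repository installs, so the downloaded file needs its own integrity check. The following is an added example, not code from any commenter or from NodeSource: it installs one exact nodejs build only if its SHA-256 matches a digest recorded when that build was tested. The pool URL and version come from the thread; the function names are hypothetical and `PINNED_SHA256` is a placeholder.

```shell
#!/bin/sh
# Added example: pin nodejs to one exact .deb and refuse anything else.
POOL_URL="https://deb.nodesource.com/node_8.x/pool/main/n/nodejs"  # from the thread
PINNED_VERSION="8.7.0-1nodesource1"  # full Debian version, revision included
PINNED_ARCH="amd64"
PINNED_SHA256="REPLACE_WITH_DIGEST_RECORDED_AT_TEST_TIME"  # placeholder, not a real digest

# deb_filename NAME VERSION ARCH -> file name as it appears in the pool
deb_filename() {
    printf '%s_%s_%s.deb\n' "$1" "$2" "$3"
}

# sha256_of FILE -> lowercase hex digest (sha256sum, or shasum as a fallback)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED
#   0 = digest matches, 1 = mismatch or missing file,
#   2 = EXPECTED is not a 64-character hex digest (e.g. the placeholder)
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$expected" in
        *[!0-9a-f]*|'') return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    [ -f "$1" ] || return 1
    [ "$(sha256_of "$1")" = "$expected" ]
}

# Download the pinned build, verify it, then install it with dpkg.
install_pinned_nodejs() {
    file=$(deb_filename nodejs "$PINNED_VERSION" "$PINNED_ARCH")
    tmp=$(mktemp -d) || return 1
    # -f makes curl fail on HTTP errors instead of saving an error page as the .deb
    if ! curl -fsSL -o "$tmp/$file" "$POOL_URL/$file"; then
        rm -rf "$tmp"; return 1
    fi
    if ! verify_sha256 "$tmp/$file" "$PINNED_SHA256"; then
        echo "digest check failed for $file, not installing" >&2
        rm -rf "$tmp"; return 1
    fi
    # The file name is not authoritative: compare the version in the control data.
    actual=$(dpkg-deb -f "$tmp/$file" Version)
    if [ "$actual" != "$PINNED_VERSION" ]; then
        echo "package reports version $actual, expected $PINNED_VERSION" >&2
        rm -rf "$tmp"; return 1
    fi
    dpkg -i "$tmp/$file"; rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Runs only when invoked as: sh this-script install
if [ "${1:-}" = "install" ]; then
    install_pinned_nodejs
fi
```

Record the digest from the artifact that passed testing and store it next to the version pin, so that a rebuilt or replaced file under the same name fails the install instead of reaching production.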

Author

@hectcastro hectcastro commented Feb 22, 2018

In addition to Aptly, packagecloud could help alleviate a bunch of the problems discussed here (and possibly others, because they support yum and are fronted by Fastly's CDN already). I'm obviously not familiar with your existing build pipeline, so I can't comment on the impact it'll have on that, but package publishing processes I've worked in the past with their CLI have been relatively painless.

In addition, I was partially part of a package repository migration process while at Basho. In that case, we put everything in packagecloud, made that the new source of truth in our docs, but kept the old setup running. Everything still worked the way people expected, but those who wanted in on the latest and greatest (or version pinning) had a clear path with packagecloud.

As for intermediate solutions to this problem, we've worked around it by pinning to Linux binary releases published on nodejs.org. Not as straightforward as a native operating system package, but usually better than compiling from source.


@felixfbecker felixfbecker commented May 31, 2018

This is not just about using the latest version for security fixes, but about reproducible builds in general. Building the same Dockerfile twice in CI should be 100% guaranteed to work and result in the exact same image digest hash to hit the cache and not cause any pushes or redeploys. I can write a bot that does automatic PRs to update versions in a Dockerfile, I don't have to sacrifice build reproducibility just to stay up to date - as long as old versions are not deleted and can be pinned.


@ErisDS ErisDS commented Jul 19, 2018

I thought that nodesource was the de facto place to install node from, but this limitation is 😳. It's not possible to use the ppa with configuration management tools, or anything designed to do repeatable builds - e.g. I ended up here because of this: saltstack-formulas/node-formula#22

Anyone else running into this - what did you do instead? I've fallen back to installing from source but it's so insanely slow I don't want to do this long term.

Contributor

@chrislea chrislea commented Jul 19, 2018

@ErisDS You can always just grab specific packages directly from the repo using something like curl. Assuming you're interested in installing something from the 8.x release, you can find all the files here:

https://deb.nodesource.com/node_8.x/pool/main/n/nodejs/

Hope this helps.


@tragiclifestories tragiclifestories commented Jul 19, 2018

Yep, that's what we did in the end. I think there are fuller examples earlier in this thread or linked from it.

It's a fiddly, messy couple of lines in your CI config or dockerfile, but worse things happen at sea ...

bfirsh added a commit to arxiv-vanity/engrafo that referenced this issue Nov 29, 2018

@gazal-k gazal-k commented Jul 8, 2019

On centos, I was able to do:

curl -f --silent --location https://rpm.nodesource.com/setup_8.x | bash - 
yum install -y nodejs-8.8.1

@abitrolly abitrolly commented Apr 1, 2020

For Debian 10 Buster I had to modify @metametadata's script for installing a specific version of NodeJS and Yarn. The node version is taken from /app/package.json.

RUN set -x \
      && apt-get update && apt-get install -y curl jq \
      && NODE_VERSION=$(jq -r .engines.node /app/package.json) \
      && DEB_FILE="nodejs_${NODE_VERSION}-1nodesource1_amd64.deb" \
      && curl -sLO "https://deb.nodesource.com/node_12.x/pool/main/n/nodejs/${DEB_FILE}" \
      && apt-get install -y ./"${DEB_FILE}" && rm "${DEB_FILE}" \
      && curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - \
      && echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list \
      && apt-get update && apt-get install -y yarn \
      && rm -rf /var/lib/apt/lists/*

@Daniel15 Daniel15 commented Apr 1, 2020

@abitrolly Just be careful, the -1nodesource1 part is part of the package version number and could change.

I'd also recommend installing a fixed version of Yarn, which you can do using something like apt install yarn=1.22.4-1. You can run apt list -a yarn to see all available versions:

root@vps03:~# apt list -a yarn
Listing... Done
yarn/stable,stable,now 1.22.4-1 all [installed]
yarn/stable,stable 1.22.1-1 all
yarn/stable,stable 1.22.0-1 all
yarn/stable,stable 1.21.1-1 all
yarn/stable,stable 1.19.2-1 all
yarn/stable,stable 1.19.1-1 all
yarn/stable,stable 1.19.0-1 all
yarn/stable,stable 1.17.3-1 all
yarn/stable,stable 1.16.0-1 all
yarn/stable,stable 1.15.2-1 all
yarn/stable,stable 1.13.0-1 all
yarn/stable,stable 1.12.3-1 all
yarn/stable,stable 1.12.1-1 all
yarn/stable,stable 1.10.1-1 all
yarn/stable,stable 1.10.0-1 all
yarn/stable,stable 1.9.4-1 all
yarn/stable,stable 1.9.2-1 all
yarn/stable,stable 1.7.0-1 all
yarn/stable,stable 1.6.0-1 all
yarn/stable,stable 1.5.1-1 all
yarn/stable,stable 1.3.2-1 all
yarn/stable,stable 1.2.1-1 all
yarn/stable,stable 1.2.0-1 all
yarn/stable,stable 1.1.0-1 all
yarn/stable,stable 1.0.2-1 all
yarn/stable,stable 1.0.1-1 all
yarn/stable,stable 0.27.5-1 all
yarn/stable,stable 0.27.4-1 all
yarn/stable,stable 0.27.3-1 all
yarn/stable,stable 0.27.2-1 all
yarn/stable,stable 0.24.6-1 all
yarn/stable,stable 0.24.5-1 all
yarn/stable,stable 0.24.4-1 all
yarn/stable,stable 0.24.3-1 all
yarn/stable,stable 0.23.4-1 all
yarn/stable,stable 0.23.3-1 all
yarn/stable,stable 0.23.2-1 all
yarn/stable,stable 0.22.0-1 all
yarn/stable,stable 0.21.3-1 all
yarn/stable,stable 0.20.3-1 all
yarn/stable,stable 0.19.1-1 all
yarn/stable,stable 0.18.1-1 all
yarn/stable,stable 0.17.10-1 all
yarn/stable,stable 0.17.9-1 all
yarn/stable,stable 0.17.8-1 all
yarn/stable,stable 0.17.6-1 all
yarn/stable,stable 0.17.5-1 all
yarn/stable,stable 0.17.4-1 all
yarn/stable,stable 0.17.3-1 all
yarn/stable,stable 0.17.2-1 all
yarn/stable,stable 0.17.0-1 all
yarn/stable,stable 0.16.1-1 all
yarn/stable,stable 0.16.0-1 all
yarn/stable,stable 0.15.0-1 all
gkalpak added a commit to gkalpak/angular that referenced this issue Apr 28, 2020
Previously, in order to remain as deterministic as possible, the
Dockerfile for the preview server Docker image had all dependencies
pinned to specific versions. It turns out that some packages (such as
`nginx`, `nodejs`, and `openssl` - potentially others too) make older
versions unavailable on the repositories once a newer version is
available.

See for example:
- nodesource/distributions#33
- https://askubuntu.com/questions/715104/how-can-i-downgrade-openssl-via-apt-get

This commit, therefore, removes the exact versions for these packages.
The latest versions will be installed every time the Docker image is
built (subject to Docker caching).
alxhub added a commit to angular/angular that referenced this issue May 6, 2020
…36837)

Previously, in order to remain as deterministic as possible, the
Dockerfile for the preview server Docker image had all dependencies
pinned to specific versions. It turns out that some packages (such as
`nginx`, `nodejs`, and `openssl` - potentially others too) make older
versions unavailable on the repositories once a newer version is
available.

See for example:
- nodesource/distributions#33
- https://askubuntu.com/questions/715104/how-can-i-downgrade-openssl-via-apt-get

This commit, therefore, removes the exact versions for these packages.
The latest versions will be installed every time the Docker image is
built (subject to Docker caching).

PR Close #36837