ansible/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
Code Releases Activity
community.general/plugins/modules/dnf_versionlock.py
Felix Fontein 2ed82e0318
Use semantic markup (modules d-g) (#6672) 
* Use semantic markup.

* 'ignore:' is no longer needed.

* E() now works better.
2023-06-15 15:46:44 +02:00

355 lines
12 KiB
Python
Raw Blame History

#!/usr/bin/python
# -*- coding: utf-8 -*-
# Copyright (c) 2021, Roberto Moreda <moreda@allenta.com>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
DOCUMENTATION = r'''
---
module: dnf_versionlock
version_added: '4.0.0'
short_description: Locks package versions in C(dnf) based systems
description:
- Locks package versions using the C(versionlock) plugin in C(dnf) based
systems. This plugin takes a set of name and versions for packages and
excludes all other versions of those packages. This allows you to for example
protect packages from being updated by newer versions. The state of the
plugin that reflects locking of packages is the C(locklist).
extends_documentation_fragment:
- community.general.attributes
attributes:
check_mode:
support: partial
details:
- The logics of the C(versionlock) plugin for corner cases could be
confusing, so please take in account that this module will do its best to
give a C(check_mode) prediction on what is going to happen. In case of
doubt, check the documentation of the plugin.
- Sometimes the module could predict changes in C(check_mode) that will not
be such because C(versionlock) concludes that there is already a entry in
C(locklist) that already matches.
diff_mode:
support: none
options:
name:
description:
- Package name spec to add or exclude to or delete from the C(locklist)
using the format expected by the C(dnf repoquery) command.
- This parameter is mutually exclusive with O(state=clean).
type: list
required: false
elements: str
default: []
raw:
description:
- Do not resolve package name specs to NEVRAs to find specific version
to lock to. Instead the package name specs are used as they are. This
enables locking to not yet available versions of the package.
type: bool
default: false
state:
description:
- Whether to add (V(present) or V(excluded)) to or remove (V(absent) or
V(clean)) from the C(locklist).
- V(present) will add a package name spec to the C(locklist). If there is a
installed package that matches, then only that version will be added.
Otherwise, all available package versions will be added.
- V(excluded) will add a package name spec as excluded to the
C(locklist). It means that packages represented by the package name
spec will be excluded from transaction operations. All available
package versions will be added.
- V(absent) will delete entries in the C(locklist) that match the
package name spec.
- V(clean) will delete all entries in the C(locklist). This option is
mutually exclusive with O(name).
choices: [ 'absent', 'clean', 'excluded', 'present' ]
type: str
default: present
notes:
- In an ideal world, the C(versionlock) plugin would have a dry-run option to
know for sure what is going to happen. So far we have to work with a best
guess as close as possible to the behaviour inferred from its code.
- For most of cases where you want to lock and unlock specific versions of a
package, this works fairly well.
requirements:
- dnf
- dnf-plugin-versionlock
author:
- Roberto Moreda (@moreda) <moreda@allenta.com>
'''
EXAMPLES = r'''
- name: Prevent installed nginx from being updated
community.general.dnf_versionlock:
name: nginx
state: present
- name: Prevent multiple packages from being updated
community.general.dnf_versionlock:
name:
- nginx
- haproxy
state: present
- name: Remove lock from nginx to be updated again
community.general.dnf_versionlock:
package: nginx
state: absent
- name: Exclude bind 32:9.11 from installs or updates
community.general.dnf_versionlock:
package: bind-32:9.11*
state: excluded
- name: Keep bash package in major version 4
community.general.dnf_versionlock:
name: bash-0:4.*
raw: true
state: present
- name: Delete all entries in the locklist of versionlock
community.general.dnf_versionlock:
state: clean
'''
RETURN = r'''
locklist_pre:
description: Locklist before module execution.
returned: success
type: list
elements: str
sample: [ 'bash-0:4.4.20-1.el8_4.*', '!bind-32:9.11.26-4.el8_4.*' ]
locklist_post:
description: Locklist after module execution.
returned: success and (not check mode or state is clean)
type: list
elements: str
sample: [ 'bash-0:4.4.20-1.el8_4.*' ]
specs_toadd:
description: Package name specs meant to be added by versionlock.
returned: success
type: list
elements: str
sample: [ 'bash' ]
specs_todelete:
description: Package name specs meant to be deleted by versionlock.
returned: success
type: list
elements: str
sample: [ 'bind' ]
'''
from ansible.module_utils.basic import AnsibleModule
import fnmatch
import os
import re
DNF_BIN = "/usr/bin/dnf"
VERSIONLOCK_CONF = "/etc/dnf/plugins/versionlock.conf"
# NEVRA regex.
NEVRA_RE = re.compile(r"^(?P<name>.+)-(?P<epoch>\d+):(?P<version>.+)-"
r"(?P<release>.+)\.(?P<arch>.+)$")
def do_versionlock(module, command, patterns=None, raw=False):
patterns = [] if not patterns else patterns
raw_parameter = ["--raw"] if raw else []
# Call dnf versionlock using a just one full NEVR package-name-spec each
# time because multiple package-name-spec and globs are not well supported.
#
# This is a workaround for two alleged bugs in the dnf versionlock plugin:
# * Multiple package-name-spec arguments don't lock correctly
# (https://bugzilla.redhat.com/show_bug.cgi?id=2013324).
# * Locking a version of a not installed package disallows locking other
# versions later (https://bugzilla.redhat.com/show_bug.cgi?id=2013332)
#
# NOTE: This is suboptimal in terms of performance if there are more than a
# few package-name-spec patterns to lock, because there is a command
# execution per each. This will improve by changing the strategy once the
# mentioned alleged bugs in the dnf versionlock plugin are fixed.
if patterns:
outs = []
for p in patterns:
rc, out, err = module.run_command(
[DNF_BIN, "-q", "versionlock", command] + raw_parameter + [p],
check_rc=True)
outs.append(out)
out = "\n".join(outs)
else:
rc, out, err = module.run_command(
[DNF_BIN, "-q", "versionlock", command], check_rc=True)
return out
# This is equivalent to the _match function of the versionlock plugin.
def match(entry, pattern):
entry = entry.lstrip('!')
if entry == pattern:
return True
m = NEVRA_RE.match(entry)
if not m:
return False
for name in (
'%s' % m["name"],
'%s.%s' % (m["name"], m["arch"]),
'%s-%s' % (m["name"], m["version"]),
'%s-%s-%s' % (m["name"], m["version"], m["release"]),
'%s-%s:%s' % (m["name"], m["epoch"], m["version"]),
'%s-%s-%s.%s' % (m["name"], m["version"], m["release"], m["arch"]),
'%s-%s:%s-%s' % (m["name"], m["epoch"], m["version"], m["release"]),
'%s:%s-%s-%s.%s' % (m["epoch"], m["name"], m["version"], m["release"],
m["arch"]),
'%s-%s:%s-%s.%s' % (m["name"], m["epoch"], m["version"], m["release"],
m["arch"])
):
if fnmatch.fnmatch(name, pattern):
return True
return False
def get_packages(module, patterns, only_installed=False):
packages_available_map_name_evrs = {}
rc, out, err = module.run_command(
[DNF_BIN, "-q", "repoquery"] +
(["--installed"] if only_installed else []) +
patterns,
check_rc=True)
for p in out.split():
# Extract the NEVRA pattern.
m = NEVRA_RE.match(p)
if not m:
module.fail_json(
msg="failed to parse nevra for %s" % p,
rc=rc, out=out, err=err)
evr = "%s:%s-%s" % (m["epoch"],
m["version"],
m["release"])
packages_available_map_name_evrs.setdefault(m["name"], set())
packages_available_map_name_evrs[m["name"]].add(evr)
return packages_available_map_name_evrs
def main():
module = AnsibleModule(
argument_spec=dict(
name=dict(type="list", elements="str", default=[]),
raw=dict(type="bool", default=False),
state=dict(type="str", default="present",
choices=["present", "absent", "excluded", "clean"]),
),
supports_check_mode=True,
)
patterns = module.params["name"]
raw = module.params["raw"]
state = module.params["state"]
changed = False
msg = ""
# Check module pre-requisites.
if not os.path.exists(DNF_BIN):
module.fail_json(msg="%s was not found" % DNF_BIN)
if not os.path.exists(VERSIONLOCK_CONF):
module.fail_json(msg="plugin versionlock is required")
# Check incompatible options.
if state == "clean" and patterns:
module.fail_json(msg="clean state is incompatible with a name list")
if state != "clean" and not patterns:
module.fail_json(msg="name list is required for %s state" % state)
locklist_pre = do_versionlock(module, "list").split()
specs_toadd = []
specs_todelete = []
if state in ["present", "excluded"]:
if raw:
# Add raw patterns as specs to add.
for p in patterns:
if ((p if state == "present" else "!" + p)
not in locklist_pre):
specs_toadd.append(p)
else:
# Get available packages that match the patterns.
packages_map_name_evrs = get_packages(
module,
patterns)
# Get installed packages that match the patterns.
packages_installed_map_name_evrs = get_packages(
module,
patterns,
only_installed=True)
# Obtain the list of package specs that require an entry in the
# locklist. This list is composed by:
# a) the non-installed packages list with all available
# versions
# b) the installed packages list
packages_map_name_evrs.update(packages_installed_map_name_evrs)
for name in packages_map_name_evrs:
for evr in packages_map_name_evrs[name]:
locklist_entry = "%s-%s.*" % (name, evr)
if (locklist_entry if state == "present"
else "!%s" % locklist_entry) not in locklist_pre:
specs_toadd.append(locklist_entry)
if specs_toadd and not module.check_mode:
cmd = "add" if state == "present" else "exclude"
msg = do_versionlock(module, cmd, patterns=specs_toadd, raw=raw)
elif state == "absent":
if raw:
# Add raw patterns as specs to delete.
for p in patterns:
if p in locklist_pre:
specs_todelete.append(p)
else:
# Get patterns that match the some line in the locklist.
for p in patterns:
for e in locklist_pre:
if match(e, p):
specs_todelete.append(p)
if specs_todelete and not module.check_mode:
msg = do_versionlock(
module, "delete", patterns=specs_todelete, raw=raw)
elif state == "clean":
specs_todelete = locklist_pre
if specs_todelete and not module.check_mode:
msg = do_versionlock(module, "clear")
if specs_toadd or specs_todelete:
changed = True
response = {
"changed": changed,
"msg": msg,
"locklist_pre": locklist_pre,
"specs_toadd": specs_toadd,
"specs_todelete": specs_todelete
}
if not module.check_mode:
response["locklist_post"] = do_versionlock(module, "list").split()
else:
if state == "clean":
response["locklist_post"] = []
module.exit_json(**response)
if __name__ == "__main__":
main()
View git blame Copy permalink