aboutsummaryrefslogtreecommitdiff
path: root/README
blob: 72afcfc850c032e3aeea538fbab8088416b8df92 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
forked from https://labs.riseup.net/code/projects/show/module-apt


Overview
========

This module manages apt on Debian.

It keeps dpkg's and apt's databases as well as the keyrings for securing
package download current.

backports.org is added and an archive key is provided[1].

dselect is switched to expert mode to suppress superfluous help screens.

sources.list and apt_preferences are managed. Testing and unstable are pinned to
very low values by default to prevent accidental upgrades.

This module needs lsb-release installed.


Variables
=========

$apt_clean
----------
Sets DSelect::Clean, defaults to 'auto' on normal hosts and 'pre-auto'
in vservers, since the latter are usually more space-bound and have
better recovery mechanisms via the host:

From apt.conf(5), 0.7.2: 
     "Cache Clean mode; this value may be one of always, prompt, auto,
     pre-auto and never. always and prompt will remove all packages
     from the cache after upgrading, prompt (the default) does so
     conditionally.  auto removes only those packages which are no
     longer downloadable (replaced with a new version for
     instance). pre-auto performs this action before downloading new
     packages."


$lsbdistcodename
---------------- 	
Contains the codename ("etch", "lenny", ...) of the client's
release. While these values come from lsb-release by default, this
value can be set manually too, e.g. to enable forced upgrades

$custom_sources_list
--------------------
By default this module will use a basic apt/sources.list with a
generic debian mirror. If you need to set more specific sources,
e.g. for country proximity, proxies, etc. you can set this variable to
the location of your sources.list template.  For example, setting the
following variable before including this class will pull in the
templates/apt/sources.list file: 
$custom_sources_list ='template("apt/sources.list")'
		       
$custom_preferences	
--------------------
By default this module will use a basic apt/preferences file with
unstable and testing pinned to very low values so that any package
installation will not accidentally pull in packages from those suites
unless you explicitly specify the version number. You can set this
variable to pull in a customized apt/preferences template, for
example, setting the following variable before including this class
will pull in the templates/apt/preferences file: 
$custom_preferences = 'template("apt/preferences")'

$custom_key_dir
---------------
If you have different apt-key files that you want to get added to your
apt keyring, you can set this variable to a path in your fileserver
where individual key files can be placed. If this is set and keys
exist there, this module will apt-key add each key

$backports_enabled
------------------
If set to true, the debian backports repository is enabled through a 
file in /etc/apt/sources.d/. Defaults to false.

$apt_deb_src_enabled
--------------------
If set to true, the debian sources repository is enabled through a 
file in /etc/apt/sources.d/. Defaults to false.


Classes
=======
apt
---
Sets up the basic apt package management.

apt::unattended_upgrades
------------------------
Sets up the unattended-upgrades package, and configures it mostly through 
the file /etc/apt/apt.conf.d/50unattended-upgrades.
Unfortunately there seems to be a bug in unattended-upgrades <= 0.25.1 that 
wildcards aren't recognized, so use it with care !
http://packages.debian.org/de/lenny/unattended-upgrades


Resources
=========

File[apt_config]
----------------
Use this resource to depend on or add to a completed apt configuration

Exec[apt_updated]
-----------------
After this point, current packages can installed via apt, usually used
like this: 

Package { require => Exec[apt_updated] }

apt::preseeded_package
----------------------
This simplifies installation of packages that you wish to preseed the
answers to debconf. For example, if you wish to provide a preseed file
for the locales package, you would place the locales.seed file in 
templates/$debian_version/locales.seeds and then include the following
in your manifest:

apt::preseeded_package { locales: }

apt::upgrade_package
--------------------
This simplifies upgrades for DSA security announcements or point-releases. This
will ensure that the named package is upgrade to the version specified, only if the
package is installed, otherwise nothing happens. If the specified version is 'latest' (the
default), then the package is ensured to be upgraded to the latest package revision when
it becomes available.  

For example, the following upgrades the perl package to version 5.8.8-7etch1 (if it is
installed), it also upgrades the syslog-ng and perl-modules packages to their latest (also,
only if they are installed):

upgrade_package { "perl":
			version => '5.8.8-7etch1';
		  "syslog-ng":
			version => latest;
		  "perl-modules":
}

TODO
====

Enable debian-archive-keyring handling for sarge, lenny and sid.

Enable selection of country-specific mirrors.

Currently this module updates the caches on every run. Running dselect update is
a expensive operation and should be done only on schedule by using apticron.
Sometimes -- especially when initially starting management or deploying new
packages -- a immediate update is really needed to be able to install the right
packages without errors. Thus a method should be devised to be able to specify
with high fidelity when a update should be run and when it is not needed.



[1] Of course, you should check the validity of _this_ key yourself.