AnsiblePilot — Master Ansible Automation

AnsiblePilot is the leading resource for learning Ansible automation, DevOps, and infrastructure as code. Browse over 1,100 tutorials covering Ansible modules, playbooks, roles, collections, and real-world examples. Whether you are a beginner or an experienced engineer, our step-by-step guides help you automate Linux, Windows, cloud, containers, and network infrastructure.

Popular Topics

About Luca Berton

Luca Berton is an Ansible automation expert, author of "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example" published by Apress, and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible-Lint Error 403 package-latest: Fix State Latest Warning

By Luca Berton · Published 2024-01-01 · Category: installation

Fix ansible-lint Error 403 package-latest. Understand why state=latest is risky, when to use state=present, and how to pin package versions safely.

Introduction

Ansible is a powerful automation tool known for its role in provisioning, configuration management, and application deployment. Ensuring the integrity and stability of software installations is vital when managing packages through Ansible. To help you achieve this, Ansible provides a set of rules, including Rule 403, known as "package-latest." This rule emphasizes the importance of controlled, safe package management practices, promoting predictability in your automation tasks.

Deciphering Rule 403 - "package-latest"

Rule 403, or "package-latest," is a rule within Ansible's comprehensive rule set that aims to establish best practices for managing packages using package manager modules, such as ansible.builtin.yum and ansible.builtin.apt. These modules allow users to configure how Ansible installs software on target systems.

The primary concern addressed by this rule is the use of the state parameter in package manager modules. In production environments, it is crucial to set the state to "present" and specify a target version for package installations. This practice ensures that packages are installed according to a predefined and tested version, adding a layer of control and predictability to your automation tasks.

Conversely, setting the state to "latest" is discouraged, as it not only installs the desired software but also initiates an update process that can lead to unintended consequences. The update process can result in performance degradation or the installation of additional packages, potentially causing service disruptions.

If your intention is to update packages to the latest version, this rule suggests using the update_only or only_upgrade parameter (depending on the package manager in use) and setting it to "true." This practice ensures that only updates are applied without the introduction of unexpected packages.

Problematic Code

Let's explore a problematic code snippet to understand how Rule 403, "package-latest," can identify issues in your playbooks:

In this code, the state parameter is set to "latest" across various package manager modules, including ansible.builtin.yum, ansible.builtin.pip, and ansible.builtin.package. This configuration can lead to the installation of unexpected package versions and additional packages, introducing unpredictability and potential service issues.

Output:

Correct Code

To address the issues highlighted by Rule 403, the correct code should adopt the following best practices:

In this improved code, the state parameter is set to "present," and specific version identifiers are used for different package installations. By doing so, the playbook ensures that software is installed to predefined versions, adding a layer of control and predictability to your automation tasks.

Implementing Rule 403 - "package-latest"

Rule 403, "package-latest," provides critical guidance for maintaining safe and controlled package management practices in Ansible. By following this rule, you can safeguard your automation tasks against unpredictability and ensure the reliable installation of software on target systems. In production environments, embracing predictability is essential to minimize the risk of service disruptions and maintain the integrity of your infrastructure.

In cases where updating packages to the latest version is intentional, the use of the update_only or only_upgrade parameter allows you to strike a balance between flexibility and stability

The Error

Quick Fix

Why latest Is Risky

Pin Specific Versions

When latest IS Appropriate

Controlled Updates

Configure the Rule

FAQ

state=present doesn't install the latest version?

It installs whatever version your package manager resolves — typically the latest available. But it won't upgrade if already installed. That's the key difference.

How do I update packages safely?

Use a dedicated update playbook with apt: upgrade=safe or yum: name=* state=latest, run it intentionally (not as part of regular deploys).

What about rolling releases (pip, npm)?

Pin versions in requirements files (requirements.txt, package.json). Never use state: latest for application dependencies.

Related ArticlesAnsible when Conditional GuideAnsible Handlers Guide

Category: installation

Browse all Ansible tutorials · AnsiblePilot Home