Ansible troubleshooting - Error 403: package-latest

How to Solve the Ansible Error 403 package-latest

November 2, 2023

Introduction

Ansible is a powerful automation tool known for its role in provisioning, configuration management, and application deployment. Ensuring the integrity and stability of software installations is vital when managing packages through Ansible. To help you achieve this, Ansible provides a set of rules, including Rule 403, known as “package-latest.” This rule emphasizes the importance of controlled, safe package management practices, promoting predictability in your automation tasks.

Deciphering Rule 403 - “package-latest”

Rule 403, or “package-latest,” is a rule within Ansible’s comprehensive rule set that aims to establish best practices for managing packages using package manager modules, such as ansible.builtin.yum and ansible.builtin.apt. These modules allow users to configure how Ansible installs software on target systems.

The primary concern addressed by this rule is the use of the state parameter in package manager modules. In production environments, it is crucial to set the state to “present” and specify a target version for package installations. This practice ensures that packages are installed according to a predefined and tested version, adding a layer of control and predictability to your automation tasks.

Conversely, setting the state to “latest” is discouraged, as it not only installs the desired software but also initiates an update process that can lead to unintended consequences. The update process can result in performance degradation or the installation of additional packages, potentially causing service disruptions.

If your intention is to update packages to the latest version, this rule suggests using the update_only or only_upgrade parameter (depending on the package manager in use) and setting it to “true.” This practice ensures that only updates are applied without the introduction of unexpected packages.

Problematic Code

Let’s explore a problematic code snippet to understand how Rule 403, “package-latest,” can identify issues in your playbooks:

---
- name: Example playbook
  hosts: all
  tasks:
    - name: Install Ansible
      ansible.builtin.yum:
        name: ansible
        state: latest # <- Installs the latest package.

    - name: Install Ansible-lint
      ansible.builtin.pip:
        name: ansible-lint
      args:
        state: latest # <- Installs the latest package.

    - name: Install some-package
      ansible.builtin.package:
        name: some-package
        state: latest # <- Installs the latest package.

    - name: Install Ansible with update_only to false
      ansible.builtin.yum:
        name: sudo
        state: latest
        update_only: false # <- Updates and installs packages.

    - name: Install Ansible with only_upgrade to false
      ansible.builtin.apt:
        name: sudo
        state: latest
        only_upgrade: false # <- Upgrades and installs packages

In this code, the state parameter is set to “latest” across various package manager modules, including ansible.builtin.yum, ansible.builtin.pip, and ansible.builtin.package. This configuration can lead to the installation of unexpected package versions and additional packages, introducing unpredictability and potential service issues.

Output:

WARNING  Listing 5 violation(s) that are fatal
package-latest: Package installs should not use latest.
403.yml:5 Task/Handler: Install Ansible

package-latest: Package installs should not use latest.
403.yml:10 Task/Handler: Install Ansible-lint

package-latest: Package installs should not use latest.
403.yml:16 Task/Handler: Install some-package

package-latest: Package installs should not use latest.
403.yml:21 Task/Handler: Install Ansible with update_only to false

package-latest: Package installs should not use latest.
403.yml:27 Task/Handler: Install Ansible with only_upgrade to false

Read documentation for instructions on how to ignore specific rule violations.

              Rule Violation Summary               
 count tag            profile rule associated tags 
     5 package-latest safety  idempotency          

Failed: 5 failure(s), 0 warning(s) on 1 files. Last profile that met the validation criteria was 'moderate'. Rating: 2/5 star

The Best Resources For Ansible

Certifications

• The Linux Foundation Linux Performance Tuning - Build a broad toolkit to optimize Linux performance from the kernel up

• Coursera Pro - Unlimited access to 7,000+ world-class courses, hands-on projects, and job-ready certificate programs—all included in your subscription

Video Course

• Udemy: Learn Ansible Automation in 250+examples & practical lessons: Learn Ansible with some real-life examples of how to use the most common modules and Ansible Playbook

Printed Book

• Ansible For VMware by Examples
  Buy on Amazon Buy on Apress
• Ansible for Kubernetes by Example
  Buy on Amazon Buy on Apress
• Hands-on Ansible Automation
  Buy on Amazon Buy on BPB
• Red Hat Ansible Automation Platform
  Buy on Amazon Buy on BPB

eBooks

• Buy on Leanpub Ansible by Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps
• Buy on Leanpub Ansible Cookbook: A Comprehensive Guide to Unleashing the Power of Ansible via Best Practices, Troubleshooting, and Linting Rules with Luca Berton
• Buy on Leanpub Terraform By Example: A Practical Approach for Beginners to Learn Cloud Infrastructure with Terraform
• Buy on Leanpub Ansible For Windows By Examples: 50+ Automation Examples For Windows System Administrator And DevOps
• Buy on Leanpub Ansible For Linux by Examples: 100+ Automation Examples For Linux System Administrator and DevOps
• Buy on Leanpub Ansible Linux Filesystem By Examples: 40+ Automation Examples on Linux File and Directory Operation for Modern IT Infrastructure
• Buy on Leanpub Ansible For Security by Examples: 100+ Automation Examples to Automate Security and Verify Compliance for IT Modern Infrastructure
• Buy on Leanpub Ansible Tips and Tricks: 10+ Ansible Examples to Save Time and Automate More Tasks
• Buy on Leanpub Ansible Linux Users & Groups By Examples: 20+ Automation Examples on Linux Users and Groups Operation for Modern IT Infrastructure
• Buy on Leanpub Ansible For PostgreSQL by Examples: 10+ Examples To Automate Your PostgreSQL database
• Buy on Leanpub Ansible For Amazon Web Services AWS By Examples: 10+ Examples To Automate Your AWS Modern Infrastructure
• Buy on Leanpub Ansible Automation Platform By Example: A step-by-step guide for the most common user scenarios

Correct Code

To address the issues highlighted by Rule 403, the correct code should adopt the following best practices:

---
- name: Example playbook
  hosts: all
  tasks:
    - name: Install Ansible
      ansible.builtin.yum:
        name: ansible-2.12.7.0
        state: present # <- Pins the version to install with yum.

    - name: Install Ansible-lint
      ansible.builtin.pip:
        name: ansible-lint
      args:
        state: present
        version: 5.4.0 # <- Pins the version to install with pip.

    - name: Install some-package
      ansible.builtin.package:
        name: some-package
        state: present # <- Ensures the package is installed.

    - name: Update Ansible with update_only to true
      ansible.builtin.yum:
        name: sudo
        state: latest
        update_only: true # <- Updates but does not install additional packages.

    - name: Install Ansible with only_upgrade to true
      ansible.builtin.apt:
        name: sudo
        state: latest
        only_upgrade: true # <- Upgrades but does not install additional packages.

In this improved code, the state parameter is set to “present,” and specific version identifiers are used for different package installations. By doing so, the playbook ensures that software is installed to predefined versions, adding a layer of control and predictability to your automation tasks.

Implementing Rule 403 - “package-latest”

Rule 403, “package-latest,” provides critical guidance for maintaining safe and controlled package management practices in Ansible. By following this rule, you can safeguard your automation tasks against unpredictability and ensure the reliable installation of software on target systems. In production environments, embracing predictability is essential to minimize the risk of service disruptions and maintain the integrity of your infrastructure.

In cases where updating packages to the latest version is intentional, the use of the update_only or only_upgrade parameter allows you to strike a balance between flexibility and stability

Academy

Learn the Ansible automation technology with some real-life examples in my Learn Ansible automation in 250+ examples & practical lessons

My book Ansible By Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps

Donate

Want to keep this project going? Please donate

Patreon Buy me a Pizza