community.general.dnf_versionlock module – Locks package versions in dnf based systems

Note

This module is part of the community.general collection (version 6.6.2).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: community.general.dnf_versionlock.

New in community.general 4.0.0

Synopsis

  • Locks package versions using the versionlock plugin in dnf based systems. This plugin takes a set of name and versions for packages and excludes all other versions of those packages. This allows you to for example protect packages from being updated by newer versions. The state of the plugin that reflects locking of packages is the locklist.

Requirements

The below requirements are needed on the host that executes this module.

  • dnf

  • dnf-plugin-versionlock

Parameters

Parameter

Comments

name

list / elements=string

Package name spec to add or exclude to or delete from the locklist using the format expected by the dnf repoquery command.

This parameter is mutually exclusive with state=clean.

Default: []

raw

boolean

Do not resolve package name specs to NEVRAs to find specific version to lock to. Instead the package name specs are used as they are. This enables locking to not yet available versions of the package.

Choices:

  • false ← (default)

  • true

state

string

Whether to add (present or excluded) to or remove (absent or clean) from the locklist.

present will add a package name spec to the locklist. If there is a installed package that matches, then only that version will be added. Otherwise, all available package versions will be added.

excluded will add a package name spec as excluded to the locklist. It means that packages represented by the package name spec will be excluded from transaction operations. All available package versions will be added.

absent will delete entries in the locklist that match the package name spec.

clean will delete all entries in the locklist. This option is mutually exclusive with name.

Choices:

  • "absent"

  • "clean"

  • "excluded"

  • "present" ← (default)

Attributes

Attribute

Support

Description

check_mode

Support: partial

The logics of the versionlock plugin for corner cases could be confusing, so please take in account that this module will do its best to give a check_mode prediction on what is going to happen. In case of doubt, check the documentation of the plugin.

Sometimes the module could predict changes in check_mode that will not be such because versionlock concludes that there is already a entry in locklist that already matches.

Can run in check_mode and return changed status prediction without modifying target.

diff_mode

Support: none

Will return details on what has changed (or possibly needs changing in check_mode), when in diff mode.

Notes

Note

  • In an ideal world, the versionlock plugin would have a dry-run option to know for sure what is going to happen. So far we have to work with a best guess as close as possible to the behaviour inferred from its code.

  • For most of cases where you want to lock and unlock specific versions of a package, this works fairly well.

Examples

- name: Prevent installed nginx from being updated
  community.general.dnf_versionlock:
    name: nginx
    state: present

- name: Prevent multiple packages from being updated
  community.general.dnf_versionlock:
    name:
      - nginx
      - haproxy
    state: present

- name: Remove lock from nginx to be updated again
  community.general.dnf_versionlock:
    package: nginx
    state: absent

- name: Exclude bind 32:9.11 from installs or updates
  community.general.dnf_versionlock:
    package: bind-32:9.11*
    state: excluded

- name: Keep bash package in major version 4
  community.general.dnf_versionlock:
    name: bash-0:4.*
    raw: true
    state: present

- name: Delete all entries in the locklist of versionlock
  community.general.dnf_versionlock:
    state: clean

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

locklist_post

list / elements=string

Locklist after module execution.

Returned: success and (not check mode or state is clean)

Sample: ["bash-0:4.4.20-1.el8_4.*"]

locklist_pre

list / elements=string

Locklist before module execution.

Returned: success

Sample: ["bash-0:4.4.20-1.el8_4.*", "!bind-32:9.11.26-4.el8_4.*"]

specs_toadd

list / elements=string

Package name specs meant to be added by versionlock.

Returned: success

Sample: ["bash"]

specs_todelete

list / elements=string

Package name specs meant to be deleted by versionlock.

Returned: success

Sample: ["bind"]

Authors

  • Roberto Moreda (@moreda)