7

I have a few dozens of Debian boxes which I want to keep up to date in a deterministic fashion, and also follow the Engineering => Pre-Prod => Prod routine with a deterministic staging process.

Ideal world for me would be to have some sort of 'patch level ID' at hand, like 2022-01-10.e28de15cc1 and be able to say apt upgrade --to 2022-01-10.e28de15cc1, but I've not found anything remotely similar.

I probably can hash the output of apt list --installed after upgrading the first box and simulate the concept, but am really wondering why no one has done it, is my mental model of keeping penguins tidy completely off here?

bobah
  • 171
  • 2

2 Answers2

8

As far as I know, an apt repository does not have a global ID referring to a certain version numbers of all packages. You could create a list of package versions, distribute it to all servers, and create a script to fetch those specific versions. But such a script is "error-prone", and you get in trouble if that specific version has been deleted from the repository.

The easiest way to achieve this is probably if you would setup your own repository (or three, if you'd like to keep engineering / pre-prod / prod at different levels), and whenever you'd like to update, you'd have to update the repo server first, and afterwards the connected servers...

Cristopher
  • 103
  • 4
Martin
  • 2,194
  • 7
  • 16
  • Right now I run it with a JFrog apt proxy to have deterministic cut lines. But feels really backwards. – bobah Jan 09 '22 at 11:50
0

I suspect that in practice - most people don't need 'all' their packages at a precise/'deterministic' upgrade level. They need some critical ones and the tools exist to do that.

That said, hashing the output of apt list --installed is probably the 'right' first step.

For 'local'/testing use, apt will let you install a specific version with apt-get install packagename=version and you can hold the package. This is probably not the right approach when its a large number of systems

While I (vaguely) recall legacy unixes and other OSes having patch levels, with the internet, and distributed software development, It makes a lot less sense. The tools do however exist for one to build a deterministic system build tho.

The right way would be to use your config management tool, then use that to install specific versions of software for that role. Ansible will do it, for example.

Journeyman Geek
  • 6,977
  • 3
  • 32
  • 50
  • I don’t care much what specific versions are for most of the packages, but I care that what I’ve tested in the engineering lab is EXACTLY the same as pre-prod and later prod. Ansible can help it look declarative and obfuscate the fact of apt-get presence, but it does not make any difference other that. Patch level is not “old days”, it’s just an overall version of the package repository (like commit ID in svn or commit hash in Git). It would be extremely useful. – bobah Jan 10 '22 at 00:30