8

I use puppet to manage a bunch of Debian servers at work; part of that includes installing packages. One package I install on several systems is nmap, which is used to verify that firewall rules are set up properly. On Debian 7.0, if you have APT::Install-Recommends enabled you get a whole bunch of crap along with nmap (see below).

I don't want all the crap that installing nmap with recommends enabled includes. One solution would be to update my apt configuration with APT::Install-Recommends "0";. But I don't want to have this be the default. The majority of the time I want recommends included. The recommended packages are mostly fine, and I am not getting tons of stuff I don't need. But there are a few packages that are bringing things I don't want/need.

  package { 'nmap':
    ensure => installed,
    require => Class['apt'],
  }

Is there any method to control if recommends are installed via puppet when using the 'apt' package provider? I do not want to mess around with the aptitude provider since apt and aptitude are not entirely compatible with each other.

With Recommends

root@fw-01:~# apt-get install nmap
Reading package lists... Done
Building dependency tree       
Reading state information... Done
... 
The following NEW packages will be installed:
  fonts-droid fonts-liberation ghostscript gnuplot gnuplot-nox groff gsfonts
  imagemagick imagemagick-common libblas3 libblas3gf libcroco3 libcupsimage2
  libdjvulibre-text libdjvulibre21 libexiv2-12 libgfortran3 libgs9
  libgs9-common libijs-0.35 libilmbase6 libjbig2dec0 liblcms1 liblcms2-2
  liblensfun-data liblensfun0 liblinear-tools liblinear1 liblqr-1-0
  libmagickcore5 libmagickcore5-extra libmagickwand5 libnetpbm10 libopenexr6
  libpaper-utils libpaper1 librsvg2-2 librsvg2-common libsvm-tools libwmf0.2-7
  netpbm nmap poppler-data psutils ufraw-batch
0 upgraded, 45 newly installed, 0 to remove and 0 not upgraded.
Need to get 32.0 MB of archives.
After this operation, 93.8 MB of additional disk space will be used.
Do you want to continue [Y/n]? 

Without Recommends

root@fw-01:~# apt-get --no-install-recommends install nmap
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  libblas3 libblas3gf libgfortran3 liblinear1
Suggested packages:
  liblinear-dev
Recommended packages:
  liblinear-tools
The following NEW packages will be installed:
  libblas3 libblas3gf libgfortran3 liblinear1 nmap
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,405 kB of archives.
After this operation, 17.4 MB of additional disk space will be used.
Do you want to continue [Y/n]?
Zoredache

2 Answers

11

This is now possible via the "install_options" setting in the Puppet 'package' type: https://puppet.com/docs/puppet/latest/types/package.html#package-attribute-install_options

For example:

package { 'nmap':
  ensure          => installed,
  install_options => ['--no-install-recommends'],
}

The above ensures the "--no-install-recommends" option is passed to apt-get, which skips the recommended packages just for this install: http://manpages.ubuntu.com/manpages/precise/man8/apt-get.8.html

рüффп
Tim Donohue
3

I have found the following solutions so far, but they are not ideal.

Wait until a recently added patch makes it into a released version and upgrade.

  • PRO: this is the right way
  • CON: I have to wait, or locally patch my setup.

Simply use an exec to install instead of package, and use an exec.

  • PRO: simple to do if you don't worry about error checking.
  • CON: It takes a pretty complex command line to install, not automatically upgrade, and gracefully handle installation errors.

Globally update my apt configuration, and spend the time to find all the missing stuff and adjust my manifests to also install packages I wanted that only get installed by being recommended.

  • PRO: my manifests are more specific, and more precisely reflect the state of a system
  • CON: Fixing my manifests/configs to reflect this new reality will take a non-trivial amount of time/effort.

Set the APT_CONFIG environment variable before running puppet.

  • PRO: easy to set, if you are using cron initiated puppet
  • PRO: doesn't change behavior for any manual usage of apt
  • CON: easy to forget to set it when manually running APT for testing purposes.
  • CON: you have to fix all the manifests, just like if you update the global configuration.
Zoredache
  • 2
    How about writing a [custom provider](http://docs.puppetlabs.com/guides/provider_development.html) using the apt provider as a parent, and add the required flags there? Either that, or write a manifest for the puppetmaster to exec the patch command unless there's evidence it's already been applied. – Mike Renfro Jun 06 '13 at 00:36
  • @MikeRenfro that isn't out of the question, but I am not particularly familiar with ruby. – Zoredache Jun 06 '13 at 22:42
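
An added example (not part of the original question or answers): a shell helper that compares two apt-get transcripts and lists the packages pulled in only by Recommends, which is the inventory needed before disabling recommends globally or per package as discussed above. The function names `new_packages` and `recommends_only` are hypothetical; the sample transcripts are taken from the question's output and trimmed to the relevant lines.

```shell
#!/bin/sh
# Print the names listed under "The following NEW packages will be installed:"
# from an apt-get transcript on stdin, one per line, sorted and unique.
new_packages() {
    awk '
        /^The following NEW packages will be installed:/ { grab = 1; next }
        grab && /^ / { for (i = 1; i <= NF; i++) print $i; next }
        grab         { grab = 0 }   # first unindented line ends the list
    ' | LC_ALL=C sort -u
}

# recommends_only WITH WITHOUT: packages present in the first transcript but
# absent from the second, i.e. installed only because of Recommends.
recommends_only() {
    with=$(mktemp); without=$(mktemp)
    printf '%s\n' "$1" | new_packages > "$with"
    printf '%s\n' "$2" | new_packages > "$without"
    LC_ALL=C comm -23 "$with" "$without"
    rm -f "$with" "$without"
}

# Sample input: the two transcripts from the question, trimmed.
WITH_RECOMMENDS='The following NEW packages will be installed:
  fonts-droid fonts-liberation ghostscript gnuplot gnuplot-nox groff gsfonts
  imagemagick imagemagick-common libblas3 libblas3gf libcroco3 libcupsimage2
  libdjvulibre-text libdjvulibre21 libexiv2-12 libgfortran3 libgs9
  libgs9-common libijs-0.35 libilmbase6 libjbig2dec0 liblcms1 liblcms2-2
  liblensfun-data liblensfun0 liblinear-tools liblinear1 liblqr-1-0
  libmagickcore5 libmagickcore5-extra libmagickwand5 libnetpbm10 libopenexr6
  libpaper-utils libpaper1 librsvg2-2 librsvg2-common libsvm-tools libwmf0.2-7
  netpbm nmap poppler-data psutils ufraw-batch
0 upgraded, 45 newly installed, 0 to remove and 0 not upgraded.'

WITHOUT_RECOMMENDS='The following extra packages will be installed:
  libblas3 libblas3gf libgfortran3 liblinear1
Recommended packages:
  liblinear-tools
The following NEW packages will be installed:
  libblas3 libblas3gf libgfortran3 liblinear1 nmap
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.'

# Print the packages that only the Recommends-enabled install would add.
recommends_only "$WITH_RECOMMENDS" "$WITHOUT_RECOMMENDS"
```

On a live host the two arguments can come from `apt-get -s install nmap` and `apt-get -s --no-install-recommends install nmap`, which simulate the install without changing the system.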