apt-get update and apt-get upgrade in Chef - linux

If package "nginx" in Chef gets translated into apt-get install nginx on an Ubuntu node, what can be written in a Chef recipe that would translate into:
apt-get -y update
apt-get -y upgrade
Couldn't figure out from the apt cookbook.

The Opscode "apt" cookbook's default recipe will run apt-get update to ensure that the package cache is updated. We recommend putting that early in your node's run list so later on packages can be installed with the correct versions.
We generally don't recommend that users use "apt-get upgrade" in a recipe, for a couple reasons.
apt-get may upgrade a package that has conflicting configuration or other issues that cannot be resolved without running the command again, or running other apt/dpkg commands manually.
Automated upgrades of all packages on the system can have unintended side effects on the running system (the edge cases are many and possibly thorny, so I can't cover them all).
Instead, use the "upgrade" action for packages that should always update to the latest version.
package "nginx" do
  action :upgrade
end
If you're reusing a cookbook that defines the cookbook, you can write a recipe that modifies the action of the existing resource, like this:
resources("package[nginx]").action(:upgrade)
The #resources method in a recipe will look up in the Resource Collection the specified resource (package nginx). Then sending the #action method with the argument :upgrade will tell Chef that the action should be to upgrade.
Edit Update: Do be careful when choosing packages that would be upgraded automatically in this way. An upstream change in a package can cause detrimental effects on the system. This is especially true if such a package does a restart of services it manages during the post installation scripts. Know your infrastructure, and if in doubt run your own package repository that has the critical packages you need for the application stack.

The Apt chef recipe will not update with every chef run. The attribute which controls this is called periodic_update_min_delay and is set to 86400 (The attribute should be called sec_delay). If the following file exists and is older than 24 hours apt will update the cache.
/var/lib/apt/periodic/update-success-stamp
It also appears that the apt recipe (default.rb) includes a directive to force an update which your recipe could call.
# For other recipes to call to force an update
execute 'apt-get update' do
If you're doing that though, you'll want a not_if to avoid running it too often at which point you might as well call it manually yourself. I got sick of messing with this and ended up just calling apt-get update in a stanza before my install.
execute "apt-get-update" do
  command "apt-get update"
end
I suspect the long-term solution for security updates is to set update delay to a few hours.
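The stamp-file check described in the answer above, written as a shell guard of the kind a not_if could call. This is an added example, not code from the apt cookbook or from the original answer; the function names are hypothetical, and treating a missing stamp as stale is an assumption.

```shell
#!/bin/sh
# Added example: decide whether the APT package lists need refreshing.

STAMP=/var/lib/apt/periodic/update-success-stamp

# apt_cache_is_stale [stamp] [max_age_seconds]
# Returns 0 (stale) when the stamp is missing or older than max_age_seconds,
# 1 (fresh) otherwise. Treating a missing stamp as stale is a choice made
# here so that a freshly built node always refreshes once.
apt_cache_is_stale() {
    stamp=${1:-$STAMP}
    max_age=${2:-86400}
    [ -e "$stamp" ] || return 0
    # find prints the path only if it was modified more than N minutes ago
    [ -n "$(find "$stamp" -mmin "+$((max_age / 60))" 2>/dev/null)" ]
}

# Refresh only when stale, and fail loudly if the refresh itself fails,
# so later package installs do not run against old lists.
apt_update_if_stale() {
    if apt_cache_is_stale "$@"; then
        apt-get update || { echo "apt-get update failed" >&2; return 1; }
    fi
}
```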

Related

What are the differences between apt clean/remove/purge etc. commands?

I am quite new to Linux and Apt package manager. I try to build my first docker image (write my first Dockerfile) based on other Dockerfiles written by co-workers for other projects. I came across these commands and however I tried to google them separately one-by-one, as a Linux newbie I still don't really understand what are the differences between them or which one should I use or should I use them all together?
This is a piece from the Dockerfile:
RUN rm -rf /var/lib/apt/lists/*; \
    apt-get purge -y --auto-remove; \
    apt-get autoremove; \
    apt-get clean;
Could you please explain briefly what is the difference?
The differences between the commands you mentioned are described as follows. Hope these can help you a little.
apt remove
remove is identical to install except that packages are removed instead of installed.
It will remove the binaries, but leave configuration files, data files, and dependencies installed with it on installation time untouched.
apt purge
purge is identical to remove except that packages are removed and purged (any configuration files are deleted too).
It will remove about everything regarding the package, but not the dependencies installed with it on installation, which is particularly useful when you want to “start all over” with an application because you messed up the configuration.
However, purge won’t touch configuration or data files inside the user’s home folder (e.g. /home/User/hiddenFolders). There is no easy way to get those removed as well.
Note that other tools like aptitude will only remember dependency information for packages that it has installed.
apt autoremove
autoremove is used to remove packages that were automatically installed to satisfy dependencies for other packages and are now no longer needed.
In other words, it will only go through the catalog and remove any leftover packages that were not directly installed and that are not required by packages that are installed. Say that you install apache, it will install a lot of libraries. If you remove apache, all these libraries will be left behind until you run autoremove.
The only thing you should watch for, is if you started using one of the dependencies say “Python” but never actually installed it yourself; then it will be removed.
apt clean
clean clears out the local repository of retrieved package files. It removes everything but the lock file from /var/cache/apt/archives/ and /var/cache/apt/archives/partial/.
apt autoclean
Like clean, autoclean clears out the local repository of retrieved package files. The difference is that it only removes package files that can no longer be downloaded, and are largely useless. This allows a cache to be maintained over a long period without it going out of control.
Extra
This part of the content is not closely related to the question, but I think it's necessary to give you some extra suggestions.
Do not remove files belonging to packages without using the package manager! It will get confused and is the wrong way to do things.
If you don’t know to which package a file belongs, try this:
dpkg -S /path/to/file
For some applications compiled from their source codes, the best way is to refer to its README, and remove it manually.

Docker: container cannot find local repo

I am trying to build a centos image, then run basic yum commands from a company network with no internet access. After successfully grabbing the centos artifact in step 1, next comes RUN yum update where the container tries to load plugins using http://mirrorlist.centos.org, and that obviously will not work. It cannot resolve that host because no web access. So, I get the error:
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
..."Could not resolve host http://mirrorlist.centos.org; Unknown error"
One of the configured repositories failed (Unknown),
and yum doesn't have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work "fix" this:
1. Contact the upstream for the repository and get them to fix the problem.
2. Reconfigure the baseurl/etc. for the repository, to point to a working
upstream. This is most often useful if you are using a newer
distribution release than is supported by the repository (and the
packages for the previous distribution release still work).
3. Run the command with the repository temporarily disabled
yum --disablerepo=<repoid> ...
4. Disable the repository permanently, so yum won't use it by default. Yum
will then just ignore the repository until you permanently enable it
again or use --enablerepo for temporary usage:
yum-config-manager --disable <repoid>
or
subscription-manager repos --disable=<repoid>
5. Configure the failing repository to be skipped, if it is unavailable.
Note that yum will try to contact the repo. when it runs most commands,
so will have to try and fail each time (and thus. yum will be be much
slower). If it is a very temporary problem though, this is often a nice
compromise:
yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true
Cannot find a valid baseurl for repo: base/7/x86_64
The command '/bin/sh -c yum update' returned a non-zero code: 1
I have a repo file in /etc/yum.repos.d that contains content described here. In that file, I have multiple local repo URLs. An [updates] entry has a baseurl for /updates. Is this entry supposed to be used by the container when I do a RUN yum update in my Dockerfile? How does the container know where to look for a local mirror repo or other repo?
Is there also an issue regarding localhost on the host vs. localhost in the container?
I have researched a dozen S.O. entries with no luck.
UPDATE: Dockerfile so far...
FROM path.to.repo/centos
RUN yum update
So, it errors upon yum update.
When you're creating images that can't reach the web but only the internal network, you must change the tools' configuration before trying to use them.
With yum, you have to remove the existing repos and replace them with yours before RUN yum update, something like this:
FROM path.to.repo/centos
RUN rm -rf /etc/yum.repos.d/*.repo
COPY myprivate.repo /etc/yum.repos.d/
# -y answers yum's confirmation prompt, which a non-interactive build cannot
RUN yum -y update
The file myprivate.repo must be defined in the same folder as your Dockerfile and must declare your repos.
Furthermore, the created image can now be used as a base image for all the other images you need to create.
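What a myprivate.repo for the Dockerfile above might contain, with a check to run before the build. This is an added example, not part of the original answer: repo.internal.example, the section names and both function names are placeholders, and requiring gpgcheck=1 in every section is an assumption about how the internal mirror should be trusted.

```shell
#!/bin/sh
# Added example: lint a yum .repo file before it is COPYed into an image.

# Constructed sample; repo.internal.example is a placeholder host.
write_sample_repo() {
    cat > "$1" <<'EOF'
[internal-base]
name=Internal CentOS 7 base
baseurl=http://repo.internal.example/centos/7/os/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[internal-updates]
name=Internal CentOS 7 updates
baseurl=http://repo.internal.example/centos/7/updates/x86_64/
enabled=1
gpgcheck=0
EOF
}

# Print one finding per problem; exit status 1 if any section fails.
# A section with no gpgcheck line is flagged too (assumption: the image
# should not depend on the [main] default in /etc/yum.conf).
lint_repo_file() {
    awk '
        function report(msg) { print section ": " msg; bad = 1 }
        function finish() {
            if (section == "" || section == "[main]") return
            if (!baseurl)   report("no baseurl")
            if (mirror)     report("mirrorlist/metalink still set")
            if (gpg != "1") report("gpgcheck is not 1")
        }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*$/    { next }
        /^[ \t]*\[/   { finish(); section = $0; baseurl = mirror = 0; gpg = ""; next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "baseurl") baseurl = 1
            else if (key == "mirrorlist" || key == "metalink") mirror = 1
            else if (key == "gpgcheck") gpg = val
        }
        END { finish(); exit bad }
    ' "$1"
}
```

On the constructed sample, lint_repo_file reports the [internal-updates] section and returns 1, which can be used to stop the build before docker build runs.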

Set proxy for terminal in linux

In CentOS 7, how can I connect the terminal through a "proxy with username and password" and use some command like:
yum update
For now, when I use this command I get this error:
Loaded plugins: fastestmirror, langpacks
Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os error was
14: curl#7 - "Failed to connect to 2a02:2498:1:3d:5054:ff:fed3:e91a: Network is unreachable"
One of the configured repositories failed (Unknown),
and yum doesn't have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work "fix" this:
1. Contact the upstream for the repository and get them to fix the problem.
2. Reconfigure the baseurl/etc. for the repository, to point to a working
upstream. This is most often useful if you are using a newer
distribution release than is supported by the repository (and the
packages for the previous distribution release still work).
3. Disable the repository, so yum won't use it by default. Yum will then
just ignore the repository until you permanently enable it again or use
--enablerepo for temporary usage:
yum-config-manager --disable <repoid>
4. Configure the failing repository to be skipped, if it is unavailable.
Note that yum will try to contact the repo. when it runs most commands,
so will have to try and fail each time (and thus. yum will be be much
slower). If it is a very temporary problem though, this is often a nice
compromise:
yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true
Cannot find a valid baseurl for repo: base/7/x86_64
yum uses HTTP so you need to set a http proxy for your environment.
Check this out: https://www.centos.org/docs/5/html/yum/sn-yum-proxy-server.html
Try to run the command and you will be connected to do upload or whatever you want.
Just add: dhclient and press Enter, then this command: yum update

How to programmatically detect package and OS releases on Ubuntu

From bash, what commands would I run to get a boolean value that indicates whether or not there are available package updates or operating system upgrades in Ubuntu?
I know how to run apt-get upgrade and apt-get dist-upgrade to actually perform the upgrades, but I can't find any easy way to detect when these options are available without using the --simulate argument and trying to parse stdout.
The command:
aptitude search '~U'
will list all available package updates. You can customize the output format with the -F option; see the manual for details on how.
I'm not aware of any direct equivalent for Ubuntu release updates.
(Relatedly, though, apt-get dist-upgrade does not upgrade to a newer release. It's the same concept as upgrade, just a little more aggressive about dealing with changing dependencies.)
Rephrasing my question in Google led me to this answer that lists the command simply as:
/usr/lib/update-notifier/apt-check
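A wrapper that turns the output of the apt-check helper named above into an exit status a script can branch on. This is an added example, not part of the original answers: it assumes apt-check reports "<updates>;<security updates>" on stderr, and the function names and return codes are choices made for the example.

```shell
#!/bin/sh
# Added example: turn apt-check output into an exit status for scripts.

APT_CHECK=${APT_CHECK:-/usr/lib/update-notifier/apt-check}

is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
}

# classify_apt_check "<updates>;<security>"
#   0 = nothing pending      1 = updates pending
#   2 = security updates     3 = output not understood
classify_apt_check() {
    updates=${1%%;*}
    security=${1#*;}
    # Rebuilding the string rejects input that has no ';' separator
    [ "$1" = "$updates;$security" ] || return 3
    is_uint "$updates" || return 3
    is_uint "$security" || return 3
    [ "$security" -eq 0 ] || return 2
    [ "$updates" -eq 0 ] || return 1
    return 0
}

# apt-check writes its result to stderr, so swap stderr into the capture.
pending_updates() {
    [ -x "$APT_CHECK" ] || return 3
    classify_apt_check "$("$APT_CHECK" 2>&1 >/dev/null)"
}
```

Keeping "not understood" as its own status means a failed check is never mistaken for "nothing pending".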

How to make Debian package install dependencies?

I want to make a simple Debian package to install a simple tool that depends on Qt4 libs.
In control file I have defined that it depends on Qt4 libs however, by the time I'm testing the package it says that the dependency could not be met.
Question:
How can I make Debian trigger apt to install the dependencies as well?
Can't find that in the documentation; however, I know that apt-get does that.
If you want to avoid creating a local APT repository, you can do:
dpkg -i mypackage.deb
# -f (--fix-broken) makes apt fetch the dependencies dpkg left unmet
apt-get install -f
If you do want to create a local repository, you can use reprepro for this.
If you install it via dpkg it won't work because dpkg doesn't know where to find additional dependencies. You could do it via apt-get if you build your own repo, but it's kind of time-consuming the first time (it's not difficult, just something "new" the first time that needs some time to be learnt).
On the other hand, and the solution you are probably looking for is gdebi (you may need to install it: apt-get install gdebi-core). It's a tool that checks the dependencies for a package and calls apt-get to fetch and install them, and then calls dpkg to install your package.
Per #textshell in this answer:
starting with apt 1.1 (available in Xenial (16.04), stretch) apt install also allows local files:
sudo apt install ./foo-1.2.3.deb
So much simpler and cleaner.
See the release announcement.
This will also install dependencies, just like a normal apt install or apt-get install.
If you're creating the Debian package, you specify its dependencies in the debian/ directory control files; I believe debian/control takes Depends: directives for that purpose.
I don't know the details too clearly, myself, but there are instructions at http://www.debian.org/doc/manuals/maint-guide/ ; in particular, http://www.debian.org/doc/manuals/maint-guide/dreq.en.html#control seems to be the right place to start looking.
One way would be to create a local package repository on your computer and add it to /etc/apt/sources.list. Then you could install the package from your local repository with apt-get and have the dependencies resolved automatically.
There's probably an easier way to do it, but I don't know what that would be.
