Introduction

Ansible is a powerful automation tool known for its role in provisioning, configuration management, and application deployment. Ensuring the integrity and stability of software installations is vital when managing packages through Ansible. To help you achieve this, Ansible provides a set of rules, including Rule 403, known as "package-latest." This rule emphasizes the importance of controlled, safe package management practices, promoting predictability in your automation tasks.

Deciphering Rule 403 - "package-latest"

Rule 403, or "package-latest," is a rule within Ansible's comprehensive rule set that aims to establish best practices for managing packages using package manager modules, such as ansible.builtin.yum and ansible.builtin.apt. These modules allow users to configure how Ansible installs software on target systems.

The primary concern addressed by this rule is the use of the state parameter in package manager modules. In production environments, it is crucial to set the state to "present" and specify a target version for package installations. This practice ensures that packages are installed according to a predefined and tested version, adding a layer of control and predictability to your automation tasks.

Conversely, setting the state to "latest" is discouraged, as it not only installs the desired software but also initiates an update process that can lead to unintended consequences. The update process can result in performance degradation or the installation of additional packages, potentially causing service disruptions.

If your intention is to update packages to the latest version, this rule suggests using the update_only or only_upgrade parameter (depending on the package manager in use) and setting it to "true." This practice ensures that only updates are applied without the introduction of unexpected packages.
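A simplified version of the check this rule describes, as an added example (not the rule's actual implementation). The function name, the sample tasks and the pinned version string are constructed for illustration; tasks are plain dictionaries, as a YAML parser would produce them.

```python
# Simplified sketch of the package-latest check (added example, not the
# rule's actual implementation). Tasks are dicts as a YAML parser yields them.

# Module -> parameter that limits state=latest to upgrades (None: no such guard
# assumed here). The module list is taken from the page's playbook.
UPGRADE_ONLY_PARAM = {
    "ansible.builtin.yum": "update_only",
    "ansible.builtin.apt": "only_upgrade",
    "ansible.builtin.package": None,
    "ansible.builtin.pip": None,
}

def _truthy(value):
    """YAML booleans arrive as bool; quoted values such as "yes" as str."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"true", "yes", "on", "1"}

def find_package_latest(tasks):
    """Return (task name, module) for each task that violates the rule."""
    findings = []
    for task in tasks:
        for module, guard in UPGRADE_ONLY_PARAM.items():
            if module not in task:
                continue
            # Parameters may sit under the module key or under "args:".
            # Free-form string arguments are not parsed in this sketch.
            direct = task[module] if isinstance(task[module], dict) else {}
            params = {**(task.get("args") or {}), **direct}
            if params.get("state") != "latest":
                continue
            if guard and _truthy(params.get(guard, False)):
                continue  # upgrade-only: nothing new gets installed
            findings.append((task.get("name", "<unnamed>"), module))
    return findings

SAMPLE_TASKS = [  # constructed input; the pinned version is made up
    {"name": "Pinned", "ansible.builtin.yum": {"name": "ansible-1.2.3", "state": "present"}},
    {"name": "Unpinned", "ansible.builtin.yum": {"name": "ansible", "state": "latest"}},
    {"name": "Via args", "ansible.builtin.pip": {"name": "ansible-lint"}, "args": {"state": "latest"}},
    {"name": "Upgrade only", "ansible.builtin.apt": {"name": "sudo", "state": "latest", "only_upgrade": True}},
    {"name": "Guard off", "ansible.builtin.apt": {"name": "sudo", "state": "latest", "only_upgrade": False}},
]

if __name__ == "__main__":
    for name, module in find_package_latest(SAMPLE_TASKS):
        print(f"package-latest: task {name!r} uses state=latest with {module}")
```

Run as a script, it reports the unpinned install, the task that sets the state through `args`, and the task whose upgrade-only guard is switched off.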

Problematic Code

Let's explore a problematic code snippet to understand how Rule 403, "package-latest," can identify issues in your playbooks:

```yaml
---
- name: Example playbook
  hosts: all
  tasks:
    - name: Install Ansible
      ansible.builtin.yum:
        name: ansible
        state: latest # <- Installs the latest package.

    - name: Install Ansible-lint
      ansible.builtin.pip:
        name: ansible-lint
      args:
        state: latest # <- Installs the latest package.

    - name: Install some-package
      ansible.builtin.package:
        name: some-package
        state: latest # <- Installs the latest package.

    - name: Install Ansible with update_only to false
      ansible.builtin.yum:
        name: sudo
        state: latest
        update_only: false # <- Updates and installs packages.

    - name: Install Ansible with only_upgrade to false
      ansible.builtin.apt:
        name: sudo
        state: latest
        only_upgrade: false # <- Upgrades and installs packages
```

In this code, the `state` parameter is set to "latest" across various packa