From 0506f18b8a29ee68b82b775571da6248924ab6f9 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Thu, 16 Sep 2021 12:41:11 +0200 Subject: kubernetes/base: apt pinning vs package hold --- roles/kubernetes/base/tasks/main.yml | 23 +++++++++++++++++++---- roles/kubernetes/test-pods.url | 1 + 2 files changed, 20 insertions(+), 4 deletions(-) create mode 100644 roles/kubernetes/test-pods.url diff --git a/roles/kubernetes/base/tasks/main.yml b/roles/kubernetes/base/tasks/main.yml index 70be0d3a..892dda51 100644 --- a/roles/kubernetes/base/tasks/main.yml +++ b/roles/kubernetes/base/tasks/main.yml @@ -17,6 +17,21 @@ include_role: name: apt-repo/kubic-project +- name: generate apt pin files for kubelet and cri-tools + loop: + - name: kubelet + version: "{{ kubernetes_version }}-00" + - name: cri-tools + version: "{{ kubernetes_cri_tools_pkg_version }}" + loop_control: + label: "{{ item.name }} == {{ item.version }}" + copy: + dest: "/etc/apt/preferences.d/{{ item.name }}.pref" + content: | + Package: {{ item.name }} + Pin: version {{ item.version }} + Pin-Priority: 1001 + - name: install kubelet and common packages apt: name: @@ -25,17 +40,17 @@ - "kubelet={{ kubernetes_version }}-00" state: present force: yes - ## TODO: remove force once the following changes are available - ## https://github.com/ansible/ansible/pull/73629 or https://github.com/ansible/ansible/pull/72562 + ## TODO: remove force once the following change is available (ansible >= 5.0) ## https://github.com/ansible/ansible/pull/74852 -- name: disable automatic upgrades for kubelet and cri-tools + ## TODO: remove this when all machines are migrated to use pin files +- name: unhold packages (we now use APT pinning) loop: - kubelet - cri-tools dpkg_selections: name: "{{ item }}" - selection: hold + selection: install - name: configure endpoints for crictl copy: diff --git a/roles/kubernetes/test-pods.url b/roles/kubernetes/test-pods.url new file mode 100644 index 00000000..59404701 --- /dev/null 
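Review bot: The new `copy` task that writes `/etc/apt/preferences.d/{{ item.name }}.pref` sets no `owner`, `group` or `mode`, so the file's ownership and permissions depend on the connecting user and the remote umask rather than on the role. Files that decide which package version apt installs should have these set explicitly: add `owner: root`, `group: root` and `mode: "0644"` under `copy:`. The same applies to the pin-file tasks added for desktopvideo, mediaexpress, kubeadm/kubectl, containerd and docker in the later commits of this series.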
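Review bot: The reworded TODO above `force: yes` in the kubelet install task does not say that `force` on the apt module maps to `--force-yes` and implies `allow_unauthenticated`, so package signature checks are skipped on every run of this task. I would state that in the comment, e.g. `## NOTE: force also disables package authentication; switch to allow_downgrade as soon as ansible >= 5.0 is available`, so the TODO is tracked as a security item rather than cleanup. The pin file added in this commit does not compensate, since it only selects a version. The same `force: yes` sits in the install tasks touched for desktopvideo, mediaexpress, kubeadm, containerd and docker. The install task begins above the hunk.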
+++ b/roles/kubernetes/test-pods.url @@ -0,0 +1 @@ +https://k8s-examples.container-solutions.com/examples/Pod/Pod.html -- cgit v1.2.3 From dbfb3cab70153c47323de4e3f84340096e62ee35 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Thu, 16 Sep 2021 13:20:15 +0200 Subject: streaming/blackmagic/*: apt pinning vs package hold --- roles/kubernetes/base/tasks/main.yml | 3 ++- .../blackmagic/desktopvideo/tasks/main.yml | 27 ++++++++++++++++++---- .../blackmagic/mediaexpress/tasks/main.yml | 25 ++++++++++++++++---- 3 files changed, 44 insertions(+), 11 deletions(-) diff --git a/roles/kubernetes/base/tasks/main.yml b/roles/kubernetes/base/tasks/main.yml index 892dda51..72cad066 100644 --- a/roles/kubernetes/base/tasks/main.yml +++ b/roles/kubernetes/base/tasks/main.yml @@ -40,7 +40,8 @@ - "kubelet={{ kubernetes_version }}-00" state: present force: yes - ## TODO: remove force once the following change is available (ansible >= 5.0) + # allow_downgrade: yes + ## TODO: replace force with allow_downgrade once the following change is available (ansible >= 5.0) ## https://github.com/ansible/ansible/pull/74852 ## TODO: remove this when all machines are migrated to use pin files diff --git a/roles/streaming/blackmagic/desktopvideo/tasks/main.yml b/roles/streaming/blackmagic/desktopvideo/tasks/main.yml index 3ef7231e..98d2d28b 100644 --- a/roles/streaming/blackmagic/desktopvideo/tasks/main.yml +++ b/roles/streaming/blackmagic/desktopvideo/tasks/main.yml 
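Review bot: `roles/kubernetes/test-pods.url` is unrelated to the apt-pinning change named in the subject, and no task in this commit references it, so it looks like a stray working file. If it is meant to stay, it belongs in its own commit with a line saying what it is for; otherwise drop it from this one. Keeping role directories free of unreferenced files that point at external sites makes it easier to audit what the role actually uses.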
@@ -13,21 +13,38 @@ set_fact: blackmagic_desktopvideo_packages: "{{ ['desktopvideo'] | union(blackmagic_desktopvideo_include_gui | ternary(['desktopvideo-gui'], [])) }}" +- name: generate apt pin files for desktopvideo packages + when: blackmagic_desktopvideo_version is defined + loop: "{{ blackmagic_desktopvideo_packages }}" + copy: + dest: "/etc/apt/preferences.d/{{ item }}.pref" + content: | + Package: {{ item }} + Pin: version {{ blackmagic_desktopvideo_version }} + Pin-Priority: 1001 + +- name: remove apt pin files for desktopvideo packages + when: blackmagic_desktopvideo_version is not defined + loop: "{{ blackmagic_desktopvideo_packages }}" + file: + path: "/etc/apt/preferences.d/{{ item }}.pref" + state: absent + - name: install blackmagic desktopvideo packages apt: name: "{{ blackmagic_desktopvideo_packages | product(blackmagic_desktopvideo_version is defined | ternary(['=' + (blackmagic_desktopvideo_version | default(''))], [''])) | map('join') }}" state: present force: yes - ## TODO: remove force once the following changes are available - ## https://github.com/ansible/ansible/pull/73629 or https://github.com/ansible/ansible/pull/72562 + # allow_downgrade: yes + ## TODO: replace force with allow_downgrade once the following change is available (ansible >= 5.0) ## https://github.com/ansible/ansible/pull/74852 -- name: disable automatic upgrades for desktopvideo packages - when: blackmagic_desktopvideo_version is defined + ## TODO: remove this when all machines are migrated to use pin files +- name: unhold packages (we now use APT pinning) loop: "{{ blackmagic_desktopvideo_packages }}" dpkg_selections: name: "{{ item }}" - selection: hold + selection: install - name: install improved kill mode for DesktopVideoHelper (1/2) file: diff --git a/roles/streaming/blackmagic/mediaexpress/tasks/main.yml b/roles/streaming/blackmagic/mediaexpress/tasks/main.yml index 3b99b8d3..7cb771d9 100644 --- a/roles/streaming/blackmagic/mediaexpress/tasks/main.yml 
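Review bot: Both new pin-file tasks loop over the current `blackmagic_desktopvideo_packages`, so a host that once had `blackmagic_desktopvideo_include_gui` enabled keeps `/etc/apt/preferences.d/desktopvideo-gui.pref` after the flag is turned off, still pinning the GUI package to the version set at that time. If the GUI package remains installed, that leftover pin can later disagree with the version pinned for `desktopvideo`. The removal task could cover every name the role can produce and subtract the ones that should currently be pinned, as sketched below. The two package names are taken from the `set_fact` context line at the top of the hunk.

```yaml
# … unchanged: "generate apt pin files for desktopvideo packages" …
- name: remove stale apt pin files for desktopvideo packages
  loop: "{{ ['desktopvideo', 'desktopvideo-gui'] | difference((blackmagic_desktopvideo_version is defined) | ternary(blackmagic_desktopvideo_packages, [])) }}"
  file:
    path: "/etc/apt/preferences.d/{{ item }}.pref"
    state: absent
```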
+++ b/roles/streaming/blackmagic/mediaexpress/tasks/main.yml @@ -3,17 +3,32 @@ import_role: name: apt-repo/blackmagic +- name: generate apt pin files for blackmagic mediaexpress + when: blackmagic_mediaexpress_version is defined + copy: + dest: "/etc/apt/preferences.d/mediaexpress.pref" + content: | + Package: mediaexpress + Pin: version {{ blackmagic_mediaexpress_version }} + Pin-Priority: 1001 + +- name: remove apt pin files for blackmagic mediaexpress + when: blackmagic_mediaexpress_version is not defined + file: + path: "/etc/apt/preferences.d/mediaexpress.pref" + state: absent + - name: install blackmagic mediaexpress apt: name: "mediaexpress{% if blackmagic_mediaexpress_version is defined %}={{ blackmagic_mediaexpress_version }}{% endif %}" state: present force: yes - ## TODO: remove force once the following changes are available - ## https://github.com/ansible/ansible/pull/73629 or https://github.com/ansible/ansible/pull/72562 + # allow_downgrade: yes + ## TODO: replace force with allow_downgrade once the following change is available (ansible >= 5.0) ## https://github.com/ansible/ansible/pull/74852 -- name: disable automatic upgrades for mediaexpress - when: blackmagic_mediaexpress_version is defined + ## TODO: remove this when all machines are migrated to use pin files +- name: unhold packages (we now use APT pinning) dpkg_selections: name: mediaexpress - selection: hold + selection: install -- cgit v1.2.3 From 84c7fef5537caeaf9150d7547bca354e714672a2 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Thu, 16 Sep 2021 13:28:04 +0200 Subject: kubernetes/kubeadm/base: apt pinning vs package hold --- roles/kubernetes/kubeadm/base/tasks/main.yml | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/roles/kubernetes/kubeadm/base/tasks/main.yml b/roles/kubernetes/kubeadm/base/tasks/main.yml index 0fab7845..abc0f3af 100644 --- a/roles/kubernetes/kubeadm/base/tasks/main.yml +++ b/roles/kubernetes/kubeadm/base/tasks/main.yml 
@@ -1,4 +1,15 @@ --- +- name: generate apt pin files for kubeadm and kubectl + loop: + - kubeadm + - kubectl + copy: + dest: "/etc/apt/preferences.d/{{ item }}.pref" + content: | + Package: {{ item }} + Pin: version {{ kubernetes_version }}-00 + Pin-Priority: 1001 + - name: install kubeadm packages apt: name: @@ -8,17 +19,18 @@ - "kubectl={{ kubernetes_version }}-00" state: present force: yes - ## TODO: remove force once the following changes are available - ## https://github.com/ansible/ansible/pull/73629 or https://github.com/ansible/ansible/pull/72562 + # allow_downgrade: yes + ## TODO: replace force with allow_downgrade once the following change is available (ansible >= 5.0) ## https://github.com/ansible/ansible/pull/74852 -- name: disable automatic upgrades for kubeadm/kubectl + ## TODO: remove this when all machines are migrated to use pin files +- name: unhold packages (we now use APT pinning) loop: - kubeadm - kubectl dpkg_selections: name: "{{ item }}" - selection: hold + selection: install - name: set kubelet node-ip when: kubernetes_overlay_node_ip is defined -- cgit v1.2.3 From 4c467bf47401c408b3eca719f18aa5d34013d901 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Thu, 16 Sep 2021 14:13:51 +0200 Subject: docker and containerd: apt pinning vs package hold --- roles/containerd/tasks/main.yml | 25 +++++++++++++++++----- roles/docker/engine/tasks/main.yml | 25 +++++++++++++++++----- .../blackmagic/mediaexpress/tasks/main.yml | 4 ++-- 3 files changed, 42 insertions(+), 12 deletions(-) diff --git a/roles/containerd/tasks/main.yml b/roles/containerd/tasks/main.yml index 26acea66..56970268 100644 --- a/roles/containerd/tasks/main.yml +++ b/roles/containerd/tasks/main.yml 
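Review bot: `Pin-Priority: 1001` in the generated kubeadm/kubectl pin files is a magic number that deserves a comment on the task. A priority of 1000 or more tells apt to install exactly the pinned version even when that is a downgrade, so these packages get no newer build, security fixes included, until `kubernetes_version` is raised. A comment above `copy:` such as `# priority > 1000: apt installs exactly this version, downgrading if needed; updates only arrive by bumping kubernetes_version` would make that explicit. The same value is used in every other pin file added in this series.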
@@ -17,20 +17,35 @@ include_role: name: "apt-repo/{{ containerd_pkg_provider }}" +- name: generate apt pin file for containerd package + when: containerd_pkg_version is defined + copy: + dest: "/etc/apt/preferences.d/{{ containerd_pkg_name }}.pref" + content: | + Package: {{ containerd_pkg_name }} + Pin: version {{ containerd_pkg_version }} + Pin-Priority: 1001 + +- name: remove apt pin file for containerd package + when: containerd_pkg_version is not defined + file: + path: "/etc/apt/preferences.d/{{ containerd_pkg_name }}.pref" + state: absent + - name: install containerd apt: name: "{{ containerd_pkg_name }}{% if containerd_pkg_version is defined %}={{ containerd_pkg_version }}{% endif %}" state: present force: yes - ## TODO: remove force once the following changes are available - ## https://github.com/ansible/ansible/pull/73629 or https://github.com/ansible/ansible/pull/72562 + # allow_downgrade: yes + ## TODO: replace force with allow_downgrade once the following change is available (ansible >= 5.0) ## https://github.com/ansible/ansible/pull/74852 -- name: disable automatic upgrades for containerd package - when: containerd_pkg_version is defined + ## TODO: remove this when all machines are migrated to use pin files +- name: unhold packages (we now use APT pinning) dpkg_selections: name: "{{ containerd_pkg_name }}" - selection: hold + selection: install - name: fetch containerd default config check_mode: no diff --git a/roles/docker/engine/tasks/main.yml b/roles/docker/engine/tasks/main.yml index b6f5bb12..d07d6d63 100644 --- a/roles/docker/engine/tasks/main.yml +++ b/roles/docker/engine/tasks/main.yml 
@@ -26,6 +26,21 @@ include_role: name: "apt-repo/{{ docker_pkg_provider }}" +- name: generate apt pin file for docker package + when: docker_pkg_version is defined + copy: + dest: "/etc/apt/preferences.d/{{ docker_pkg_name }}.pref" + content: | + Package: {{ docker_pkg_name }} + Pin: version {{ docker_pkg_version }} + Pin-Priority: 1001 + +- name: remove apt pin file for docker package + when: docker_pkg_version is not defined + file: + path: "/etc/apt/preferences.d/{{ docker_pkg_name }}.pref" + state: absent + - name: install docker apt: name: @@ -33,15 +48,15 @@ - "{{ python_basename }}-docker" state: present force: yes - ## TODO: remove force once the following changes are available - ## https://github.com/ansible/ansible/pull/73629 or https://github.com/ansible/ansible/pull/72562 + # allow_downgrade: yes + ## TODO: replace force with allow_downgrade once the following change is available (ansible >= 5.0) ## https://github.com/ansible/ansible/pull/74852 -- name: disable automatic upgrades for docker package - when: docker_pkg_version is defined + ## TODO: remove this when all machines are migrated to use pin files +- name: unhold packages (we now use APT pinning) dpkg_selections: name: "{{ docker_pkg_name }}" - selection: hold + selection: install - name: start and enable docker service: diff --git a/roles/streaming/blackmagic/mediaexpress/tasks/main.yml b/roles/streaming/blackmagic/mediaexpress/tasks/main.yml index 7cb771d9..9aa83c28 100644 --- a/roles/streaming/blackmagic/mediaexpress/tasks/main.yml +++ b/roles/streaming/blackmagic/mediaexpress/tasks/main.yml @@ -3,7 +3,7 @@ import_role: name: apt-repo/blackmagic -- name: generate apt pin files for blackmagic mediaexpress +- name: generate apt pin file for blackmagic mediaexpress when: blackmagic_mediaexpress_version is defined copy: dest: "/etc/apt/preferences.d/mediaexpress.pref" 
@@ -12,7 +12,7 @@ Pin: version {{ blackmagic_mediaexpress_version }} Pin-Priority: 1001 -- name: remove apt pin files for blackmagic mediaexpress +- name: remove apt pin file for blackmagic mediaexpress when: blackmagic_mediaexpress_version is not defined file: path: "/etc/apt/preferences.d/mediaexpress.pref" -- cgit v1.2.3