From 4c467bf47401c408b3eca719f18aa5d34013d901 Mon Sep 17 00:00:00 2001
From: Christian Pointner <equinox@spreadspace.org>
Date: Thu, 16 Sep 2021 14:13:51 +0200
Subject: docker and containerd: apt pinning vs package hold

---
 roles/containerd/tasks/main.yml | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

(limited to 'roles/containerd')

diff --git a/roles/containerd/tasks/main.yml b/roles/containerd/tasks/main.yml
index 26acea66..56970268 100644
--- a/roles/containerd/tasks/main.yml
+++ b/roles/containerd/tasks/main.yml
@@ -17,20 +17,35 @@
   include_role:
     name: "apt-repo/{{ containerd_pkg_provider }}"
 
+- name: generate apt pin file for containerd package
+  when: containerd_pkg_version is defined
+  copy:
+    dest: "/etc/apt/preferences.d/{{ containerd_pkg_name }}.pref"
+    content: |
+      Package: {{ containerd_pkg_name }}
+      Pin: version {{ containerd_pkg_version }}
+      Pin-Priority: 1001
+
+- name: remove apt pin file for containerd package
+  when: containerd_pkg_version is not defined
+  file:
+    path: "/etc/apt/preferences.d/{{ containerd_pkg_name }}.pref"
+    state: absent
+
 - name: install containerd
   apt:
     name: "{{ containerd_pkg_name }}{% if containerd_pkg_version is defined %}={{ containerd_pkg_version }}{% endif %}"
     state: present
     force: yes
-    ## TODO: remove force once the following changes are available
-    ##   https://github.com/ansible/ansible/pull/73629 or https://github.com/ansible/ansible/pull/72562
+    # allow_downgrade: yes
+    ## TODO: replace force with allow_downgrade once the following change is available (ansible >= 5.0)
     ##   https://github.com/ansible/ansible/pull/74852
 
-- name: disable automatic upgrades for containerd package
-  when: containerd_pkg_version is defined
+  ## TODO: remove this when all machines are migrated to use pin files
+- name: unhold packages (we now use APT pinning)
   dpkg_selections:
     name: "{{ containerd_pkg_name }}"
-    selection: hold
+    selection: install
 
 - name: fetch containerd default config
   check_mode: no
-- 
cgit v1.2.3