
Comments (47)

metametadata commented on May 22, 2024 37

I ended up pinning the version in my Dockerfile by downloading the .deb file and running apt-get install on it:

RUN set -ex \
  ; apt-get update \
  ; curl -o nodejs.deb https://deb.nodesource.com/node_8.x/pool/main/n/nodejs/nodejs_8.7.0-1nodesource1_amd64.deb \
  ; apt-get install -y ./nodejs.deb \
  ; rm nodejs.deb \
  ; rm -rf /var/lib/apt/lists/*

from distributions.
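
The workaround in the comment above installs a .deb fetched directly from the pool, which bypasses the signed-index check that apt applies to repository installs. As an added example (not code from the thread or from NodeSource), this shell helper refuses a download unless it matches a SHA-256 recorded in a lock file; deb.lock, the function names and the stand-in file are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: check a .deb fetched from the pool against a digest recorded
# in a lock file before handing it to apt-get or dpkg.
# deb.lock (hypothetical name) uses the sha256sum format: "<64 hex>  <file name>".

# Print the SHA-256 of a file with whichever tool the image provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# Print the digest recorded for NAME in LOCKFILE, or nothing if there is no entry.
locked_digest() {  # usage: locked_digest LOCKFILE NAME
  awk -v name="$2" '$2 == name { print $1; exit }' "$1"
}

# Succeed only if FILE matches its lock entry. Fails closed: a missing entry,
# a malformed digest or a mismatch rejects the file and deletes it, so a later
# "apt-get install ./file.deb" cannot pick up an unverified download.
verify_pinned_deb() {  # usage: verify_pinned_deb LOCKFILE FILE
  lock=$1
  file=$2
  want=$(locked_digest "$lock" "$(basename "$file")")
  case $want in
    '' | *[!0-9a-f]*) want= ;;   # empty or not lowercase hex: treat as no entry
  esac
  if [ "${#want}" -ne 64 ]; then
    echo "no valid lock entry for $file" >&2
    rm -f "$file"
    return 1
  fi
  got=$(sha256_of "$file")
  if [ "$got" != "$want" ]; then
    echo "digest mismatch for $file: got ${got:-nothing}" >&2
    rm -f "$file"
    return 1
  fi
}

# Offline demonstration on a constructed stand-in file (not a real package).
demo() {
  dir=$(mktemp -d) || return 1
  printf 'constructed stand-in for a .deb\n' > "$dir/nodejs_sample.deb"
  printf '%s  %s\n' "$(sha256_of "$dir/nodejs_sample.deb")" nodejs_sample.deb > "$dir/deb.lock"
  verify_pinned_deb "$dir/deb.lock" "$dir/nodejs_sample.deb" \
    && echo "unchanged file: accepted"
  printf 'x' >> "$dir/nodejs_sample.deb"   # simulate a swapped or altered download
  verify_pinned_deb "$dir/deb.lock" "$dir/nodejs_sample.deb" 2>/dev/null \
    || echo "modified file: rejected and removed"
  rm -rf "$dir"
}
demo
```

In a Dockerfile RUN step the call sits between the download and the install, so a failed check stops the build before apt-get or dpkg sees the file.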

chrislea commented on May 22, 2024 15

It is still on our list of things to look at @codyaray, but it's still not a high priority.

Please keep in mind that for any LTS release, you're guaranteed that the APIs aren't going to change, and there are fairly frequent security related updates. So we really recommend always using the newest version of any LTS line that you're using, which is what apt or yum will do by default.

retrohacker commented on May 22, 2024 9

@conatus, thanks for your comment. We understand that this feature has been a pain point for some. I personally had to work with it when building the Docker images for NodeSource.

@chrislea, @rvagg, and I are all on the @nodesource team.

Our current build uses the reprepro tool from the Debian project to host these repositories. As chrislea commented above, the tool is preventing us from doing this. We are looking into alternatives that will offer this feature.

We understand the need to pin to specific versions of Node in production. The rationale behind our Docker images is to support that specific use case. While we work towards a solution that allows apt to directly pin a version, we have a short term solution that I proposed above.

We religiously keep all of the artifacts generated by our builds, incrementing the trailing digit of the .deb in the event we need to do a rebuild. They all exist on deb.nodesource.com. This allows consumers to pin directly to a version of Node. The pools these artifacts are served from can be found at:

If you are using ansible, as @heston, the apt package supports the deb flag which takes a path to a .deb file on the remote box. Pairing this with get_url will offer a short term solution to version pinning.

There is a similar story for our rpm packages as well.

curledUpSheep commented on May 22, 2024 8

FYI: I was able to resolve the python-minimal issue by switching from nodejs_${NODEJS_VERSION}-1nodesource1_amd64.deb to nodejs_${NODEJS_VERSION}-deb-1nodesource1_amd64.deb

It seems the file with -deb in the filename includes metadata that fixes the issue.

chrislea commented on May 22, 2024 7

Yes, we will probably move to aptly since it seems like the best tool that will let us do this. Unfortunately the way the builds are currently automated is fairly tied to reprepro so this isn't a trivial change to make. It will almost certainly happen when we move the repos to be served off of S3 / CloudFront. So both of those are things on the TODO list, but right now there are a couple of other infrastructure updates that we have to make first internally, so these aren't at the top of the list right now.

danielkza commented on May 22, 2024 7

Any news on this?

jcputter commented on May 22, 2024 7

cannot use this repo in production because of this....

mkozjak commented on May 22, 2024 7

A new proper way to do this, per official documentation, is here:

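sudo apt install -y ca-certificates gnupg
# Create the keyring directory first; it is missing on older releases.
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg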

NODE_MAJOR=16
echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_$NODE_MAJOR.x nodistro main" | sudo tee /etc/apt/sources.list.d/nodesource.list
sudo apt update
apt-cache policy nodejs
sudo apt install --yes nodejs=16.15.1-1nodesource1

zol commented on May 22, 2024 6

+1 It would be great to keep old versions available in Packages rather than just the latest.

Unfortunately pinning doesn't help when needing to provision new VMs to match machines in the cluster that are running an older version of the package.

conatus commented on May 22, 2024 6

Thanks for your reply @wblankenship, very much appreciated.

While this short term fix is certainly acceptable and the Dockerfiles are good examples, NodeSource isn't just any old set of builds. It is the set of builds recommended by the Node.js project itself as an install path. This repo is then a key bit of Node.js infrastructure for anyone running any kind of automation. You at @nodesource seem to intend it to be taken as such. So I hope you will consider working out how to pin versions easily as a matter of some priority in the near term.

Thanks a lot.

heston commented on May 22, 2024 5

Friendly bump on this. I just got bit by a version update causing all of our builds to fail. Very unexpected that previous versions are wiped from the repo when a new one is released.

dgreene-r7 commented on May 22, 2024 5

That's hopefully true regarding regressions, but sometimes they slip through. In an ideal world we could simply pin back the version of node we want to install rather than falling back to pulling deb artifacts directly from the pool.

tecto commented on May 22, 2024 4

+1 for keeping old versions available in Packages.

Need to be able to apt-get install a specific version (0.10.33 in this case) across multiple servers and then pin the nodejs package to maintain consistency and separately test new versions before rollout.

Reference both https://help.ubuntu.com/community/PinningHowto and http://blog.andrewbeacock.com/2007/03/how-to-install-specific-version-of.html

plinehan commented on May 22, 2024 3

Thanks @metametadata! FWIW, I had to swap:

apt-get install -y ./nodejs.deb

for:

dpkg -i ./nodejs.deb

Otherwise, apt-get install spews a few thousand lines of:

E: Release 'nodejs.deb' for '$FOO' was not found

before failing. The dpkg command completed without reporting any missing dependencies.

tragiclifestories commented on May 22, 2024 3

Yep, that's what we did in the end. I think there are fuller examples earlier in this thread or linked from it.

It's a fiddly, messy couple of lines in your CI config or dockerfile, but worse things happen at sea ...

abitrolly commented on May 22, 2024 3

For Debian 10 Buster I had to modify @metametadata's script for installing a specific version of NodeJS and Yarn. The node version is taken from /app/package.json.

RUN set -x \
      && apt-get update && apt-get install -y curl jq \
      && NODE_VERSION=$(jq -r .engines.node /app/package.json) \
      && DEB_FILE="nodejs_${NODE_VERSION}-1nodesource1_amd64.deb" \
      && curl -sLO "https://deb.nodesource.com/node_12.x/pool/main/n/nodejs/${DEB_FILE}" \
      && apt-get install -y ./"${DEB_FILE}" && rm "${DEB_FILE}" \
      && curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - \
      && echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list \
      && apt-get update && apt-get install -y yarn \
      && rm -rf /var/lib/apt/lists/*

retrohacker commented on May 22, 2024 2

@heston I believe they are only removed from the Release file. They are still in the repo: https://deb.nodesource.com/node_5.x/pool/main/n/nodejs/

Personally I am pinning against specific versions using wget [deb] && dpkg -i [deb].

gazal-k commented on May 22, 2024 2

On centos, I was able to do:

curl -f --silent --location https://rpm.nodesource.com/setup_8.x | bash - 
yum install -y nodejs-8.8.1

e-dong commented on May 22, 2024 2

@retrohacker
I'm using an Ubuntu 20.04.3 LTS based Docker image

ENV NODE_REPO 16.x
ENV NODE_VERSION 16.15.0

RUN wget -O nodejs_${NODE_VERSION}-1nodesource1_amd64.deb https://deb.nodesource.com/node_${NODE_REPO}/pool/main/n/nodejs/nodejs_${NODE_VERSION}-1nodesource1_amd64.deb
RUN dpkg -i nodejs_${NODE_VERSION}-1nodesource1_amd64.deb

But I ran into this error:

Step 7/15 : RUN dpkg -i nodejs_${NODE_VERSION}-1nodesource1_amd64.deb
 ---> Running in 3df495c2ad6f
Selecting previously unselected package nodejs.
(Reading database ... 25329 files and directories currently installed.)
Preparing to unpack nodejs_16.15.0-1nodesource1_amd64.deb ...
Unpacking nodejs (16.15.0-1nodesource1) ...
dpkg: dependency problems prevent configuration of nodejs:
 nodejs depends on python-minimal; however:
  Package python-minimal is not installed.

dpkg: error processing package nodejs (--install):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 nodejs
The command '/bin/bash -c dpkg -i nodejs_${NODE_VERSION}-1nodesource1_amd64.deb' returned a non-zero code: 1

I tried adding python-minimal beforehand but it fails. python-minimal is deprecated in favor of python2-minimal. Unfortunately that doesn't seem to resolve the issue.
From this post it looks like there is a dependency on python2?
https://www.reddit.com/r/node/comments/g99i2b/ubuntu_2004_is_out_but_nodesource_deb_still/

felixfbecker commented on May 22, 2024 1

This is not just about using the latest version for security fixes, but about reproducible builds in general. Building the same Dockerfile twice in CI should be 100% guaranteed to work and result in the exact same image digest hash to hit the cache and not cause any pushes or redeploys. I can write a bot that does automatic PRs to update versions in a Dockerfile, I don't have to sacrifice build reproducibility just to stay up to date - as long as old versions are not deleted and can be pinned.

ErisDS commented on May 22, 2024 1

I thought that nodesource was the de facto place to install node from, but this limitation is 😳. It's not possible to use the ppa with configuration management tools, or anything designed to do repeatable builds - e.g. I ended up here because of this: saltstack-formulas/node-formula#22

Anyone else running into this - what did you do instead? I've fallen back to installing from source but it's so insanely slow I don't want to do this long term.

trajano commented on May 22, 2024 1

Just to add to #33 (comment) I use the Dockerfile approach for building Expo tooling with Gradle on JDK8.

FROM node:16.13.0 as node

FROM gradle:jdk8
COPY --from=node /usr/local/ /usr/local/
RUN npm install -g expo-cli@4 turtle-cli

ggsddu7 commented on May 22, 2024

This is my question too

rvagg commented on May 22, 2024

https://help.ubuntu.com/community/PinningHowto might be the way to go, /etc/apt/preferences

This is something we're only looking at experimenting with ourselves now for our Docker images, we'll let you know if we come up with an approach we can recommend, but for now, have a look at that wiki link.

chrislea commented on May 22, 2024

Okay, we certainly understand the need. Unfortunately, the reprepro utility which is part of our tooling for publishing the repositories can't do this, so we'll need to look into using something like aptly instead. I'll update here once we have something ready.

chris-prince commented on May 22, 2024

What about at least providing one repo per major release series (e.g. 0.10.x, 0.12.x)?

This is especially relevant now that Node 0.12 is out. I'd like to have control over when I make the switch from 0.10.x to 0.12.x. (But I am okay with receiving bugfix updates on the track that I'm on.)

I feel like SaltStack PPAs do this well. (https://launchpad.net/~saltstack) In their case:

  • ppa:saltstack/salt gives the latest stable release
  • ppa:saltstack/salt2014-7 gives the latest stable v2014.7.x release
  • ppa:saltstack/salt2014-1 gives the latest stable v2014.1.x release
  • etc.

Going forward, I would love to see something similar for Node (e.g. repos node, node-0.10, node-0.12).

coen-hyde commented on May 22, 2024

This is an issue for us as well. I've switched to compiling from source for the moment as I'm not sure when the nodesource repo will switch to a 0.12.x release.

awithersdd commented on May 22, 2024

This really should be fixed. Like many, we test and lock to a specific release for production; we cannot have apt-get install nodejs=specific version fail because a new release was made, nor can we accept every new release as if it were the one tested against.

retrohacker commented on May 22, 2024

https://github.com/nodesource/docker-node has examples of installing specific versions of node/iojs on debian/ubuntu using dpkg and fedora/centos using rpm. You may want to do gpg verification as well, like https://github.com/iojs/docker-iojs/blob/master/1.6/Dockerfile#L11

shrop commented on May 22, 2024

Using Meteor and definitely need a way to pin the nodejs since there are version requirements. Thanks for all you folks do on this distro!

heston commented on May 22, 2024

@wblankenship Thanks for the tip. Indeed, I see that the packages are still available, so that's an option. Without them being listed in the repo, it's not as easy to install with a package manager, though.

We're using salt to manage our package installations. It has great support for apt-get, but doesn't work as well with custom installation procedures.

conatus commented on May 22, 2024

@wblankenship Thanks for the tip too!

Can someone from @nodesource please reply to this issue? We have occasional breaking builds as a result of this decision not to keep the packages around and we need to pin an exact version.

At the risk of sounding off, an allegedly "enterprise" set of packages should really allow this simply.

leedm777 commented on May 22, 2024

If it helps, Docker addressed a similar problem using reprepro with their patch at moby/moby#16001. Maybe NodeSource can do something similar.

nicholascapo commented on May 22, 2024

Any word on this? aptly [1] works great for our internal repos, served from nginx.

[1] https://www.aptly.info/

Daniel15 commented on May 22, 2024

We switched from reprepro to Aptly for Yarn, and it works pretty well. I'd recommend it.

chrislea commented on May 22, 2024

@Daniel15 Yes switching over to Aptly has been on my radar as a somewhat far-off TODO for quite some time, but unfortunately that change is non-trivial for us because of the overall impact to the workflow that it entails.

Additionally there is just a metric crapton of stuff out there that now expects our repos to behave as they currently do, and we'd definitely need to do whatever testing was needed to make sure that letting Aptly handle the repo management tasks wasn't going to make some unknown number of other things break in order to make pinning work.

I promise that we do understand the desire for this. As somebody that has Ubuntu running on a lot of my devices, it pains me personally that our rpm repos let people pick specific versions but our deb repos don't. It's just going to be a considerable amount of work to actually implement, which is not easy to carve out time for since a) we're a startup and thus very resource constrained and b) the demand for this change, while certainly relevant, just isn't that high.

So I don't have any great news to add to this issue, but I promise it's not something we've forgotten about either.

codyaray commented on May 22, 2024

Yes, please please do this. My salt state fails every time I run it until I manually update the version (which of course, we don't really want to do for every app every time).

tardis4500 commented on May 22, 2024

I agree with the previous comments that we are unable to use this in Production since we can go through an entire testing cycle in all our environments and then on Production deployment day, find out the install fails because it is no longer available.

luqasz commented on May 22, 2024

I use LTS repo of node. I install it in testing and production. That is all I can do to minimize possible problems.

kundansmart501 commented on May 22, 2024

Wanted to update from version v0.10.25 to v6 on Ubuntu 14.0, but able to do so

hectcastro commented on May 22, 2024

In addition to Aptly, packagecloud could help alleviate a bunch of the problems discussed here (and possibly others, because they support yum and are fronted by Fastly's CDN already). I'm obviously not familiar with your existing build pipeline, so I can't comment on the impact it'll have on that, but package publishing processes I've worked in the past with their CLI have been relatively painless.

In addition, I was partially part of a package repository migration process while at Basho. In that case, we put everything in packagecloud, made that the new source of truth in our docs, but kept the old setup running. Everything still worked the way people expected, but those who wanted in on the latest and greatest (or version pinning) had a clear path with packagecloud.

As for intermediate solutions to this problem, we've worked around it by pinning to Linux binary releases published on nodejs.org. Not as straightforward as a native operating system package, but usually better than compiling from source.

chrislea commented on May 22, 2024

@ErisDS You can always just grab specific packages directly from the repo using something like curl. Assuming you're interested in installing something from the 8.x release, you can find all the files here:

https://deb.nodesource.com/node_8.x/pool/main/n/nodejs/

Hope this helps.

Daniel15 commented on May 22, 2024

@abitrolly Just be careful, the -1nodesource1 part is part of the package version number and could change.

I'd also recommend installing a fixed version of Yarn, which you can do using something like apt install yarn=1.22.4-1. You can run apt list -a yarn to see all available versions:

root@vps03:~# apt list -a yarn
Listing... Done
yarn/stable,stable,now 1.22.4-1 all [installed]
yarn/stable,stable 1.22.1-1 all
yarn/stable,stable 1.22.0-1 all
yarn/stable,stable 1.21.1-1 all
yarn/stable,stable 1.19.2-1 all
yarn/stable,stable 1.19.1-1 all
yarn/stable,stable 1.19.0-1 all
yarn/stable,stable 1.17.3-1 all
yarn/stable,stable 1.16.0-1 all
yarn/stable,stable 1.15.2-1 all
yarn/stable,stable 1.13.0-1 all
yarn/stable,stable 1.12.3-1 all
yarn/stable,stable 1.12.1-1 all
yarn/stable,stable 1.10.1-1 all
yarn/stable,stable 1.10.0-1 all
yarn/stable,stable 1.9.4-1 all
yarn/stable,stable 1.9.2-1 all
yarn/stable,stable 1.7.0-1 all
yarn/stable,stable 1.6.0-1 all
yarn/stable,stable 1.5.1-1 all
yarn/stable,stable 1.3.2-1 all
yarn/stable,stable 1.2.1-1 all
yarn/stable,stable 1.2.0-1 all
yarn/stable,stable 1.1.0-1 all
yarn/stable,stable 1.0.2-1 all
yarn/stable,stable 1.0.1-1 all
yarn/stable,stable 0.27.5-1 all
yarn/stable,stable 0.27.4-1 all
yarn/stable,stable 0.27.3-1 all
yarn/stable,stable 0.27.2-1 all
yarn/stable,stable 0.24.6-1 all
yarn/stable,stable 0.24.5-1 all
yarn/stable,stable 0.24.4-1 all
yarn/stable,stable 0.24.3-1 all
yarn/stable,stable 0.23.4-1 all
yarn/stable,stable 0.23.3-1 all
yarn/stable,stable 0.23.2-1 all
yarn/stable,stable 0.22.0-1 all
yarn/stable,stable 0.21.3-1 all
yarn/stable,stable 0.20.3-1 all
yarn/stable,stable 0.19.1-1 all
yarn/stable,stable 0.18.1-1 all
yarn/stable,stable 0.17.10-1 all
yarn/stable,stable 0.17.9-1 all
yarn/stable,stable 0.17.8-1 all
yarn/stable,stable 0.17.6-1 all
yarn/stable,stable 0.17.5-1 all
yarn/stable,stable 0.17.4-1 all
yarn/stable,stable 0.17.3-1 all
yarn/stable,stable 0.17.2-1 all
yarn/stable,stable 0.17.0-1 all
yarn/stable,stable 0.16.1-1 all
yarn/stable,stable 0.16.0-1 all
yarn/stable,stable 0.15.0-1 all

from distributions.
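
A build that installs package=version fails deep inside apt when the index no longer offers that version, which is the failure this thread keeps returning to. As an added example (not part of the comment above, nor code from Yarn or NodeSource), this shell code reads a listing in the apt list -a format shown above, confirms the pinned version is still offered, and prints an apt preferences stanza for it; the function names are assumptions, and the sample listing is constructed from three lines of that output.

```shell
#!/bin/sh
# Added example: confirm that the version a build pins is still offered by the
# configured repositories, then emit an apt preferences stanza so that later
# upgrades do not move the package off that version.

# Constructed sample: a few lines in the format of the listing quoted above.
SAMPLE_LISTING='Listing... Done
yarn/stable,stable,now 1.22.4-1 all [installed]
yarn/stable,stable 1.22.1-1 all
yarn/stable,stable 1.22.0-1 all'

# Read "apt list -a PKG" output on stdin; succeed if VERSION is listed for PKG.
# The package name must match up to the "/" so that "yar" does not match "yarn".
# On a real host: apt list -a yarn 2>/dev/null | version_offered yarn 1.22.4-1
# (apt prints a "no stable CLI interface" warning on stderr when piped).
version_offered() {  # usage: version_offered PKG VERSION < listing
  awk -v pkg="$1" -v ver="$2" '
    index($1, pkg "/") == 1 && $2 == ver { found = 1 }
    END { exit !found }'
}

# Print a preferences stanza that holds PKG at exactly VERSION. A priority of
# 1000 or more makes apt select this version even if that means a downgrade.
# The output belongs in a file under /etc/apt/preferences.d/.
pin_stanza() {  # usage: pin_stanza PKG VERSION
  printf 'Package: %s\nPin: version %s\nPin-Priority: 1001\n' "$1" "$2"
}

# Fail early with a clear message instead of deep inside "apt-get install".
preflight_pin() {  # usage: preflight_pin PKG VERSION < listing
  if version_offered "$1" "$2"; then
    pin_stanza "$1" "$2"
  else
    echo "$1=$2 is not in the index; fetch it from the pool or update the pin" >&2
    return 1
  fi
}

# Offline demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | preflight_pin yarn 1.22.1-1
```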

slifty commented on May 22, 2024

@e-dong I faced the python-minimal issue as well and think it may have been linked to a past use of running the 16.x script.

Running this on a totally fresh machine caused no issues, for instance.

curl -o nodejs.deb https://deb.nodesource.com/node_16.x/pool/main/n/nodejs/nodejs_16.17.1-deb-1nodesource1_arm64.deb
apt -y install ./nodejs.deb

(Sorry this comment isn't fully baked; I wanted to mention the clue for future folks facing the problem)

Gerst20051 commented on May 22, 2024

When I switched to using the -deb version it installed the latest version and printed this message:

root@063d58f6174d:/code# apt-get install -y ./$DEB_FILE
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'nodejs' instead of './nodejs_16.13.2-deb-1nodesource1_arm64.deb'

nick4fake commented on May 22, 2024

Good example why pinning is extremely important:
nodejs/node#48444

We are not sure what to do now with all builds failing

pulsedynamic commented on May 22, 2024

FYI: I was able to resolve the python-minimal issue by switching from nodejs_${NODEJS_VERSION}-1nodesource1_amd64.deb to nodejs_${NODEJS_VERSION}-deb-1nodesource1_amd64.deb

It seems the file with -deb in the filename includes metadata that fixes the issue.

you are a legend, thanks
