Attempting to ensure the latest collectd 5 on Ubuntu 12.04 with PE3.

If ppa:raravena80/collectd5 has never been added, the following will add the repo on a puppet run:

  apt::ppa { 'ppa:raravena80/collectd5': }

  package { 'collectd':
    ensure  => latest,
    require => Apt::Ppa['ppa:raravena80/collectd5'],
  }

If you then issue

add-apt-repository --remove ppa:raravena80/collectd5
or
ppa-purge ppa:raravena80/collectd5

subsequent puppet runs will not add the repo.

This occurs because ppa files remain in /etc/apt/sources.list.d/, causing puppet to assume the ppa is currently added, even though the ppa has been removed.

Troubleshooting:
Run puppet agent -t, see that the ppa repo is added, collectd 5 is installed.
Remove or purge the ppa repo, remove collectd 5.
Run puppet agent -t, see that the ppa repo is not added, collectd 4 is installed.
Remove collectd 4, then remove /etc/apt/sources.list.d/raravena80-collectd5* and /etc/apt/sources.list.d/.raravena80-collectd5*.
Run puppet agent -t, see that the ppa repo is added, collectd 5 is installed.

proxy_host shouldn't be boolean as it can not be used as a paramterized class in foreman due to foreman's parameter validation.

proxy_host should be undef by default and the switch case to set ensure should be changed from

..
false => absent
..

to
..
undef => absent
..

this would make it possible to set the default value (in foreman) to an empty string meaning not adding a proxy.

Rather than writing require => Apt::ppa['...'] for each package that needs a ppa, could I write something to tell Puppet to load all ppa's before any packages?

The same way that we can write something to force apt-get update before any packages are processed:

exec { 'apt-update':
  command => 'apt-get update',
  path    => '/bin:/usr/bin'
}

Exec['apt-update'] -> Package <| |>

I was looking at apt::force and I want to kill it. The way it forces a package to be installed from a specific release is entirely horrible. Doing it in such a way should really be a last resort and might cause weird behaviour as policies change or newer packages start rolling in to different mirrors.

The correct way of doing this is dropping a pin/preferences file in apt that causes the policy to reflect the origin you want those packages from and then just leveraging Puppet's package type's ensure attribute to do the rest.

Describe the Bug

When a proxy location contains options before an HTTPS URI (example), setting https_acng => true has not effect and updating from that repo fails with:

Invalid response from proxy: HTTP/1.0 403 CONNECT denied (ask the admin to allow HTTPS tunnels)

Expected Behavior

https:// should be replaced by http://HTTPS/// in the APT source line and updating from that repo should succeed.

Steps to Reproduce

Run this script in a disposable environment:

#!/bin/sh

export DEBIAN_FRONTEND=noninteractive
sudo --preserve-env=DEBIAN_FRONTEND apt-get -y install puppet git apt-cacher-ng

TEMPDIR=$( mktemp -d )
trap "rm -rf ${TEMPDIR}" EXIT

cd ${TEMPDIR}

git clone https://github.com/puppetlabs/puppetlabs-stdlib.git stdlib
git clone https://github.com/puppetlabs/puppetlabs-apt.git apt

git -C ./apt/ checkout v9.0.0

curl -s http://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | sudo apt-key add -

cat >  manifest.pp <<EOF
class { 'apt':
  proxy => {
    host       => '127.0.0.1',
    port       => 3142,
    https_acng => true,
  },
}

ensure_packages('apt-transport-https')

apt::source { 'torproject':
  comment  => 'TorProject',
  location => '[Check-Date=yes] https://deb.torproject.org/torproject.org',
  repos    => 'main',
  release  => 'stable',
  require  => Package['apt-transport-https'];
}
EOF

sudo puppet apply --modulepath=./ ./manifest.pp
sudo apt update
echo "\n---------- /etc/apt/sources.list.d/torproject.list ----------"
cat /etc/apt/sources.list.d/torproject.list

The output ends with:

(...)
Hit:1 http://deb.debian.org/debian bullseye InRelease                      
Hit:2 http://deb.debian.org/debian bullseye-updates InRelease                                                                  
Hit:3 http://security.debian.org/debian-security bullseye-security InRelease                                                   
Err:4 https://deb.torproject.org/torproject.org stable InRelease                                                               
  Invalid response from proxy: HTTP/1.0 403 CONNECT denied (ask the admin to allow HTTPS tunnels)     [IP: 127.0.0.1 3142]
Reading package lists... Done                                                                                                 
Building dependency tree... Done
Reading state information... Done
W: Failed to fetch https://deb.torproject.org/torproject.org/dists/stable/InRelease  Invalid response from proxy: HTTP/1.0 403 CONNECT denied (ask the admin to allow HTTPS tunnels)     [IP: 127.0.0.1 3142]                                        
W: Some index files failed to download. They have been ignored, or old ones used instead.

---------- /etc/apt/sources.list.d/torproject.list ----------
# This file is managed by Puppet. DO NOT EDIT.
# TorProject
deb [Check-Date=yes] https://deb.torproject.org/torproject.org stable main

The URI above should've been replaced accordingly to work with apt-cacher-ng.

Environment

• Version: 9.0.0
• Platform Debian Bullseye 11.3

Additional Context

To fix this, I think the regexp should be improved here.

So, I have a list of keys added via

apt::keys.... This works fine.

I then added a few PPAs today using

apt::ppa { 'ppa:ondrej/php5': }
apt::ppa { 'ppa:ondrej/mysql-5.6': }

this added the key:

pub 1024R/E5267A6C 2009-01-26
uid Launchpad PPA for Ondřej Surý

so now every time I run puppet, I believe because of the accent characters in this persons name I am seeing the message "Error: Could not prefetch apt_key provider 'apt_key': invalid byte sequence in UTF-8" and all of the keys using apt::keys are reinstalled every time.

Declaring

class { '::apt': always_apt_update => true }
::apt::ppa { 'ppa:ondrej/php5': }

on a clean Ubuntu installation fails due to outdated package sources.

Failed to fetch http://us.archive.ubuntu.com/ubuntu/pool/main/s/software-properties/python-software-properties_0.82.7.6_all.deb  404  Not Found [IP: 91.189.91.13 80]
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

I tried to define global dependencies like this:

::Apt::Source <| |> ~> Exec['apt_update'] -> Package <| |>

But this causes a dependency cycle:

Found 1 dependency cycle:
(Exec[add-apt-repository-ppa:ondrej/php5] => Exec[apt_update] => Package[python-software-properties] => Exec[add-apt-repository-ppa:ondrej/php5])

The workaround is to update the package sources and install python-software-properties before executing puppet.

Nevertheless I think it should be a good thing to remove all dependencies on apt::update and define a global dependency as described above.

Is that an appropriate solution?

Describe the Bug

After updating the module from 8.3.0 to 8.4.0, I get a dependency cycle on all Debian family nodes, for any repo I manage:

Found 1 dependency cycle:
(Exec[apt_update] => Class[Apt::Update] => Package[gnupg] => Apt::Key[Add key: 5B7C3E5A735BCB4D615829DC0BDDA991FD7AAC8A from Apt::Source theforman_buster] => Apt::Setting[list-theforman_buster] => File[/etc/apt/sources.list.d/theforman_buster.list] => Class[Apt::Update] => Exec[apt_update])\nTry the '--graph' option and opening the resulting '.dot' file in OmniGraffle or GraphViz

Expected Behavior

No dependency cycle.

Steps to Reproduce

1. Update the module
2. Start an agent run

Environment

• Version 8.4.0
• Platform Debian 10 / Ubuntu 20.04

Additional Context

• After adding back the lines

  # required for adding GPG keys on Debian 9 (and derivatives)
  ensure_packages(['gnupg'])

in init.pp the cycle was gone.

• I do all the repository setup in a separate Puppet stage, executed before the main stage.

In our case we want to specify our own mirror to get the binary packages, but the ftp.us.debian.org mirror for source packages. For a given apt::source definition we can say "include_src" to include a "deb-src" entry along with the "deb" entry, but there's no way to instantiate an apt::source definition to create only a "deb-src" entry.

The fix is actually quite easy, and I coded it for our internal use. I'd like to submit it to the PuppetLabs team, if you think this is a reasonable feature.

Hello,

I am trying to figure out the purpose of that anchor in sources.pp :

Need anchor to provide containment for dependencies.

anchor { "apt::source::${name}":
require => Class['apt::update'],
}

Indeed, in my manifest, I've added :

Apt::Source <| |> -> Exec["apt_update"]

And I got a dependency cycle :

(Anchor[apt::source::source1] => Apt::Source[source1] => Exec[apt_update] => Class[Apt::Update] => Anchor[apt::source::source1])

I think setting all our sources before doing an apt-get update is the normal way, or am i missing something ?

Regards

Olivier

Describe the Bug

This new commit, merged and released for tag v9.0.0, hardcodes the Puppet path for the $script_path variable, in the manifests/ppa.pp file:

$script_path = "/opt/puppetlabs/puppet/cache/add-apt-repository-${dash_filename_no_specialchars}-${release}.sh"

/opt/puppetlabs/puppet is not the path used by the Debian Puppet packages (also used by Ubuntu). This uses it's /etc/puppet/).

Expected Behavior

The script_path var should either default to the right path by itself, or at least be modifiable by a user variable.

I only seem to be able to get apt-get update to "always_apt_update". but the desired behavior is to update on the first run, or if there has been a change to sources.

Amy I missing a setting?

Looking at this debug output: https://gist.github.com/slamont/6010067

It seems that packages from the system are installed instead of those from the configured ppa.

With this code: https://gist.github.com/slamont/6010094

I assumed (may be wrong) that apt::ppa should execute the update before the installation of the package.

So simply want to know if there should be a dependency in the icinga module like so:
Apt::Ppa <| |> -> Package <| |> ???

Failures:

  1) apt::force when using default parameters 
     Failure/Error: ) }
     Puppet::Error:
       Could not parse for environment production: Syntax error at '{'; expected '}' at line 2 on node bowmore.sbo.sd63.bc.ca
     # ./spec/defines/force_spec.rb:25

  2) apt::force when specifying release parameter 
     Failure/Error: ) }
     Puppet::Error:
       Could not parse for environment production: Syntax error at '{'; expected '}' at line 2 on node bowmore.sbo.sd63.bc.ca
     # ./spec/defines/force_spec.rb:34

  3) apt::force when specifying version parameter 
     Failure/Error: ) }
     Puppet::Error:
       Could not parse for environment production: Syntax error at '{'; expected '}' at line 2 on node bowmore.sbo.sd63.bc.ca
     # ./spec/defines/force_spec.rb:43

  4) apt::force when specifying release and version parameters 
     Failure/Error: ) }
     Puppet::Error:
       Could not parse for environment production: Syntax error at '{'; expected '}' at line 2 on node bowmore.sbo.sd63.bc.ca
     # ./spec/defines/force_spec.rb:55

Finished in 8.62 seconds
175 examples, 4 failures

I'm not particularly good at Ruby, so it's not obvious to me what's going on here.

include_class was deprecated in favour of contain_class, but that's only a warning.

Please explain the steps to change the contents of sources.list

I want to add a native type for apt_ppa especially now that Debian Wheezy has a new enough python-software-properties that includes this command.

However, since not everyone might want to install / pull in Python just for apt_ppa we'd still need to support the 'old' way of doing it as apt::ppa is now doing. The other choice would be to decide that apt::ppa now requires the target system to have python-software-properties installed which is the case on Ubuntu installations. Seeing that apt::ppa is geared towards Ubuntu that seems like a sensible second option.

Is this worth the effort or should we leave it as is?

The module handles proxies well with proxy_host and proxy_port but it is not working with apt_key when using key_source (wget does not use any proxy)

It works OK with a simple modification of the the key.pp file, by setting up environment variables for wget to work. Something like this:

environment => [ "http_proxy=$::proxy_host:$::proxy_port", "https_proxy=$::proxy_host:$::proxy_port" ],

There may be a cleaner way to do it, I am very new to puppet

The following check in manifests/ppa.pp fails for Linux Mint Maja LTS and facter 1.7.5:

if $::operatingsystem != 'Ubuntu' {
  fail("apt::ppa is currently supported on Ubuntu only.")
}

From personal experience, though, the Ubuntu based Mint’s are pretty compatible with the ppa system.

$ facter --version
1.7.5
$ facter operatingsystem
Debian

On Lucid, and probably other versions of Ubuntu, -y is an invalid option. This causes use of the apt::ppa resource to fail with "Error: /usr/bin/add-apt-repository -y ppa:git-core/ppa returned 2 instead of one of [0]".

The $option parameter should only be set to "-y" by default on versions of Debian/Ubuntu that support it.

See #146, where this option was introduced.

Hey puppetlabs,

I have a feature request for your module. My DC hosts their own apt mirror and it would be cool to have your module set it. I have found a way to do it using Hiera, but it's a bit cumbersome. I think it would be better having something like "apt::mirror"

relevant code from hiera.yaml:

...
:hierarchy:
- location/%{::customfact_location}-%{::lsbdistcodename}
- common

relevant code from /etc/puppet/hieradata/location/myDCcompany-precise.yaml

---
apt::purge_sources_list: true
apt::purge_sources_list_d: true
apt::source:
 'ubuntu':
  location:     'http://mirror.myDCcompany.com/ubuntu/'
  repos:        'main restricted universe multiverse'
  include_src:  'true'
 'precise-backports':
  location:     'http://mirror.myDCcompany.com/ubuntu/'
  repos:        'main restricted universe multiverse'
  release:      'precise-backports'
 'precise-security':
  location:     'http://mirror.myDCcompany.com/ubuntu/'
  repos:        'main restricted universe multiverse'
  release:      'precise-security'

It's not available in the 3.x branch for instance but is used anyway in ppa.pp.

It's available on master again, but metadata should be fixed to include correct stdlib supported versions or get rid of the getparam function usage.

Describe the Bug

puppetlabs-apt creates a malformed sources entry when an apt::source contains a location parameter that includes a [signed-by] string:

deb [ ] [signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg] https://apt.datadoghq.com/ stable 7

Expected Behavior

When an apt::source location parameter contains a [string] entry, puppetlabs-apt should not prepend [ ]

Steps to Reproduce

Create an apt::source{} block with a location parameter containing a [string] such as [signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg]. This can be seen 'in the wild' by attempting to install the datadog agent with https://github.com/DataDog/puppet-datadog-agent

Environment

• Version - puppetlabs-apt 9.0.0
• Platform - Ubuntu 22.04

Additional Context

The specific apt::source call from datadog is:

$location = "[signed-by=${apt_usr_share_keyring}] https://apt.datadoghq.com/"

apt::source { 'datadog':
  comment  => 'Datadog Agent Repository',
  location => $location,
  release  => $release,
  repos    => $repos,
}

Debian apt-get will look in both /etc/apt/preferences as well as files in /etc/apt/preferences.d for pinning information. This module will purge /etc/apt/sources.list, but will not touch /etc/apt/preferences.

I have code to address this issue, though there is an underlying issue with 'apt-get upgrade' that requires a valid entry in /etc/apt/preferences to function. An empty file, or a file with a single comment, will throw an error (see Debian bug 641245). It makes the Puppet solution look a little sloppy.

The 50unattended-upgrades file we write is completely incompatible with Wheezy.

It should write

Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,archive=stable,label=Debian-Security";
};

But we get:

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};

Apparently there've been a few changes...

Describe the Bug

For hosts that have no pending updates (neither security, or other), the 'apt_security_updates' fact is not reported.
By comparison, if a host has no pending security updates, but has other updates pending, the 'apt_security_updates' fact is reported with a value of 0

Expected Behavior

The 'apt_security_updates' fact should always be reported, even if there are no updates pending.

Steps to Reproduce

Steps to reproduce the behavior:

1. From any debian-based host, install all pending updates (security and non-security).
2. Force check-in with Puppet server
3. View reported facts on the Puppet server.

Environment

• Module Version 9.0.0
• Agent Platform Ubuntu 20.04 and 22.04

Hello,

simmple code

class { 'apt': }
apt::ppa { 'ppa:sjinks/phalcon': }

fails if you running it on system which packages lists are out of date. This occurs because add-apt-repository used by apt::ppa require to install python-software-properties (or software-properties-common), and if for some reason you didn't run apt-get update long time you will get something like that:

Err http://us.archive.ubuntu.com/ubuntu/ precise-updates/main python-software-properties all 0.82.7.2
  404  Not Found [IP: 91.189.91.15 80]

Probably we need to run apt-get update before this package installed.

The 1.3.0 tag is missing from github, please push it.

Use Case

The apt-key command has been deprecated in Debian testing aka bookworm in favor of storing key files directly into either /etc/apt/trusted.gpg.d/ or /etc/apt/keyrings/ and (in case of the latter) refer to them directly in individual sources.list entries (like [ signed-by=/path/to/file.gpg ].

This also already works in Debian stable aka bullseye (and maybe oldstable/buster) and corresponding Ubuntu versions. So it would be nice to have this in place already before bookworm is released, esp. so as apt-get update will emit warnings for all keys still stored in the /etc/apt/trusted.gpg file.

Describe the Solution You Would Like

apt::key should have options to store keys downloaded as .gpg or .asc files in one of the directories above.

Describe Alternatives You've Considered

Only alternative I see currently is to use a file resource instead of apt::key.

Additional Context

https://manpages.debian.org/testing/apt/apt-key.8.en.html

Describe the Bug

I have set these options:

class { 'apt':
  purge  => {
    'sources.list'   => true,
    'sources.list.d' => true,
  }
}

then I add:

apt::ppa { 'ppa:deadsnakes/ppa': }

the repo name is taken here: deadsnakes-ppa

and every time Puppet runs the repo is added and then it's removed, again and again.

Expected Behavior

it should not purge the repository added through apt::ppa

Steps to Reproduce

see above

Environment

• puppetlabs/apt version: 9.0.0
• puppet agent and server version: 7.xx
• Platform: Ubuntu 20.04

Additional Context

N/A

Can we get a new release to the Forge?

I want to submit a PR adding the ability to exclude some hosts from the apt proxy when a direct connection is needed (acquire::http::proxy::$host DIRECT).

There are two ways I could do it:

1. add a module parameter that takes an array of hosts, enter those in the main proxy configuration file
2. add a boolean parameter to apt::source that drops an additional file in apt.conf.d.

Which of those would you prefer to see?

Describe the Bug

I was recently trying to add a repo for r project, the formatting seems a little different from normal source list files. It was essential for the list file to be formatted as below or it wouldn't allow apt update to run.

deb https://cloud.r-project.org/bin/linux/ubuntu bionic-cran40/

This repo allows the more up to date version of r to be installed.
More info : https://cran.r-project.org/bin/linux/ubuntu/fullREADME.html

Expected Behavior

I was struggling to get the line formatting correct using the manifest script, I tried a few combinations setting bionic-cran40/ as the release and repo as ' ' but this resulted in a formatting failure when the agent checked in. If I left out repo completely, the list file came out as the following:

deb https://cloud.r-project.org/bin/linux/ubuntu bionic-cran40/ main

I had to resort to a file directive which isn't the end of the world, just interested to know what I could have done better here.

Environment

centos 7 puppet master
ubuntu 20.04 / 18.04

At the time of writing this the Modulefile lists the project under the Apache 2.0 license. However the LICENSE file in the base of the project is MIT. Which is it?

When trying to add the CDH4 repository to APT I ran into the following problem:

Using the following

    apt::source {'cdh4':                                                                  
        always_apt_update => true,                                                        
        location => 'http://archive.cloudera.com/cdh4/ubuntu/precise/amd64/cdh',          
        release  => 'precise-cdh4',                                                       
        repos => 'contrib',                                                               
        architecture => 'amd64',                                                          
        include_src => false,                                                             
        key => '02A818DD',                                                                
        key_server => 'keys.gnupg.net'                                                    
    }                                                                                              

Generates /etc/apt/sources.list.d/cdh4.list containing:

# cdh4
deb [arch=amd64]http://archive.cloudera.com/cdh4/ubuntu/precise/amd64/cdh precise-cdh4 contrib

Notice there is a missing space between [arch=amd64] and http:///...

The source of this bug is in the templates/sources.list.erb file which is not adding a space in the optional architecture statement.

Hi,
I have this message when I use Vagrant :

Warning: Variable access via 'name' is deprecated. Use '@name' instead. template[/tmp/vagrant-puppet/modules-0/apt/templates/source.list.erb]:1
(at /tmp/vagrant-puppet/modules-0/apt/templates/source.list.erb:1:in block in result') Warning: Variable access via 'location' is deprecated. Use '@location' instead. template[/tmp/vagrant-puppet/modules-0/apt/templates/source.list.erb]:2 (at /tmp/vagrant-puppet/modules-0/apt/templates/source.list.erb:2:inblock in result')
Warning: Variable access via 'include_src' is deprecated. Use '@include_src' instead. template[/tmp/vagrant-puppet/modules-0/apt/templates/source.list.erb]:3
(at /tmp/vagrant-puppet/modules-0/apt/templates/source.list.erb:3:in block in result') Warning: Not collecting exported resources without storeconfigs Warning: Variable access via 'name' is deprecated. Use '@name' instead. template[/tmp/vagrant-puppet/modules-0/apt/templates/pin.pref.erb]:1 (at /tmp/vagrant-puppet/modules-0/apt/templates/pin.pref.erb:1:inblock in result')
Warning: Variable access via 'explanation' is deprecated. Use '@explanation' instead. template[/tmp/vagrant-puppet/modules-0/apt/templates/pin.pref.erb]:2
(at /tmp/vagrant-puppet/modules-0/apt/templates/pin.pref.erb:2:in block in result') Warning: Variable access via 'packages' is deprecated. Use '@packages' instead. template[/tmp/vagrant-puppet/modules-0/apt/templates/pin.pref.erb]:3 (at /tmp/vagrant-puppet/modules-0/apt/templates/pin.pref.erb:3:inblock in result')
Warning: Variable access via 'pin' is deprecated. Use '@pin' instead. template[/tmp/vagrant-puppet/modules-0/apt/templates/pin.pref.erb]:4
(at /tmp/vagrant-puppet/modules-0/apt/templates/pin.pref.erb:4:in block in result') Warning: Variable access via 'priority' is deprecated. Use '@priority' instead. template[/tmp/vagrant-puppet/modules-0/apt/templates/pin.pref.erb]:5 (at /tmp/vagrant-puppet/modules-0/apt/templates/pin.pref.erb:5:inblock in result')

Use Case

I would like to manage configuration for the Debian snapshot repositories using apt::source, however there is currently no way to add the check-valid-until option at a per-repository granularity. This is required when using the Debian security snapshots, because the Release files specify a Valid-Until date only a short time in the future. For more information about snapshot repositories, see https://snapshot.debian.org/.

From the snapshot documentation (link above):

To access snapshots of suites using Valid-Until that are older than a dozen days, it is necessary to ignore the Valid-Until header within Release files, in order to prevent apt from disregarding snapshot entries ("Release file expired"). Use aptitude -o Acquire::Check-Valid-Until=false update or apt-get -o Acquire::Check-Valid-Until=false update for this purpose.

If you use at least apt version 1.1.exp9 (stretch and later), you can use this instead:

deb     [check-valid-until=no] https://snapshot.debian.org/archive/debian/20091004T111800Z/ lenny main
deb-src [check-valid-until=no] https://snapshot.debian.org/archive/debian/20091004T111800Z/ lenny main
deb     [check-valid-until=no] https://snapshot.debian.org/archive/debian-security/20091004T121501Z/ lenny/updates main
deb-src [check-valid-until=no] https://snapshot.debian.org/archive/debian-security/20091004T121501Z/ lenny/updates main

Whilst I can add a global-level configuration for apt to ignore all Check-Valid-Until dates, I'd prefer to do this at the repository level.

Describe the Solution You Would Like

An additional configuration option for the apt::source module, check_valid_until: Boolean, e.g.

'debian-snapshot':
  location          => 'https://snapshot.debian.org/archive/debian/20220412T025122Z/',
  release           => 'bullseye',
  repos             => 'main',
  check_valid_until => false,
  include  => {
    'deb' => true,
    'src' => false,
  };

Which resolves in an on-disk representation including the [check-valid-until=no] option in the apt.lists.d file.

Describe Alternatives You've Considered

As above, it is possible to set this globally for apt to ignore all Valid-Until dates.

Currently, apt::backports adds the contrib and non-free sources. If the repos are desired, the user should be able to turn them on, but this should not be the default. Only 'main' should be the default.

Sometimes one could define an Exec user globally. This would make add-apt-repository fail because it do not use user root.

We would like to keep the keys in the puppet repo and let the puppet agent fetch it from the fileserver. Example overloading key_source:

apt::key { 'jenkins':
  key        => 'D50582E6',
  key_source => 'puppet:///modules/infrastructure/jenkins.key',
}

Describe the Bug

apt::mark { 'containerd.io': setting => 'hold' }

Expected Behavior

Package should be held (this is a regression)

Steps to Reproduce

Mark any package containing a . in the package name

Environment

• puppet-agent 6.28.0-1jammy
• Ubuntu 22.04

Additional Context

there are some other packages with a . in the name.

For installing mariadb on ubuntu I tried the following resource:

apt::source { 'mariadb':
  location   => 'http://mirror2.hs-esslingen.de/mariadb/repo/5.5/ubuntu',
  release    => 'precise',
  repos      => 'main',
  key        => '0xcbcb082a1bb943db',
  key_server => 'hkp://keyserver.ubuntu.com:80',
}

This fails because the key will be upper cased in key.pp

 $upkey = upcase($key)

I fixed it by using the parameter $key instead. Should I contribute this change? @see janschumann/puppetlabs-apt@9ab5da3

Or can I work around it otherwise?

I'm trying set "apt" module to use aptitude instead apt-get using hiera but I couldn't:

apt::params::provider: "/usr/bin/aptitude"

Other hiera configurations are working fine, as for example:

apt::always_apt_update: true

Describe the Bug

I've configured the apt module to purge all non-managed sources.list and sources.list.d entries. Unfortunately, in combination with apt::ppa resources, this results in Puppet adding the PPA in sources.list.d and removing it again on the next Puppet run.

Expected Behavior

Puppet should not purge sources.list.d entries for apt::ppa resources.

Steps to Reproduce

Steps to reproduce the behavior:

1. Configure purge for sources.list.d
2. Add any PPA using apt::ppa
3. Execute Puppet at least two times. In the second run, it will remove the PPA added in the first run.

Environment

• Version puppetlabs-apt 9.0.0
• Platform Ubuntu 22.04

Describe the Bug

This is a valid PPA name from the MAAS documentation: ppa:maas/3.1 but does not pass the regex validation in ppa.pp due to the . in the version number 3.1.

Found from the docs here: https://maas.io/docs/how-to-install-maas

Expected Behavior

It should pass regex checks and be added as normal

Steps to Reproduce

Steps to reproduce the behavior:
call this resource:

  apt::ppa { "ppa:maas/3.1": }

Environment

This should be effecting all versions

Additional Context

Issue is here: https://github.com/puppetlabs/puppetlabs-apt/blob/main/manifests/ppa.pp#L43

I want to mark some debs in the sources as trusted, this can be done by adding [trusted=yes] to a source line.

My problem here is how to implement it nice. because the [] can also contain other options, like arch.

Right now I've implemented it like this:
changed in templates/source.list.erb:
deb <%= @options %><%= @location %> <%= @release_real %> <%= @repos %>

In manifest/source.pp I've added a trusted parameter and code like this:
case $trusted {
true: { $trust = 'yes' }
false: { $trust = 'no' }
undef: { } # do nothing
default: { fail('Valid values for trusted are true or false') }
}

if $architecture and $trust {
$options = "[arch=$architecture trusted=$trust] "
} elsif $architecture and $trust == undef {
$options = "[arch=$architecture] "
} elsif $architecture == undef and $trust {
$options = "[trusted=$trust] "
}

Is this the way to go? Is there is a better way to do this?

Use Case

I want a class that configures an APT repository to also ensure that apt-get update has run before any dependencies on that class.
This way I can depend on the class that configures the repository without needing to know how this repository is configured.
E.g.:

class mymod::repository {
  if $facts['os']['family'] == 'Debian' {
    apt::source { 'somerepo':
      ...
    }
    contain apt::update
  } else {...}
}

class mymod {
  require mymod::repository # Make sure that the repository is configured and available.
  package { 'somepackage':
    ensure => 'present',
  }
}

This is currently not possible by using contain apt::source because that class is private.
Instead if fails with:

error during compilation: Evaluation Error: Error while evaluating a Function Call, Class apt::update is private

Describe the Solution You Would Like

Since the apt::update class is a documented part of this module, I think it could be marked as public.
That would allow it to be used both through contain and through direct dependencies (require => Class['apt::update']).

Describe Alternatives You've Considered

Two alternatives:

1. Using an anchor: `Class['apt::update'] -> anchor { 'mymod::repository::last' }'. The downside of this is that anchors are deprecated and no longer documented as part of containment.
2. Directly depending on `Class['apt::update'] in the package resource. This only works if the repository configured is always an APT repository

Nevermind, I filed this on the wrong project!

Describe the Bug

With olderversion of apt module this used to work:

    apt::source { 'elastic-7':
      comment  => "Elastic packages 7",
      location => "http://artifacts.elastic.co/packages/7.x/apt",
      release  => 'stable',
      repos    => 'main',
      key      => {
        'id'     => '46095ACC8548582C1A2699A9D27D666CD88E42B4',
        'source' => 'https://artifacts.elastic.co/GPG-KEY-elasticsearch',
        'proxy'  => "http://${::location}-aptcacher-001.mydomain.com:3142/",
      },
      include  => {
        'deb' => true,
      },
    }

Now this timeout:

Error: Could not set 'present' on ensure: execution expired (file: /opt/data/puppet_git/modules/apt/manifests/key.pp, line: 54)
Error: Could not set 'present' on ensure: execution expired (file: /opt/data/puppet_git/modules/apt/manifests/key.pp, line: 54)
Wrapped exception:
execution expired
Error: /Stage[main]/repos::Elastic7/Apt::Source[elastic-7]/Apt::Key[Add key: 46095ACC8548582C1A2699A9D27D666CD88E42B4 from Apt::Source elastic-7]/Apt_key[Add key: 46095ACC8548582C1A2699A9D27D666CD88E42B4 from Apt::Source elastic-7]/ensure: change from 'absent' to 'present' failed: Could not set 'present' on ensure: execution expired (file: /opt/data/puppet_git/modules/apt/manifests/key.pp, line: 54)
Notice: /Stage[main]/repos::Elastic7/Apt::Source[elastic-7]/Apt::Key[Add key: 46095ACC8548582C1A2699A9D27D666CD88E42B4 from Apt::Source elastic-7]/Anchor[apt_key 46095ACC8548582C1A2699A9D27D666CD88E42B4 present]: Dependency Apt_key[Add key: 46095ACC8548582C1A2699A9D27D666CD88E42B4 from Apt::Source elastic-7] has failures: true

Expected Behavior

Be able to provide proxy information when using "source" parameter to key.

Environment

• Version 8.4.0
• Platform ubuntu 20.04

Additional Context

Thw workaround I have for now is to use

      key      => {
        'id'      => '46095ACC8548582C1A2699A9D27D666CD88E42B4',
        'server'  => 'keyserver.ubuntu.com',
        'options' => "http-proxy=\"http://${::location}-aptcacher-001.mydomain.com:3142\"",
      },

But this works only when the key is available in keyserver.ubuntu.com

apt::params looks for $::lsbdistid and $::lsbdistcodename.

If any combination of those values aren't supported, catalog compilation fails with this error: Unsupported osfamily (XXX) or lsbdistid (YYY)

lsbdistcodename should be mentioned instead of osfamily.

Note: This bug is particularly frustrating as a new default clause as been added to the case in apt::params. Having a misleading error message makes debugging harder, especially for existing rspec tests in other modules which are now all suddenly failing.

Those rspec tests might not always inject those facts due to puppetlabs-apt not having a hard requirement on them before ; because OS specific configurations defined in params were only used by apt::backports and apt::ppa.