Update MariaDB repo and key for Xenial #659
Conversation
|
Good catch on this. One issue is that Trellis currently works on both Trusty and Xenial (as far as I know). We should definitely encourage and even require Xenial for new installs, but someone can re-provision an existing Trusty server right now without breaking anything. With this PR as it is, it would update MariaDB to Xenial which might break Trusty? Maybe we have to conditionally set those default variables based on Ubuntu version? |
|
Without looking I'm 90% sure I worked that in. It only runs the repo update On Sep 28, 2016 6:43 PM, "Scott Walkinshaw" notifications@github.com
|
|
Yeah, just took a look.
I'm running this on the step that changes the repo out and all the following steps related to upgrading all only when this step runs, so it should be 100% safe on Trusty setups because it simply will skip all my additions. Although it would probably be more elegant to set the repos based on your version of Ubuntu, I can make that change if you feel like it's better for long term support even past Xenial. |
|
Oops, I did kind of gloss over that. I was also worried about the task above it: - name: Add MariaDB MySQL apt-key
apt_key:
url: "http://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search={{ mariadb_keyserver_fingerprint }}"
state: presentSince |
|
Good call on that. I'm gonna switch this around a bit and make it so it will be distribution dependent the whole way through. Add the keys and repo for trusty if you are on trusty, add the keys and repo for xenial if you are running that, and also upgrade from trusty to xenial if you are running the old trusty keys and repo on xenial. I'll commit the changes here and comment back when it's done. |
MariaDB was still using the repo and signing keys for Trusty which was also using weak digest algorithm (SHA 1). This is safe to run on existing installs because it will detect if you have the Trusty apt repo currently configured, conditionally remove those lines, conditionally upgrade mariadb-client mariadb-server to the correct version but only if you had the Trusty repo previously configured so it won't upgrade those packages on every run.
|
Ok, so I added a check for the key based on which distribution and also for the repo to configure just using the ansible distribution variable instead of having a variable for it, to avoid confusion. Also just hard coding the old trusty key as the important part is having the key for Xenial editable. |
|
I've been dealing with some related issues, and wanted to note that MariaDB is available in Trusty Tahr 14.04 onwards - the first two tasks in |
|
Seems the the versions are a match on the packages I checked. I guess at this point it's more about who you want maintaining your packages and updates for MariaDB and its deps. Keep it as is Remove the repo completely (would probably just need to add a step for existing installs that removes the MariaDB repo and runs apt-get update, also side note would need tested to make sure after update and upgrade nothing breaks) Thoughts on the subject? |
|
I'd lean towards just using the official Ubuntu package now. Unless we have a good reason not to, it's usually a good thing to default to that. Even that page says:
|
|
mariadb_binary_logging_disabled: true from roles/mariadb/defaults/main.yml |
|
agree with @swalkinshaw - keeps the code DRYer too |
|
@RiFi2k are you still able to take care of this, or want us to finish it? |
|
Oops, my fault for going MIA on you. I can for sure finish this up, but not thinking I got rid of my fork, doh! Did some research and even re-forking and pulling this pull request into the new fork won't let me make an update. I don't know if you care about losing this conversation if I had to submit a new pull request with the fix, also I'm quite sure you don't want this orphaned pull request hanging out just so it can be linked to the new one either. Then I saw the File System & Backups protocol from that Github blog so I already put in a support request to have it restored into my account. I would assume they would be able to take care of restoring it for me quickly and right after they do I'll shoot an update. |
|
@RiFi2k don't worry about this PR. You can just create a new one if you need to and reference this one. Thanks 👍 |
MariaDB was still using the repo and signing keys for Trusty which was also using weak digest algorithm (SHA 1) you can see this when you run
apt-get updatecurrently.This change should cover all the bases and be non-breaking on existing installs as well as work as it currently does in relation to remote database setups.
mariadb-clientbut if you have local databases then it will updatemariadb-serveras well.You can easily test this by spinning up a VM as the role stands currently. Then switch to this new branch and re-provision and you will see it gracefully updates everything. Then run it again and you will see that it doesn't try updating MariaDB packages again.