-
Notifications
You must be signed in to change notification settings - Fork 2.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add apt datasource #3722
Comments
Debian API documentation: https://sources.debian.org/doc/api/ I'm surprised/concerned though by how few versions are available for some common packages I've checked, e.g. https://sources.debian.org/api/src/curl/ |
apt package versions can and will, at times, differ based on the different debian-based distributions(debian/ubuntu/linux mint/etc) and release versions(Debian wheezy/jessie/stretch, Ubuntu xenial/bionic/disco).
It would be a pain to take into consideration all of the various distros, so for this yeah, it could just use the debian.org packages but I don't know how reliable or safe that would be. using packages from Also, I know from experience that updating packages from |
Is there any safe “default” we can use to begin with? Eg default to latest Debian LTS? |
Defaulting to the latest release implies that we're sure that that's what the given software repo will be running on, but we can't be totally sure of that really.. i think this apt thing would work only in those cases where the official release name is specified somewhere. that's just my thought on this. hope i can be proven wrong. |
Csn you help me understand?
|
I'm not aware of any rest-based (or otherwise) API to determine this. Most systems have multiple repositories defined for package management. On each 'update' command, the tooling downloads a big index file from each repository. It then looks for the 'newest' version of a particular package across all repos to determine what might get installed. It get further complicated by internal repo mirrors set up at organizations which may have 'approved' versions of packages, even if there is a newer on upstream. For my own use cases, I would be happy with allowing me to set what endpoint to check. Though, even in this scenario, there will be the potential for a lot of file downloading and parsing. |
Hi @joerocklin thanks for the info. I guess this corresponds with what I experience when I use |
I just came to the GitHub issues to ask about support for Debian package versions, so it was great to see that this is already being discussed! I'm using Debian stretch for my Docker images. Sorry for the long comment, but I thought I would add some context about what I'm currently doing, and how this could be improved with RenovateBot! Context:I have a base Docker image with system packages, and this is used for both the CI builds on GitLab CI, and my app images when I deploy. I always run I also run a few scheduled tasks. I have a daily CI build that updates all system packages and ensures that the build is still passing. I also have a scheduled task that runs Another issue: My build started failing with the latest Google Chrome update. The latest version of I'm not sure how the versions could be managed in my git repo. I wasn't sure if apt has some kind of "Packagefile", or a "lock file" for versions. But I found
Maybe RenovateBot could manage an Or we could come up with a new P.S. Congrats on the acquisition by WhiteSource, that's awesome news! |
Thanks for the kind words and extensive description, @ndbroadbent. The way people have "non-reproducible builds" today by apt-get installing open-versioned packages seems risky to me. Everyone does it including this project in its Re: managing apt-get versions in a repo, I actually had a more simple idea in mind initially, but perhaps you can tell me if it's too simple. Renovate already has a concept of "pinning" dependencies. e.g. if your So my idea was to start by looking for cases of |
I found this StackOverflow Q&A that explains more about Debian's philosophy for removing previous versions of packages. So I think the problem with I also have some more complex requirements (e.g. a custom DSL for some Dockerfiles, and passing in versions as build args). But I could let RenovateBot manage a dummy Another use-case: I had to downgrade Chromium to version 76, because the latest version of 78 was crashing and breaking my tests. Here's how I'm currently installing chromium version
This installs the current version of chromium and all the dependencies. Then downgrades to the older package version from It would be awesome if RenovateBot could create a PR where it pushes new versions of chromium until the CI build is stable again. But I don't know if that would be possible, since I had to jump through a lot of hoops to install the older version. Maybe the solution is to use a different OS or different package manager that has better support for older package versions. Maybe NixOS and the Nix package manager. |
@ppmathis do you think your repology datasource now satisfies this? |
This specific issue could indeed be solved by using the new repology datasource. While I am mostly working with Alpine packages, Repology supports all kinds of OS repositories. As Debian unfortunately does not keep old package versions, a Dockerfile with outdated package versions immediately breaks. As I was struggling with the same issue on Alpine, I've decided to configure Renovate to group all OS package upgrades together, as this will guarantee that status checks may still pass when multiple dependencies are outdated. First of all, you have to configure a regex manager to parse version environment variables within your Dockerfile, e.g.: {
"regexManagers": [
{
"fileMatch": [
"(^|/)Dockerfile$"
],
"matchStrings": [
"#\\s*renovate:\\s*datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\sENV .*?_VERSION=\"?(?<currentValue>.*?)\"?\\s"
],
"versioningTemplate": "{{#if versioning}}{{versioning}}{{else}}semver{{/if}}"
}
]
} Then you may configure a package rule for grouping all OS package upgrades together to avoid CI failure when multiple packages are out of date, as this will allow Renovate to upgrade these dependencies in one shot. Please note that you may have to change/adjust the package patterns based on your needs, as the example would match all dependencies named {
"packageRules": [
{
"datasources": [
"repology"
],
"packagePatterns": [
"^debian_stable/"
],
"separateMajorMinor": false,
"groupName": "debian packages",
"groupSlug": "debian"
}
]
} After that has been done, you may start adding environment variables to your Dockerfile which contain the package version and annotate them using comments, which the regex manager will end up parsing: # renovate: datasource=repology depName=debian_stable/make-dfsg versioning=loose
ENV MAKE_VERSION="4.2.0"
# renovate: datasource=repology depName=debian_stable/libssl-dev versioning=loose
ENV LIBSSL_DEV_VERSION="1.1.1c-0+deb10u3" The examples above will look for the newest version of Please note that in case of Debian, it is usually recommended to specify the source package name as Last but not least, you may find a example of the above instructions (contains both Debian and CentOS, although only the first is relevant here) at snapserv/renovate-test. You may also take a look at this PR to see how these grouped package updates show up. If you want to see a more advanced example, you may take a look at this repository. While it is using Alpine, you can see how it uses regex managers to keep all dependencies of the image up-to-date. Given that these regex managers can be used in any kind of file, this should even support some complex scenarios as mentioned by @ndbroadbent with a custom DSL for Dockerfiles, as it does not really matter where those version numbers are stored after all. It will not help in super complicated cases where snapshotted version archives and custom repositories are required, but it should solve common use cases like keeping a Dockerfile with sanely pinned APT packages updated. |
I'm having a similar situation, but using an Ubuntu base docker image (20.04).
But what package would I then put as depName? Are there alternative renovate datasources I can use for Ubuntu? |
Ah, nevermind. Found a workaround:
|
What would you like Renovate to be able to do?
Retrieve versions of
apt
packagesAdditional context
Would be used for things like #3720
The text was updated successfully, but these errors were encountered: