Add a task that manages held packages on deb systems.

2026-02-26 15:46:29 +01:00 · 2026-02-26 15:46:29 +01:00 · 3e824a6cea
parent 76eab10a4f
commit 3e824a6cea
4 changed files with 78 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -28,6 +28,7 @@ Tasks run in the following order:

 | Task File | Description | Condition |
 | --------- | ----------- | --------- |
+| `apt-hold.yml` | Sets or releases dpkg hold on a list of packages (Debian/Ubuntu only) | `apt_hold_packages` non-empty |
 | `http_client_proxy.yml` | Configures system-wide HTTP/HTTPS proxy environment variables | `enable_env_proxy` |
 | `ansible-python3-pkgs.yml` | Installs Python 3 packages required by Ansible modules | always |
 | `hostname.yml` | Sets the system hostname from inventory | `explicitly_set_hostname` |
@ -61,6 +62,39 @@ Tasks run in the following order:

 ## Role Variables

+### Package Hold Management (Debian/Ubuntu only)
+
+Prevents APT from upgrading (or removing) specific packages by placing them on
+dpkg hold. Any package in the list that is not known to dpkg is skipped with a
+warning rather than causing the play to fail.
+
+```yaml
+# List of packages to manage. Empty list → tasks are a no-op.
+apt_hold_packages: []
+
+# true  → put packages on hold (default)
+# false → release hold (dpkg selection reset to 'install')
+apt_hold_set: true
+```
+
+Example — hold the running kernel packages:
+
+```yaml
+apt_hold_packages:
+  - linux-image-generic
+  - linux-headers-generic
+apt_hold_set: true
+```
+
+Example — release the hold later:
+
+```yaml
+apt_hold_packages:
+  - linux-image-generic
+  - linux-headers-generic
+apt_hold_set: false
+```
+
 ### Timezone and Locale

 ```yaml
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,4 +1,14 @@
 ---
+
+#
+# Package hold management (Debian/Ubuntu only)
+#
+# List of packages to hold or unhold. Tasks are skipped for any package not
+# known to dpkg; a warning is printed instead.
+apt_hold_packages: []
+# When true, packages are put on hold; when false, hold is removed (set to install).
+apt_hold_set: true
+
 # timezone
 timezone: Europe/Rome
 default_locale_lang: en_US.UTF-8
--- a/tasks/apt-hold.yml
+++ b/tasks/apt-hold.yml
@ -0,0 +1,31 @@
+---
+- name: apt-hold | Manage package hold status on Debian/Ubuntu
+  when:
+    - ansible_distribution_file_variety == "Debian"
+    - apt_hold_packages | length > 0
+  tags: apt_hold
+  block:
+    - name: apt-hold | Check which packages are known to dpkg
+      ansible.builtin.command:
+        cmd: "dpkg-query -W {{ item }}"
+      loop: "{{ apt_hold_packages }}"
+      register: apt_hold_pkg_check
+      changed_when: false
+      failed_when: false
+
+    - name: apt-hold | Warn about packages not known to dpkg
+      ansible.builtin.debug:
+        msg: "WARNING: Package '{{ item.item }}' is not known to dpkg and will be skipped"
+      loop: "{{ apt_hold_pkg_check.results }}"
+      when: item.rc != 0
+      loop_control:
+        label: "{{ item.item }}"
+
+    - name: apt-hold | Apply hold status to known packages
+      ansible.builtin.dpkg_selections:
+        name: "{{ item.item }}"
+        selection: "{{ 'hold' if apt_hold_set else 'install' }}"
+      loop: "{{ apt_hold_pkg_check.results }}"
+      when: item.rc == 0
+      loop_control:
+        label: "{{ item.item }}"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,4 +1,7 @@
 ---
+- name: Manage package hold status on deb systems
+  ansible.builtin.import_tasks: apt-hold.yml
+
 - name: HTTP client proxy
  ansible.builtin.import_tasks: http_client_proxy.yml