Open mbargull opened 3 weeks ago
My fault, it didn't occur to me that on a fresh host the freeipa installation runs after the ntp role and breaks it. Sorry!
Both suggestions sound reasonable.
My fault, it didn't occur to me that on a fresh host the freeipa installation runs after the ntp role and breaks it. Sorry!
No worries!
I tried the hold/pin stuff out in 22.04
and 24.04
containers.
dpkg --set-selections
doesn't like it if listed packages are not installed (apt-mark hold
work, though).
We could just go with the pinning file to also be a bit more stern about not installing the packages.For 24.04
we do have a problem though:
Recent Debian/Ubuntu freeipa-client
packages mark systemd-timesyncd
as conflicting, see:
So, when we'll do a 24.04 upgrade, we'll need to adjust this again.
E.g., by switching to chrony
-- but I haven't yet looked into which parts need to be adjusted to have that one working.
So, since we might do change it go the other way around and install chrony
instead of preventing its installation, I'd say, for now let's only go with the --no-install-recommends
option and revisit possible pinnings later.
While declaring the timesyncd package conflicting for freeipa-client altogether seems rather ham-fisted, I agree it would be better for us to just switch to chrony.
Thank you Marcel for diving into this!
@johanneskoester reported non-synced times on some nodes.
Taking a look at it, I noticed that we have
chrony
instead ofsystemd-timesyncd
running. We apparently do haveto make sure
systemd-timesyncd
is set up. But we also havewhich brings in
chrony
as a "recommended" dependency offreeipa-client
.A couple of things we could do:
freeipa-client
without recommended packages ( https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_module.html#parameter-install_recommends ) in case it's appropriate.ntpclient
role do things likeprintf '%s hold\n' ntp chrony | dpkg --set-selections
orprintf '\nPackage: %s\nPin: release *\nPin-Priority: -1\n' chrony ntp > /etc/apt/preferences.d/pin-no-chrony-ntp
. AFAICT, the former could be done via https://docs.ansible.com/ansible/latest/collections/ansible/builtin/dpkg_selections_module.html#ansible-collections-ansible-builtin-dpkg-selections-module instead of doing it "manually".Just going for 1. is of course not sufficient to prevent the observed failure, so 2. (or something equivalent) should be done in any case and 1. is an optional thing we might consider.