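package-latest

This rule checks that package managers install software in a controlled, safe manner.

Package manager modules, such as `ansible.builtin.yum`, include a `state` parameter that configures how Ansible installs software. In production environments, set `state` to `present` and specify a target version so that packages are installed at a planned and tested version.

Setting `state` to `latest` not only installs the software, it also performs an update and installs additional packages. This can result in performance degradation or loss of service. If you do want to update packages to the latest version, also set the `update_only` or `only_upgrade` parameter to `true`, depending on the package manager, to avoid installing additional packages.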

Problematic Code

```yaml
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Install Ansible
      ansible.builtin.yum:
        name: ansible
        state: latest # <- Installs the latest package.

    - name: Install Ansible-lint
      ansible.builtin.pip:
        name: ansible-lint
      args:
        state: latest # <- Installs the latest package.

    - name: Install some-package
      ansible.builtin.package:
        name: some-package
        state: latest # <- Installs the latest package.

    - name: Install sudo with update_only to false
      ansible.builtin.yum:
        name: sudo
        state: latest
        update_only: false # <- Updates and installs packages.

    - name: Install sudo with only_upgrade to false
      ansible.builtin.apt:
        name: sudo
        state: latest
        only_upgrade: false # <- Upgrades and installs packages.
```

Correct Code

```yaml
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Install Ansible
      ansible.builtin.yum:
        name: ansible-2.12.7.0
        state: present # <- Pins the version to install with yum.

    - name: Install Ansible-lint
      ansible.builtin.pip:
        name: ansible-lint
      args:
        state: present
        version: 5.4.0 # <- Pins the version to install with pip.

    - name: Install some-package
      ansible.builtin.package:
        name: some-package
        state: present # <- Ensures the package is installed.

    - name: Update sudo with update_only to true
      ansible.builtin.yum:
        name: sudo
        state: latest
        update_only: true # <- Updates but does not install additional packages.

    - name: Install sudo with only_upgrade to true
      ansible.builtin.apt:
        name: sudo
        state: latest
        only_upgrade: true # <- Upgrades but does not install additional packages.
```
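
The decision the rule describes can be sketched as a small check over parsed tasks. This is an added example, not ansible-lint's own implementation: `find_unguarded_latest`, `PACKAGE_MODULES` and `SAMPLE_TASKS` are hypothetical names, the module list is an assumed partial one, and the sample tasks are constructed from the playbooks above as they would look after YAML parsing.

```python
# Simplified sketch of the package-latest check; not ansible-lint's own code.
# PACKAGE_MODULES is an assumed, partial list of package-manager modules.
PACKAGE_MODULES = {
    "ansible.builtin.yum", "ansible.builtin.dnf", "ansible.builtin.apt",
    "ansible.builtin.pip", "ansible.builtin.package",
}


def _is_true(value):
    """YAML booleans arrive as bool; templated values may arrive as strings."""
    return str(value).lower() in ("true", "yes", "on")


def find_unguarded_latest(tasks):
    """Return names of tasks using state: latest without an upgrade-only guard."""
    findings = []
    for task in tasks:
        module = next((key for key in task if key in PACKAGE_MODULES), None)
        if module is None:
            continue
        # Parameters can sit under the module key or under task-level args.
        # Free-form string arguments ("name=x state=latest") are not parsed here.
        module_args = task[module] if isinstance(task[module], dict) else {}
        params = {**(task.get("args") or {}), **module_args}
        if params.get("state") != "latest":
            continue
        if _is_true(params.get("update_only")) or _is_true(params.get("only_upgrade")):
            continue
        findings.append(task.get("name", "<unnamed>"))
    return findings


# Constructed sample: tasks from the page as they look after YAML parsing.
SAMPLE_TASKS = [
    {"name": "Install Ansible",
     "ansible.builtin.yum": {"name": "ansible", "state": "latest"}},
    {"name": "Install Ansible-lint",
     "ansible.builtin.pip": {"name": "ansible-lint"}, "args": {"state": "latest"}},
    {"name": "Install sudo with update_only to false",
     "ansible.builtin.yum": {"name": "sudo", "state": "latest", "update_only": False}},
    {"name": "Update sudo with update_only to true",
     "ansible.builtin.yum": {"name": "sudo", "state": "latest", "update_only": True}},
    {"name": "Install sudo with only_upgrade to true",
     "ansible.builtin.apt": {"name": "sudo", "state": "latest", "only_upgrade": True}},
    {"name": "Install pinned Ansible",
     "ansible.builtin.yum": {"name": "ansible-2.12.7.0", "state": "present"}},
]

if __name__ == "__main__":
    print(find_unguarded_latest(SAMPLE_TASKS))
```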