Installing gettext from Xenial repos is dangerous and can break the system #3636

Closed
heartsucker opened this issue Jul 13, 2018 · 4 comments · Fixed by #4348

@heartsucker
Contributor

heartsucker commented Jul 13, 2018

Description

If the playbook breaks during install_files/ansible-base/roles/app-test/tasks/modern_gettext.yml and has not yet removed the xenial apt repo, the next run of the playbook will get things horribly out of sync, possibly destroying a system.

Steps to Reproduce

Change install_files/ansible-base/roles/app-test/tasks/modern_gettext.yml to this:

---
#
# This can be removed when VM against which this is run are more
# recent than trusty
#
- name: Add gettext xenial apt repository
  apt_repository:
    repo: deb http://archive.ubuntu.com/ubuntu/ xenial main
    state: present
    update_cache: yes 
  tags:
    - apt

- name: Install modern gettext
  apt:
    name: gettext
    state: latest
  tags:
    - apt

- fail:
    msg: "I am dead"

- name: Remove gettext xenial apt repository
  apt_repository:
    repo: deb http://archive.ubuntu.com/ubuntu/ xenial main
    state: absent
    update_cache: yes 
  tags:
    - apt

Then re-run the playbook. Watch the sadness.

Expected Behavior

The playbook failing midway through should not ruin the system.

Actual Behavior

It does.

Comments

Add a conditional to prevent this from erroring out until after the apt repo has been removed. But really this is dangerous and we shouldn't be doing it because a ctrl-C in the middle wouldn't let the clean up task run and that's Very Bad.

@emkll
Contributor

emkll commented Jul 13, 2018

Apt pinning [0] might also be a solution for this issue.

[0] : https://help.ubuntu.com/community/PinningHowto

@conorsch
Contributor

It's worth noting that the app-test logic in question is only run against "staging" VMs for developers—never against a production install maintained by a SecureDrop Administrator. Given that any problems affect developers exclusively, I'm inclined to focus on the Xenial transition (#3204), in which case we can simply use Xenial repos across the board.

@heartsucker have you actually observed such a failure, or is the situation you describe as yet a hypothetical one? If observed, we could use a try/except approach to recover in the gettext task list, and ensure the Xenial repo files are missing.
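
The try/except approach suggested in the comment above maps onto Ansible's `block`/`always`. The task list below is an added example, not part of the original thread or the SecureDrop code base; it reuses the task names and repo line from the issue, and the leading stale-repo task is an assumption added to cover a run that was interrupted before cleanup:

```yaml
---
# Added example (not the project's own code).
# Self-heal first: if an earlier run was killed before cleanup (ctrl-C,
# lost SSH session), drop the leftover xenial entry before apt is used.
- name: Remove stale gettext xenial apt repository from an interrupted run
  apt_repository:
    repo: deb http://archive.ubuntu.com/ubuntu/ xenial main
    state: absent
    update_cache: yes
  tags:
    - apt

- name: Install modern gettext with guaranteed repo cleanup
  block:
    - name: Add gettext xenial apt repository
      apt_repository:
        repo: deb http://archive.ubuntu.com/ubuntu/ xenial main
        state: present
        update_cache: yes

    - name: Install modern gettext
      apt:
        name: gettext
        state: latest

  # Runs whether the block succeeded or failed; a failure inside the
  # block still fails the host after this cleanup has completed.
  always:
    - name: Remove gettext xenial apt repository
      apt_repository:
        repo: deb http://archive.ubuntu.com/ubuntu/ xenial main
        state: absent
        update_cache: yes
  tags:
    - apt
```

`always` only covers task failures: if the Ansible process itself is interrupted, nothing runs, so the stale-repo task helps only when it executes before any other apt task in the next run.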

@heartsucker
Contributor Author

This just happened to me in dev. See the chat for me getting weird 404's from the apt.freedom.press repo because it carried over between runs. Also yes, I forgot this only runs in dev, so it's significantly less critical than I thought. Transitioning to Xenial makes way more sense.

@conorsch
Contributor

Thanks for clarifying, @heartsucker! Let's keep this open and use it to track reoccurrences. Even if it's dev-only, if it's causing a lot of friction, may be worth addressing in a future sprint.
