Check if no packages are left unupgraded
We sometimes stumbled on cases where a package was left unupgraded and led to malfunctions. This can happen e.g. for packages we fetch (via APT pinning) from Debian testing, that get new dependencies that can't be resolved under the constraints of our current APT pinning.
Our current notification system does not report if packages are left in this state. We should implement such a check in our monitoring infra.
apt-show-versions might help.
This task requires a bit of shell (or whatever) scripting knowledge, and reading the documentation about adding new Icinga2 checks in our infrastructure. The Puppet part can be handled by our sysadmin team if this is a blocker for a contributor to work on that ticket. Ideally the check script could be used/tested independently from Icinga2.
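One way to implement such a check, as an added example for this ticket and not Tails' own code: a Nagios/Icinga2-style plugin that runs a simulated upgrade and parses the "kept back" section of the apt-get output. The script name check_apt_kept_back, the exit codes (0 OK, 2 CRITICAL, 3 UNKNOWN, per the Nagios plugin convention) and the sample apt-get transcripts are all mine; the samples are constructed, not captured from a real host.

```shell
#!/bin/sh
# check_apt_kept_back: Icinga2/Nagios-style check for packages that APT leaves
# unupgraded ("kept back"). Added example for this ticket, not Tails' own code.
# Exit codes follow the Nagios plugin convention (assumption for this example):
#   0 OK, 2 CRITICAL (something is kept back), 3 UNKNOWN (apt-get itself failed).

# Extract, from `apt-get -s upgrade` output on stdin, the package names listed
# under "The following packages have been kept back:". apt indents the names
# with spaces; the next unindented line ends the list.
kept_back_from_apt_output() {
    awk '
        /^The following packages have been kept back:/ { collecting = 1; next }
        collecting && /^ / { for (i = 1; i <= NF; i++) print $i; next }
        /^[^ ]/ { collecting = 0 }
    '
}

# Turn a whole apt-get transcript into a one-line status and a plugin exit code.
# Kept separate from the apt-get call so it can be exercised on canned output.
evaluate_apt_output() {
    kept=$(printf '%s\n' "$1" | kept_back_from_apt_output | sort -u | paste -s -d ' ' -)
    if [ -n "$kept" ]; then
        echo "CRITICAL: packages kept back by APT: $kept"
        return 2
    fi
    echo "OK: no packages kept back"
    return 0
}

# Simulate an upgrade without touching the system and without taking the APT
# lock (Debug::NoLocking=1), so the check can run as an unprivileged user even
# while a real apt run is in progress. LC_ALL=C keeps the messages parseable.
check_kept_back() {
    output=$(LC_ALL=C apt-get -q -s -o Debug::NoLocking=1 upgrade 2>&1) || {
        echo "UNKNOWN: apt-get -s upgrade failed: $(printf '%s' "$output" | tail -n 1)"
        return 3
    }
    evaluate_apt_output "$output"
}

# Constructed samples of apt-get -s upgrade output (not captured from a real
# host), for exercising the parser offline.
SAMPLE_KEPT_BACK='Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following packages have been kept back:
  letsencrypt python-letsencrypt
  python-acme
The following packages will be upgraded:
  ca-certificates tzdata
2 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.'

SAMPLE_CLEAN='Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.'

# Run the real check only when invoked under the plugin name, so that sourcing
# the file (e.g. from a test) does not call apt-get.
case "$0" in
    *check_apt_kept_back*) check_kept_back; exit $? ;;
esac
```

Two caveats when deploying it: the simulation only sees what the last apt-get update fetched, so schedule the check after the update step; and packages put on hold with apt-mark hold are also reported as kept back, so if holds are used deliberately, filter out the output of apt-mark showhold before alerting.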
Test case (untested, sorry, but at least this should convey what the problem looks like in practice):
- enter a clean, throw-away Jessie VM or chroot
- add to APT sources an old jessie-backports that had python-letsencrypt 0.5 (e.g. snapshot.debian.org around 2016-04-21)
- configure APT pinning so that packages from jessie-backports have priority -1 by default
- configure APT pinning so that letsencrypt and any package it needs to pull from jessie-backports have priority 500
- apt install letsencrypt => this should install version 0.5
- update the jessie-backports APT source to point to the current one
- apt upgrade => this will probably not manage to upgrade letsencrypt, as the newly available one has new dependencies from jessie-backports, that the default -1 pinning doesn't allow
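The pinning the test case describes, written out as an /etc/apt/preferences.d snippet. This is an added illustration, not configuration from the ticket or from Tails; the package names in the second stanza (python-letsencrypt and python-acme as the packages letsencrypt 0.5 pulls from jessie-backports) are an assumption, to be adjusted to what apt-cache policy shows on the box.

```text
# Default: nothing from jessie-backports is installable (priority -1), even if
# newer than what is installed.
Package: *
Pin: release n=jessie-backports
Pin-Priority: -1

# Exception: the packages we deliberately take from jessie-backports, at the
# same priority as the main suite (500). Assumed package list for this example.
Package: letsencrypt python-letsencrypt python-acme
Pin: release n=jessie-backports
Pin-Priority: 500
```

After the backports source moves on, a new dependency that is not in the second stanza stays at -1, which is exactly why apt upgrade keeps letsencrypt back; apt-cache policy on the new dependency shows the -1 and confirms the diagnosis.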
- Blocks #13232 (closed)