Add package lock feature (#12)

.talismanrc

@@ -1,8 +1,6 @@
 fileignoreconfig:
   - filename: poetry.lock
     ignore_detectors: [filecontent]
-  - filename: Makefile
-    ignore_detectors: [filecontent]
   - filename: .github/workflows/release.yml
     ignore_detectors: [filecontent]
   - filename: templates/systemd.service.j2

defaults/main.yml

@@ -3,11 +3,14 @@ mongos_package_name:
   - mongodb-org-server
   - mongodb-org-mongos
   - mongodb-mongosh
+  - python3-pymongo
+  - python3-gnupg
   - pkg-config
 mongos_package_state: present
 mongos_service_name: mongos
 mongos_service_port: 27017
 mongos_service_state: started
+mongos_service_manage: true
 mongos_service_enabled: "{{ mongos_service_state != 'stopped' }}"
 mongos_config_file: /etc/mongos.yaml
 mongos_config_verbosity: 2

molecule/hold/converge.yml

@@ -0,0 +1,40 @@
+---
+- name: Deploy mongodb mongos servers
+  hosts: mongos
+  become: true
+  roles:
+    - nephelaiio.mongos
+  pre_tasks:
+    - name: Query package versions
+      ansible.builtin.shell:
+        cmd: "apt-cache madison {{ item }} | awk -F'|' '{ print $2 }'"
+      loop: "{{ mongos_package_name }}"
+      register: _mongos_package_query
+      changed_when: false
+
+    - name: Initialize package versions
+      ansible.builtin.set_fact:
+        mongos_package_name: []
+
+    - name: Verify target package versions
+      ansible.builtin.fail:
+        msg: "{{ _package }} has no installation candidate: {{ item }}"
+      vars:
+        _stdout: "{{ item.stdout_lines }}"
+        _package: "{{ item.item }}"
+      loop_control:
+        label: "{{ item.item }}"
+      loop: "{{ _mongos_package_query.results }}"
+      when: _stdout | length == 0
+
+    - name: Set target package versions
+      ansible.builtin.set_fact:
+        mongos_package_name: "{{ mongos_package_name + [_package] }}"
+      vars:
+        _stdout: "{{ item.stdout_lines }}"
+        _multiple: "{{ _stdout | length > 1 }}"
+        _version: "{{ _stdout[0] if not _multiple else _stdout[1] }}"
+        _package: "{{ item.item }}={{ _version | trim }}"
+      loop_control:
+        label: "{{ item.item }}"
+      loop: "{{ _mongos_package_query.results }}"

molecule/hold/molecule.yml

@@ -0,0 +1,64 @@
+---
+dependency:
+  name: galaxy
+  options:
+    role-file: requirements.yml
+    requirements-file: requirements.yml
+driver:
+  name: docker
+platforms:
+  - name: mongos-hold-mongos01
+    image: "geerlingguy/docker-${MOLECULE_DOCKER_IMAGE:-ubuntu2004}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    cgroupns_mode: host
+    privileged: true
+    pre_build_image: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    tmpfs:
+      - /tmp
+      - /opt
+    groups:
+      - mongos
+  - name: mongos-hold-mongos02
+    image: "geerlingguy/docker-${MOLECULE_DOCKER_IMAGE:-ubuntu2004}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    cgroupns_mode: host
+    privileged: true
+    pre_build_image: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    tmpfs:
+      - /tmp
+      - /opt
+    groups:
+      - mongos
+provisioner:
+  name: ansible
+  inventory:
+    hosts:
+      all:
+        vars:
+          mongos_service_name: mongos
+          mongos_service_manage: false
+          mongos_service_restart: false
+          mongos_replicaset_config_name: config
+          mongos_replicaset_shard_name: shard
+          mongodb_shell: mongosh
+          mongos_package_name:
+            - mongodb-org-server
+            - mongodb-org-mongos
+            - mongodb-mongosh
+            - pkg-config
+scenario:
+  converge_sequence:
+    - converge
+  test_sequence:
+    - destroy
+    - dependency
+    - create
+    - prepare
+    - converge
+    - verify
+verifier:
+  name: ansible

molecule/hold/prepare.yml

@@ -0,0 +1,12 @@
+---
+- name: Prepare mongos servers
+  hosts: mongos
+  become: true
+  roles:
+    - nephelaiio.mongodb_repo
+  pre_tasks:
+    - name: Update apt package cache
+      ansible.builtin.apt:
+        update_cache: yes
+      when: ansible_os_family == 'Debian'
+      changed_when: false

molecule/hold/verify.yml

@@ -0,0 +1,40 @@
+---
+- name: Verify mongos deployment
+  hosts: mongos
+  become: true
+  tasks:
+    - name: Query package versions
+      ansible.builtin.shell:
+        cmd: "apt-cache madison {{ item }} | awk -F'|' '{ print $2 }'"
+      loop: "{{ mongos_package_name }}"
+      register: _mongos_package_query
+      changed_when: false
+
+    - name: Initialize package versions
+      ansible.builtin.set_fact:
+        mongos_package_name: []
+
+    - name: Set target package versions
+      ansible.builtin.set_fact:
+        mongos_package_name: "{{ mongos_package_name + [_package] }}"
+      vars:
+        _stdout: "{{ item.stdout_lines }}"
+        _multiple: "{{ _stdout | length > 1 }}"
+        _version: "{{ _stdout[0] if not _multiple else _stdout[1] }}"
+        _package: "{{ item.item }}={{ _version | trim }}"
+      loop_control:
+        label: "{{ item.item }}"
+      loop: "{{ _mongos_package_query.results }}"
+
+    - name: Gather package facts
+      ansible.builtin.package_facts:
+
+    - name: Verify package versions
+      ansible.builtin.fail:
+        msg: "Expected installed version for package {{ _package }} to be {{ _version }}, found {{ _installed }}"
+      vars:
+        _package: "{{ item.split('=') | first }}"
+        _version: "{{ item.split('=') | last }}"
+        _installed: "{{ (packages[_package] | default([{'version': 'None'}]))[0].version }}"
+      loop: "{{ mongos_package_name }}"
+      when: _package not in packages or _version != _installed

tasks/lock.yml

@@ -0,0 +1,12 @@
+---
+- name: Configure apt package holds
+  ansible.builtin.dpkg_selections:
+    name: "{{ item.split('=') | first }}"
+    selection: "{{ _lock_state }}"
+  vars:
+    _version_regex: ".*=.*"
+    _package_versions: "{{ [mongos_package_name] | flatten | map('regex_search', _version_regex) }}"
+    _package_holds: "{{ _package_versions | select('string') }}"
+  loop: "{{ _package_holds }}"
+  when: ansible_os_family == "Debian"
+  changed_when: false

tasks/main.yml

@@ -1,4 +1,9 @@
 ---
+- name: Release apt package holds
+  ansible.builtin.include_tasks: lock.yml
+  vars:
+    _lock_state: hold
+
 - name: Install packages
   ansible.builtin.package:
     name: "{{ mongos_package_name }}"
@@ -22,13 +27,9 @@
   register: _mongos_query
   changed_when: false
 
-- name: Verify configuration cluster members
-  ansible.builtin.fail:
-    msg: "Configuration cluster member set cannot be empty"
-  when: mongos_replicaset_config_members | length == 0
-
 - name: Include configuration tasks
   ansible.builtin.include_tasks: config.yml
+  when: mongos_replicaset_config_members | length > 0
 
 - name: Create systemd configuration
   ansible.builtin.template:
@@ -66,3 +67,9 @@
 
 - name: Include service tasks
   ansible.builtin.include_tasks: service.yml
+  when: mongos_service_manage
+
+- name: Configure apt package holds
+  ansible.builtin.include_tasks: lock.yml
+  vars:
+    _lock_state: install