Deb.sury.org or groovy-updates,groovy-security?

While doing updates and applying latest trellis on a provisioned staging system (before applying on production),
the php7.4-bcmath package failed to install, as it conflicted with other installed dependencies.
Most of the PHP-related packages on staging (including dependencies like libargon2-1; libpcre2-8-0/now; libpcre3/now and libzstd1/now) were installed from the deb.sury.org repository.
But the new PHP-related packages to be installed, in this case php7.4-bcmath, should be installed from the groovy-updates,groovy-security repository instead, with slightly differing versions (hence the conflict).

From what I understand, Trellis used deb.sury.org for newer PHP packages than upstream for some time, and now it has switched to the Ubuntu upstream packages instead. Or the addition of a backport/update Ubuntu repository could have caused this issue, where multiple repositories now offer the same packages in different versions.

The issue can be resolved by removing all packages from the deb.sury.org repository and re-applying the Trellis playbook to re-install these packages (and dependencies) from the now preferred repository (groovy-updates,groovy-security) instead - this can cause some downtime though.

What repository are the packages of your system (staging or production) installed from?
When you run apt list --installed | grep sury - do you get any packages, only on older Trellis or also on most recent Trellis systems?

I believe Trellis always installs PHP from https://deb.sury.org/.
See: https://github.com/roots/trellis/blame/b6fde51906a5a8a6fad2860a8db585c7a0c4ae1a/roles/php/tasks/main.yml#L4

Perhaps you confused it with the open https://github.com/roots/trellis/pull/1214?

So I re-applied the latest Trellis on a base Ubuntu system (ansible-playbook server.yml -e env=staging or ansible-playbook server.yml -e env=staging --tags=php) and I noticed that
there are no packages installed from the external PPA repository afterwards. Here is the list of installed php* packages:

php-common/groovy,now 2:76 all [installed,automatic]
php-igbinary/groovy,now 3.1.2+2.0.8-1build1 amd64 [installed,automatic]
php-imagick/groovy,now 3.4.4-4.1 amd64 [installed]
php-memcached/groovy,now 3.1.4+2.2.0-1 amd64 [installed]
php-msgpack/groovy,now 2.1.0beta1-0ubuntu2 amd64 [installed,automatic]
php-pear/groovy-updates,groovy-security,now 1:1.10.9+submodules+notgz-1ubuntu0.20.10.2 all [installed,automatic]
php-xml/groovy,now 2:7.4+76 all [installed,automatic]
php7.4-bcmath/groovy-updates,groovy-security,now 7.4.9-1ubuntu1.2 amd64 [installed]
php7.4-cli/groovy-updates,groovy-security,now 7.4.9-1ubuntu1.2 amd64 [installed]
php7.4-common/groovy-updates,groovy-security,now 7.4.9-1ubuntu1.2 amd64 [installed,automatic]
php7.4-curl/groovy-updates,groovy-security,now 7.4.9-1ubuntu1.2 amd64 [installed]
php7.4-dev/groovy-updates,groovy-security,now 7.4.9-1ubuntu1.2 amd64 [installed]
php7.4-fpm/groovy-updates,groovy-security,now 7.4.9-1ubuntu1.2 amd64 [installed]
php7.4-intl/groovy-updates,groovy-security,now 7.4.9-1ubuntu1.2 amd64 [installed]
php7.4-json/groovy-updates,groovy-security,now 7.4.9-1ubuntu1.2 amd64 [installed,automatic]
php7.4-mbstring/groovy-updates,groovy-security,now 7.4.9-1ubuntu1.2 amd64 [installed]
php7.4-mysql/groovy-updates,groovy-security,now 7.4.9-1ubuntu1.2 amd64 [installed]
php7.4-opcache/groovy-updates,groovy-security,now 7.4.9-1ubuntu1.2 amd64 [installed,automatic]
php7.4-readline/groovy-updates,groovy-security,now 7.4.9-1ubuntu1.2 amd64 [installed,automatic]
php7.4-xml/groovy-updates,groovy-security,now 7.4.9-1ubuntu1.2 amd64 [installed]
php7.4-xmlrpc/groovy-updates,groovy-security,now 7.4.9-1ubuntu1.2 amd64 [installed]
php7.4-zip/groovy-updates,groovy-security,now 7.4.9-1ubuntu1.2 amd64 [installed]
pkg-php-tools/groovy,now 1.39 all [installed,automatic]

When I use apt install php7.4 (and for the other PHP packages, too), it is not installed from the external PPA repository.
/etc/apt/sources.list.d/ppa_ondrej_php_groovy.list:

deb http://ppa.launchpad.net/ondrej/php/ubuntu groovy main

This should be the external PPA.

So for whatever reason apt decides to install the PHP7.4* packages from the upstream repository instead of from the PPA, even when the PPA has higher versions.
The php7.4-fpm

apt policy php7.4-fpm
php7.4-fpm:
  Installed: 7.4.9-1ubuntu1.2
  Candidate: 7.4.9-1ubuntu1.2
  Version table:
 *** 7.4.9-1ubuntu1.2 500
        500 http://de.archive.ubuntu.com/ubuntu groovy-updates/universe amd64 Packages
        500 http://de.archive.ubuntu.com/ubuntu groovy-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     7.4.9-1ubuntu1 500
        500 http://de.archive.ubuntu.com/ubuntu groovy/universe amd64 Packages

I also manually ran apt update and listed all packages, but no package from the PPA:

$ apt list | grep ondrej
(or)
$ apt list | grep sury

(empty list)

OK, so it appears that the PPA ppa:ondrej/php is not completely added by ansible.
It appears in apt sources, but it is not used by apt unless being manually added: add-apt-repository ppa:ondrej/php

Does this happen because of some initial incorrect state of the staging system?

After rebooting the system after ansible has added the PPA, apt is using it.
So when manually adding the PPA, something is invalidated/refreshed/updated, which ansible does not do.

Edit: After some further trying it seems that apt update indeed picks the repository up:

apt update
Hit:1 http://ppa.launchpad.net/ondrej/php/ubuntu groovy InRelease
Hit:2 http://de.archive.ubuntu.com/ubuntu groovy InRelease
Hit:3 http://de.archive.ubuntu.com/ubuntu groovy-updates InRelease
Hit:4 http://de.archive.ubuntu.com/ubuntu groovy-backports InRelease
Hit:5 http://de.archive.ubuntu.com/ubuntu groovy-security InRelease

But none of these PHP* packages are installed.

grep ^Package /var/lib/apt/lists/ppa.launchpad.net_ondrej_php_ubuntu_dists_groovy_InRelease | awk '{print $2}' | sort -u yields an empty list.

The staging system was using Ubuntu 20.10 non-LTS: This is probably the reason why there aren’t packages from the PPA. Trellis is currently tested for Ubuntu 20.04 LTS.
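
As an added example (not from the thread or from Trellis): the first post mentions packages listed as libpcre3/now, meaning the installed version is offered by no configured repository and will not receive updates from one. The sketch below groups `apt list --installed` lines by origin and flags such packages; the sample input and its version strings are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the format of `apt list --installed`
# (not captured from a real host; version strings are illustrative).
sample_apt_list() {
cat <<'EOF'
Listing...
php7.4-fpm/groovy-updates,groovy-security,now 7.4.9-1ubuntu1.2 amd64 [installed]
php7.4-bcmath/groovy-updates,groovy-security,now 7.4.9-1ubuntu1.2 amd64 [installed]
php-imagick/groovy,now 3.4.4-4.1 amd64 [installed]
libpcre3/now 2:8.44-2+ubuntu20.10.1+deb.sury.org+1 amd64 [installed,local]
libzstd1/now 1.4.8+dfsg-1+ubuntu20.10.1+deb.sury.org+1 amd64 [installed,local]
EOF
}

# classify: read `apt list --installed` lines on stdin, print "<package> <origin>".
# The origin is the suite list without the trailing "now"; when "now" is the only
# entry, the installed version is offered by no configured repository ("orphaned").
classify() {
  awk '
    index($1, "/") == 0 { next }        # skip "Listing..." and blank lines
    {
      split($1, f, "/"); pkg = f[1]; suites = f[2]
      sub(/,?now$/, "", suites)
      if (suites == "") suites = "orphaned"
      print pkg, suites
    }'
}

# orphaned: names of installed packages that no configured repository provides.
orphaned() { classify | awk '$2 == "orphaned" { print $1 }'; }

# origin_counts: "<count> <origin>" per origin, sorted by origin name.
origin_counts() {
  classify | awk '{ n[$2]++ } END { for (o in n) print n[o], o }' | sort -k2
}

# Demonstration on the constructed sample.
sample_apt_list | origin_counts
sample_apt_list | orphaned
```

On a real host, pipe `apt list --installed 2>/dev/null` into `orphaned` instead of the sample, then confirm each hit with `apt policy <package>` before removing or reinstalling anything.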
