Skip to content

apt

Collection Note

This module is part of the ansible.builtin collection. To install the collection, use:

ansible-galaxy collection install ansible.builtin
Added in version 0.0.2.

You need further requirements to be able to use this module, see the Requirements section for details.

Synopsis

  • Manages I(apt) packages (such as for Debian/Ubuntu).

Requirements

The following Python packages are needed on the host that executes this module:

Parameters

Parameter Defaults / Choices Comments
allow_change_held_packages
bool		 Default: no
 Allows changing the version of a package which is on the apt hold list.
Version Added: 2.13
allow_downgrade
bool		 Default: no
 Corresponds to the C(--allow-downgrades) option for I(apt).
This option enables the named package and version to replace an already installed higher version of that package.
Note that setting O(allow_downgrade=true) can make this module behave in a non-idempotent way.
(The task could end up with a set of packages that does not match the complete list of specified packages to install).
O(allow_downgrade) is only supported by C(apt) and will be ignored if C(aptitude) is detected or specified.
Version Added: 2.12
allow_unauthenticated
bool		 Default: no
 Ignore if packages cannot be authenticated. This is useful for bootstrapping environments that manage their own apt-key setup.
O(allow_unauthenticated) is only supported with O(state): V(install)/V(present).
Version Added: 2.1
auto_install_module_deps
bool		 Default: True
 Automatically install dependencies required to run this module.
Version Added: 2.19
autoclean
bool		 Default: no
 If V(true), cleans the local repository of retrieved package files that can no longer be downloaded.
Version Added: 2.4
autoremove
bool		 Default: no
 If V(true), remove unused dependency packages for all module states except V(build-dep). It can also be used as the only option.
Previous to version 2.4, O(autoclean) was also an alias for O(autoremove), now it is its own separate command. See documentation for further information.
Version Added: 2.1
cache_valid_time
int		 Update the apt cache if it is older than the O(cache_valid_time). This option is set in seconds.
As of Ansible 2.4, if explicitly set, this sets O(update_cache=yes).
clean
bool		 Default: no
 Run the equivalent of C(apt-get clean) to clear out the local repository of retrieved package files. It removes everything but the lock file from C(/var/cache/apt/archives/) and C(/var/cache/apt/archives/partial/).
Can be run as part of the package installation (clean runs before install) or as a separate step.
Version Added: 2.13
deb
path		 Path to a .deb package on the remote machine.
If C(://) in the path, ansible will attempt to download deb before installing. (Version added 2.1)
Requires the C(xz-utils) package to extract the control file of the deb package to install.
Version Added: 1.6
default_release
str		 Corresponds to the C(-t) option for I(apt) and sets pin priorities.
dpkg_options
str		 Default: force-confdef,force-confold
 Add C(dpkg) options to C(apt) command. Defaults to C(-o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold").
Options should be supplied as comma separated list.
fail_on_autoremove
bool		 Default: no
 Corresponds to the C(--no-remove) option for C(apt).
If V(true), it is ensured that no packages will be removed or the task will fail.
O(fail_on_autoremove) is only supported with O(state) except V(absent).
O(fail_on_autoremove) is only supported by C(apt) and will be ignored if C(aptitude) is detected or specified.
Version Added: 2.11
force
bool		 Default: no
 Corresponds to the C(--force-yes) to C(apt-get) and implies O(allow_unauthenticated=yes) and O(allow_downgrade=yes).
This option will disable checking both the packages' signatures and the certificates of the web servers they are downloaded from.
This option *is not* the equivalent of passing the C(-f) flag to C(apt-get) on the command line.
**This is a destructive operation with the potential to destroy your system, and it should almost never be used.** Please also see C(man apt-get) for more information.
force_apt_get
bool		 Default: no
 Force usage of apt-get instead of aptitude.
Version Added: 2.4
install_recommends
bool		 Corresponds to the C(--no-install-recommends) option for C(apt). V(true) installs recommended packages. V(false) does not install recommended packages. By default, Ansible will use the same defaults as the operating system. Suggested packages are never installed.
lock_timeout
int		 Default: 60
 How many seconds will this action wait to acquire a lock on the apt db.
Sometimes there is a transitory lock and this will retry at least until timeout is hit.
Version Added: 2.12
name
list / elements=str		 A list of package names, like V(foo), or package specifier with version, like V(foo=1.0) or V(foo>=1.0). Name wildcards (fnmatch) like V(apt*) and version wildcards like V(foo=1.0*) are also supported.
Do not use single or double quotes around the version when referring to the package name with a specific version, such as V(foo=1.0) or V(foo>=1.0).
only_upgrade
bool		 Default: no
 Only upgrade a package if it is already installed.
Version Added: 2.1
policy_rc_d
int		 Force the exit code of C(/usr/sbin/policy-rc.d).
For example, if O(policy_rc_d=101) the installed package will not trigger a service start.
If C(/usr/sbin/policy-rc.d) already exists, it is backed up and restored after the package installation.
If V(null), the C(/usr/sbin/policy-rc.d) is not created/changed.
Version Added: 2.8
purge
bool		 Default: no
 Will force purging of configuration files if O(state=absent) or O(autoremove=yes).
state
str		 Default: present
Choices: absent, build-dep, latest, present, fixed		 Indicates the desired package state. V(latest) ensures that the latest version is installed. V(build-dep) ensures the package build dependencies are installed. V(fixed) attempt to correct a system with broken dependencies in place.
update_cache
bool		 Run the equivalent of C(apt-get update) before the operation. Can be run as part of the package installation or as a separate step.
Default is not to update the cache.
update_cache_retries
int		 Default: 5
 Amount of retries if the cache update fails. Also see O(update_cache_retry_max_delay).
Version Added: 2.10
update_cache_retry_max_delay
int		 Default: 12
 Use an exponential backoff delay for each retry (see O(update_cache_retries)) up to this max delay in seconds.
Version Added: 2.10
upgrade
str		 Default: no
Choices: dist, full, no, safe, yes		 If yes or safe, performs an aptitude safe-upgrade.
If full, performs an aptitude full-upgrade.
If dist, performs an apt-get dist-upgrade.
Note: This does not upgrade a specific package, use state=latest for that.
Note: Since 2.4, apt-get is used as a fall-back if aptitude is not present.
Version Added: 1.1

Notes

Note

  • Three of the upgrade modes (V(full), V(safe) and its alias V(true)) required C(aptitude) up to 2.3, since 2.4 C(apt-get) is used as a fall-back.
  • In most cases, packages installed with I(apt) will start newly installed services by default. Most distributions have mechanisms to avoid this. For example when installing Postgresql-9.5 in Debian 9, creating an executable shell script (/usr/sbin/policy-rc.d) that throws a return code of 101 will stop Postgresql 9.5 starting up after install. Remove the file or its execute permission afterward.
  • The C(apt-get) commandline supports implicit regex matches here but we do not because it can let typos through easier (If you typo C(foo) as C(fo) apt-get would install packages that have "fo" in their name with a warning and a prompt for the user. Since there are no warnings and prompts before installing, we disallow this. Use an explicit fnmatch pattern if you want wildcarding).
  • When used with a C(loop:) each package will be processed individually, it is much more efficient to pass the list directly to the O(name) option.
  • When O(default_release) is used, an implicit priority of 990 is used. This is the same behavior as C(apt-get -t).
  • When an exact version is specified, an implicit priority of 1001 is used.
  • If the interpreter can't import C(python3-apt) the module will check for it in system-owned interpreters as well. If the dependency can't be found, depending on the value of O(auto_install_module_deps) the module will attempt to install it. If the dependency is found or installed, the module will be respawned under the correct interpreter.

Examples

- name: Install apache httpd (state=present is optional)
  ansible.builtin.apt:
    name: apache2
    state: present

- name: Update repositories cache and install "foo" package
  ansible.builtin.apt:
    name: foo
    update_cache: yes

- name: Remove "foo" package
  ansible.builtin.apt:
    name: foo
    state: absent

- name: Install the package "foo"
  ansible.builtin.apt:
    name: foo

- name: Install a list of packages
  ansible.builtin.apt:
    pkg:
    - foo
    - foo-tools

- name: Install the version '1.00' of package "foo"
  ansible.builtin.apt:
    name: foo=1.00

- name: Update the repository cache and update package "nginx" to latest version using default release squeeze-backport
  ansible.builtin.apt:
    name: nginx
    state: latest
    default_release: squeeze-backports
    update_cache: yes

- name: Install the version '1.18.0' of package "nginx" and allow potential downgrades
  ansible.builtin.apt:
    name: nginx=1.18.0
    state: present
    allow_downgrade: yes

- name: Install zfsutils-linux with ensuring conflicted packages (e.g. zfs-fuse) will not be removed.
  ansible.builtin.apt:
    name: zfsutils-linux
    state: latest
    fail_on_autoremove: yes

- name: Install latest version of "openjdk-6-jdk" ignoring "install-recommends"
  ansible.builtin.apt:
    name: openjdk-6-jdk
    state: latest
    install_recommends: no

- name: Update all packages to their latest version
  ansible.builtin.apt:
    name: "*"
    state: latest

- name: Upgrade the OS (apt-get dist-upgrade)
  ansible.builtin.apt:
    upgrade: dist

- name: Run the equivalent of "apt-get update" as a separate step
  ansible.builtin.apt:
    update_cache: yes

- name: Only run "update_cache=yes" if the last one is more than 3600 seconds ago
  ansible.builtin.apt:
    update_cache: yes
    cache_valid_time: 3600

- name: Pass options to dpkg on run
  ansible.builtin.apt:
    upgrade: dist
    update_cache: yes
    dpkg_options: 'force-confold,force-confdef'

- name: Install a .deb package
  ansible.builtin.apt:
    deb: /tmp/mypackage.deb

- name: Install the build dependencies for package "foo"
  ansible.builtin.apt:
    pkg: foo
    state: build-dep

- name: Install a .deb package from the internet
  ansible.builtin.apt:
    deb: https://example.com/python-ppq_0.1-1_all.deb

- name: Remove useless packages from the cache
  ansible.builtin.apt:
    autoclean: yes

- name: Remove dependencies that are no longer required
  ansible.builtin.apt:
    autoremove: yes

- name: Remove dependencies that are no longer required and purge their configuration files
  ansible.builtin.apt:
    autoremove: yes
    purge: true

- name: Run the equivalent of "apt-get clean" as a separate step
  ansible.builtin.apt:
    clean: yes

Return Values

Key Data Type Description Returned
cache_update_time int time of the last cache update (0 if unknown) success, in some cases
cache_updated bool if the cache was updated or not success, in some cases
stderr str error output from apt success, when needed
stdout str output from apt success, when needed

Authors

  • Matthew Williams (@mgwilliams)