962af3e24e
Python3.12 (which is the python version on Noble) is not compatible with
our pinned borgbackup version (1.1.18). We get his errors when building
borgbackup on python3.12:
‘PyLongObject’ {aka ‘struct _longobject’} has no member named ‘ob_digit’
We update to 1.2.8 on Noble which is one of the oldest versions claiming
python3.12 support. We try to use the oldest version to ensure maximum
compatiblity with 1.1.18 on the backup servers. Our CI job should give
us decent coverage and then the new paste02 will be the production
canary for whether or not these versions are compatible enough with each
other. No other servers should be effected in the initial pass.
Note there is an upgrade event horizon for using repos with borg<1.2.5
and borg >=1.2.5. It only affects repos that have archives that lack
TAMs. My read on it is that newer borg can treat those archives as
invalid and unceremoniously delete them. This is a problem if they are
valid archives and don't have a TAM. I suspect we will avoid this
problem because borg >= 1.0.9 creates TAMs with archives and we prune
our archives so older ones should be long gone. More info on this can be
found in these documents and reviewers are encouraged to read them:
https://borgbackup.readthedocs.io/en/1.2-maint/changes.html#pre-1-2-5-archives-spoofing-vulnerability-cve-2023-36811
https://borgbackup.readthedocs.io/en/1.2-maint/changes.html#borg-1-1-x-to-1-2-x
https://borgbackup.readthedocs.io/en/stable/usage/upgrade.html#borg-1-x-y-upgrades
I have left a todo for us to upgrade all of the services to 1.2.8 that
can run it (it requires python3.8 or newer so Focal or newer) but for
now we are taking baby steps.
Change-Id: I0c5ca758149b85aeec5321a704300489a57a3cc1
61 lines
1.7 KiB
YAML
61 lines
1.7 KiB
YAML
# We install into a virtualenv here for two reasons; we want a
|
|
# specific version pinned between server and client -- borg has had
|
|
# updates that required transitions so we don't want to use system
|
|
# packages where thing might get out of sync. Secondly we want to
|
|
# keep as few things as possible to go wrong when running backups.
|
|
- name: Install build deps
|
|
package:
|
|
name:
|
|
- python3-dev
|
|
- python3-venv
|
|
- libssl-dev
|
|
- openssl
|
|
- libacl1-dev
|
|
- libacl1
|
|
- build-essential
|
|
- pkg-config
|
|
|
|
- name: Install Noble specific fuse build deps
|
|
package:
|
|
name:
|
|
- libfuse3-dev
|
|
- fuse3
|
|
when: ansible_distribution_release == 'noble'
|
|
|
|
- name: Install fuse build deps for everything else
|
|
package:
|
|
name:
|
|
- libfuse-dev
|
|
- fuse
|
|
when: ansible_distribution_release != 'noble'
|
|
|
|
# Noble's python3.12 can't run 1.1.18 so we special case a newer
|
|
# version here.
|
|
# TODO(clarkb) Update borg across the board.
|
|
- name: Set fuse and version variables for Noble
|
|
set_fact:
|
|
_borg_version: "{{ borg_version | default('1.2.8', true) }}"
|
|
_fuse_extra: "pyfuse3"
|
|
when: ansible_distribution_release == 'noble'
|
|
|
|
- name: Set fuse and version variables for everything else
|
|
set_fact:
|
|
_borg_version: "{{ borg_version | default('1.1.18', true) }}"
|
|
_fuse_extra: "fuse"
|
|
when: ansible_distribution_release != 'noble'
|
|
|
|
- name: Create venv
|
|
include_role:
|
|
name: create-venv
|
|
vars:
|
|
create_venv_path: '/opt/borg'
|
|
|
|
- name: Install borg
|
|
pip:
|
|
# borg build deps are a little ... interesting, it needs cython
|
|
# but the requirements don't bring it in.
|
|
name:
|
|
- cython
|
|
- "borgbackup[{{ _fuse_extra }}]=={{ _borg_version }}"
|
|
virtualenv: /opt/borg
|