What's correct way to upgrade APT packages using Ansible?

Question

When setting up a new Linux server, I typically run apt-get update and then apt-get upgrade. The first command updates the list of available packages and their versions, but it does not install or upgrade any packages. The second command actually installs newer versions of the packages I have.

What is the correct way to do this in Ansible? One way you could do it is like this:

- name: update and upgrade apt packages
  apt: >
    upgrade=yes
    update_cache=yes
    cache_valid_time=3600

Or you could do it in two separate steps:

- name: update apt packages
  apt: >
    update_cache=yes
    cache_valid_time=3600

- name: upgrade apt packages
  apt: upgrade=yes

If you do it the first way, is Ansible smart enough to know that it should run 'update' before 'upgrade'? The Ansible apt documentation doesn't address this finer point.

Answer 1

The apt module documentation does actually state that it will run the update first:

Run the equivalent of apt-get update before the operation. Can be run as part of the package installation or as a separate step.

(emphasis mine)

So both of those plays should be functionally the same.

Answer 2

Here is the better version of upgrading and updating packages. The below executable playbook will update and upgrade packages to all hosts specified in the inventory file.

- hosts: all
  become: yes
  tasks:
  - name: Update and upgrade apt packages
    apt:
      upgrade: yes
      update_cache: yes
      cache_valid_time: 86400 # 1 day

The cache_valid_time value is optional. The docs says:

Update the apt cache if its older than the cache_valid_time. This option is set in seconds.

I think its good practice to include this if you don't want to update the cache when it has only recently been updated.