Debian – how to do version-specific backup/restore of Debian packages

backupdebianpackage-managementrestore

summary

Note version-specific in the question title! This question is not, how to

On one Debian host, capture a list of all installed packages.
On another Debian host, install the latest versions of the listed packages.

This question is rather, how to

On a Debian host at some point in time,
1. capture a package map containing
  - the name of each installed package
  - the version of each package currently installed
2. any additional data required to …
On that same host later in time, restore the package map, such that subsequently
1. only the packages in the package map are installed
2. for each packages in the map, only the appropriate version is installed

details

motivation

Recently I did a "big update" (i.e., involving lots of packages, or major packages like kernels, or both) to one of my Debian boxes, which did not update "cleanly" (i.e., with no significant problems). In future, when I apply a bad update to a Debian box, I'd like to be able to rollback (a) the package set on that same box (b) to the previous versions. (Without previously doing an image backup, which is slow.) Unfortunately I don't know how to do that. I do know how to

On one Debian box, capture a list of every package name in its installed package set.
On another box, install the latest version of every package in the list.

thanks to numerous webpages discussing how to do this, including several SEs. Most (including this, this, and this) do more or less sophisticated variations on

backup: dpkg --get-selections > ${PACKAGE_LIST_FILEPATH}
restore: dpkg --set-selections < ${PACKAGE_LIST_FILEPATH}

Probably the most comprehensive (and among the most scripted, which I prefer) SE on this topic is this one: it's one of few to recommend also backing up repository lists (with cp -R /etc/apt/sources.list*) and repo keys (with apt-key exportall), but it also uses dpkg as above. This SE recommends using aptitude (which, FWIW, I prefer, and suspect does a better job than dpkg) for both backup and install, and this SE recommends deborphan for the backup.

But none of the above save package versions, and so none work for my usecase. (IIUC–am I missing something?)

hypothesis

Obviously one must backup (and be able to restore as needed) arbitrary files from one's devices. Similarly, one should be able to backup/restore ones packages, and integrate that into one's periodically-run backup tool. Fortunately, backup/restore of a package list is well-understood. One can backup with, e.g., bash code like

## setup

PACKAGE_LIST_FILENAME='package.list'         # see use below
REPO_KEYS_FILENAME='repo.keys'               # ditto
DATE_FORMAT="%Y%m%d_%H%M%S"
BACKUP_TIMESTAMP="$(date +${DATE_FORMAT})"   # get current timestamp, to the second

# Parent directory of that to which you will backup.
BACKUP_ROOT="/media/$(whoami)/my_backup_drive"
BACKUP_DIR="${BACKUP_ROOT}/backup_${BACKUP_TIMESTAMP}"
echo -e "Backing up to ${BACKUP_DIR}" # debugging
# TODO: check BACKUP_DIR is writable, has sufficient freespace, etc

# ASSERT: all following are subdirs of BACKUP_DIR
ETC_BACKUP_DIR="${BACKUP_DIR}/etc"           # backup /etc , typically not large
PKG_BACKUP_DIR="${BACKUP_DIR}/packages"
REPO_BACKUP_DIR="${BACKUP_DIR}/repos"   # duplicates some of /etc, but disk is cheap ...
for DIR in \
  "${ETC_BACKUP_DIR}" \
  "${PKG_BACKUP_DIR}" \
  "${REPO_BACKUP_DIR}" \
; do
  # make the backup dirs
  mkdir -p "${DIR}"  # TODO: test retval/errorcode, exit on failure
done

PACKAGE_LIST_FILEPATH="${PKG_BACKUP_DIR}/${PACKAGE_LIST_FILENAME}"
touch "${PACKAGE_LIST_FILEPATH}"             # TODO: check that it's writable, exit if not

REPO_KEYS_FILEPATH="${REPO_BACKUP_DIR}/${REPO_KEYS_FILENAME}"
touch "${REPO_KEYS_FILEPATH}"                # TODO: check that it's writable, exit if not

## backup
## TODO: for all following: test retval/errorcode, exit on failure
## TODO: give user some progress indication (e.g., echo commands)

deborphan -a --no-show-section > "${PACKAGE_LIST_FILEPATH}" # or other op you prefer
sudo cp -R /etc/apt/sources.list* "${REPO_BACKUP_DIR}/"
sudo apt-key exportall > "${REPO_KEYS_FILEPATH}"
rsync --progress /etc "${ETC_BACKUP_DIR}"

And one can restore with, e.g., bash code like

## setup
## (remember to transfer constants used above)

RESTORE_DIR="set this equal to the BACKUP_DIR from which you are restoring!"
ETC_RESTORE_DIR="${RESTORE_DIR}/etc"
PKG_RESTORE_DIR="${RESTORE_DIR}/packages"
REPO_RESTORE_DIR="${PKG_RESTORE_DIR}/repos"
PACKAGE_LIST_FILEPATH="${PKG_RESTORE_DIR}/${PACKAGE_LIST_FILENAME}"
REPO_KEYS_FILEPATH="${REPO_RESTORE_DIR}/${REPO_KEYS_FILENAME}"

## restore
## TODO: test that all following are readable, exit if not
## TODO: for all following: test retval/errorcode, exit on failure
## TODO: give user some progress indication (e.g., echo commands)

rsync --progress "${ETC_BACKUP_DIR}" /etc
# following will overwrite some of /etc restored above
sudo apt-key add "${REPO_KEYS_FILEPATH}"
sudo cp -R "${REPO_RESTORE_DIR}/sources.list*" /etc/apt/
# TODO: CHECK THIS SYNTAX!
# see my question @ https://serverfault.com/questions/56848/install-the-same-debian-packages-on-another-system/61472#comment920243_61472
sudo xargs aptitude --schedule-only install < "${PACKAGE_LIST_FILEPATH}" ; aptitude install

So IIUC, we must extend the above to handle package versions. This seems doable using a strategy like the following:

backup

Write a package map file, instead of a package list file. Thanks to RobertL and cas, I now know that I can get a package map file for a Debian host in a useful format (one package per line, each line containing {package name (and architecture, but only if more than one), TAB, package version string}. One can then access
- package names with awk '{print $1}' < "${PACKAGE_LIST_FILEPATH}"
- package versions with awk '{print $2}' < "${PACKAGE_LIST_FILEPATH}"
(extra credit) Archive the current versions of the raw/.deb packages (as indicated by cas) by feeding the package names to dpkg-repack.
(extra credit) Convert the archived packages into a local APT repository. This is hopefully described in operational detail by this Debian wikipage, but I'm still trying to figure that out.

restore

glossary:
* current refers to the state of the host before the user attempts to restore.
* current PMF refers to a package map file generated for the current host, containing package tuples (key=package name, value=package version) currently installed.
* backup PMF refers to a package map file generated for the host at some prior time, containing package tuples to be restored.

Create a current PMF.
Restore repositories and keys by "the usual means" (see above).
Read the backup PMF.
For each package tuple in the current PMF but not the backup PMF: uninstall the package (e.g., sudo aptitude remove [package_name]).
For each package tuple in the backup PMF: install the given version of the package (e.g., sudo aptitude install [package_name]=[package_version]). Thanks to Rui F Ribeiro and bigbenaugust for noting that aptitude and apt-get support install package=version.
- (extra credit) If the restored repositories do not contain the desired version of a package, install it from the backup-local APT repository.

test

TODO! I'll start by doing a manual restore for a box for which I don't yet have a backup like the above (since, of course, I don't yet have a backup like the above for any box 🙂 but for which I have console spew.

Best Answer

Some useful notes to help you achieve your goal:

You can get a list of installed packages and their versions by running:

dpkg-query -W

You can create an archive of .deb packages of all currently installed packages by installing dpkg-repack and running something like this:

dpkg-query -W | awk '{print $1}' | xargs dpkg-repack

This will dpkg-repack all currently installed packages. This archive is the crucial missing part to your restore - without it, you may not be able to restore the exact same package set (especially if you use testing or unstable).

WARNING: dpkg-repack repacks the current, possibly modified, contents of all conffiles. If you want the pristine, original packages, you'll have to get the .deb files from /var/cache/apt/archives or from a Debian mirror.

The .deb archive can be turned into an apt-gettable repository by following the instructions at https://wiki.debian.org/HowToSetupADebianRepository or you can just install them all with dpkg -iBE *.deb (or dpkg -iRBE /path/to/deb/files/ if there are too many to fit on one command line).

You'll still need to use -get-selections and --set-selections in order to retain details like de-installed packages.

Related Solutions

Debian – How to keep the Debian system with the latest packages

Wanting more recent packages is a common issue on any OS. Debian's release cycle has averaged 2 years in recent years, so towards the end of this cycle, it is perhaps a more pressing issue. One way of mitigating this is to move to testing towards the end of the stable release cycle, when the next version is almost stable. It is not clear from the question whether it is talking about stable on more generally about testing and/or unstable as well. Regardless, having the most recent version can be an issue even if one if running unstable, as the most recent version may not be packaged yet. Debian developers/packagers are volunteers, so they may get bored, or busy with other things, with the result that the package languishes.

For simplicity and concreteness I assume in what follows that the plan is to backport a package to stable, but it applies more generally. So, here is what I do if I want a more recent version of software that is not present in stable, in an approximate order.

Look for the package in Debian Backports. Sometimes you can find a package that is recent enough to satisfy your purposes. However, it is often the case that these packages are outdated compared to the version in unstable or experimental or upstream.
Try to install the package directly from testing, unstable, or experimental. If stable has not diverged much from whatever version you are trying to install from, this may work. You'll know this approach is a bad one if the system starts trying to install or upgrade basic packages from the more recent version. Suppose you are trying to install from unstable, then
```
apt-get install packagename/unstable
```
is the first thing to try. With versions of apt in stable, this will often fail, as it requires other packages from unstable, and this incantation only ups the preference of packagename sufficiently high for it to be installed in unstable. If you don't understand what this means, go away and read man apt_preferences. Carry on adding dependencies from unstable, making sure that it is not trying to upgrade basic packages. For example, if it starts trying to upgrade libc6 or X or KDE or Gnome, abort immediately. It is usually fine if it is tries to upgrade other packages from the same source package, as these are usually tightly coupled together. To see what source package a binary package depends on, do
```
apt-cache showsrc packagename
```
Since lots of stuff depends on the GNU C library (libc6) this used to be a problem. More recently, the API seems to have stabilized, so it is now more often possible to get away with not having to upgrade it. If a package satisfies its runtime dependencies on stable, but still does not work correctly, file a bug. If the packager tells you it is not a bug, they are wrong. :-)
Backport the package yourself from testing, unstable or experimental.

As mentioned above, backports is one option, but often these packages are outdated compared to the version in unstable or experimental or upstream.

This can often require a recursive dependency build loop type thing. You first need to get the build dependencies with
```
apt-get build-dep packagename    
```
If this fails because one of the dependencies is not recent enough, you'll need to backport that dependency first. This can spriral out of control. I usually give up if I have to deal with more than 2 levels of recursion. Note however, that the real dependencies aren't necessarily as tight as stated ie. an older version may work. The packager often don't try to find the oldest version of a build (or, indeed, runtime) dependency that will work.
Check for the availability of packages from the corresponding upstream. Ideally these would match your distribution version, but you might also be able to rebuild them if necessary.
Create packages for version of the software more recent than the most recent packages in testing/unstable/experimental. This can be relatively challenging, but still sometimes surprisingly doable. The first thing to note is that if you are trying to package a more recent version of a package that is already in Debian, you are already starting with a big advantage, namely that you have the existing packaging to work with. Just do
```
apt-get source packagename
```
and apt-get will download the corresponding source package, including the debian subdirectory where the packaging lives. Note furthermore that these days, this packaging often lives inside some verson control repository (git seems popular with Debian) and stable apt (currently 0.8.10.3) helpfully tells you where this is when you invoke apt-get source. You should look at this, because the packagers may have more recent versions of the packaging than corresponds to any released package. Eg.
```
$ apt-get source mercurial
  Reading package lists... Done
  Building dependency tree       
  Reading state information... Done
  NOTICE: 'mercurial' packaging is maintained in the 'Svn' version control system at:
  svn://svn.debian.org/python-apps/packages/mercurial/trunk
```
Alternatively, you could simply use
```
apt-cache showsrc mercurial | grep Vcs
```
to list the repository.

If the package is badly out of date, you may have to make modifications to the
package, refresh the applied patches but it is still usually a good starting
point. Debian seems to be in the process of standardizing package management on
quilt per the dpkg-source 3.0 (quilt) format, so that helps with patch refreshing.

I'll conclude with a real-life example of how I backported the Debian package of pgf. The last packaged version of pgf was 2.00 in 2008, and since then 2.10 had been released. See the discussion in Please update to newest stable version of pgf (2.10), and my followup bug with a patch, pgf: patches against 2.0 Debian packaging. As it turns out, the Debian packaging of pgf was very simple, and I just had to change one line in the 2.10 packaging to make it work. I ended up quelling all the lintian complaints as well, but that was strictly optional.

Debian – How to de-select packages of a certain architecture in aptitude

The package actions for aptitude are stored in /var/lib/aptitude/pkgstates, this is separate from any dpkg states. You might want to back the above file up before trying the following in case the results are undesirable and it is difficult for you to get back to where you were. The following should do what you are looking for (remember to quit any running aptitude instance first and also run as root):

aptitude -F %p search '~ri386 ~ainstall' | cut -d : -f 1 >i386
aptitude -F %p search '~ramd64 ~i | ~ramd64 ~ainstall' | cut -d : -f 1 | sort >amd64
aptitude --schedule-only keep $(comm -13 amd64 i386 | sed 's/$/:i386/')
rm i386 amd64

When you restart the GUI, hopefully you have what you are looking for :)