`datadog_agent_version` is not fully pinned on Linux with `apt`

[robin-wayve]

We set a pinned version with datadog_agent_version. Since the role does not use ansible.builtin.dpkg_selections to put a hold on datadog-agent, hosts can upgrade the datadog-agent package when new versions become available (via apt upgrade or similar).

If a host does this, the role can't be applied due to trying to downgrade the package (which is a thing you can enable, but only on ansible-core 2.12+, I think).

Workaround I have used:

• gather package facts
• run ansible.builtin.dpkg_selections with selection: deinstall (un-pin) if the version is newer than the installed version
• include the datadog role / install the package
• run ansible.builtin.dpkg_selections with selection: hold (pin) to prevent upgrades

I can provide more details if there's interest in handling this in the role.

[bkabrda]

Hi 👋 thanks for opening the issue. We've actually added similar functionality for Red Hat based distros already in #443, so I think adding it for Debian based distros makes a perfect sense. I'll add this to our backlog to implement. Thanks!