From 27c1c35e62e90f6d11ae92817abda2a443ab992f Mon Sep 17 00:00:00 2001
From: Mike Reeves <reevesmk@gmail.com>
Date: Wed, 24 Jun 2026 13:20:10 -0400
Subject: [PATCH] Mark kernel repo skip_if_unavailable so an empty repo can't
 brick dnf

When the kernel repo is assigned but /nsm/kernelrepo isn't populated
yet, its missing repomd.xml makes every dnf/pkg operation fail (e.g.
pkg.held for salt during highstate). The kernel repo is supplementary,
so set skip_if_unavailable=1 in both the salt-managed client repo and
the four install-time bootstrap repo files; dnf ignores it until it is
populated instead of aborting. The main repo stays strict.
---
 salt/repo/client/oracle.sls | 4 ++++
 setup/so-functions          | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/salt/repo/client/oracle.sls b/salt/repo/client/oracle.sls
index 8c8a1ac0a..2019a56d1 100644
--- a/salt/repo/client/oracle.sls
+++ b/salt/repo/client/oracle.sls
@@ -68,6 +68,10 @@ so_kernel_repo:
   {% endif %}
     - enabled: 1
     - gpgcheck: 1
+    # Supplementary kernel repo: tolerate it being empty/unreachable (e.g. before the
+    # manager has populated /nsm/kernelrepo) so a missing repomd.xml can't make every
+    # dnf/pkg operation on the grid fail.
+    - skip_if_unavailable: 1
     # Only assign the kernel repo once physical NIC names are pinned by MAC, so the
     # UEK8 kernel update can't renumber interfaces SO binds by name (see pin_nic_names
     # in salt/common/init.sls, which drops this marker via /usr/sbin/so-nic-pin).
diff --git a/setup/so-functions b/setup/so-functions
index 15856d710..b9a061168 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1820,6 +1820,9 @@ securityonion_repo() {
 			echo "mirrorlist=file:///etc/yum/mirror-kernel.txt" >> /etc/yum.repos.d/securityonionkernel.repo
 			echo "enabled=1" >> /etc/yum.repos.d/securityonionkernel.repo
 			echo "gpgcheck=1" >> /etc/yum.repos.d/securityonionkernel.repo
+			# Supplementary kernel repo: tolerate it being empty/unreachable so a missing
+			# repomd.xml can't make every dnf operation fail before the repo is populated.
+			echo "skip_if_unavailable=1" >> /etc/yum.repos.d/securityonionkernel.repo
 			logCmd "dnf repolist"
 		else
 			echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
@@ -1834,6 +1837,7 @@ securityonion_repo() {
 			echo "enabled=1" >> /etc/yum.repos.d/securityonionkernel.repo
 			echo "gpgcheck=1" >> /etc/yum.repos.d/securityonionkernel.repo
 			echo "sslverify=0" >> /etc/yum.repos.d/securityonionkernel.repo
+			echo "skip_if_unavailable=1" >> /etc/yum.repos.d/securityonionkernel.repo
 			logCmd "dnf repolist"
 		fi
 	elif [[ ! $waitforstate ]]; then
@@ -1849,6 +1853,7 @@ securityonion_repo() {
 		echo "enabled=1" >> /etc/yum.repos.d/securityonionkernel.repo
 		echo "gpgcheck=1" >> /etc/yum.repos.d/securityonionkernel.repo
 		echo "sslverify=0" >> /etc/yum.repos.d/securityonionkernel.repo
+		echo "skip_if_unavailable=1" >> /etc/yum.repos.d/securityonionkernel.repo
 	elif [[ $waitforstate ]]; then
 		echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
 		echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
@@ -1860,6 +1865,7 @@ securityonion_repo() {
 		echo "baseurl=file:///nsm/kernelrepo/" >> /etc/yum.repos.d/securityonionkernel.repo
 		echo "enabled=1" >> /etc/yum.repos.d/securityonionkernel.repo
 		echo "gpgcheck=1" >> /etc/yum.repos.d/securityonionkernel.repo
+		echo "skip_if_unavailable=1" >> /etc/yum.repos.d/securityonionkernel.repo
 	fi
 	logCmd "dnf repolist all"
 	if [[ $waitforstate ]]; then