From 66c0a662fc71a9738d16ce584c263b5d05daa427 Mon Sep 17 00:00:00 2001
From: Josh Patterson <josh.patterson@securityonionsolutions.com>
Date: Fri, 8 May 2026 09:26:42 -0400
Subject: [PATCH] convert wait to script

---
 salt/common/tools/sbin/so-salt-minion-wait | 35 ++++++++++++++++++++++
 salt/salt/minion/init.sls                  | 21 ++-----------
 2 files changed, 38 insertions(+), 18 deletions(-)
 create mode 100644 salt/common/tools/sbin/so-salt-minion-wait

diff --git a/salt/common/tools/sbin/so-salt-minion-wait b/salt/common/tools/sbin/so-salt-minion-wait
new file mode 100644
index 000000000..a30c67e80
--- /dev/null
+++ b/salt/common/tools/sbin/so-salt-minion-wait
@@ -0,0 +1,35 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+# Block until the local salt-minion service is back up and can execute modules locally.
+# Invoked from the wait_for_salt_minion_ready state in salt/minion/init.sls after
+# salt_minion_service fires its watch-driven mod_watch (a non-blocking systemctl restart),
+# so follow-on jobs and the next highstate iteration do not race the in-flight restart.
+
+. /usr/sbin/so-common
+
+# Initial sleep gives the systemctl restart (--no-block by default for salt-minion on
+# >=3006.15) time to begin tearing down the old process before we probe for readiness.
+INITIAL_SLEEP=3
+TIMEOUT=120
+PING_TIMEOUT=5
+
+sleep "$INITIAL_SLEEP"
+
+elapsed="$INITIAL_SLEEP"
+while [ "$elapsed" -lt "$TIMEOUT" ]; do
+  if systemctl is-active --quiet salt-minion \
+     && salt-call --local --timeout="$PING_TIMEOUT" --out=quiet test.ping >/dev/null 2>&1; then
+    echo "salt-minion ready after ${elapsed}s"
+    exit 0
+  fi
+  sleep 1
+  elapsed=$((elapsed + 1))
+done
+
+echo "salt-minion did not become ready within ${TIMEOUT}s" >&2
+exit 1
diff --git a/salt/salt/minion/init.sls b/salt/salt/minion/init.sls
index 42f98de2a..01c24e698 100644
--- a/salt/salt/minion/init.sls
+++ b/salt/salt/minion/init.sls
@@ -111,26 +111,11 @@ salt_minion_service:
 # block until the just-restarted salt-minion is back and can execute modules locally, so
 # follow-on jobs and the next highstate iteration do not race the restart. onchanges +
 # require on salt_minion_service catches every restart trigger uniformly because watch
-# mod_watch results replace the service state's running entry. initial sleep gives the
-# systemctl restart (--no-block by default for salt-minion on >=3006.15) time to begin
-# tearing down the old process before we probe for readiness.
+# mod_watch results replace the service state's running entry. wait logic lives in
+# /usr/sbin/so-salt-minion-wait (deployed by common_sbin from common/tools/sbin/).
 wait_for_salt_minion_ready:
   cmd.run:
-    - name: |
-        sleep 3
-        timeout=120
-        elapsed=3
-        while [ $elapsed -lt $timeout ]; do
-          if systemctl is-active --quiet salt-minion \
-             && salt-call --local --timeout=5 --out=quiet test.ping >/dev/null 2>&1; then
-            echo "salt-minion ready after ${elapsed}s"
-            exit 0
-          fi
-          sleep 1
-          elapsed=$((elapsed+1))
-        done
-        echo "salt-minion did not become ready within ${timeout}s" >&2
-        exit 1
+    - name: /usr/sbin/so-salt-minion-wait
     - onchanges:
       - service: salt_minion_service
     - require: