Gate so_kernel_repo on running salt matching the shipped version

During soup the grid is mid-salt-upgrade. Only assign the UEK8 kernel repo once the node's grains.saltversion matches salt.minion.version from minion.defaults.yaml, so the kernel repo and the update it enables don't activate until the node is fully on the target salt.
2026-06-30 14:18:31 +02:00 · 2026-06-26 09:21:11 -04:00
parent 94f31e1356
commit 67a9abadf2
1 changed files with 10 additions and 0 deletions
@@ -6,6 +6,10 @@
 {% from 'repo/client/map.jinja' import REPOPATH with context %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}

+{% import_yaml 'salt/minion.defaults.yaml' as saltversion %}
+{% set saltversion = saltversion.salt.minion.version %}
+{% set INSTALLEDSALTVERSION = grains.saltversion %}
+
 {% set role = grains.id.split('_') | last %}
 {% set MANAGER = salt['grains.get']('master') %}
 {% if grains['os'] == 'OEL' %}
@@ -57,6 +61,11 @@ so_repo:
    - enabled: 1
    - gpgcheck: 1

+# Only assign the kernel repo once this node's running salt matches the version this
+# SO release ships. During a soup the grid is mid-salt-upgrade; gating here keeps the
+# UEK8 kernel repo (and the kernel update it enables) from activating until the node is
+# fully on the target salt, the same way other states defer across the upgrade window.
+{% if saltversion | string == INSTALLEDSALTVERSION | string %}
 so_kernel_repo:
  pkgrepo.managed:
    - name: securityonionkernel
@@ -76,6 +85,7 @@ so_kernel_repo:
    # UEK8 kernel update can't renumber interfaces SO binds by name (see pin_nic_names
    # in salt/common/init.sls, which drops this marker via /usr/sbin/so-nic-pin).
    - onlyif: 'test -e /opt/so/state/nic_names_pinned'
+{% endif %}

 {% endif %}