From 67a9abadf2292ac3005844ef4b581020adecc7ff Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 26 Jun 2026 09:21:11 -0400 Subject: [PATCH] Gate so_kernel_repo on running salt matching the shipped version During soup the grid is mid-salt-upgrade. Only assign the UEK8 kernel repo once the node's grains.saltversion matches salt.minion.version from minion.defaults.yaml, so the kernel repo and the update it enables don't activate until the node is fully on the target salt. --- salt/repo/client/oracle.sls | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/salt/repo/client/oracle.sls b/salt/repo/client/oracle.sls index 2019a56d1..bf0a02751 100644 --- a/salt/repo/client/oracle.sls +++ b/salt/repo/client/oracle.sls @@ -6,6 +6,10 @@ {% from 'repo/client/map.jinja' import REPOPATH with context %} {% from 'vars/globals.map.jinja' import GLOBALS %} +{% import_yaml 'salt/minion.defaults.yaml' as saltversion %} +{% set saltversion = saltversion.salt.minion.version %} +{% set INSTALLEDSALTVERSION = grains.saltversion %} + {% set role = grains.id.split('_') | last %} {% set MANAGER = salt['grains.get']('master') %} {% if grains['os'] == 'OEL' %} @@ -57,6 +61,11 @@ so_repo: - enabled: 1 - gpgcheck: 1 +# Only assign the kernel repo once this node's running salt matches the version this +# SO release ships. During a soup the grid is mid-salt-upgrade; gating here keeps the +# UEK8 kernel repo (and the kernel update it enables) from activating until the node is +# fully on the target salt, the same way other states defer across the upgrade window. +{% if saltversion | string == INSTALLEDSALTVERSION | string %} so_kernel_repo: pkgrepo.managed: - name: securityonionkernel @@ -76,6 +85,7 @@ so_kernel_repo: # UEK8 kernel update can't renumber interfaces SO binds by name (see pin_nic_names # in salt/common/init.sls, which drops this marker via /usr/sbin/so-nic-pin). - onlyif: 'test -e /opt/so/state/nic_names_pinned' +{% endif %} {% endif %}