allow users to lock pkgs from upgrade

2025-12-20 07:53:06 +01:00 · 2024-10-16 17:06:03 -04:00
parent a3933bdc79
commit 73ce526467
5 changed files with 60 additions and 0 deletions
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -16,6 +16,8 @@ base:
    - sensoroni.adv_sensoroni
    - telegraf.soc_telegraf
    - telegraf.adv_telegraf
+    - versionlock.soc_versionlock
+    - versionlock.adv_versionlock

  '* and not *_desktop':
    - firewall.soc_firewall
--- a/salt/versionlock/defaults.yaml
+++ b/salt/versionlock/defaults.yaml
@@ -0,0 +1,3 @@
+versionlock:
+  kernel: False
+  hold: []
--- a/salt/versionlock/init.sls
+++ b/salt/versionlock/init.sls
@@ -0,0 +1,13 @@
+{% from 'versionlock/map.jinja' import VERSIONLOCKMERGED %}
+
+{% for pkg in VERSIONLOCKMERGED.hold %}
+{{pkg}}_held:
+  pkg.held:
+    - name: {{pkg}}
+{% endfor %}
+
+{% for pkg in VERSIONLOCKMERGED.UNHOLD %}
+{{pkg}}_unheld:
+  pkg.unheld:
+    - name: {{pkg}}
+{% endfor %}
--- a/salt/versionlock/map.jinja
+++ b/salt/versionlock/map.jinja
@@ -0,0 +1,32 @@
+{% import_yaml 'versionlock/defaults.yaml' as VERSIONLOCKDEFAULTS %}
+{% set VERSIONLOCKMERGED = salt['pillar.get']('versionlock', VERSIONLOCKDEFAULTS.versionlock, merge=True) %}
+{% set HELD = salt['pkg.list_holds']() %}
+
+{% set PACKAGES_HELD_IN_OTHER_STATES = [
+   'salt',
+   'salt-master',
+   'salt-minion',
+   'containerd.io',
+   'docker-ce',
+   'docker-ce-cli',
+   'docker-ce-rootless-extras'
+] %}
+
+{% if VERSIONLOCKMERGED.kernel %}
+    {% do VERSIONLOCKMERGED['hold'].append('kernel') %}
+{% endif %}
+
+{# remove packages held in other states from hold list #}
+{% do VERSIONLOCKMERGED.update({'hold': VERSIONLOCKMERGED['hold'] | unique | reject('in', PACKAGES_HELD_IN_OTHER_STATES) | list }) %}
+
+{% do VERSIONLOCKMERGED.update({'UNHOLD': []}) %}
+
+{# if a package is currently held but not set to be held, unhold it #}
+{% for item in HELD %}
+    {% set base_name = item.rsplit('-', 2)[0] %}
+    {% if base_name not in VERSIONLOCKMERGED['hold']
+       and base_name not in PACKAGES_HELD_IN_OTHER_STATES
+       and base_name not in VERSIONLOCKMERGED['UNHOLD'] %}
+        {% do VERSIONLOCKMERGED['UNHOLD'].append(base_name) %}
+    {% endif %}
+{% endfor %}
--- a/salt/versionlock/soc_versionlock.yaml
+++ b/salt/versionlock/soc_versionlock.yaml
@@ -0,0 +1,10 @@
+versionlock:
+  kernel:
+    description: Lock the kernel to prevent upgrade.
+    global: True
+    forcedType: bool
+  hold:
+    description: List of packages to hold
+    global: True
+    forcedType: "[]string"
+    multiline: True