From f45631af3ae03b4e684ac8327a8bdbeabe624356 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 24 Jun 2026 12:15:10 -0400 Subject: [PATCH] Guard kernel reposync on its config section existing During soup, so-repo-sync runs before the highstate deploys the new repodownload.conf. On the first upgrade to a kernel-aware version the on-disk config lacks the [securityonionkernel] section, so dnf aborts with "Unknown repo: 'securityonionkernel'" (set -e kills soup). Guard the kernel reposync on the section being present; the next sync after the highstate deploys it picks it up. --- salt/manager/tools/sbin/so-repo-sync | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/salt/manager/tools/sbin/so-repo-sync b/salt/manager/tools/sbin/so-repo-sync index bc90122d3..6c1b9d509 100755 --- a/salt/manager/tools/sbin/so-repo-sync +++ b/salt/manager/tools/sbin/so-repo-sync @@ -14,5 +14,12 @@ curl --retry 5 --retry-delay 60 -A "reposync/$(sync_options)" https://sigs.secur dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/ createrepo /nsm/repo -dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionkernel --download-metadata -p /nsm/kernelrepo/ -createrepo /nsm/kernelrepo +# The kernel repo section is deployed to repodownload.conf by the manager highstate, which +# runs AFTER this script during soup. On the first upgrade to a kernel-aware version the +# on-disk config still predates the section, so guard on its presence to avoid dnf's +# "Unknown repo: 'securityonionkernel'" aborting the sync (set -e). The next sync after the +# highstate deploys the section will pick it up. +if grep -q '^\[securityonionkernel\]' /opt/so/conf/reposync/repodownload.conf; then + dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionkernel --download-metadata -p /nsm/kernelrepo/ + createrepo /nsm/kernelrepo +fi