Open NoRePercussions opened 3 months ago
The repos can be added with:
d-i apt-setup/local0/repository string \
https://repo.saltproject.io/salt/py3/debian/12/amd64/latest bookworm main
d-i apt-setup/local0/key string https://repo.saltproject.io/salt/py3/debian/11/amd64/SALT-PROJECT-GPG-PUBKEY-2023.gpg
However, this doesn't appear to happen in time for bootstrap-salt.sh. It fails to install during preseeding, but succeeds when run manually after boot (without an apt-get update). This doesn't happen when using the Debian 11 repository, so I am not yet sure what is causing the difference, but solving that should make Debian 12 preseeding succeed.
repo.saltproject.io is https-only, which is an issue as debian-installer doesn't have ca-certificates and thus cannot verify any SSL certs. Tracked by saltstack/salt#66399.
Ok, our future is certainly with the new repos. Can you alter the preseed postinstall command to do the d-i, wait a sec, and proceed? Also, would it be helpful to try this repo change on the 11 first?
There are two ways I see to get it in apt sources.
The first is to set it up with d-i, which happens during a specific installation phase. Unfortunately, until salt patches their repo, the only way to add the repo through d-i during install-time is not officially supported by the debian installer, and disables SSL cert verification of the salt repo and GPG verification of all repos.
Alternatively, I believe this can be done in the post-install step (by removing the -b flag), except for the fact that an apt-get update step fails during post-install and will need some further debugging. This seems more desirable both now and in the future because it isn't incredibly insecure and is entirely self-contained.
I'm not sure if it makes a difference whether it is on 11 or 12; I'll certainly try 11 to be sure there aren't any problems from 12.
Let's hold off on being creative, since it sounds like time and the salt team's labor will solve this problem.
Let's let it sit for a month and you can bang on something else in the meantime.
Note for after this is patched: this repo is added to our machines after salt initialization by the os/debian/salt.sls state, and is perhaps then upgraded by unattended-upgrades. It still needs to be added earlier to work on debian 12.
The salt-minion package (and other packages) have not been updated since 3002.6 (currently 3007.0) and Debian 11 (currently 12).
Salt Project moved to providing their own repository for installing packages:
Debian 11:
https://repo.saltproject.io/salt/py3/debian/11/amd64/latest bullseye main
Debian 12:
https://repo.saltproject.io/salt/py3/debian/12/amd64/latest bookworm main
Switching to these may allow access to current patches, installation on newer versions of Debian, and access to newer versions of Salt.
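An added example, not part of the thread or of the project's code: a small Python audit of a preseed file for the conditions discussed above, namely a local apt repository served over https (which the installer cannot verify without ca-certificates), a repository with no signing key, and installer overrides that switch verification off. The two `debian-installer/allow_unauthenticated*` question names do not appear on the page; they are assumed here to be the settings the comment about disabling verification refers to, and the sample preseed is constructed.

```python
import re

# Constructed sample: the two preseed lines from the thread plus the installer
# overrides that switch off verification (assumed names, not from the page).
SAMPLE = """\
d-i apt-setup/local0/repository string \\
    https://repo.saltproject.io/salt/py3/debian/12/amd64/latest bookworm main
d-i apt-setup/local0/key string https://repo.saltproject.io/salt/py3/debian/11/amd64/SALT-PROJECT-GPG-PUBKEY-2023.gpg
d-i debian-installer/allow_unauthenticated boolean true
d-i debian-installer/allow_unauthenticated_ssl boolean true
"""

UNSAFE = {
    "debian-installer/allow_unauthenticated": "GPG verification disabled for all repos",
    "debian-installer/allow_unauthenticated_ssl": "TLS certificate verification disabled",
}

def parse_preseed(text):
    """Return {question: (type, value)}, joining backslash-continued lines."""
    joined = re.sub(r"\\\n\s*", "", text)
    entries = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)  # owner, question, type, value
        if len(parts) >= 3:
            entries[parts[1]] = (parts[2], parts[3].strip() if len(parts) == 4 else "")
    return entries

def audit(text):
    """Return a sorted list of findings for local apt repos in a preseed file."""
    entries = parse_preseed(text)
    findings = []
    for question, (_type, value) in entries.items():
        if question in UNSAFE and value.lower() == "true":
            findings.append(f"{question}: {UNSAFE[question]}")
        match = re.fullmatch(r"apt-setup/(local\d+)/repository", question)
        if match:
            slot = match.group(1)
            if value.startswith("https://"):
                findings.append(f"{slot}: https repo, installer has no ca-certificates")
            if f"apt-setup/{slot}/key" not in entries:
                findings.append(f"{slot}: no signing key configured")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```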