CMUTLI / infra-debian

TLI Debian Preseeds

Debian Salt Packages No Longer Maintained #2

Open NoRePercussions opened 3 months ago

NoRePercussions commented 3 months ago

The salt-minion package (and other packages) have not been updated since 3002.6 (currently 3007.0) and Debian 11 (currently 12).

Salt Project moved to providing their own repository for installing packages:

Debian 11: https://repo.saltproject.io/salt/py3/debian/11/amd64/latest bullseye main

Debian 12: https://repo.saltproject.io/salt/py3/debian/12/amd64/latest bookworm main

Switching to these may allow access to current patches, installation on newer versions of Debian, and access to newer versions of Salt.

NoRePercussions commented 3 months ago

The repos can be added with:

d-i apt-setup/local0/repository string \
        https://repo.saltproject.io/salt/py3/debian/12/amd64/latest bookworm main
d-i apt-setup/local0/key string https://repo.saltproject.io/salt/py3/debian/11/amd64/SALT-PROJECT-GPG-PUBKEY-2023.gpg

However, this doesn't appear to happen in time for bootstrap-salt.sh. It fails to install during preseeding, but succeeds when run manually after boot (without an apt-get update). This doesn't happen when using the Debian 11 repository, so I am not yet sure what is causing the difference, but solving that should make Debian 12 preseeding succeed.

NoRePercussions commented 3 months ago

repo.saltproject.io is https-only, which is an issue as debian-installer doesn't have ca-certificates and thus cannot verify any SSL certs. Tracked by saltstack/salt#66399.

merichar commented 3 months ago

Ok, our future is certainly with the new repos. Can you alter the preseed postinstall command to do the d-i, wait a sec, and proceed? Also, would it be helpful to try this repo change on the 11 first?

NoRePercussions commented 3 months ago

There are two ways I see to get it in apt sources.

The first is to set it up with d-i, which happens during a specific installation phase. Unfortunately, until salt patches their repo, the only way to add the repo through d-i during install-time is not officially supported by the debian installer, and disables SSL cert verification of the salt repo and GPG verification of all repos.

Alternatively, I believe this can be done in the post-install step (by removing the -b flag), except for the fact that an apt-get update step fails during post-install and will need some further debugging. This seems more desirable both now and in the future because it isn't incredibly insecure and is entirely self-contained.

I'm not sure if it makes a difference whether it is on 11 or 12; I'll certainly try 11 to be sure there aren't any problems from 12.
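Added example (not part of the thread or of the infra-debian repository): a check that can be run against an installed system to confirm that no apt setting left over from install time disables the TLS or GPG verification discussed above. The function names, the demo tree and its file names are constructed for illustration, and only classic one-line `.list` sources are inspected.

```shell
#!/bin/sh
# audit_apt_trust [ROOT]: report apt settings under ROOT that weaken repository
# verification. Returns 0 when nothing is found, 1 otherwise.
# ROOT is empty for a booted system, or /target from a preseed late_command.
audit_apt_trust() {
    root=${1:-}
    findings=0
    for f in "$root/etc/apt/apt.conf" "$root"/etc/apt/apt.conf.d/*; do
        [ -f "$f" ] || continue
        # TLS certificate checks switched off, globally or for one host
        if grep -Eiq 'Verify-(Peer|Host)[[:space:]]+"?(false|0|no)"?[[:space:]]*;' "$f"; then
            echo "TLS verification disabled in $f"
            findings=$((findings + 1))
        fi
        # Unsigned packages or repositories accepted
        if grep -Eiq 'Allow(Unauthenticated|InsecureRepositories)[[:space:]]+"?(true|1|yes)"?[[:space:]]*;' "$f"; then
            echo "unsigned repositories allowed in $f"
            findings=$((findings + 1))
        fi
    done
    for f in "$root/etc/apt/sources.list" "$root"/etc/apt/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        # Per-source options that skip signature checks
        if grep -E '^[[:space:]]*deb' "$f" | grep -Eq '(trusted|allow-insecure)=yes'; then
            echo "source marked trusted/allow-insecure in $f"
            findings=$((findings + 1))
        fi
        # Salt repo entry not pinned to its own keyring with signed-by
        if grep -E '^[[:space:]]*deb.*repo\.saltproject\.io' "$f" | grep -vq 'signed-by='; then
            echo "Salt repo without signed-by in $f"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample tree with the weak settings, for trying the audit offline.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/apt/apt.conf.d" "$d/etc/apt/sources.list.d"
    echo 'Acquire::https::repo.saltproject.io::Verify-Peer "false";' \
        > "$d/etc/apt/apt.conf.d/99insecure"
    echo 'deb [trusted=yes] https://repo.saltproject.io/salt/py3/debian/12/amd64/latest bookworm main' \
        > "$d/etc/apt/sources.list.d/salt.list"
    echo "$d"
}
```

Run `audit_apt_trust` with no argument on a booted machine, or `audit_apt_trust /target` from the installer environment.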

merichar commented 3 months ago

Let's hold off on being creative, since it sounds like time and the salt team's labor will solve this problem.

Let's let it sit for a month and you can bang on something else in the meantime.

NoRePercussions commented 3 months ago

Note for after this is patched: this repo is added to our machines after salt initialization by the os/debian/salt.sls state, and is perhaps then upgraded by unattended-upgrades. It still needs to be added earlier to work on debian 12.