[BUG] Disabled state file is still executable using salt-ssh

[hkroeber]

Description

For deployments to productive environments there is a need to avoid applying concurrent salt states to the same minion at a time. Disabling a critical salt state seems to be solution to that problem.

Following the documentation here a state file is disabled on a minion, but is still executable in that minion.

Setup

Please be as specific as possible and give set-up details.

• [x] on-prem machine
• [ ] VM (Virtualbox, KVM, etc. please specify)
• [ ] VM running on a cloud service, please be explicit and add details
• [ ] container (Kubernetes, Docker, containerd, etc. please specify)
• [ ] or a combination, please be explicit
• [ ] jails if it is FreeBSD

The salt master host uses salt-ssh to apply states on the remote minions. There are no current issues in our daily work using salt for remote management.

Steps to Reproduce the behavior

A state file with a dummy operation (for testing) is:

salt-ssh laphkroeber state.sls tmp.run_once
laphkroeber:
----------
          ID: deploy_file
    Function: file.managed
        Name: /home/hkroeber/tmp/test_deploy
      Result: True
     Comment: File /home/hkroeber/tmp/test_deploy exists with proper permissions. No changes made.
     Started: 14:21:22.379130
    Duration: 3.329 ms
     Changes:   

Summary for laphkroeber
------------
Succeeded: 1
Failed:    0
------------
Total states run:     1
Total run time:   3.329 ms

It is disabled using:

$ salt-ssh laphkroeber state.disable tmp.run_once
laphkroeber:
    ----------
    msg:
        Info: tmp.run_once state already disabled.
    res:
        True

List disabled states shows doesn't show the disabled state immediately. It takes multiple calls of the following command ti see that result (10 times in ~2 minutes).

salt-ssh laphkroeber state.list_disabled
laphkroeber:
    - tmp.run_once

The disable state file is still executable on that minion.

$ salt-ssh laphkroeber state.sls tmp.run_once
laphkroeber:
----------
          ID: deploy_file
    Function: file.managed
        Name: /home/hkroeber/tmp/test_deploy
      Result: True
     Comment: File /home/hkroeber/tmp/test_deploy exists with proper permissions. No changes made.
     Started: 14:47:54.442692
    Duration: 3.8 ms
     Changes:   

Summary for laphkroeber
------------
Succeeded: 1
Failed:    0
------------
Total states run:     1
Total run time:   3.800 ms

Expected behavior

• Disabled states must be listed using state.list_disabled immediately after disabling.
• As stated in the documentation a disabled state file / state must not be executable on the addressed minions.

Screenshots

Additional context

Content of the 'grains' file in the salt tmp - directory on the minion.

state_runs_disabled:
- tmp.run_once

[welcome[bot]]

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey. Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

• Community Wiki
• Salt’s Contributor Guide
• Join our Community Slack
• IRC on LiberaChat
• Salt Project YouTube channel
• Salt Project Twitch channel

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar. If you have additional questions, email us at saltproject@vmware.com. We’re glad you’ve joined our community and look forward to doing awesome things with you!