Repo and Bootstrap Changes

May 19, 2021 - Sage Robins

TL;DR

  • Use saltproject.io domains
  • Use https for installing Salt
  • Stop using repo rpms and $releasever in your .repo files.

Several changes are being made to the saltstack.com and saltproject.io domains on 2021-MAY-19.


Bootstrap

What is changing:

  • bootstrap.saltstack.com will redirect to bootstrap.saltproject.io
  • winbootstrap.saltstack.com will redirect to winbootstrap.saltproject.io

What do I need to do?

All of these domains have always redirected from http to https. If you are using curl to fetch the bootstrap script, make sure to include the -L flag so it follows redirects. We recommend changing all scripts that use saltstack.com to use saltproject.io, but if you’re already following redirects, there should be no issue.

Example: curl -o bootstrap-salt.sh -fsSL https://bootstrap.saltproject.io

Repo

What is changing:

  • archive.repo.saltstack.com will redirect to archive.repo.saltproject.io
  • repo.saltstack.com will redirect to repo.saltproject.io
  • All http will be redirected to https for these sites
  • s3.repo.saltproject.io, s3.repo.saltstack.com, s3.archive.repo.saltstack.com, and s3.archive.repo.saltproject.io will redirect http to https but will not redirect from the saltstack.com version to the saltproject.io version.

What do I need to do?

  • Linux package managers already follow redirects, but Debian 9, Ubuntu 16.04, and earlier versions of those OSs need apt-transport-https installed in order to fetch packages from https sites. Debian 10, Ubuntu 18.04, and newer versions need ca-certificates installed. ca-certificates is usually installed by default, but may be missing in some docker containers, for example.
  • Ensure fetching installers for Windows or Mac follows redirects. This means using the -L flag on curl, for example.
  • If you are using PowerShell, ensure TLS 1.2 is enabled in any scripts used
    • example: https://github.com/saltstack/salt-bootstrap/blob/v2021.03.02/bootstrap-salt.ps1#L108
  • If syncing with an s3 client, use https and not http for the s3 endpoint
  • Anywhere you use archive.repo.saltstack.com or repo.saltstack.com, please switch to the saltproject.io version to avoid an extra redirect
  • Anywhere you use s3.archive.repo.saltstack.com or s3.repo.saltstack.com, please switch to the saltproject.io version; the saltstack.com versions will continue to work as they have via https for the foreseeable future.

OpenSUSE repos

What is changing:

  • OpenSUSE repos have been on archive.repo.saltproject.io for several months; they are being deleted from repo.saltproject.io

What do I need to do:

  • Install salt from the distro repos: https://software.opensuse.org/package/salt
  • If you need old insecure versions, you can install from https://archive.repo.saltproject.io/opensuse instead. To do that, look at your repo file for it in /etc/zypp/repos.d/ and update the baseurl to use archive.repo.saltproject.io instead of repo.saltproject.io or repo.saltstack.com

Repo RPMs

What is changing:

  • All repo rpms, such as https://archive.repo.saltstack.com/py3/redhat/salt-py3-repo-2019.2.el8.noarch.rpm are being removed from https://archive.repo.saltproject.io
  • No new repo RPMs will be added to https://repo.saltproject.io and existing RPMs will be removed when the corresponding major branch becomes unsupported.
  • The “latest” repo RPMs will be removed when 3002 becomes unsupported: 2022-APR-21

What do I need to do:

  • Follow the instructions on https://repo.saltproject.io/#rhel or https://repo.saltproject.io/#amzn for installing .repo files directly rather than through a repo rpm.

$releasever compatibility symlinks

What is changing:

  • Symlinks such as https://archive.repo.saltproject.io/yum/redhat/7Workstation or https://repo.saltproject.io/py3/redhat/7.5 will be removed from both https://repo.saltproject.io and https://archive.repo.saltproject.io
  • Symlinks for Amazon Linux 1 such as https://archive.repo.saltproject.io/yum/amazon/2015.03 will be removed. Amazon Linux 1 is end of life and is only present on https://archive.repo.saltproject.io

What do I need to do:

  • Ensure the redhat version in your .repo file for salt (typically either /etc/yum.repos.d/salt.repo or /etc/yum.repos.d/saltstack.repo) is a 5, 6, 7, or 8, and not $releasever, 7Workstation, 8.4, or anything else.
  • For Amazon Linux 1, ensure you don’t use $releasever, 2015.03, or any other date; only use “latest” in your .repo file.
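
The .repo checks above can be scripted. The following is an added example, not part of the original post or of Salt's own tooling: it scans baseurl and gpgkey lines for plain http, saltstack.com domains, and redhat or amazon version segments that depend on the removed symlinks. The sample's path layout and the EXAMPLE-KEY.pub name are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit Salt .repo content for settings this post retires.
# Reads the named files (or stdin) and prints one finding per line.
audit_salt_repo() {
    awk '
    /^[ \t]*(baseurl|gpgkey)[ \t]*=/ {
        src = (FILENAME == "" || FILENAME == "-" ? "stdin" : FILENAME)
        loc = src ":" FNR ": "
        if (index($0, "http://"))
            print loc "plain http, use https"
        if ($0 ~ /saltstack\.com/)
            print loc "saltstack.com domain, switch to saltproject.io"
        # redhat/<ver> must be a bare major version: 5, 6, 7 or 8
        if (match($0, "/redhat/[^/]+")) {
            ver = substr($0, RSTART + 8, RLENGTH - 8)
            if (ver !~ /^[5-8]$/)
                print loc "redhat version " ver " uses a removed symlink"
        }
        # amazon/<ver> must not be $releasever or a date such as 2015.03
        if (match($0, "/amazon/[^/]+")) {
            ver = substr($0, RSTART + 8, RLENGTH - 8)
            if (ver ~ /releasever/ || ver ~ /^[0-9][0-9][0-9][0-9]\.[0-9][0-9]$/)
                print loc "amazon version " ver " uses a removed symlink"
        }
    }' "$@"
}

# Constructed sample; the path layout and key file name are assumptions.
sample_repo() {
    cat <<'EOF'
[salt-latest]
name=Salt repo (constructed sample)
baseurl=http://repo.saltstack.com/py3/redhat/$releasever/$basearch/latest
gpgkey=https://repo.saltproject.io/py3/redhat/7/x86_64/latest/EXAMPLE-KEY.pub
EOF
}

# Demo run: the sample baseurl yields three findings, the gpgkey line none.
sample_repo | audit_salt_repo
```

To check a host, pass the files named above, for example audit_salt_repo /etc/yum.repos.d/salt.repo; a file with nothing to change produces no output.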

See https://github.com/saltstack/salt/issues/59647 for more information. Ask any questions in the #salt-package-updates channel in the Community Slack workspace.