-1

I have a Saltstack formula for installing a package that is only found in the [rhel-7-server-optional-rpms] repository on Red Hat Enterprise Linux 7. Because this repository is disabled by default I am trying to write a formula that enables the repository, so that the package formula can depend on it.

The file /etc/yum.repos.d/redhat.repo contains all the repositories separated into sections like this (shortened version, removed some lines):

[rhel-7-server-fastrack-source-rpms]
baseurl = https://cdn.redhat.com/content/fastrack/rhel/server/7/$basearch/source/SRPMS
sslverify = 1
sslclientcert = /etc/pki/entitlement/<long number>.pem
sslclientkey = /etc/pki/entitlement/<long number>-key.pem
name = Red Hat Enterprise Linux 7 Server - Fastrack (Source RPMs)
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled = 0
gpgcheck = 1

[rhel-7-server-source-rpms]
baseurl = https://cdn.redhat.com/content/dist/rhel/server/7/$releasever/$basearch/source/SRPMS
sslverify = 1
sslclientcert = /etc/pki/entitlement/<long number>.pem
sslclientkey = /etc/pki/entitlement/<long number>-key.pem
name = Red Hat Enterprise Linux 7 Server (Source RPMs)
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled = 0
gpgcheck = 1

[rhel-7-server-optional-rpms]
baseurl = https://cdn.redhat.com/content/dist/rhel/server/7/$releasever/$basearch/optional/os
sslverify = 1
sslclientcert = /etc/pki/entitlement/<long number>.pem
sslclientkey = /etc/pki/entitlement/<long number>-key.pem
name = Red Hat Enterprise Linux 7 Server - Optional (RPMs)
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled = 0
gpgcheck = 1

What I have to do is replace the line "enabled=0" with "enabled=1" in the correct section in /etc/yum.repos.d/redhat.repo. Any tips on how to do this are much appreciated.

Something like this works, but will only replace the first occurrence of enabled=[0,1] in the file, while I need to replace it only in the section [rhel-7-server-optional-rpms]. My regex knowledge is much too limited to make this work.

enable_optional_rpms:
  file.replace:
    - name: /etc/yum.repos.d/redhat.repo
    # the file writes "enabled = 0" with spaces around "=", so allow them
    - pattern: '^enabled\s*=\s*[01]'
    - repl: 'enabled = 1'

I would also like to have support for older versions of RHEL, so if [rhel-7-server-optional-rpms] is not found it should look for [rhel-6-server-optional-rpms] and [rhel-5-server-optional-rpms] too.

Any help with this would be appreciated.

arnefm
  • 1,008
  • 8
  • 7
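A section-scoped version of the replacement the question asks for, as an added example (not code from the original post). Salt's `file.replace` hands `pattern` and `repl` to Python's `re` module, so the regex is exercised here with the standard library before it goes into an SLS. The sample repo file is constructed to mirror the excerpt above, the entitlement file names in it are placeholders rather than real certificate ids, and the function names (`enabled_pattern`, `set_enabled`, `enable_first_available`, `salt_state`) are this example's own.

```python
"""Section-scoped toggle of 'enabled' in a yum .repo file (added example)."""
import re

# Constructed sample shaped like the redhat.repo excerpt in the question;
# the entitlement file names are placeholders, not real certificate ids.
SAMPLE_REPO = """\
[rhel-7-server-source-rpms]
baseurl = https://cdn.redhat.com/content/dist/rhel/server/7/$releasever/$basearch/source/SRPMS
sslclientcert = /etc/pki/entitlement/0000000000000000000.pem
sslclientkey = /etc/pki/entitlement/0000000000000000000-key.pem
name = Red Hat Enterprise Linux 7 Server (Source RPMs)
enabled = 0
gpgcheck = 1

[rhel-7-server-optional-rpms]
baseurl = https://cdn.redhat.com/content/dist/rhel/server/7/$releasever/$basearch/optional/os
sslclientcert = /etc/pki/entitlement/0000000000000000000.pem
sslclientkey = /etc/pki/entitlement/0000000000000000000-key.pem
name = Red Hat Enterprise Linux 7 Server - Optional (RPMs)
enabled = 0
gpgcheck = 1

[rhel-7-server-rpms]
baseurl = https://cdn.redhat.com/content/dist/rhel/server/7/$releasever/$basearch/os
name = Red Hat Enterprise Linux 7 Server (RPMs)
enabled = 1
gpgcheck = 1
"""

# Newest first: the first section that exists in the file wins.
CANDIDATE_SECTIONS = (
    "rhel-7-server-optional-rpms",
    "rhel-6-server-optional-rpms",
    "rhel-5-server-optional-rpms",
)


def enabled_pattern(section):
    """Regex whose group 1 runs from '[section]' to the '=' of its enabled line.

    [^\\[]*? may cross newlines but never a '[', so the match cannot spill into
    the next section header; '^' needs re.MULTILINE.  Assumes no value inside
    the section contains a literal '['.
    """
    return r"(\[" + re.escape(section) + r"\][^\[]*?^enabled[ \t]*=[ \t]*)[01]"


def has_section(contents, section):
    """True if a '[section]' header line is present."""
    header = r"^\[" + re.escape(section) + r"\][ \t]*$"
    return re.search(header, contents, re.MULTILINE) is not None


def set_enabled(contents, section, value=1):
    """Return (new_contents, changed).

    Only the first 'enabled' line inside [section] is touched; every other
    section stays byte-for-byte intact.
    """
    m = re.search(enabled_pattern(section), contents, re.MULTILINE)
    if m is None:
        return contents, False  # section absent, or it has no enabled line
    current = contents[m.end(1):m.end()]
    if current == str(value):
        return contents, False  # already in the desired state
    return contents[:m.end(1)] + str(value) + contents[m.end():], True


def enable_first_available(contents, candidates=CANDIDATE_SECTIONS):
    """Enable the first candidate section present (RHEL 7, then 6, then 5).

    Returns (new_contents, section_used) or (contents, None) if none exist.
    """
    for section in candidates:
        if has_section(contents, section):
            new, _changed = set_enabled(contents, section, 1)
            return new, section
    return contents, None


def salt_state(section, path="/etc/yum.repos.d/redhat.repo"):
    """Render the equivalent file.replace state using the same regex.

    flags is given explicitly so MULTILINE does not rely on the module default.
    """
    return (
        "enable_optional_rpms:\n"
        "  file.replace:\n"
        "    - name: {path}\n"
        "    - pattern: '{pattern}'\n"
        "    - repl: '\\g<1>1'\n"
        "    - count: 1\n"
        "    - flags: ['MULTILINE']\n"
    ).format(path=path, pattern=enabled_pattern(section))


if __name__ == "__main__":
    updated, used = enable_first_available(SAMPLE_REPO)
    print("enabled section:", used)
    print(salt_state(used))
```

`salt_state()` prints the SLS fragment to drop into the formula; `count: 1` limits the edit to the first `enabled` line of that section, and the fallback over the RHEL 7/6/5 section names would be done with Jinja in the SLS (for example by looping over the same candidate list and emitting one state per section that exists). The one caveat is the `[^\[]*?` trick: a value containing a literal `[` inside the target section would stop the match early and the state would report no change.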

1 Answer

0

The standard way of adding a new package repository with saltstack is with the pkgrepo state. https://docs.saltstack.com/en/latest/ref/states/all/salt.states.pkgrepo.html

For example to add the last repo in your example:

rhel-7-server-optional-rpms:
  pkgrepo.managed:
    - humanname: "Red Hat Enterprise Linux 7 Server - Optional (RPMs)"
    # the CDN URL is a baseurl, not a mirrorlist
    - baseurl: https://cdn.redhat.com/content/dist/rhel/server/7/$releasever/$basearch/optional/os
    - gpgcheck: 1
    - gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
    - enabled: 1

As for conditionally adding the correct repo based on the OS version, you do that by templatizing the state file and doing some conditional logic based on information from the salt grains https://docs.saltstack.com/en/latest/topics/tutorials/states_pt3.html#using-grains-in-sls-modules:

{# osrelease is the full version, e.g. "7.1", so test the major version rather than "7.0" #}
{% if grains["osrelease"].startswith("7.") %}
rhel-7-server-optional-rpms:
  pkgrepo.managed:
    - humanname: "Red Hat Enterprise Linux 7 Server - Optional (RPMs)"
    - baseurl: https://cdn.redhat.com/content/dist/rhel/server/7/$releasever/$basearch/optional/os
    - gpgcheck: 1
    - gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
    - enabled: 1
{% elif grains["osrelease"].startswith("6.") %}
# RHEL6 REPO GOES HERE
{% endif %}

If you really want to do it with file based replacement, I would make it a jinja template and replace each enabled value with something like:

enabled = {{ rhel7_repo_enabled }}

And in the RHEL6 repo definition:

enabled = {{ rhel6_repo_enabled }}

And then render it as a managed file:

/etc/yum.repos.d/redhat.repo:
  file.managed:
    - template: jinja
    - source: salt://PATH_TO_FILE_ON_MASTER
    - context:
        {% if grains["osrelease"].startswith("7.") %}
        rhel7_repo_enabled: 1
        rhel6_repo_enabled: 0
        {% elif grains["osrelease"].startswith("6.") %}
        rhel7_repo_enabled: 0
        rhel6_repo_enabled: 1
        {% else %}
        rhel7_repo_enabled: 0
        rhel6_repo_enabled: 0
        {% endif %}

But I strongly recommend you use the former approach as it is the most maintainable and robust.

egalano
  • 57
  • 1
  • 6
  • Thank you but I already tried this approach. I should have mentioned that in the question. The problem is that every repository in /etc/yum.repos.d/redhat.repo has a field named `sslclientcert` and `sslclientkey` that is used to authenticate the server. It looks like `sslclientcert = /etc/pki/entitlement/.pem` and is different for every server. I removed those lines from the example above as I am not sure if the key name should be secret or not. – arnefm Sep 11 '15 at 12:31
  • As the key name is unique to each server I can't know in advance what the file should look like. I considered writing a formula that renames the key file, but I don't know what else depends on this key having that specific name. – arnefm Sep 11 '15 at 12:43
  • If you are only fetching from public repositories ssl client certificates are not necessary. That is only needed for repositories which require a signed client certificate for access. – egalano Sep 12 '15 at 00:42
  • This, however, is not a public repository. Take a look at the `baseurl`. This is an official Red Hat repository that requires users to be subscribed. I have tried using it without specifying the sslclientkey/sslclientcert but that does not work. If it was this simple to solve I wouldn't have to visit stackoverflow :) – arnefm Sep 13 '15 at 17:49
  • Sorry I don't run RHEL. I didn't know those were subscription only. Makes sense now. How easy would it be for you to create a symlink to the generated key names and replace the ssl key paths with a known name like this? ln -s ${GENERATED_NAME} /etc/pki/entitlement/host.pem – egalano Sep 14 '15 at 19:07
  • Is the generated hash/int something that shows up in a salt-call --local grains.items? It may require writing a custom grain or pillar to make it something that is accessible as a template variable – egalano Sep 14 '15 at 19:14
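The custom grain suggested in the last comment, as an added example (not code from the original thread). A module placed in `_grains/` on the master (the file name `entitlement.py` is an assumption) and synced with `saltutil.sync_grains` is loaded by the minion, and every public function's returned dict is merged into the grains; the managed `redhat.repo` template can then write `sslclientcert = {{ grains['entitlement_cert'] }}` instead of a per-host file name. The function names and the `entitlement_cert` / `entitlement_key` grain names are this example's own; only the standard library is used.

```python
"""Custom grain exposing the host's entitlement certificate paths (added example)."""
import glob
import os

# subscription-manager keeps the pair <id>.pem and <id>-key.pem here; the <id>
# differs per host, which is what the comments above are trying to work around.
ENTITLEMENT_DIR = "/etc/pki/entitlement"


def find_entitlement(directory=ENTITLEMENT_DIR):
    """Locate the newest complete cert/key pair in ``directory``.

    Returns {'entitlement_cert': path, 'entitlement_key': path}, or {} when no
    complete pair exists (unregistered host) so the template can fall back.
    Only paths are exposed as grains, never the key material itself.
    """
    pairs = []
    for key in glob.glob(os.path.join(directory, "*-key.pem")):
        cert = key[: -len("-key.pem")] + ".pem"
        if os.path.isfile(cert):  # skip orphan keys without a matching cert
            pairs.append((os.path.getmtime(cert), cert, key))
    if not pairs:
        return {}
    _mtime, cert, key = max(pairs)  # newest certificate wins after a re-register
    return {"entitlement_cert": cert, "entitlement_key": key}


def entitlement():
    """Entry point: Salt calls every public function of a _grains module."""
    return find_entitlement()


if __name__ == "__main__":
    print(entitlement())
```

After `salt '*' saltutil.sync_grains`, `salt-call grains.item entitlement_cert` shows the resolved path, and a template line such as `sslclientcert = {{ grains['entitlement_cert'] }}` renders it; because only paths go into grains, the private key never leaves the minion.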