Automated SaltStack Minion Updates through winrepo

By | 9. November 2023

This blog article is a follow-up to the previous article that explains a different way to do minion updates. For Windows minions there’s an even easier method to run the update automatically. This is by using winrepo. Winrepo is a mechanism provided by SaltStack to build a package manager like yum or apt on Linux. The beauty of it is that it already contains a package for the salt-minion installation which can be leveraged for automated mass updates as well. It also seems to include some way of wrapping mechanism that overcomes the issue of salt-minion service restart.

Installing winrepo

To install winrepo the SaltStack master must have internet connection. There is only 1 command needed to run on the master which initializes the winrepo:

salt-run winrepo.update_git_repos

After that you will find the directory /srv/salt/win/repo-ng/salt-winrepo-ng/_ which contains all predefined repo files (make sure you include the _ character).

In this directory there is a specification for the salt-minion installation (salt-minion.sls). If you have a closer look at the file, you will find different sections that represent different salt-minion versions with some details how they are handled.

In the version I was using at creation of the blog, salt-minion version 3006.4 and 3005.4 were fully supported. All versions which have CVEs are handled in a separate list in the file and will only be supported for removal, not for updates.

Using winrepo

There are some commands you should be aware of when using winrepo.

salt ‘<minionname>’ pkg.list_pkgs

Lists all packages that are installed on the minion and identified by SaltStack.

salt ‘<minionname>’ pkg.list_available salt-minion-py3

Lists all available versions of the package salt-minon-py3 including the CVE-versions which only can be uninstalled.

salt ‘<minionname>’ pkg.install ‘salt-minion-py3‘ version 3006.4

Installs salt-minion version 3006.4 on the target (requires previous minion installation on the target). Be aware that the winrepo package is called ‘salt-minion-py3’. This includes update installations.

salt ‘<minionname>’ pkg.remove ‘salt-minion-py3’

Removes salt-minion from the target.

The related commands will show up in the UI as jobs:

Additional note

In some situations, I saw that after an upgrade of the salt-minion through winrepo, the upgrade in general was running fine, however there was still a running .exe installation process in the Windows task manager. Once I killed it manually everything looked good.

I will monitor this behavior and provide an update once new information is available.

 

Have fun!

print
Christian Ferber

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.