Page MenuHomeDevCentral
Create Task
Maniphest T1993

Salt migration to 3007, 3008 and extensions
Open, HighPublic
Actions

Description

A proposal about SaltStack migration. We need to be aware of work currently needed to migrate Vault code from the core module to the extension.

Salt 3006

As of August 2024, FreeBSD packages repository still provide Salt 3006.

As such, this is the main version deployed on our servers and the version used for the primary server.

3006 is a LTS release with support until:

  • 2024-10-18 for active support
  • 2025-10-18 for security issues

Complector won't be upgraded to 3007 until one of those three scenarii occurs:

  • FreeBSD package is available and deployed everywhere
  • A critical need for features in extensions or 3008+
  • We're in October 2025 and there is no extension for 3006 LTS lifetime

Reference: https://docs.saltproject.io/salt/install-guide/en/latest/topics/salt-version-support-lifecycle.htm

Salt 3007

Salt 3007 provides new feature and a transition to 3008. See https://salt.tips/whats-new-in-salt-chlorine/

It's currently deployed on Linux servers without any issue.

If we're still on 3006 in October 2024, we'll skip 3007 on FreeBSD and we'll wait for 3008 until October 2025, per previously stated scenarii.

Extensions

Most of the features beyond OS-level management will be moved to modules. Complete list is available at https://github.com/saltstack/great-module-migration/.

Once 3007 is deployed everywhere, a priority is to start work to migrate to the Vault extension can be done. We'll gain in security and best practices, as documented in https://github.com/saltstack/salt/pull/62684.

Some considerations needs to be done for the ZFS community extension, including adoption.

If we need to directly migrate from 3006 to 3008, that will be tricker, especially for secrets provisioning, and will need an ad-hoc plan.

Salt 3008

Migration to Salt 3008 needs to be blocked by correct extension deployment:

  • ZFS
  • Vault

Revisions and Commits

rOPS Nasqueron Operations
D3394rOPSf1e9a736bb45 Downgrade to Salt 3006 on Fedora-downstream servers

Related Objects
Search...

Event Timeline

dereckson triaged this task as Normal priority.Aug 3 2024, 11:16
dereckson created this task.
dereckson raised the priority of this task from Normal to High.Aug 3 2024, 16:53

I've also discovered we can't deploy secrets to Salt 3007+ anymore from a Salt 3006 server:

Complector
$ salt dwellers credentials.get_username espacewin/bugzilla/mysql_root
dwellers:
    ERROR: Failed to read secret! InvalidConfigError: Invalid vault configuration: auth:token is required for token auth

This is critical, hence priority increase.

dereckson added a comment.Aug 3 2024, 17:33

Per previous comment, I'd advice to downgrade to 3006 LTS for paas-docker servers too.

That means using https://repo.saltproject.io/salt/py3/redhat/9/x86_64/3006/ as repository.

dereckson added a revision: D3394: Downgrade to Salt 3006 on Fedora-downstream servers.Aug 3 2024, 17:36
dereckson merged a task: T1976: Update Salt to 3007 on FreeBSD servers.Aug 4 2024, 09:58
dereckson added a subscriber: DorianWinty.
dereckson moved this task from Backlog to Nasqueron Operations SIG on the discussion board.Aug 4 2024, 17:33
dereckson closed subtask T1994: Upgrade Salt repository on Debian as Resolved.Aug 5 2024, 19:43
dereckson added a commit: rOPSf1e9a736bb45: Downgrade to Salt 3006 on Fedora-downstream servers.
dereckson moved this task from Backlog to Bug and issues on the Salt board.Sun, Oct 27, 01:01
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator