salt.states.pkgrepo

Management of APT/DNF/YUM/Zypper package repos

States for managing software package repositories on Linux distros. Supported package managers are APT, DNF, YUM and Zypper. Here is some example SLS:

base:
  pkgrepo.managed:
    - humanname: CentOS-$releasever - Base
    - mirrorlist: http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
    - comments:
        - 'http://mirror.centos.org/centos/$releasever/os/$basearch/'
    - gpgcheck: 1
    - gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
base:
  pkgrepo.managed:
    - humanname: Logstash PPA
    - name: deb http://ppa.launchpad.net/wolfnet/logstash/ubuntu precise main
    - dist: precise
    - file: /etc/apt/sources.list.d/logstash.list
    - keyid: 28B04E4A
    - keyserver: keyserver.ubuntu.com
    - require_in:
      - pkg: logstash

  pkg.latest:
    - name: logstash
    - refresh: True
base:
  pkgrepo.managed:
    - humanname: deb-multimedia
    - name: deb http://www.deb-multimedia.org stable main
    - file: /etc/apt/sources.list.d/deb-multimedia.list
    - key_url: salt://deb-multimedia/files/marillat.pub
base:
  pkgrepo.managed:
    - humanname: Google Chrome
    - name: deb http://dl.google.com/linux/chrome/deb/ stable main
    - dist: stable
    - file: /etc/apt/sources.list.d/chrome-browser.list
    - require_in:
      - pkg: google-chrome-stable
    - gpgcheck: 1
    - key_url: https://dl-ssl.google.com/linux/linux_signing_key.pub
base:
  pkgrepo.managed:
    - ppa: wolfnet/logstash
  pkg.latest:
    - name: logstash
    - refresh: True

Note

On Ubuntu systems, the python-software-properties package should be installed for better support of PPA repositories. To check if this package is installed, run dpkg -l python-software-properties.

On Ubuntu & Debian systems, the python-apt package is required to be installed. To check if this package is installed, run dpkg -l python-apt. python-apt will need to be manually installed if it is not present.

hello-copr:
    pkgrepo.managed:
        - copr: mymindstorm/hello
    pkg.installed:
        - name: hello

apt-key deprecated

apt-key is deprecated and will be last available in Debian 11 and Ubuntu 22.04. The recommended way to manage repo keys going forward is to download the keys into /etc/apt/keyrings and use signed-by in your repo file pointing to the key. This module was updated in version 3005 to implement the recommended approach. You need to add - aptkey: False to your state and set signed-by in your repo name, to use this recommended approach. If the cli command apt-key is not available it will automatically set aptkey to False.

Using aptkey: False with key_url example:

deb [signed-by=/etc/apt/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/ubuntu/18.04/amd64/latest bionic main:
  pkgrepo.managed:
    - file: /etc/apt/sources.list.d/salt.list
    - key_url: https://repo.saltproject.io/py3/ubuntu/18.04/amd64/latest/salt-archive-keyring.gpg
    - aptkey: False

Using aptkey: False with keyserver and keyid:

deb [signed-by=/etc/apt/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/ubuntu/18.04/amd64/latest bionic main:
  pkgrepo.managed:
    - file: /etc/apt/sources.list.d/salt.list
    - keyserver: keyserver.ubuntu.com
    - keyid: 0E08A149DE57BFBE
    - aptkey: False
salt.states.pkgrepo.absent(name, **kwargs)

This function deletes the specified repo on the system, if it exists. It is essentially a wrapper around pkg.del_repo.

name

The name of the package repo, as it would be referred to when running the regular package manager commands.

Note

On apt-based systems this must be the complete source entry. For example, if you include [arch=amd64], and a repo matching the specified URI, dist, etc. exists _without_ an architecture, then no changes will be made and the state will report a True result.

FEDORA/REDHAT-SPECIFIC OPTIONS

copr

Use community packages outside of the main package repository.

New in version 3002.

hello-copr:
    pkgrepo.absent:
      - copr: mymindstorm/hello

UBUNTU-SPECIFIC OPTIONS

ppa

On Ubuntu, you can take advantage of Personal Package Archives on Launchpad simply by specifying the user and archive name.

logstash-ppa:
  pkgrepo.absent:
    - ppa: wolfnet/logstash
ppa_auth

For Ubuntu PPAs there can be private PPAs that require authentication to access. For these PPAs the username/password can be specified. This is required for matching if the name format uses the ppa: specifier and is private (requires username/password to access, which is encoded in the URI).

logstash-ppa:
  pkgrepo.absent:
    - ppa: wolfnet/logstash
    - ppa_auth: username:password
keyid

If passed, then the GPG key corresponding to the passed KeyID will also be removed.

keyid_ppaFalse

If set to True, the GPG key's ID will be looked up from ppa.launchpad.net and removed, and the keyid argument will be ignored.

Note

This option will be disregarded unless the ppa argument is present.

salt.states.pkgrepo.managed(name, ppa=None, copr=None, aptkey=True, **kwargs)

This state manages software package repositories. Currently, yum, apt, and zypper repositories are supported.

YUM/DNF/ZYPPER-BASED SYSTEMS

Note

One of baseurl or mirrorlist below is required. Additionally, note that this state is not presently capable of managing more than one repo in a single repo file, so each instance of this state will manage a single repo file containing the configuration for a single repo.

name

This value will be used in two ways: Firstly, it will be the repo ID, as seen in the entry in square brackets (e.g. [foo]) for a given repo. Secondly, it will be the name of the file as stored in /etc/yum.repos.d (e.g. /etc/yum.repos.d/foo.conf).

enabledTrue

Whether the repo is enabled or not. Can be specified as True/False or 1/0.

disabledFalse

Included to reduce confusion due to APT's use of the disabled argument. If this is passed for a YUM/DNF/Zypper-based distro, then the reverse will be passed as enabled. For example passing disabled=True will assume enabled=False.

copr

Fedora and RedHat based distributions only. Use community packages outside of the main package repository.

New in version 3002.

humanname

This is used as the name value in the repo file in /etc/yum.repos.d/ (or /etc/zypp/repos.d for SUSE distros).

baseurl

The URL to a yum repository

mirrorlist

A URL which points to a file containing a collection of baseurls

comments

Sometimes you want to supply additional information, but not as enabled configuration. Anything supplied for this list will be saved in the repo configuration with a comment marker (#) in front.

gpgautoimport

Only valid for Zypper package manager. If set to True, automatically trust and import the new repository signing key. The key should be specified with gpgkey parameter. See details below.

Additional configuration values seen in YUM/DNF/Zypper repo files, such as gpgkey or gpgcheck, will be used directly as key-value pairs. For example:

foo:
  pkgrepo.managed:
    - humanname: Personal repo for foo
    - baseurl: https://mydomain.tld/repo/foo/$releasever/$basearch
    - gpgkey: file:///etc/pki/rpm-gpg/foo-signing-key
    - gpgcheck: 1

APT-BASED SYSTEMS

ppa

On Ubuntu, you can take advantage of Personal Package Archives on Launchpad simply by specifying the user and archive name. The keyid will be queried from launchpad and everything else is set automatically. You can override any of the below settings by simply setting them as you would normally. For example:

logstash-ppa:
  pkgrepo.managed:
    - ppa: wolfnet/logstash
ppa_auth

For Ubuntu PPAs there can be private PPAs that require authentication to access. For these PPAs the username/password can be passed as an HTTP Basic style username/password combination.

logstash-ppa:
  pkgrepo.managed:
    - ppa: wolfnet/logstash
    - ppa_auth: username:password
name

On apt-based systems this must be the complete entry as it would be seen in the sources.list file. This can have a limited subset of components (e.g. main) which can be added/modified with the comps option.

precise-repo:
  pkgrepo.managed:
    - name: deb http://us.archive.ubuntu.com/ubuntu precise main

Note

The above example is intended as a more readable way of configuring the SLS, it is equivalent to the following:

'deb http://us.archive.ubuntu.com/ubuntu precise main':
  pkgrepo.managed
disabledFalse

Toggles whether or not the repo is used for resolving dependencies and/or installing packages.

enabledTrue

Included to reduce confusion due to YUM/DNF/Zypper's use of the enabled argument. If this is passed for an APT-based distro, then the reverse will be passed as disabled. For example, passing enabled=False will assume disabled=False.

architectures

On apt-based systems, architectures can restrict the available architectures that the repository provides (e.g. only amd64). architectures should be a comma-separated list.

comps

On apt-based systems, comps dictate the types of packages to be installed from the repository (e.g. main, nonfree, ...). For purposes of this, comps should be a comma-separated list.

file

The filename for the *.list that the repository is configured in. It is important to include the full-path AND make sure it is in a directory that APT will look in when handling packages

dist

This dictates the release of the distro the packages should be built for. (e.g. unstable). This option is rarely needed.

keyid

The KeyID or a list of KeyIDs of the GPG key to install. This option also requires the keyserver option to be set.

keyserver

This is the name of the keyserver to retrieve GPG keys from. The keyid option must also be set for this option to work.

key_url

URL to retrieve a GPG key from. Allows the usage of https:// as well as salt://. If allow_insecure_key is True, this also allows http://.

Note

Use either keyid/keyserver or key_url, but not both.

key_text

The string representation of the GPG key to install.

New in version 2018.3.0.

Note

Use either keyid/keyserver, key_url, or key_text but not more than one method.

consolidateFalse

If set to True, this will consolidate all sources definitions to the sources.list file, cleanup the now unused files, consolidate components (e.g. main) for the same URI, type, and architecture to a single line, and finally remove comments from the sources.list file. The consolidation will run every time the state is processed. The option only needs to be set on one repo managed by Salt to take effect.

clean_fileFalse

If set to True, empty the file before configuring the defined repository

Note

Use with care. This can be dangerous if multiple sources are configured in the same file.

New in version 2015.8.0.

refreshTrue

If set to False this will skip refreshing the apt package database on Debian based systems.

refresh_dbTrue

Deprecated since version 2018.3.0: Use refresh instead.

require_in

Set this to a list of pkg.installed or pkg.latest to trigger the running of apt-get update prior to attempting to install these packages. Setting a require in the pkg state will not work for this.

aptkey:

Use the binary apt-key. If the command apt-key is not found in the path, aptkey will be False, regardless of what is passed into this argument.

allow_insecure_keyTrue

Whether to allow an insecure (e.g. http vs. https) key_url.

New in version 3006.0.