States for managing software package repositories on Linux distros. Supported package managers are APT, DNF, YUM and Zypper. Here is some example SLS:
base: pkgrepo.managed: - humanname: CentOS-$releasever - Base - mirrorlist: http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os - comments: - 'http://mirror.centos.org/centos/$releasever/os/$basearch/' - gpgcheck: 1 - gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
base: pkgrepo.managed: - humanname: Logstash PPA - name: deb http://ppa.launchpad.net/wolfnet/logstash/ubuntu precise main - dist: precise - file: /etc/apt/sources.list.d/logstash.list - keyid: 28B04E4A - keyserver: keyserver.ubuntu.com - require_in: - pkg: logstash pkg.latest: - name: logstash - refresh: True
base: pkgrepo.managed: - humanname: deb-multimedia - name: deb http://www.deb-multimedia.org stable main - file: /etc/apt/sources.list.d/deb-multimedia.list - key_url: salt://deb-multimedia/files/marillat.pub
base: pkgrepo.managed: - humanname: Google Chrome - name: deb http://dl.google.com/linux/chrome/deb/ stable main - dist: stable - file: /etc/apt/sources.list.d/chrome-browser.list - require_in: - pkg: google-chrome-stable - gpgcheck: 1 - key_url: https://dl-ssl.google.com/linux/linux_signing_key.pub
base: pkgrepo.managed: - ppa: wolfnet/logstash pkg.latest: - name: logstash - refresh: True
On Ubuntu systems, the
python-software-properties package should be
installed for better support of PPA repositories. To check if this package
is installed, run
dpkg -l python-software-properties.
On Ubuntu & Debian systems, the
python-apt package is required to be
installed. To check if this package is installed, run
dpkg -l python-apt.
python-apt will need to be manually installed if it is not present.
hello-copr: pkgrepo.managed: - copr: mymindstorm/hello pkg.installed: - name: hello
apt-key is deprecated and will be last available in Debian 11 and
Ubuntu 22.04. The recommended way to manage repo keys going forward
is to download the keys into /etc/apt/keyrings and use
in your repo file pointing to the key. This module was updated
in version 3005 to implement the recommended approach. You need to add
- aptkey: False to your state and set
signed-by in your repo
name, to use this recommended approach. If the cli command
is not available it will automatically set
aptkey to False.
aptkey: False with
deb [signed-by=/etc/apt/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/ubuntu/18.04/amd64/latest bionic main: pkgrepo.managed: - file: /etc/apt/sources.list.d/salt.list - key_url: https://repo.saltproject.io/py3/ubuntu/18.04/amd64/latest/salt-archive-keyring.gpg - aptkey: False
aptkey: False with
deb [signed-by=/etc/apt/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/ubuntu/18.04/amd64/latest bionic main: pkgrepo.managed: - file: /etc/apt/sources.list.d/salt.list - keyserver: keyserver.ubuntu.com - keyid: 0E08A149DE57BFBE - aptkey: False
You can also use the
signedby option as an argument to the state.
This option is only supported if you do NOT have python3-apt installed.
Python3-apt does not currently support the
signed-by option in repo
definitions. You can set
signed-by in the name of the repo, but
NOT in the
signedby argument of the state if python3-apt is installed.
deb [arch=amd64] https://repo.saltproject.io/py3/ubuntu/18.04/amd64/latest bionic main: pkgrepo.managed: - file: /etc/apt/sources.list.d/salt.list - signedby: /etc/apt/keyrings/salt-archive-keyring.gpg - keyserver: keyserver.ubuntu.com - keyid: 0E08A149DE57BFBE - aptkey: False
If you have the
signed-by option set in your pkgrepo.managed name
signedby arg set in the state, the
will override what is set in the name.
deb [arch=amd64 signed-by=/etc/apt/keyrings/salt-archive-keyring.gpg] https://repo.saltproject.io/py3/ubuntu/18.04/amd64/latest bionic main: pkgrepo.managed: - file: /etc/apt/sources.list.d/salt.list - signedby: /etc/apt/keyrings/salt-archive-keyring-override.gpg - keyserver: keyserver.ubuntu.com - keyid: 0E08A149DE57BFBE - aptkey: False
This function deletes the specified repo on the system, if it exists. It
is essentially a wrapper around
The name of the package repo, as it would be referred to when running the regular package manager commands.
Use community packages outside of the main package repository.
New in version 3002.
hello-copr: pkgrepo.absent: - copr: mymindstorm/hello
On Ubuntu, you can take advantage of Personal Package Archives on Launchpad simply by specifying the user and archive name.
logstash-ppa: pkgrepo.absent: - ppa: wolfnet/logstash
For Ubuntu PPAs there can be private PPAs that require authentication
to access. For these PPAs the username/password can be specified. This
is required for matching if the name format uses the
and is private (requires username/password to access, which is encoded
in the URI).
logstash-ppa: pkgrepo.absent: - ppa: wolfnet/logstash - ppa_auth: username:password
If passed, then the GPG key corresponding to the passed KeyID will also be removed.
If set to
True, the GPG key's ID will be looked up from
ppa.launchpad.net and removed, and the
keyid argument will be
This option will be disregarded unless the
ppa argument is
managed(name, ppa=None, copr=None, aptkey=True, **kwargs)¶
mirrorlist below is required. Additionally,
note that this state is not presently capable of managing more than one
repo in a single repo file, so each instance of this state will manage
a single repo file containing the configuration for a single repo.
This value will be used in two ways: Firstly, it will be the repo ID,
as seen in the entry in square brackets (e.g.
[foo]) for a given
repo. Secondly, it will be the name of the file as stored in
Whether the repo is enabled or not. Can be specified as
Included to reduce confusion due to APT's use of the
argument. If this is passed for a YUM/DNF/Zypper-based distro, then the
reverse will be passed as
enabled. For example passing
disabled=True will assume
Fedora and RedHat based distributions only. Use community packages outside of the main package repository.
New in version 3002.
This is used as the
name value in the repo file in
/etc/zypp/repos.d for SUSE distros).
The URL to a yum repository
A URL which points to a file containing a collection of baseurls
Sometimes you want to supply additional information, but not as enabled configuration. Anything supplied for this list will be saved in the repo configuration with a comment marker (#) in front.
Only valid for Zypper package manager. If set to
trust and import the new repository signing key. The key should be
gpgkey parameter. See details below.
Additional configuration values seen in YUM/DNF/Zypper repo files, such as
gpgcheck, will be used directly as key-value pairs.
foo: pkgrepo.managed: - humanname: Personal repo for foo - baseurl: https://mydomain.tld/repo/foo/$releasever/$basearch - gpgkey: file:///etc/pki/rpm-gpg/foo-signing-key - gpgcheck: 1
On Ubuntu, you can take advantage of Personal Package Archives on Launchpad simply by specifying the user and archive name. The keyid will be queried from launchpad and everything else is set automatically. You can override any of the below settings by simply setting them as you would normally. For example:
logstash-ppa: pkgrepo.managed: - ppa: wolfnet/logstash
For Ubuntu PPAs there can be private PPAs that require authentication to access. For these PPAs the username/password can be passed as an HTTP Basic style username/password combination.
logstash-ppa: pkgrepo.managed: - ppa: wolfnet/logstash - ppa_auth: username:password
On apt-based systems this must be the complete entry as it would be
seen in the
sources.list file. This can have a limited subset of
main) which can be added/modified with the
precise-repo: pkgrepo.managed: - name: deb http://us.archive.ubuntu.com/ubuntu precise main
The above example is intended as a more readable way of configuring the SLS, it is equivalent to the following:
'deb http://us.archive.ubuntu.com/ubuntu precise main': pkgrepo.managed
Toggles whether or not the repo is used for resolving dependencies and/or installing packages.
Included to reduce confusion due to YUM/DNF/Zypper's use of the
enabled argument. If this is passed for an APT-based distro, then
the reverse will be passed as
disabled. For example, passing
enabled=False will assume
On apt-based systems,
architectures can restrict the available
architectures that the repository provides (e.g. only
architectures should be a comma-separated list.
On apt-based systems, comps dictate the types of packages to be
installed from the repository (e.g.
nonfree, ...). For
purposes of this,
comps should be a comma-separated list.
The filename for the
*.list that the repository is configured in.
It is important to include the full-path AND make sure it is in
a directory that APT will look in when handling packages
This dictates the release of the distro the packages should be built
unstable). This option is rarely needed.
The KeyID or a list of KeyIDs of the GPG key to install.
This option also requires the
keyserver option to be set.
This is the name of the keyserver to retrieve GPG keys from. The
keyid option must also be set for this option to work.
URL to retrieve a GPG key from. Allows the usage of
https:// as well as
key_url, but not both.
The string representation of the GPG key to install.
New in version 2018.3.0.
not more than one method.
If set to
True, this will consolidate all sources definitions to the
sources.list file, cleanup the now unused files, consolidate components
main) for the same URI, type, and architecture to a single line,
and finally remove comments from the
sources.list file. The consolidation
will run every time the state is processed. The option only needs to be
set on one repo managed by Salt to take effect.
If set to
True, empty the file before configuring the defined repository
Use with care. This can be dangerous if multiple sources are configured in the same file.
New in version 2015.8.0.
If set to
False this will skip refreshing the apt package database
on Debian based systems.
Deprecated since version 2018.3.0: Use
apt-keyis not found
in the path, aptkey will be False, regardless of what is passed into this argument.
On apt-based systems,
signedby is the the path to the key file
the repository will use. This is required if apt-key is False.