[BUG] Configs with SaveConfig = true always yield file changes

[emansom]

Your setup

Formula commit hash / release tag

b88246c / master

Versions reports (master & minion)

[root@REDACTED ~]# salt -V
Salt Version:
          Salt: 3004.1

Dependency Versions:
          cffi: 1.11.5
      cherrypy: unknown
      dateutil: 2.6.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 2.10.1
       libgit2: 0.26.8
      M2Crypto: 0.35.2
          Mako: Not Installed
       msgpack: 0.6.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     pycparser: 2.14
      pycrypto: Not Installed
  pycryptodome: Not Installed
        pygit2: 0.26.4
        Python: 3.6.8 (default, Apr 12 2022, 06:55:39)
  python-gnupg: Not Installed
        PyYAML: 3.12
         PyZMQ: 19.0.0
         smmap: Not Installed
       timelib: Not Installed
       Tornado: 4.5.3
           ZMQ: 4.3.4

System Versions:
          dist: rocky 8.6 Green Obsidian
        locale: UTF-8
       machine: x86_64
       release: 4.18.0-372.9.1.el8.x86_64
        system: Linux
       version: Rocky Linux 8.6 Green Obsidian

Pillar / config used

/srv/pillar/wireguard.sls

wireguard:
  interfaces:
    vpn0:
      Interface:
        Address: REDACTED
        SaveConfig: true
        ListenPort: REDACTED
        PrivateKey: REDACTED
      Peers:
        REDACTED:
          PublicKey: REDACTED
          AllowedIPs: REDACTED
          Endpoint: REDACTED
        REDACTED:
          PublicKey: REDACTED
          AllowedIPs: REDACTED
          Endpoint: REDACTED

---

Bug details

Describe the bug

When running this formula with a pillar configuration definition containing SaveConfig: true within the Interface dict: file changes and service restart are always triggered on subsequent runs.

As the configuration file WireGuard saves contains no boilerplate, the formula detects changes, applies them and triggers a restart. This restart then triggers a stop, which saves the stripped config file again. The cycle continues.

Steps to reproduce the bug

Running the wireguard formula (from PR #4 to let installation succeed) twice on a CentOS Stream or Rocky Linux 8 machine with given pillar data.

Expected behaviour

It not overwriting files with slightly different ordering and/or no boilerplate comments.

Proposed fix

Given WireGuard configuration files have the INI file format, we can utilize the built-in ini_manage state.

That will make it resilient to small changes, while ensuring all pillar data is reflected.

The route of using ini_manage should only be taken when SaveConfig: true is set, as to remain behaviorally compatible with existing setups as well as guarantee no configuration drift on minions without SaveConfig: true.

Attempts to fix the bug

Removing SaveConfig from pillar data removes the circular config override issue, however, that will result in dropped connection states on service restart triggered by this formula. Which is not ideal.

Update: Tried the ini_manage route in my own fork: it's a no go. It doesn't handle duplicate sections with the same name. Next up: writing a custom execution module to do the heavy lifting of merging template with existing/runtime config.