Due to the critical nature of issue 41230 we have decided to patch the 2016.11.5 packages with P.R.41244. This issue affects all calls to a salt-minion if there is an ipv6 nameserver set on the minion's host. The patched packages on repo.saltstack.com will divert from the v2016.11.5 tag and pypi packages due to the additional PR applied to the packages.
Bug fixes.
From the pull request pending, #31320:
On NetBSD, Salt currently defaults to using lsof(8) to determine which
minions are connected. It is however not always available, and even
then quite unreliable. I found that just like on FreeBSD, sockstat(1)
is a much safer alternative. Unfortunately its output is not exactly
the same on NetBSD, where the port delimiter is a dot character
instead. As a consequence I have decided to duplicate the relevant
function for NetBSD; let me know if I should try to re-use the code
supporting FreeBSD instead.
See also https://github.com/saltstack/salt/pull/31230.
Salt 2015.8.5 is identical to the 2015.8.4 release with the addition of a fix
for issue 30820, fixed by PR #30833.
SECURITY FIX
CVE-2016-1866: Improper handling of clear messages on the minion, which could
result in executing commands not sent by the master.
This issue affects only the 2015.8.x releases of Salt. In order for an attacker
to use this attack vector, they would have to execute a successful attack on an
existing TCP connection between minion and master on the pub port. It does not
allow an external attacker to obtain the shared secret or decrypt any encrypted
traffic between minion and master.
We recommend everyone upgrade to 2015.8.4 as soon as possible.
CORE CHANGES
PR #28994: timcharper Salt S3 module has learned how to assume IAM roles
Added option mock=True for state.sls and state.highstate. This allows the salt
state compiler to process sls data in a state run without actually calling the
state functions, thus providing feedback on the validity of the arguments used
for the functions beyond the preprocessing validation provided by state.show_sls
(issue 30118 and issue 30189).
salt '*' state.sls core,edit.vim mock=True
salt '*' state.highstate mock=True
salt '*' state.apply edit.vim mock=True
CHANGES FOR V2015.8.3..V2015.8.4
Extended changelog courtesy of Todd Stansell
(https://github.com/tjstansell/salt-changelogs):
Generated at: 2016-01-25T17:48:35Z
Total Merges: 320
Changes:
PR #30613: (basepi) Fix minion/syndic clearfuncs
PR #30609: (seanjnkns) Fix documentation for pillar_merge_lists which default is
False, not …
PR #30584: (julianbrost) file.line state: add missing colon in docstring
PR #30589: (terminalmage) Merge 2015.5 into 2015.8
PR #30599: (multani) Documentation formatting fixes
PR #30554: (rallytime) Make the salt-cloud actions output more verbose and
helpful
PR #30549: (techhat) Salt Virt cleanup
PR #30553: (techhat) AWS: Support 17-character IDs
PR #30532: (whiteinge) Add execution module for working in sls files
PR #30529: (terminalmage) Merge 2015.5 into 2015.8
PR #30526: (twangboy) Added FlushKey to make sure it's changes are saved to disk
PR #30521: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8
PR #30485: (jtand) Updated pip_state to work with pip 8.0 on 2015.8
PR #30494: (isbm) Zypper: info_installed — 'errors' flag change to type
'boolean'
PR #30506: (jacksontj) Properly remove newlines after reading the file
PR #30508: (rallytime) Fix Linode driver cloning functionality
PR #30522: (terminalmage) Update git.list_worktree tests to reflect new return
data
PR #30483: (borgstrom) Pyobjects recursive import support (for 2015.8)
PR #30491: (jacksontj) Add multi-IP support to network state
PR #30496: (anlutro) Fix KeyError when adding ignored pillars
PR #30359: (kingsquirrel152) Removes suspected copy/paste error for
zmq_filtering functionailty
PR #30448: (cournape) Fix osx scripts location
PR #30457: (rallytime) Remove fsutils references from modules list
PR #30453: (rallytime) Make sure private AND public IPs are listed for Linode
driver
PR #30458: (rallytime) Back-port #30062 to 2015.8
PR #30468: (timcharper) make note of s3 role assumption in upcoming changelog
PR #30470: (whiteinge) Add example of the match_dict format to accept_dict wheel
function
PR #30450: (gtmanfred) fix extension loading in novaclient
PR #30212: (abednarik) Fix incorrect file permissions in file.line
PR #29947: (jfindlay) fileclient: decode file list from master
PR #30363: (terminalmage) Use native "list" subcommand to list git worktrees
PR #30445: (jtand) Boto uses False for is_default instead of None
PR #30406: (frioux) Add an example of how to use file.managed/check_cmd
PR #30424: (isbm) Check if byte strings are properly encoded in UTF-8
PR #30405: (jtand) Updated glusterfs.py for python2.6 compatibility.
PR #30396: (pass-by-value) Remove hardcoded val
PR #30391: (jtand) Added else statements
PR #30375: (rallytime) Wrap formatted log statements with six.u() in
cloud/__init__.py
PR #30384: (isbm) Bugfix: info_available does not work correctly on SLE 11
series
PR #30376: (pritambaral) Fix FLO_DIR path in 2015.8
PR #30389: (jtand) Older versions of ipset don't support comments
PR #30373: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8
PR #30372: (jacobhammons) Updated man pages for 2015.8.4, updated copyright to
2016
PR #30370: (rallytime) Remove incomplete function
PR #30366: (rallytime) Back-port #28702 to 2015.8
PR #30361: (cro) Flip the sense of the test for proxymodule imports, add more
fns for esxi proxy
PR #30267: (isbm) Fix RPM issues with the date/time and add package attributes
filtering
PR #30360: (jfindlay) file.remove, file.absent: mention recursive dir removal
PR #30221: (mbarrien) No rolcatupdate for user_exist in Postgres>=9.5 #26845
PR #30358: (terminalmage) Add libgit2 version to versions-report
PR #30346: (pass-by-value) Prevent orphaned volumes
PR #30349: (rallytime) Back-port #30347 to 2015.8
PR #30354: (anlutro) Make sure all ignore_missing SLSes are caught
PR #30356: (nmadhok) Adding code author
PR #30340: (jtand) Updated seed_test.py for changes made to seed module
PR #30339: (jfindlay) Backport #26511
PR #30343: (rallytime) Fix 2015.8 from incomplete back-port
PR #30342: (eliasp) Correct whitespace placement in error message
PR #30308: (rallytime) Back-port #30257 to 2015.8
PR #30187: (rallytime) Back-port #27606 to 2015.8
PR #30223: (serge-p) adding support for DragonFly BSD
PR #30238: (rallytime) Reinit crypto before calling RSA.generate when generating
keys.
PR #30246: (dmacvicar) Add missing return data to scheduled jobs (#24237)
PR #30292: (thegoodduke) ipset: fix test=true & add comment for every entry
PR #30275: (abednarik) Add permanent argument in firewalld.
PR #30328: (cachedout) Fix file test
PR #30310: (pass-by-value) Empty bucket fix
PR #30211: (techhat) Execute choot on the correct path
PR #30309: (rallytime) Back-port #30304 to 2015.8
PR #30278: (nmadhok) If datacenter is specified in the config, then look for
managed objects under it
PR #30305: (jacobhammons) Changed examples to use the "example.com" domain
instead of "mycompan…
PR #30249: (mpreziuso) Fixes performance and timeout issues on win_pkg.install
PR #30217: (pass-by-value) Make sure cloud actions can be called via salt run
PR #30268: (terminalmage) Optimize file_tree ext_pillar and update file.managed
to allow for binary contents
PR #30245: (rallytime) Boto secgroup/iam_role: Add note stating us-east-1 is
default region
PR #30299: (rallytime) ESXi Proxy minions states are located at
salt.states.esxi, not vsphere.
PR #30202: (opdude) Fixed the periodic call to beacons
PR #30303: (jacobhammons) Changed notes to indicate that functions are matched
using regular ex…
PR #30284: (terminalmage) salt.utils.gitfs: Fix Dulwich env detection and
submodule handling
PR #30280: (jfindlay) add state mocking to release notes
PR #30273: (rallytime) Back-port #30121 to 2015.8
PR #30301: (cachedout) Accept whatever comes into hightstate mock for state
tests
PR #30282: (cachedout) Fix file.append logic
PR #30289: (cro) Fix problems with targeting proxies by grains
PR #30293: (cro) Ensure we don't log stuff we shouldn't
PR #30279: (cachedout) Allow modules to be packed into boto utils
PR #30186: (rallytime) Update CLI Examples in boto_ec2 module to reflect correct
arg/kwarg positioning
PR #30156: (abednarik) Add option in file.append to ignore_whitespace.
PR #30189: (rallytime) Back-port #30185 to 2015.8
PR #30215: (jacobhammons) Assorted doc bug fixes
PR #30206: (cachedout) Revert "Fix incorrect file permissions in file.line"
PR #30190: (jacobhammons) Updated doc site banners
PR #30180: (jfindlay) modules.x509._dec2hex: add fmt index for 2.6 compat
PR #30179: (terminalmage) Backport #26962 to 2015.8 branch
PR #29693: (abednarik) Handle missing source file in ssh_auth.
PR #30155: (rallytime) Update boto_secgroup and boto_iam_role docs to only use
region OR profile
PR #30158: (rallytime) Move _option(value) calls to __salt__['config.option'] in
boto utils
PR #30160: (dmurphy18) Fix parsing disk usage for line with no number and AIX
values in Kilos
PR #30162: (rallytime) Update list_present and append grains state function docs
to be more clear.
PR #30163: (rallytime) Add warning about using "=" in file.line function
PR #30164: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8
PR #30168: (abednarik) Fix incorrect file permissions in file.line
PR #30154: (Oro) Fix file serialize on windows
PR #30144: (rallytime) Added generic ESXCLI command ability to ESXi Proxy Minion
PR #30142: (terminalmage) Fix dockerng.push, and allow for multiple images
PR #30075: (joejulian) Convert glusterfs module to use xml
PR #30129: (optix2000) Clean up _uptodate() in git state
PR #30139: (rallytime) Back-port #29589 to 2015.8
PR #30124: (abednarik) Update regex to detect ip alias in OpenBSD.
PR #30133: (stanislavb) Fix typo in gpgkey URL
PR #30126: (stanislavb) Log S3 API error message
PR #30128: (oeuftete) Log retryable transport errors as warnings
PR #30096: (cachedout) Add rm_special to crontab module
PR #30106: (techhat) Ensure last dir
PR #30101: (gtmanfred) fix bug where nova driver exits with no adminPass
PR #30090: (techhat) Add argument to isdir()
PR #30094: (rallytime) Fix doc formatting for cloud.create example in module.py
state
PR #30095: (rallytime) Add the list_nodes_select function to linode driver
PR #30082: (abednarik) Fixed saltversioninfo grain return
PR #30084: (rallytime) Back-port #29987 to 2015.8
PR #30071: (rallytime) Merge branch '2015.5' into '2015.8'
PR #30067: (ryan-lane) Pass in kwargs to boto_secgroup.convert_to_group_ids
explicitly
PR #30069: (techhat) Ensure that pki_dir exists
PR #30064: (rallytime) Add Syndic documentation to miscellaneous Salt Cloud
config options
PR #30049: (rallytime) Add some more unit tests for the vsphere execution module
PR #30060: (rallytime) Back-port #27104 to 2015.8
PR #30048: (jacobhammons) Remove internal APIs from rest_cherrypy docs.
PR #30043: (rallytime) Be explicit about importing from salt.utils.jinja to
avoid circular imports
PR #30038: (rallytime) Back-port #30017 to 2015.8
PR #30036: (rallytime) Back-port #29995 to 2015.8
PR #30035: (rallytime) Back-port #29895 to 2015.8
PR #30034: (rallytime) Back-port #29893 to 2015.8
PR #30033: (rallytime) Back-port #29876 to 2015.8
PR #30029: (terminalmage) git.latest: Fix handling of nonexistent branches
PR #30016: (anlutro) Properly normalize locales in locale.gen_locale
PR #30015: (anlutro) locale module: don't escape the slash in \n
PR #30022: (gqgunhed) Two minor typos fixed
PR #30026: (anlutro) states.at: fix wrong variable being used
PR #29966: (multani) Fix bigip state/module documentation + serializers
documentation
PR #29904: (twangboy) Improvements to osx packaging scripts
PR #29950: (multani) boto_iam: fix deletion of IAM users when using
delete_keys=true
PR #29937: (multani) Fix states.boto_iam group users
PR #29934: (multani) Fix state.boto_iam virtual name
PR #29943: (cachedout) Check args correctly in boto_rds
PR #29924: (gqgunhed) fixed: uptime now working on non-US Windows
PR #29883: (serge-p) fix for nfs mounts in _active_mounts_openbsd()
PR #29894: (techhat) Support Saltfile in SPM
PR #29856: (rallytime) Added some initial unit tests for the
salt.modules.vsphere.py file
PR #29855: (rallytime) Back-port #29740 to 2015.8
PR #29890: (multani) Various documentation fixes
PR #29850: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8
PR #29811: (anlutro) influxdb: add retention policy module functions
PR #29814: (basepi) [2015.8][Windows] Fix multi-master on windows
PR #29819: (rallytime) Add esxi module and state to docs build
PR #29832: (jleimbach) Fixed typo in order to use the keyboard module for RHEL
without systemd
PR #29803: (rallytime) Add vSphere module to doc ref module tree
PR #29767: (abednarik) Hosts file update in mod_hostname.
PR #29772: (terminalmage) pygit2: skip submodules when traversing tree
PR #29765: (gtmanfred) allow nova driver to be boot from volume
PR #29773: (l2ol33rt) Append missing wget in debian installation guide
PR #29800: (rallytime) Back-port #29769 to 2015.8
PR #29775: (paulnivin) Change listen requisite resolution from name to ID
declaration
PR #29754: (rallytime) Back-port #29719 to 2015.8
PR #29713: (The-Loeki) Pillar-based cloud providers still forcing use of
deprecated 'provider'
PR #29729: (rallytime) Further clarifications on "unless" and "onlyif"
requisites.
PR #29737: (akissa) fix pillar sqlite3 documentation examples
PR #29743: (akissa) fix pillar sqlite not honouring config options
PR #29723: (rallytime) Clarify db_user and db_password kwargs for
postgres_user.present state function
PR #29722: (rallytime) Link "stateful" kwargs to definition of what "stateful"
means for cmd state.
PR #29724: (rallytime) Add examples of using multiple matching levels to Pillar
docs
PR #29726: (cachedout) Disable some boto tests per resolution of moto issue
PR #29708: (lagesag) Fix test=True for file.directory with recurse
ignore_files/ignore_dirs.
PR #29642: (cachedout) Correctly restart deamonized minions on failure
PR #29599: (cachedout) Clean up minion shutdown
PR #29675: (clinta) allow returning all refs
PR #29683: (rallytime) Catch more specific error to pass the error message
through elegantly.
PR #29687: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8
PR #29681: (clinta) fix bare/mirror in git.latest
PR #29644: (rallytime) Fixed a couple more ESXi proxy minion bugs
PR #29645: (rallytime) Back-port #29558 to 2015.8
PR #29632: (jfindlay) reduce severity of tls module __virtual__ logging
PR #29606: (abednarik) Fixed duplicate mtu entry in RedHat 7 network
configuration.
PR #29613: (rallytime) Various ESXi Proxy Minion Bug Fixes
PR #29628: (DmitryKuzmenko) Don't create io_loop before fork
PR #29609: (basepi) [2015.8][salt-ssh] Add ability to set salt-ssh command umask
in roster
PR #29603: (basepi) Fix orchestration failure-checking
PR #29597: (terminalmage) dockerng: Prevent exception when API response contains
empty dictionary
PR #29596: (rallytime) Back-port #29587 to 2015.8
PR #29588: (rallytime) Added ESXi Proxy Minion Tutorial
PR #29572: (gtmanfred) [nova] use old discover_extensions if available
PR #29545: (terminalmage) git.latest: init submodules if not yet initialized
PR #29548: (rallytime) Back-port #29449 to 2015.8
PR #29547: (rallytime) Refactored ESXCLI-based functions to accept a list of
esxi_hosts
PR #29563: (anlutro) Fix a call to deprecated method in python-influxdb
PR #29565: (bdrung) Fix typos and missing release note
PR #29540: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8
PR #29499: (rallytime) Initial commit of ESXi Proxy Minion
PR #29526: (jfindlay) 2015.8.2 notes: add note about not being released
PR #29531: (jfindlay) grains.core: handle undefined variable
PR #29538: (basepi) [2015.8] [salt-ssh] Remove umask around actual execution for
salt-ssh
PR #29505: (rallytime) Update boto_rds state docs to include funky yaml syntax
for "tags" option.
PR #29513: (bdrung) Drop obsolete syslog.target from systemd services
PR #29500: (rallytime) Back-port #29467 to 2015.8
PR #29463: (abednarik) Add **kwargs to debconf.set.
PR #29399: (jfindlay) modules.status: add human_readable option to uptime
PR #29433: (cro) Files for building .pkg files for MacOS X
PR #29455: (jfindlay) modules.nova.__init__: do not return None
PR #29454: (jfindlay) rh_service module __virtual__ return error messages
PR #29476: (tbaker57) Doc fix - route_table_present needs subnet_names (not
subnets) as a key
PR #29487: (rallytime) Back-port #29450 to 2015.8
PR #29441: (rallytime) Make sure docs line up with blade_idrac function specs
PR #29440: (rallytime) Back-port #28925 to 2015.8
PR #29435: (galet) Grains return wrong OS version and other OS related values
for Oracle Linux
PR #29430: (rall0r) Fix host.present state limitation
PR #29417: (jacobhammons) Repo install updates
PR #29402: (techhat) Add rate limiting to linode
PR #29400: (twangboy) Fix #19332
PR #29398: (cachedout) Lint 29288
PR #29331: (DmitryKuzmenko) Bugfix - #29116 raet dns error
PR #29390: (jacobhammons) updated version numbers in documentation
PR #29381: (nmadhok) No need to deepcopy since six.iterkeys() creates a copy
PR #29349: (cro) Fix mis-setting chassis names
PR #29334: (rallytime) Back-port #29237 to 2015.8
PR #29300: (ticosax) [dockerng] Add support for volume management in dockerng
PR #29218: (clan) check service enable state in test mode
PR #29315: (jfindlay) dev tutorial doc: fix markup errors
PR #29317: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8
PR #29240: (clan) handle acl_type [[d]efault:][user|group|mask|other]
PR #29305: (lorengordon) Add 'file' as a source_hash proto
PR #29272: (jfindlay) win_status module: handle 12 hour time in uptime
PR #29289: (terminalmage) file.managed: Allow local file sources to use
source_hash
PR #29264: (anlutro) Prevent ssh_auth.absent from running when test=True
PR #29277: (terminalmage) Update git_pillar runner to support new git ext_pillar
config schema
PR #29283: (cachedout) Single-quotes and use format
PR #29139: (thomaso-mirodin) [salt-ssh] Add a range roster and range targeting
options for the flat roster
PR #29282: (cachedout) dev docs: add development tutorial
PR #28994: (timcharper) add support to s3 for aws role assumption
PR #29278: (techhat) Add verify_log to SPM
PR #29067: (jacksontj) Fix infinite recursion in state compiler for prereq of
SLSs
PR #29207: (jfindlay) do not shadow ret function argument
PR #29215: (rallytime) Back-port #29192 to 2015.8
PR #29217: (clan) show duration only if state_output_profile is False
PR #29221: (ticosax) [dokcerng] Docu network mode
PR #29269: (jfindlay) win_status module: fix function names in docs
PR #29213: (rallytime) Move _wait_for_task func from vmware cloud to vmware
utils
PR #29271: (techhat) Pass full path for digest (SPM)
PR #29244: (isbm) List products consistently across all SLES systems
PR #29255: (garethgreenaway) fixes to consul module
PR #29208: (whytewolf) Glance more profile errors
PR #29200: (jfindlay) mount state: unmount by device is optional
PR #29205: (trevor-h) Fixes #29187 - using winrm on EC2
PR #29170: (cachedout) Migrate pydsl tests to integration test suite
PR #29198: (jfindlay) rh_ip module: only set the mtu once
PR #29135: (jfindlay) ssh_known_hosts.present state: catch not found exc
PR #29196: (s0undt3ch) We need novaclient imported to compare versions
PR #29059: (terminalmage) Work around upstream pygit2 bug
PR #29112: (eliasp) Prevent backtrace (KeyError) in ssh_known_hosts.present
state
Security Fix
CVE-2015-8034: Saving state.sls cache data to disk with insecure permissions
This affects users of the state.sls function. The state run cache
on the minion was being created with incorrect permissions. This
file could potentially contain sensitive data that was inserted
via jinja into the state SLS files. The permissions for this file
are now being set correctly. Thanks to @zmalone for bringing this
issue to our attention.
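An added illustration of the class of bug described for CVE-2015-8034 (this is not Salt's code and not part of the original notes): a cache file written with umask-derived permissions next to one created owner-only, plus a small audit of the result. The file names, the sample data and the 022 umask are constructed for the example.

```python
import os
import stat
import tempfile

# Constructed sample: rendered state data that happens to contain a secret.
SAMPLE = b"db_password: example-only-not-a-real-secret\n"


def write_cache_default(path, data):
    # Weak pattern: open() requests 0o666 and the process umask decides the
    # rest, so a typical 0o022 umask leaves the file world-readable (0o644).
    with open(path, "wb") as fh:
        fh.write(data)


def write_cache_private(path, data):
    # Hardened pattern: mkstemp() creates the file 0o600 regardless of umask,
    # so there is no window in which other users can read it; os.replace()
    # then moves it into place atomically.
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".cache-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def exposed_bits(path):
    # Permission bits that give group or other any access to the file.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO)


def audit(directory):
    # Map file name -> offending bits (octal string) for each regular file
    # in the directory that group or other can access.
    findings = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full) and not os.path.islink(full):
            bits = exposed_bits(full)
            if bits:
                findings[name] = oct(bits)
    return findings


def demo():
    # Write the same data both ways under a 0o022 umask and audit the result.
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            write_cache_default(os.path.join(d, "weak_cache.p"), SAMPLE)
            write_cache_private(os.path.join(d, "private_cache.p"), SAMPLE)
            return audit(d)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(demo())
```

Pointing audit() at a real cache directory reports any file that group or other can access.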
Problems found with existing digests:
Package memconf distfile memconf-2.16/memconf.gz
b6f4b736cac388dddc5070670351cf7262aba048 [recorded]
95748686a5ad8144232f4d4abc9bf052721a196f [calculated]
Problems found locating distfiles:
Package dc-tools: missing distfile dc-tools/abs0-dc-burn-netbsd-1.5-0-gae55ec9
Package ipw-firmware: missing distfile ipw2100-fw-1.2.tgz
Package iwi-firmware: missing distfile ipw2200-fw-2.3.tgz
Package nvnet: missing distfile nvnet-netbsd-src-20050620.tgz
Package syslog-ng: missing distfile syslog-ng-3.7.2.tar.gz
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
Version 2014.7.2 is a bugfix release for 2014.7.0. The changes include:
Fix erroneous warnings for systemd service enabled check (issue 19606)
Fix FreeBSD kernel module loading, listing, and persistence kmod (issue 197151, issue 19682)
Allow case-sensitive npm package names in the npm state. This may break behavior for people expecting the state to lowercase their npm package names for them. The npm module was never affected by mandatory lowercasing. (issue 20329)
Deprecate the activate parameter for pip.install for both the module and the state. If bin_env is given and points to a virtualenv, there is no need to activate that virtualenv in a shell for pip to install to the virtualenv.
Fix a file-locking bug in gitfs (issue 18839)
Deprecated archive_user in favor of standardized user parameter in state and added group parameter.
Salt 2014.7.0 changes
* New Transport
* RAET Transport Option
* Salt SSH Enhancements
* Install salt-ssh Using pip
* Fileserver Backends
* Saltfile Support
* Ext Pillar
* No More sshpass
* Pure Python Shim
* Custom Module Delivery
* CP Module Support
* More Thin Directory Options
* State System Enhancements
* New Imperative State Keyword "Listen"
* Mod Aggregate Runtime Manipulator
* New Requisites: onchanges and onfail
* Global onlyif and unless
* Use names to expand and override values
* Major Features
* Scheduler Additions
* Red Hat 7 Family Support
* Fileserver Backends in salt-call
* Amazon Execution Modules
* LXC Runner Enhancements
* Next Gen Docker Management
* Peer System Performance Improvements
* SDB
* GPG Renderer
* OpenStack Expansion
* Queues System
* Multi Master Failover Additions
* Chef Execution Module
* salt-api Project Merge
* Synchronous and Asynchronous Execution of Runner and
Wheel Modules
* rest_cherrypy Additions
* Web Hooks
* Generating and Accepting Minion Keys
* Fileserver Backend Enhancements
* New gitfs Features
* Pygit2 and Dulwich
* Mountpoints
* Environment Whitelisting/Blacklisting
* Expanded Authentication Support
* New hgfs Features
* Mountpoints
* Environment Whitelisting/Blacklisting
* New svnfs Features
* Mountpoints
* Environment Whitelisting/Blacklisting
* Configurable Trunk/Branches/Tags Paths
* New minionfs Features
* Mountpoint
* Changing the Saltenv from Which Files are Served
* Minion Whitelisting/Blacklisting
* Pyobjects Renderer
* New Modules
* New Runners
* New External Pillars
* New Salt-Cloud Providers
* Salt Call Change
* Deprecations
* salt.modules.virtualenv_mod
either because they themselves are not ready or because a
dependency isn't. This is annotated by
PYTHON_VERSIONS_INCOMPATIBLE= 33 # not yet ported as of x.y.z
or
PYTHON_VERSIONS_INCOMPATIBLE= 33 # py-foo, py-bar
respectively, please use the same style for other packages,
and check during updates.
Use versioned_dependencies.mk where applicable.
Use REPLACE_PYTHON instead of handcoded alternatives, where applicable.
Reorder Makefile sections into standard order, where applicable.
Remove PYTHON_VERSIONS_INCLUDE_3X lines since that will be default
with the next commit.
Whitespace cleanups and other nits corrected, where necessary.
This release fixes a serious security issue found in the way that RSA keys
were being generated.
It is recommended that existing Salt keys be regenerated once 0.15.1 has been
deployed on the master and all minions.
A 'key_regen' routine has been added to 0.15.1 to make this transition easier.
The following sequence is a convenient way to regenerate all keys in an
environment:
salt-run manage.key_regen
You will be prompted to restart the master. Once completed, all keys in the
environment will have been regenerated and you will need to accept the new
keys using the following command:
salt-key -A
Updated salt to version 0.15.0
From SaltStack website:
Salt 0.15.0 comes with many smaller features and a few larger ones.
The Salt Mine
First there was the peer system, allowing for commands to be executed from a
minion to other minions to gather data live. Then there was the external job
cache for storing and accessing long term data. Now the middle ground is being
filled in with the Salt Mine. The Salt Mine is a system used to execute
functions on a regular basis on minions and then store only the most recent
data from the functions on the master, then the data is looked up via targets.
The mine caches data that is public to all minions, so when a minion posts
data to the mine all other minions can see it.
IPV6 Support
0.13.0 saw the addition of initial IPV6 support but errors were encountered
and it needed to be stripped out. This time the code covers more cases and
must be explicitly enabled. But the support is much more extensive than before.
Copy Files From Minions to the Master
Minions have long been able to copy files down from the master file server,
but until now files could not be easily copied from the minion up to the
master.
A new function called cp.push can push files from the minions up to the master
server. The uploaded files are then cached on the master in the master
cachedir for each minion.
Better Template Debugging
Template errors have long been a burden when writing states and pillar. 0.15.0
will now send the compiled template data to the debug log, this makes tracking
down the intermittent stage templates much easier. So running state.sls or
state.highstate with -l debug will now print out the rendered templates in the
debug information.
State Event Firing
The state system is now more closely tied to the master's event bus. Now when
a state fails the failure will be fired on the master event bus so that the
reactor can respond to it.
Major Syndic Updates
The Syndic system has been basically re-written. Now it runs in a completely
asynchronous way and functions primarily as an event broker. This means that
the events fired on the syndic are now pushed up to the higher level master
instead of the old method used which waited for the client libraries to return.
This makes the syndic much more accurate and powerful, it also means that all
events fired on the syndic master make it up the pipe as well making a reactor
on the higher level master able to react to minions further downstream.
Peer System Updates
The Peer System has been updated to run using the client libraries instead of
firing directly over the publish bus. This makes the peer system much more
consistent and reliable.
Minion Key Revocation
In the past when a minion was decommissioned the key needed to be manually
deleted on the master, but now a function on the minion can be used to revoke
the calling minion's key:
salt-call saltutil.revoke_auth
Function Return Codes
Functions can now be assigned numeric return codes to determine if the
function executed successfully. While not all functions have been given return
codes, many have and it is an ongoing effort to fill out all functions that
might return a non-zero return code.
Functions in Overstate
The overstate system was originally created to just manage the execution of
states, but with the addition of return codes to functions, requisite logic
can now be used with respect to the overstate. This means that an overstate
stage can now run single functions instead of just state executions.
Pillar Error Reporting
Previously if errors surfaced in pillar, then the pillar would consist of only
an empty dict. Now all data that was successfully rendered stays in pillar
and the render error is also made available. If errors are found in the
pillar, states will refuse to run.
Using Cached State Data
Sometimes states are executed purely to maintain a specific state rather than
to update states with new configs. This is grounds for the new cached state
system. By adding cache=True to a state call the state will not be generated
fresh from the master but the last state data to be generated will be used.
If no previous state data is available then fresh data will be generated.
Monitoring States
The new monitoring states system has been started. This is very young but
allows for states to be used to configure monitoring routines. So far only one
monitoring state is available, the disk.status state. As more capabilities are
added to Salt UI the monitoring capabilities of Salt will continue to be
expanded.
The new DESCR is taken from the "Introduction to Salt" at
<http://docs.saltstack.org/en/v0.10.5/topics/index.html>.
Here's a copy of the introductory paragraphs from the release notes
for all the intervening versions:
Salt 0.9.6 Release Notes
========================
Salt 0.9.6 is a release targeting a few bugs and changes. This is primarily
targeting an issue found in the names declaration in the state system. But a
few other bugs were also repaired, like missing support for grains in extmods.
Due to a conflict in distribution packaging msgpack will no longer be bundled
with Salt, and is required as a dependency.
Salt 0.9.7 Release Notes
========================
Salt 0.9.7 is here! The latest iteration of Salt brings more features and many
fixes. This release is a great refinement over 0.9.6, adding many conveniences
under the hood, as well as some features that make working with Salt much
better.
A few highlights include the new Job system, refinements to the requisite
system in states, the ``mod_init`` interface for states, external node
classification, search path to managed files in the file state, and refinements
and additions to dynamic module loading.
0.9.7 also introduces the long developed (and oft changed) unit test framework
and the initial unit tests.
Salt 0.9.8 Release Notes
========================
Salt 0.9.8 is a big step forward, with many additions and enhancements, as
well as a number of precursors to advanced future developments.
This version of Salt adds much more power to the command line, making the
old hard timeout issues a thing of the past and adds keyword argument
support. These additions are also available in the salt client api, making
the available api tools much more powerful.
The new pillar system allows for data to be stored on the master and
assigned to minions in a granular way similar to the state system. It also
allows flexibility for users who want to keep data out of their state tree
similar to 'external lookup' functionality in other tools.
A new way to extend requisites was added, the "requisite in" statement.
This makes adding requires or watch statements to external state decs
much easier.
Additions to requisites making them much more powerful have been added as well
as improved error checking for sls files in the state system. A new provider
system has been added to allow for redirecting what modules run in the
background for individual states.
Support for OpenSUSE has been added and support for Solaris has begun
serious development. Windows support has been significantly enhanced as well.
The matcher and target systems have received a great deal of attention. The
default behavior of grain matching has changed slightly to reflect the rest
of salt and the compound matcher system has been refined.
A number of impressive features with keyword arguments have been added to both
the cli and to the state system. This makes states much more powerful and
flexible while maintaining the simple configuration everyone loves.
The new batch size capability allows for executions to be rolled through a
group of targeted minions a percentage or specific number at a time. This
was added to prevent the "thundering herd" problem when targeting large
numbers of minions for things like service restarts or file downloads.
Salt 0.9.9 Release Notes
========================
0.9.9 is out and comes with some serious bug fixes and even more serious
features. This release is the last major feature release before 1.0.0 and
could be considered the 1.0.0 release candidate.
A few updates include more advanced kwargs support, the ability for salt
states to more safely configure a running salt minion, better job directory
management and the new state test interface.
Many new tests have been added as well, including the new minion swarm test
that allows for easier testing of Salt working with large groups of minions.
This means that if you have experienced stability issues with Salt before,
particularly in larger deployments, that these bugs have been tested for,
found, and killed.
Salt 0.10.0 Release Notes
=========================
0.10.0 has arrived! This release comes with MANY bug fixes, and new
capabilities which greatly enhance performance and reliability. This
release is primarily a bug fix release with many new tests and many repaired
bugs. This release also introduces a few new key features which were brought
in primarily to repair bugs and some limitations found in some of the
components of the original architecture.
Salt 0.10.2 Release Notes
=========================
0.10.2 is out! This release comes with enhancements to the pillar interface,
cleaner ways to access the salt-call capabilities in the API, minion data
caching and the event system has been added to salt minions.
There have also been updates to the zeromq functions, many more tests
(thanks to sponsors, the code sprint and many contributors) and a swath
of bug fixes.
Salt 0.10.3 Release Notes
=========================
The latest taste of Salt has come, this release has many fixes and feature
additions. Modifications have been made to make ZeroMQ connections more
reliable, the beginning of the ACL system is in place, a new command line
parsing system has been added, dynamic module distribution has become more
environment aware, the new `master_finger` option and many more!
Salt 0.10.4 Release Notes
=========================
Salt 0.10.4 is a monumental release for the Salt team, with two new module
systems, many additions to allow granular access to Salt, improved platform
support and much more.
This release is also exciting because we have been able to shorten the release
cycle back to under a month. We are working hard to keep up the aggressive pace
and look forward to having releases happen more frequently!
This release also includes a serious security fix and all users are very
strongly recommended to upgrade. As usual, upgrade the master first, and then
the minion to ensure that the process is smooth.
Salt 0.10.5 Release Notes
=========================
Salt 0.10.5 is ready, and comes with some great new features. A few more
interfaces have been modularized, like the outputter system. The job cache
system has been made more powerful and can now store and retrieve jobs archived
in external databases. The returner system has been extended to allow minions
to easily retrieve data from a returner interface.
As usual, this is an exciting release, with many noteworthy additions!