This flag should be set for packages that import pkg_resources
and thus need setuptools after the build step.
Set this flag for packages that need it and bump PKGREVISION.
SALT 3004 RELEASE NOTES - CODENAME SILICON
NEW FEATURES
TRANSACTIONAL SYSTEM SUPPORT (MICROOS)
A transactional system, like MicroOS, can present some challenges when the user decides to manage it via Salt.
MicroOS provides a read-only rootfs and a tool, transactional-update, that takes care of the management of the system (updating, upgrading, installation or reboot, among others) in an atomic way.
Atomicity is the main feature of MicroOS, and to guarantee this property, this model leverages snapper, zypper, btrfs and overlayfs to create snapshots that will be updated independently of the currently running system, and that are activated after the reboot. This implies, for example, that some changes made on the system are not visible until the next reboot, as those changes are living in a different snapshot of the file system.
Salt 3004 (Silicon) supports this type of system via two new modules (transactional_update and rebootmgr) and a new executor (transactional_update).
The new modules will provide all the low-level API for interacting with transactional systems, like defining a maintenance window where the system is free to reboot and activate the new state, or installing new software in a new transaction. They will also provide high-level abstractions that will allow us to execute Salt module functions or apply states inside new transactions.
The execution module will help us to treat the transactional system transparently (like the traditional ones), using a mechanism that will delegate some Salt modules execution into the new transactional_update module.
REMOVED
Removed the deprecated glance state and execution module in favor of the glance_image state module and the glanceng execution module.
Removed support for Ubuntu 16.04
Removed the deprecated support for gid_from_name from the user state module
Removed deprecated virt.migrate_non_shared, virt.migrate_non_shared_inc, ssh from virt.migrate, and python2/python3 args from salt.utils.thin.gen_min and .gen_thin
DEPRECATED
The _ext_nodes alias to the master_tops function was added back in 3004 to maintain backwards compatibility with older supported versions. This alias will now be removed in 3006. This change will break Master and Minion communication compatibility with Salt minions running versions 3003 and lower.
utils/boto3_elasticsearch is no longer needed
Changed "manufacture" grain to "manufacturer" for Solaris on SPARC to unify the name across all platforms. The old "manufacture" grain is now deprecated and will be removed in Sulfur
Deprecate salt.payload.Serial
CHANGED
Changed nginx.version to return version without nginx/ prefix.
Updated Slack webhook returner to support event returns on salt-master
Parsing Epoch out of version during pkg remove, since yum can't handle that in all of the cases.
Add extra onfail req check in the state engine to allow onfail to be used with onchanges and other reqs in the same state
Changed the default character set used by utils.pycrypto.secure_password() to include symbols and implemented arguments to control the used character set.
FIXED
Set default 'bootstrap_delay' to 0
Fixed issue where multiple args to netapi were not preserved
Handle all repo formats in the aptpkg module.
Do not break master_tops for minion with version lower than 3003. This is going to be removed in Salt 3006 (Sulfur)
Reverting changes in 60150. Updating installed and removed functions to return changes when test=True.
Handle signals and properly exit, instead of raising exceptions.
Redirect imports of salt.ext.six to six
Surface strerror to user state instead of returning false
Fixing _get_envs() to preserve the order of pillar_roots. _get_envs() returned pillar_roots in a non-deterministic order.
Fixes salt-cloud KeyError that occurs when there exists any subnets with no tags when profiles use subnetname
Fixes postgres_local_cache by removing duplicate unicode encoding.
Fixing the state aggregation system to properly handle requisites. Fixing pkg state to exclude packages from aggregation if the hold attribute is in the state.
fix issue that allows case sensitive files to be carried through
Allow GCE Salt Cloud to use previously created IP Addresses.
Fixing rabbitmq.list_user_permissions to ensure we are returning a permission list with three elements even when some values are empty.
Periodically restart the fileserver update process to avoid leaks
Fix default value to dictionary for mine_function
Allow user.present to work on Alpine Linux by fixing linux_shadow.info
Ensure that zypper is called with only one --no-refresh parameter
Fixed fileclient cachedir path switching from master to minion due to incorrect MasterMinion configuration
Fixed the container detection inside virtual machines
Fix invalid dnf command when obsoletes=True in pkg.update function
Jinja renderer resolves wrong relative paths when importing subdirectories
Fixed bug 55262 where salt.modules.iptables would call cmd.run and receive and interpret interspersed stdout and stderr output from subprocesses.
Updated pcs support to handle auth and setup for new syntax supporting version 0.10
Reinstate ignore_cidr option in salt-cloud openstack driver
Fix for network.wolmatch runner displaying 'invalid arguments' error with valid arguments
Fixed bug 57490, which prevented package installation for Open Euler and Issabel PBX. Both Open Euler and Issabel PBX use Yum for package management, added them to yumpkg.py.
Better handling of bad RSA public keys from minions
Fixing various functions in the file state module that use user.info to get group information; certain hosts, particularly proxy minions, do not have the user.info function available.
Do not monkey patch yaml loaders: Prevent breaking Ansible filter modules
Fix --subset command line option, and support old 'sub' parameter name in cmd_subset for backwards compatibility
When calling salt.utils.http.query with a HEAD method to check for the existence of a source ensure that decode_body is False, so the file is not downloaded into memory when we don't need the contents.
Update the runas user on freebsd for postgres versions >9.5, since freebsd will be removing the package on 2021-05-13.
Fix pip module linked requirements file parsing
Fix incorrect hostname quoting in /etc/sysconfig/networking on Red Hat family OS.
Fix Xen DomU virt detection in grains for long running machines.
add encoding when windows encoding is not defaulting to utf8
Fix "aptpkg.normalize_name" in case the arch is "all" for DEB packages
Astra Linux now considered a Debian family distro
Reworking the mysql module and state so that passwordless does not try to use unix_socket until unix_socket is set to True.
Fixed the zabbix module to read the connection data from pillar.
Fix crash on "yumpkg" execution module when unexpected output at listing patches
Remove return that had left over py2 code from win_path.py
Don't create spicevmc channel for Xen virtual machines
Fix win_servermanager.install so it will reboot when restart=True is passed
Clear the cached network interface grains during minion init and grains refresh
Normalized grain output for LXC containers
Fix typo in 'salt/states/cmd.py' to use "comment" instead of "commnd".
add aliyun linux support and set alinux as redhat family
Don't fail updating network without netmask ip attribute
Fixed using reserved keyword 'set' as function argument in modules/ipset.py
Return empty changes when nothing has been done in virt.defined and virt.running states
Import salt.utils.azurearm instead of using __utils__ from loader in azure cloud. This fixes an issue where __utils__ would become unavailable when we are using the ThreadPool in azurearm.
Fix an issue with the LGPO module when the gpt.ini file contains unix style line endings (/n). This was happening on a Windows Server 2019 instance created in Google Cloud Platform (GCP).
The ansiblegate module now correctly passes keyword arguments to Ansible module calls
Make sure cmdmod._log_cmd handles tuples properly
Updating the add, delete, modify, enable_job, and disable_job functions to return appropriate changes.
Apply pre-commit changes to entire codebase.
Fix Hetzner cloud driver does not recognize machines when rolling out a map
Update Windows build deps & DLLs, Use Python 3.8, libsodium.dll 1.0.18, OpenSSL dlls to 1.1.1k
Salt api verifies proper log file path when providing '--log-file' from the cli
Detect Mendel Linux as Debian
Fixed compilation of requisite_ins by also checking state type along with name/id
Fix xen._get_vm() to not break silently when a VM and a template on XenServer have the same name.
Added missing space for nftables.build_rule when using saddr or daddr.
Add back support to load old entrypoints by iterating instead of type checking
Fixed interrupting salt-call in a pdb session.
Validate we can import map files in states
Update alter_db to return True or False depending on the success or failure of the alter. Update grant_exists to only use the full list of available privileges when the grant is on the global level, e.g. database is ".".
Fixed firewalld.list_zones when any "rich rules" is set
IPCMessageSubscriber objects expose their connect method as a coroutine so they can be wrapped by SyncWrapper.
Allow for Napalm dependency netmiko_mod to load correctly when used by Napalm with Cisco IOS
Ensure proper access to the created temporary file when runas is passed to cmd.exec_code_all
Fixed an IndexError in pkgng.latest_version when querying an unknown package.
Fixed pkgng.latest_version when querying by origin (e.g. "shells/bash").
Gracefully handle errors in virt.vm_info
The LGPO Module now uses "Success and Failure" for normal audit settings and advanced audit settings
Fixing tests/pytests/unit/utils/scheduler/test_eval.py tests so the sleep happens before the status, so the job is given time before we check it.
Update the external ipaddress to the latest 3.9.5 version which has some security fixes. Updating the compat.p to use the vendored version if the python version is below 3.9.5 and only run the test_ipaddress.py tests if below 3.9.5.
Fixed ValueError exception in state.show_state_usage
Redact the username and password when something goes wrong when using an HTTP source and we raise an exception.
Inject the Ansible functions into Salt's ansiblegate module which was broken on the 3001 release.
Figure out the available Python version inside containers when executing "dockermod.call" function
Handle IPv6 route types such as anycast, multicast, etc when returned from IPv6 route table queries
Move the commonly used code that converts a list to a dictionary into salt.utils.beacons. Fixing inotify beacon close function to ensure the configuration is converted from the provided list format into a dictionary.
Set name of engine subprocesses
Properly discover block devices path in virt.running
Avoid exceptions when handling some exception cases.
Fixed faulty error message in npm.installed state.
Port option reinstated for Junos Proxy (accidentally removed)
Now hosts.rm_host can remove entries from /etc/hosts when this file has inline comments.
Fixes issue where the full same name is not used when making rights assignments with group policy
Fixed zabbix_host.present to not overwrite inventory_mode to "manual" every time inventory is updated.
Allowed zabbix_host.present to do partial updates of inventory, also don't erase everything if inventory is missing in state definition.
Fixing the mysql_cache module to handle inserting binary data into the database. Initially adding tests.
Fixed host_inventory_get to not throw an exception if host does not exist
Check for /dev/kvm to detect KVM hypervisor.
Fixing file.accumulated handling of dependencies when the state_id is used instead of {function: state_id} format.
Adding the ability for yumpkg.remove to handle package names with wildcards.
Pass emulator path to get guest capabilities from libvirt
virt.get_disks: properly report qemu-img errors
Make all platforms have psutils. This prevents a minion from starting if an instance is already running.
Ignore configuration for 'enable_fqdns_grains' for AIX, Solaris and Juniper, assume False
Remove check for TIAMAT_BUILD enforcing USE_STATIC_REQUIREMENTS, this is now controlled by Tiamat v7.10.1 and above
Have the beacon call run through a try...except, catching any errors, logging and firing an event that includes the error. Fixing the swapusage beacon to ensure value is a string before we attempt to filter out the %.
Refactor loader into logical sub-modules
Clean up references to ZMQDefaultLoop
change dep warn from Silicon to Phosphorus for the cmd,show,system_info and add_config functions in the nxos module.
Fix bug 60602 where the hetzner cloud provider isn't recognized correctly
Fix the pwd.getpwnam caching issue on macOS user module
Fixing beacons that can include a value in their configuration that may or may not include a percentage. We want to handle the situation where the percentage sign is not included and the value is not handled as a string.
Fix RuntimeError in process manager
Ensure all data that is being passed along to LDAP is in an OrderedSet and contains bytes.
Update the AWS API version so VMs spun up by salt-cloud where the VPC has it enabled to assign ipv6 addresses by default, actually get ipv6 addresses assigned by default.
Remove un-needed singletons from transports
ADDED
Add windows support for file.patch with patch.exe from git for windows optional packages
Added ability to pass exclude kwarg to salt.state inside orchestrate.
Added success_stdout and success_stderr arguments to cmd.run, to override default return code behavior.
The netbox pillar has now been enhanced to add support for querying virtual machines (in addition to devices), as well as minion interfaces and associated IP addresses.
Add support for transactional systems, like openSUSE MicroOS
Added namespace headers to allow use of namespace from config to communicate with Vault Enterprise namespaces
boto3mod unit tests
New decorators allow_one_of() and require_one_of()
Added nosync switch to disable initial raid synchronization
Expanded the documentation for the netbox pillar.
Rocky Linux has been added to the RedHat os_family.
Add "poudriere -i -j jail_name" option to list jail information for poudriere
Added the grains.uuid on Windows platform
Add a salt.util.platform check to detect the AArch64 64-bit extension of the ARM architecture.
Adding support for Deltaproxy controlled proxy minions into Salt Open.
Added functions to slsutil execution module to test if files exist in the state tree. Added function to slsutil execution module to search for a file by walking up the state tree.
Allow module_refresh to also refresh available beacons, eg. following a Python library being installed and "refresh_modules" being passed as an argument in a state.
Add the detect_remote_minions and remote_minions_port options to allow the master to detect remote ports for connected minions. This will allow users to detect Heist-Salt minions the master is connected to over port 22 by default.
Add the python rpm-vercmp library in the rpm_lowpkg.py module.
Allow a user to use the aptpkg.py module without installing python-apt.
A typical case is that PKGMANDIR is man, not share/man. That path does
not occur in the Python files, which would then make the build fail in
SUBST_NOOP_OK=no mode.
SALT 2019.2.2 RELEASE NOTES
Version 2019.2.2 is a bugfix release for 2019.2.0.
ISSUE 54817: (tomlaredo) [REGRESSION] git.latest displays errors (refs: 54844)
* (garethgreenaway) [master] Fix to git state module when calling git.config_get_regexp
52fee6f Merge pull request 54844 from garethgreenaway/54817_git_latest_error_calling_git_config_get_regexp
cb1b75a Adding test.
6ba8ff2 When calling git.config_get_regexp to check for filter.lfs. in git config, if the option is not available this would result with a return code of 1 which would result in an error being logged. Since one possible result is that the configuration would not be there, we ignore the return code.
* (frogunder) update 2019.2.2 release notes
d6593c2 Merge pull request 54973 from frogunder/update_releasenotes_2019.2.2
0c01cfb update 2019.2.2 release notes
* (twangboy) Add missing docs for win_wusa state and module (2019.2.1)
7d253bc Merge pull request 54919 from twangboy/update_docs
57ff199 Add docs for win_wusa
ISSUE 54941: (UtahDave) Pillar data is refreshed for EVERY salt command in 2019.2.1 and 2019.2.2 (refs: 54942)
* (dwoz) Fix for 54941 pillar_refresh regression
2f817bc Merge pull request 54942 from dwoz/fix-54941
cb5d326 Add a test for 54941 using test.ping
348d1c4 Add regression tests for issue 54941
766f3ca Initial commit of a potential fix for 54941
* (bryceml) update version numbers to be correct
f783108 Merge pull request 54897 from bryceml/2019.2.1_fix_docs
e9a2a70 update version numbers to be correct
* (bryceml) 2019.2.1 fix docs
3233663 Merge pull request 54894 from bryceml/2019.2.1_fix_docs
c7b7474 modifying saltconf ads
d48057b add new saltconf ads
* (frogunder) remove in progress from releasenotes 2019.2.2
4b06eca Merge pull request 54858 from frogunder/releasenotes_remove2019.2.2
a697abd remove in progress from releasenotes 2019.2.2
* (frogunder) releasenotes 2019.2.2
aaf2d1c Merge pull request 54854 from frogunder/release_notes_2019.2.2
a41dc59 Update 2019.2.2.rst
9bea043 releasenotes 2019.2.2
* (frogunder) Update man pages for 2019.2.2
10d433f Merge pull request 54852 from frogunder/man_pages_2019.2.2
92bc4b2 Update man pages for 2019.2.2
* (s0undt3ch) Remove debug print
8ca6b20 Merge pull request 54845 from s0undt3ch/hotfix/event-return-fix-2019.2.1
3937890 Remove debug print
ISSUE 54755: (Reiner030) 2019.2.1/2019.2.0 pip failures even when not using pip (refs: 54826)
* (dwoz) Fix issue 54755 and add regression tests
9e3914a Merge pull request 54826 from dwoz/issue_54755
0bad9cb Handle locals and globals separatly
bcbe9a2 Only purge pip when needed
d2f98ca Fix issue 54755 and add regression tests
* (frogunder) Add known issues to 2019.2.1 release notes
ba569d0 Merge pull request 54830 from frogunder/update_relasenotes_2019.2.1
8cdb27b Update 2019.2.1.rst
14f955c Add known issues to 2019.2.1 release notes
ISSUE 54521: (Oloremo) [Regression] Failhard, batch and retcodes (refs: 54806)
* (Oloremo) [Regression] Batch with failhard fix
433b6fa Merge pull request 54806 from Oloremo/failhard-batch-fix-2019.2.1
6684793 Merge branch '2019.2.1' into failhard-batch-fix-2019.2.1
3e0e928 Added tests for cli and runner
2416516 Made batch work properly with failhard in cli and runner
ISSUE 54820: (OrangeDog) schedule.present not idempotent when scheduler disabled (refs: 54828)
* (garethgreenaway) [2019.2.1] Fix global disabling code in scheduler
ed94aa5 Merge pull request 54828 from garethgreenaway/54820_fix_schedule_disabled_job_enabled_bug
be15a28 Rework code that handles individual jobs being disabled and scheduler being globally disabled. Previously disabling the schedule would result in individual jobs being disabled when they were run through eval. This change does not change schedule items.
* (Akm0d) fix broken salt-cloud openstack query
435b40c Merge pull request 54778 from Akm0d/master_openstack_query_fix
ba4ba2a fixed pylint errors in openstack test
d9a8517 Added openstack tests for openstack --query fix
59214ad Fallback to image id if we don't have an image name
3a42a4d fixed pylint error
0074d18 created unit tests for openstack
4255e3e Merge branch '2019.2.1' of https://github.com/saltstack/salt into HEAD
1c2821b Return a configured provider, not a bool
c585550 fix broken salt-cloud openstack query
ISSUE 54762: (margau) 2019.2.1: Breaks Minion-Master Communication (refs: 54784, 54823, 54807)
* (dhiltonp) ip_bracket can now accept ipv6 addresses with brackets
93b1c4d Merge pull request 54823 from dhiltonp/maybe-bracket
faa1d98 ip_bracket can now accept ipv6 addresses with brackets
ISSUE 54762: (margau) 2019.2.1: Breaks Minion-Master Communication (refs: 54784, 54823, 54807)
* (dwoz) Fix pip state pip >=10.0 and <=18.0
* (OrlandoArcapix) Fix import of pip modules (refs: 54807)
b61b30d Merge pull request 54807 from dwoz/patch-2
664806b Add unit test for pip state fix
e637658 Revert change to pip version query
42810a2 Fix import of pip modules
ISSUE 54741: (kjkeane) Schedulers Fail to Run (refs: 54799)
* (garethgreenaway) Fix to scheduler when job without a time element is run with schedule.run_job
4ee1ff6 Merge pull request 54799 from garethgreenaway/54741_run_job_fails_without_time_element
44caa81 Merge branch '54741_run_job_fails_without_time_element' of github.com:garethgreenaway/salt into 54741_run_job_fails_without_time_element
3ae4f75 Merge branch '2019.2.1' into 54741_run_job_fails_without_time_element
8afd2d8 Removing extra, unnecessary code.
549cfb8 Fixing test_run_job test to ensure the right data is being asserted. Updating unit/test_module_names.py to include integration.scheduler.test_run_job.
7d716d6 Fixing lint.
ec68591 If a scheduled job does not contain a time element parameter then running that job with schedule.run_job fails with a traceback because data['run'] does not exist.
* (Ch3LL) Fix state.show_states when sls file missing in top file
b90c3f2 Merge pull request 54785 from Ch3LL/fix_show_states
96540be Clean up files after state.show_states test
ad265ae Fix state.show_states when sls file missing
ISSUE 54768: (paul-palmer) 2019.2.1 Some Jinja imports not found (refs: 54780)
ISSUE 54765: (awerner) 2019.2.1: Jinja from import broken (refs: 54780)
* (dwoz) Fix masterless jinja imports
b9459e6 Merge pull request 54780 from dwoz/fix-masterless-jinja-imports
5d873cc Merge branch '2019.2.1' into fix-masterless-jinja-imports
e901a83 Add regression tests for jinja import bug
3925bb7 Fix broken jinja imports in masterless salt-call
ISSUE 54776: (javierbertoli) Setting ping_interval in salt-minion's config (version 2019.2.1) prevents it from starting (refs: 54777)
* (javierbertoli) Fix minion's remove_periodic_callback()
4c240e5 Merge pull request 54777 from netmanagers/2019.2.1
459c790 Merge branch '2019.2.1' into 2019.2.1
* (bryceml) improve lint job
83f8f5c Merge pull request 54805 from bryceml/2019.2.1_update_lint_salt
ffa4ed6 improve lint job
fa1a767 Merge branch '2019.2.1' into 2019.2.1
ISSUE 54751: (jnmatlock) NXOS_API Proxy Minions Error KeyError: 'proxy.post_master_init' after upgrading to 2019.2.1 (refs: 54783)
* (garethgreenaway) Ensure metaproxy directory is included in sdist
6b43fbe Merge pull request 54783 from garethgreenaway/54751_fixing_missing_metaproxy_directory
67d9938 Merge branch '2019.2.1' into 54751_fixing_missing_metaproxy_directory
a35e609 Adding __init__.py to metaproxy directory so that metaproxy is included when running setup.py.
ISSUE 54762: (margau) 2019.2.1: Breaks Minion-Master Communication (refs: 54784, 54823, 54807)
* (dhiltonp) fix dns_check to return uri-compatible ipv6 addresses, add tests
7912b67 Merge pull request 54784 from dhiltonp/ipv46
042a101 Merge branch '2019.2.1' into ipv46
* (frogunder) Add 2019.2.2 release notes
2f94b44 Merge pull request 54779 from frogunder/releasenotes_2019.2.2
67f564b Add 2019.2.2 release notes
ac6b54f Merge branch '2019.2.1' into ipv46
93ebd09 update mock (py2) from 2.0.0 to 3.0.5
37bcc4c fix dns_check to return uri-compatible ipv6 addresses, add tests
dd86c46 Merge pull request 1 from waynew/pull/54777-callback-typo
a57f7d0 Add tests
c19d0b0 Fix minion's remove_periodic_callback()
* (pizzapanther) Fix returners not loading properly
46bec3c Merge pull request 54731 from pizzapanther/not-so-__new__-and-shiny
bdf24f4 Make sure we tests salt-master's event_return setting
5499518 remove unnecessary import
3f8a382 fix module import
0746aa7 remove __new__ method since it was removed from parent class
* (bryceml) 2019.2.1 ruby
e2b86bf Merge pull request 54706 from bryceml/2019.2.1_ruby
168a6c1 switch to ruby 2.6.3
SALT 2018.3.3
CVE-2018-15751 Remote command execution and incorrect access control when using salt-api.
CVE-2018-15750 Directory traversal vulnerability when using salt-api. Allows an attacker to determine what files exist on a server when querying /run or /events.
Improves timezone detection by using the pytz module.
The tojson filter (from Jinja 2.9 and later) has been ported to Salt, and will be used when this filter is not available. This allows older LTS releases such as CentOS 7 and Ubuntu 14.04 to use this filter.
pkgsrc changes:
- Add patch for NetBSD 8 support
- Update patches to note they can be removed in the next release
- Fix existing patch so it doesn't crash when running with swap enabled
Changes:
Version 2018.3.2 is a bugfix release for 2018.3.0.
The 2018.3.2 release contains only a small number of fixes, which are
detailed below.
This release fixes two critical issues.
The first is Issue #48038, which is a critical bug that occurs in a
multi-syndic setup where the same job is run multiple times on a minion.
The second issue is #48130. This bug appears in certain setups where the
Master reports a Minion time-out, even though the job is still running
on the Minion.
Both of these issues have been fixed with this release.
patches/patch-salt_grains_core.py:
- Reapply patch in a NetBSD/OpenBSD specific code block after package update
to 2018.3.1, from PR pkg/53278
- upstream pull #47600
patches/patch-salt_modules_pkgin.py:
- Apply patch in pkgin specific code block from PR pkg/53344
- upstream pull #47814
bump PKGREVISION
ok <leot>
2018.3.0:
LOTS OF DOCKER IMPROVEMENTS
FULL API SUPPORT FOR NETWORK MANAGEMENT
CUSTOM SUBNETS
NETWORK CONFIGURATION IN DOCKER_CONTAINER.RUNNING() STATES
USE SALTSSH MINIONS LIKE REGULAR MASTER-MINIONS
EXCEPTIONS RAISED FOR AUTHENTICATION/AUTHORIZATION ERRORS
COMPARISON OPERATORS IN PACKAGE INSTALLATION
MASTER TOPS CHANGES
SEVERAL JINJA FILTERS RENAMED
RETURN CODES FOR RUNNER/WHEEL FUNCTIONS
VARIABLE UPDATE INTERVALS FOR FILESERVER BACKENDS
LDAP VIA EXTERNAL AUTHENTICATION CHANGES
STORMPATH EXTERNAL AUTHENTICATION REMOVED
NEW (PROXY) MINION CONFIGURATION OPTIONS
ENVIRONMENT CONFIG OPTION RENAMED TO SALTENV
LOCK_SALTENV CONFIG OPTION ADDED
FAILED MINIONS FOR STATE/FUNCTION ORCHESTRATION JOBS ADDED TO CHANGES DICTIONARY
NEW GRAINS
SALT MINION AUTO-DISCOVERY
2017.7.4:
Pin tornado version in requirements file
Fix regression with identity file usage
Add 2017.7.4 Release Notes with PRs
use local config for vault when masterless
Due to the critical nature of issue 41230 we have decided to patch the 2016.11.5 packages with P.R.41244. This issue affects all calls to a salt-minion if there is an ipv6 nameserver set on the minion's host. The patched packages on repo.saltstack.com will divert from the v2016.11.5 tag and pypi packages due to the additional PR applied to the packages.
Bug fixes.
From the pull request pending, #31320:
On NetBSD, Salt currently defaults to using lsof(8) to determine which
minions are connected. It is however not always available, and even
then quite unreliable. I found that just like on FreeBSD, sockstat(1)
is a much safer alternative. Unfortunately its output is not exactly
the same on NetBSD, where the port delimiter is a dot character
instead. As a consequence I have decided to duplicate the relevant
function for NetBSD; let me know if I should try to re-use the code
supporting FreeBSD instead.
See also https://github.com/saltstack/salt/pull/31230.
Salt 2015.8.5 is identical to the 2015.8.4 release with the addition of a fix
for issue 30820, fixed by PR #30833.
SECURITY FIX
CVE-2016-1866: Improper handling of clear messages on the minion, which could
result in executing commands not sent by the master.
This issue affects only the 2015.8.x releases of Salt. In order for an attacker
to use this attack vector, they would have to execute a successful attack on an
existing TCP connection between minion and master on the pub port. It does not
allow an external attacker to obtain the shared secret or decrypt any encrypted
traffic between minion and master.
We recommend everyone upgrade to 2015.8.4 as soon as possible.
CORE CHANGES
PR #28994: timcharper Salt S3 module has learned how to assume IAM roles
Added option mock=True for state.sls and state.highstate. This allows the salt
state compiler to process sls data in a state run without actually calling the
state functions, thus providing feedback on the validity of the arguments used
for the functions beyond the preprocessing validation provided by state.show_sls
(issue 30118 and issue 30189).
    salt '*' state.sls core,edit.vim mock=True
    salt '*' state.highstate mock=True
    salt '*' state.apply edit.vim mock=True
CHANGES FOR V2015.8.3..V2015.8.4
Extended changelog courtesy of Todd Stansell
(https://github.com/tjstansell/salt-changelogs):
Generated at: 2016-01-25T17:48:35Z
Total Merges: 320
Changes:
PR #30613: (basepi) Fix minion/syndic clearfuncs
PR #30609: (seanjnkns) Fix documentation for pillar_merge_lists which default is
False, not …
PR #30584: (julianbrost) file.line state: add missing colon in docstring
PR #30589: (terminalmage) Merge 2015.5 into 2015.8
PR #30599: (multani) Documentation formatting fixes
PR #30554: (rallytime) Make the salt-cloud actions output more verbose and
helpful
PR #30549: (techhat) Salt Virt cleanup
PR #30553: (techhat) AWS: Support 17-character IDs
PR #30532: (whiteinge) Add execution module for working in sls files
PR #30529: (terminalmage) Merge 2015.5 into 2015.8
PR #30526: (twangboy) Added FlushKey to make sure it's changes are saved to disk
PR #30521: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8
PR #30485: (jtand) Updated pip_state to work with pip 8.0 on 2015.8
PR #30494: (isbm) Zypper: info_installed — 'errors' flag change to type
'boolean'
PR #30506: (jacksontj) Properly remove newlines after reading the file
PR #30508: (rallytime) Fix Linode driver cloning functionality
PR #30522: (terminalmage) Update git.list_worktree tests to reflect new return
data
PR #30483: (borgstrom) Pyobjects recursive import support (for 2015.8)
PR #30491: (jacksontj) Add multi-IP support to network state
PR #30496: (anlutro) Fix KeyError when adding ignored pillars
PR #30359: (kingsquirrel152) Removes suspected copy/paste error for
zmq_filtering functionailty
PR #30448: (cournape) Fix osx scripts location
PR #30457: (rallytime) Remove fsutils references from modules list
PR #30453: (rallytime) Make sure private AND public IPs are listed for Linode
driver
PR #30458: (rallytime) Back-port #30062 to 2015.8
PR #30468: (timcharper) make note of s3 role assumption in upcoming changelog
PR #30470: (whiteinge) Add example of the match_dict format to accept_dict wheel
function
PR #30450: (gtmanfred) fix extension loading in novaclient
PR #30212: (abednarik) Fix incorrect file permissions in file.line
PR #29947: (jfindlay) fileclient: decode file list from master
PR #30363: (terminalmage) Use native "list" subcommand to list git worktrees
PR #30445: (jtand) Boto uses False for is_default instead of None
PR #30406: (frioux) Add an example of how to use file.managed/check_cmd
PR #30424: (isbm) Check if byte strings are properly encoded in UTF-8
PR #30405: (jtand) Updated glusterfs.py for python2.6 compatibility.
PR #30396: (pass-by-value) Remove hardcoded val
PR #30391: (jtand) Added else statements
PR #30375: (rallytime) Wrap formatted log statements with six.u() in
cloud/__init__.py
PR #30384: (isbm) Bugfix: info_available does not work correctly on SLE 11
series
PR #30376: (pritambaral) Fix FLO_DIR path in 2015.8
PR #30389: (jtand) Older versions of ipset don't support comments
PR #30373: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8
PR #30372: (jacobhammons) Updated man pages for 2015.8.4, updated copyright to
2016
PR #30370: (rallytime) Remove incomplete function
PR #30366: (rallytime) Back-port #28702 to 2015.8
PR #30361: (cro) Flip the sense of the test for proxymodule imports, add more
fns for esxi proxy
PR #30267: (isbm) Fix RPM issues with the date/time and add package attributes
filtering
PR #30360: (jfindlay) file.remove, file.absent: mention recursive dir removal
PR #30221: (mbarrien) No rolcatupdate for user_exist in Postgres>=9.5 #26845
PR #30358: (terminalmage) Add libgit2 version to versions-report
PR #30346: (pass-by-value) Prevent orphaned volumes
PR #30349: (rallytime) Back-port #30347 to 2015.8
PR #30354: (anlutro) Make sure all ignore_missing SLSes are caught
PR #30356: (nmadhok) Adding code author
PR #30340: (jtand) Updated seed_test.py for changes made to seed module
PR #30339: (jfindlay) Backport #26511
PR #30343: (rallytime) Fix 2015.8 from incomplete back-port
PR #30342: (eliasp) Correct whitespace placement in error message
PR #30308: (rallytime) Back-port #30257 to 2015.8
PR #30187: (rallytime) Back-port #27606 to 2015.8
PR #30223: (serge-p) adding support for DragonFly BSD
PR #30238: (rallytime) Reinit crypto before calling RSA.generate when generating
keys.
PR #30246: (dmacvicar) Add missing return data to scheduled jobs (#24237)
PR #30292: (thegoodduke) ipset: fix test=true & add comment for every entry
PR #30275: (abednarik) Add permanent argument in firewalld.
PR #30328: (cachedout) Fix file test
PR #30310: (pass-by-value) Empty bucket fix
PR #30211: (techhat) Execute chroot on the correct path
PR #30309: (rallytime) Back-port #30304 to 2015.8
PR #30278: (nmadhok) If datacenter is specified in the config, then look for
managed objects under it
PR #30305: (jacobhammons) Changed examples to use the "example.com" domain
instead of "mycompan…
PR #30249: (mpreziuso) Fixes performance and timeout issues on win_pkg.install
PR #30217: (pass-by-value) Make sure cloud actions can be called via salt run
PR #30268: (terminalmage) Optimize file_tree ext_pillar and update file.managed
to allow for binary contents
PR #30245: (rallytime) Boto secgroup/iam_role: Add note stating us-east-1 is
default region
PR #30299: (rallytime) ESXi Proxy minions states are located at
salt.states.esxi, not vsphere.
PR #30202: (opdude) Fixed the periodic call to beacons
PR #30303: (jacobhammons) Changed notes to indicate that functions are matched
using regular ex…
PR #30284: (terminalmage) salt.utils.gitfs: Fix Dulwich env detection and
submodule handling
PR #30280: (jfindlay) add state mocking to release notes
PR #30273: (rallytime) Back-port #30121 to 2015.8
PR #30301: (cachedout) Accept whatever comes into highstate mock for state
tests
PR #30282: (cachedout) Fix file.append logic
PR #30289: (cro) Fix problems with targeting proxies by grains
PR #30293: (cro) Ensure we don't log stuff we shouldn't
PR #30279: (cachedout) Allow modules to be packed into boto utils
PR #30186: (rallytime) Update CLI Examples in boto_ec2 module to reflect correct
arg/kwarg positioning
PR #30156: (abednarik) Add option in file.append to ignore_whitespace.
PR #30189: (rallytime) Back-port #30185 to 2015.8
PR #30215: (jacobhammons) Assorted doc bug fixes
PR #30206: (cachedout) Revert "Fix incorrect file permissions in file.line"
PR #30190: (jacobhammons) Updated doc site banners
PR #30180: (jfindlay) modules.x509._dec2hex: add fmt index for 2.6 compat
PR #30179: (terminalmage) Backport #26962 to 2015.8 branch
PR #29693: (abednarik) Handle missing source file in ssh_auth.
PR #30155: (rallytime) Update boto_secgroup and boto_iam_role docs to only use
region OR profile
PR #30158: (rallytime) Move _option(value) calls to __salt__['config.option'] in
boto utils
PR #30160: (dmurphy18) Fix parsing disk usage for line with no number and AIX
values in Kilos
PR #30162: (rallytime) Update list_present and append grains state function docs
to be more clear.
PR #30163: (rallytime) Add warning about using "=" in file.line function
PR #30164: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8
PR #30168: (abednarik) Fix incorrect file permissions in file.line
PR #30154: (Oro) Fix file serialize on windows
PR #30144: (rallytime) Added generic ESXCLI command ability to ESXi Proxy Minion
PR #30142: (terminalmage) Fix dockerng.push, and allow for multiple images
PR #30075: (joejulian) Convert glusterfs module to use xml
PR #30129: (optix2000) Clean up _uptodate() in git state
PR #30139: (rallytime) Back-port #29589 to 2015.8
PR #30124: (abednarik) Update regex to detect ip alias in OpenBSD.
PR #30133: (stanislavb) Fix typo in gpgkey URL
PR #30126: (stanislavb) Log S3 API error message
PR #30128: (oeuftete) Log retryable transport errors as warnings
PR #30096: (cachedout) Add rm_special to crontab module
PR #30106: (techhat) Ensure last dir
PR #30101: (gtmanfred) fix bug where nova driver exits with no adminPass
PR #30090: (techhat) Add argument to isdir()
PR #30094: (rallytime) Fix doc formatting for cloud.create example in module.py
state
PR #30095: (rallytime) Add the list_nodes_select function to linode driver
PR #30082: (abednarik) Fixed saltversioninfo grain return
PR #30084: (rallytime) Back-port #29987 to 2015.8
PR #30071: (rallytime) Merge branch '2015.5' into '2015.8'
PR #30067: (ryan-lane) Pass in kwargs to boto_secgroup.convert_to_group_ids
explicitly
PR #30069: (techhat) Ensure that pki_dir exists
PR #30064: (rallytime) Add Syndic documentation to miscellaneous Salt Cloud
config options
PR #30049: (rallytime) Add some more unit tests for the vsphere execution module
PR #30060: (rallytime) Back-port #27104 to 2015.8
PR #30048: (jacobhammons) Remove internal APIs from rest_cherrypy docs.
PR #30043: (rallytime) Be explicit about importing from salt.utils.jinja to
avoid circular imports
PR #30038: (rallytime) Back-port #30017 to 2015.8
PR #30036: (rallytime) Back-port #29995 to 2015.8
PR #30035: (rallytime) Back-port #29895 to 2015.8
PR #30034: (rallytime) Back-port #29893 to 2015.8
PR #30033: (rallytime) Back-port #29876 to 2015.8
PR #30029: (terminalmage) git.latest: Fix handling of nonexistent branches
PR #30016: (anlutro) Properly normalize locales in locale.gen_locale
PR #30015: (anlutro) locale module: don't escape the slash in \n
PR #30022: (gqgunhed) Two minor typos fixed
PR #30026: (anlutro) states.at: fix wrong variable being used
PR #29966: (multani) Fix bigip state/module documentation + serializers
documentation
PR #29904: (twangboy) Improvements to osx packaging scripts
PR #29950: (multani) boto_iam: fix deletion of IAM users when using
delete_keys=true
PR #29937: (multani) Fix states.boto_iam group users
PR #29934: (multani) Fix state.boto_iam virtual name
PR #29943: (cachedout) Check args correctly in boto_rds
PR #29924: (gqgunhed) fixed: uptime now working on non-US Windows
PR #29883: (serge-p) fix for nfs mounts in _active_mounts_openbsd()
PR #29894: (techhat) Support Saltfile in SPM
PR #29856: (rallytime) Added some initial unit tests for the
salt.modules.vsphere.py file
PR #29855: (rallytime) Back-port #29740 to 2015.8
PR #29890: (multani) Various documentation fixes
PR #29850: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8
PR #29811: (anlutro) influxdb: add retention policy module functions
PR #29814: (basepi) [2015.8][Windows] Fix multi-master on windows
PR #29819: (rallytime) Add esxi module and state to docs build
PR #29832: (jleimbach) Fixed typo in order to use the keyboard module for RHEL
without systemd
PR #29803: (rallytime) Add vSphere module to doc ref module tree
PR #29767: (abednarik) Hosts file update in mod_hostname.
PR #29772: (terminalmage) pygit2: skip submodules when traversing tree
PR #29765: (gtmanfred) allow nova driver to be boot from volume
PR #29773: (l2ol33rt) Append missing wget in debian installation guide
PR #29800: (rallytime) Back-port #29769 to 2015.8
PR #29775: (paulnivin) Change listen requisite resolution from name to ID
declaration
PR #29754: (rallytime) Back-port #29719 to 2015.8
PR #29713: (The-Loeki) Pillar-based cloud providers still forcing use of
deprecated 'provider'
PR #29729: (rallytime) Further clarifications on "unless" and "onlyif"
requisites.
PR #29737: (akissa) fix pillar sqlite3 documentation examples
PR #29743: (akissa) fix pillar sqlite not honouring config options
PR #29723: (rallytime) Clarify db_user and db_password kwargs for
postgres_user.present state function
PR #29722: (rallytime) Link "stateful" kwargs to definition of what "stateful"
means for cmd state.
PR #29724: (rallytime) Add examples of using multiple matching levels to Pillar
docs
PR #29726: (cachedout) Disable some boto tests per resolution of moto issue
PR #29708: (lagesag) Fix test=True for file.directory with recurse
ignore_files/ignore_dirs.
PR #29642: (cachedout) Correctly restart daemonized minions on failure
PR #29599: (cachedout) Clean up minion shutdown
PR #29675: (clinta) allow returning all refs
PR #29683: (rallytime) Catch more specific error to pass the error message
through elegantly.
PR #29687: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8
PR #29681: (clinta) fix bare/mirror in git.latest
PR #29644: (rallytime) Fixed a couple more ESXi proxy minion bugs
PR #29645: (rallytime) Back-port #29558 to 2015.8
PR #29632: (jfindlay) reduce severity of tls module __virtual__ logging
PR #29606: (abednarik) Fixed duplicate mtu entry in RedHat 7 network
configuration.
PR #29613: (rallytime) Various ESXi Proxy Minion Bug Fixes
PR #29628: (DmitryKuzmenko) Don't create io_loop before fork
PR #29609: (basepi) [2015.8][salt-ssh] Add ability to set salt-ssh command umask
in roster
PR #29603: (basepi) Fix orchestration failure-checking
PR #29597: (terminalmage) dockerng: Prevent exception when API response contains
empty dictionary
PR #29596: (rallytime) Back-port #29587 to 2015.8
PR #29588: (rallytime) Added ESXi Proxy Minion Tutorial
PR #29572: (gtmanfred) [nova] use old discover_extensions if available
PR #29545: (terminalmage) git.latest: init submodules if not yet initialized
PR #29548: (rallytime) Back-port #29449 to 2015.8
PR #29547: (rallytime) Refactored ESXCLI-based functions to accept a list of
esxi_hosts
PR #29563: (anlutro) Fix a call to deprecated method in python-influxdb
PR #29565: (bdrung) Fix typos and missing release note
PR #29540: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8
PR #29499: (rallytime) Initial commit of ESXi Proxy Minion
PR #29526: (jfindlay) 2015.8.2 notes: add note about not being released
PR #29531: (jfindlay) grains.core: handle undefined variable
PR #29538: (basepi) [2015.8] [salt-ssh] Remove umask around actual execution for
salt-ssh
PR #29505: (rallytime) Update boto_rds state docs to include funky yaml syntax
for "tags" option.
PR #29513: (bdrung) Drop obsolete syslog.target from systemd services
PR #29500: (rallytime) Back-port #29467 to 2015.8
PR #29463: (abednarik) Add **kwargs to debconf.set.
PR #29399: (jfindlay) modules.status: add human_readable option to uptime
PR #29433: (cro) Files for building .pkg files for MacOS X
PR #29455: (jfindlay) modules.nova.__init__: do not return None
PR #29454: (jfindlay) rh_service module __virtual__ return error messages
PR #29476: (tbaker57) Doc fix - route_table_present needs subnet_names (not
subnets) as a key
PR #29487: (rallytime) Back-port #29450 to 2015.8
PR #29441: (rallytime) Make sure docs line up with blade_idrac function specs
PR #29440: (rallytime) Back-port #28925 to 2015.8
PR #29435: (galet) Grains return wrong OS version and other OS related values
for Oracle Linux
PR #29430: (rall0r) Fix host.present state limitation
PR #29417: (jacobhammons) Repo install updates
PR #29402: (techhat) Add rate limiting to linode
PR #29400: (twangboy) Fix #19332
PR #29398: (cachedout) Lint 29288
PR #29331: (DmitryKuzmenko) Bugfix - #29116 raet dns error
PR #29390: (jacobhammons) updated version numbers in documentation
PR #29381: (nmadhok) No need to deepcopy since six.iterkeys() creates a copy
PR #29349: (cro) Fix mis-setting chassis names
PR #29334: (rallytime) Back-port #29237 to 2015.8
PR #29300: (ticosax) [dockerng] Add support for volume management in dockerng
PR #29218: (clan) check service enable state in test mode
PR #29315: (jfindlay) dev tutorial doc: fix markup errors
PR #29317: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8
PR #29240: (clan) handle acl_type [[d]efault:][user|group|mask|other]
PR #29305: (lorengordon) Add 'file' as a source_hash proto
PR #29272: (jfindlay) win_status module: handle 12 hour time in uptime
PR #29289: (terminalmage) file.managed: Allow local file sources to use
source_hash
PR #29264: (anlutro) Prevent ssh_auth.absent from running when test=True
PR #29277: (terminalmage) Update git_pillar runner to support new git ext_pillar
config schema
PR #29283: (cachedout) Single-quotes and use format
PR #29139: (thomaso-mirodin) [salt-ssh] Add a range roster and range targeting
options for the flat roster
PR #29282: (cachedout) dev docs: add development tutorial
PR #28994: (timcharper) add support to s3 for aws role assumption
PR #29278: (techhat) Add verify_log to SPM
PR #29067: (jacksontj) Fix infinite recursion in state compiler for prereq of
SLSs
PR #29207: (jfindlay) do not shadow ret function argument
PR #29215: (rallytime) Back-port #29192 to 2015.8
PR #29217: (clan) show duration only if state_output_profile is False
PR #29221: (ticosax) [dockerng] Docu network mode
PR #29269: (jfindlay) win_status module: fix function names in docs
PR #29213: (rallytime) Move _wait_for_task func from vmware cloud to vmware
utils
PR #29271: (techhat) Pass full path for digest (SPM)
PR #29244: (isbm) List products consistently across all SLES systems
PR #29255: (garethgreenaway) fixes to consul module
PR #29208: (whytewolf) Glance more profile errors
PR #29200: (jfindlay) mount state: unmount by device is optional
PR #29205: (trevor-h) Fixes #29187 - using winrm on EC2
PR #29170: (cachedout) Migrate pydsl tests to integration test suite
PR #29198: (jfindlay) rh_ip module: only set the mtu once
PR #29135: (jfindlay) ssh_known_hosts.present state: catch not found exc
PR #29196: (s0undt3ch) We need novaclient imported to compare versions
PR #29059: (terminalmage) Work around upstream pygit2 bug
PR #29112: (eliasp) Prevent backtrace (KeyError) in ssh_known_hosts.present
state
Security Fix
CVE-2015-8034: Saving state.sls cache data to disk with insecure permissions
This affects users of the state.sls function. The state run cache
on the minion was being created with incorrect permissions. This
file could potentially contain sensitive data that was inserted
via jinja into the state SLS files. The permissions for this file
are now being set correctly. Thanks to @zmalone for bringing this
issue to our attention.
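The class of bug described for CVE-2015-8034, shown as an added example (not Salt's code and not the actual fix): a cache file whose mode is left to the process umask, beside a variant created owner-only from the start, plus an audit helper for a cache directory. The file names, the secret and the 0o022 umask are constructed assumptions; the release note does not give the cache path or the mode the file received. POSIX permissions are assumed.

```python
import os
import stat
import tempfile


def write_cache_insecure(path, data):
    """'Before' pattern: the file mode is whatever the umask allows."""
    with open(path, "wb") as fh:
        fh.write(data)


def write_cache_secure(path, data):
    """Write via a 0600 temp file in the same directory, then rename."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))  # created 0600
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, path)  # atomic; the 0600 mode carries over
    except BaseException:
        os.unlink(tmp)
        raise


def audit_cache_dir(root):
    """Return (path, mode) for files that group or other can access."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & 0o077:  # any group/other permission bit set
                findings.append((full, oct(mode)))
    return sorted(findings)


def demo():
    """Write one file each way under a common umask and audit the result."""
    rendered = b"db_password: constructed-secret\n"  # constructed sample
    old_umask = os.umask(0o022)  # assumed daemon umask for the demo
    try:
        with tempfile.TemporaryDirectory() as root:
            write_cache_insecure(os.path.join(root, "sls_before.p"), rendered)
            write_cache_secure(os.path.join(root, "sls_after.p"), rendered)
            return [(os.path.basename(p), m) for p, m in audit_cache_dir(root)]
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(demo())
```

Only the file written with the default open() is reported by the audit; the one created through mkstemp stays owner-only regardless of umask.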