[meta-virtualization] [PATCH] salt: upgrade to 2016.11

Bruce Ashfield bruce.ashfield at gmail.com
Sun Dec 18 19:41:54 PST 2016


merged.

Bruce

On Wed, Dec 14, 2016 at 3:38 PM, Alejandro del Castillo <
alejandro.delcastillo at ni.com> wrote:

> Signed-off-by: Alejandro del Castillo <alejandro.delcastillo at ni.com>
> ---
>  meta-openstack/recipes-support/salt/files/cloud    |   6 +-
>  meta-openstack/recipes-support/salt/files/master   | 276
> ++++++++++++++++++---
>  meta-openstack/recipes-support/salt/files/minion   | 156 ++++++++++--
>  .../salt/files/salt-common.logrotate               |  21 +-
>  .../salt/{salt_2016.3.0.bb => salt_2016.11.0.bb}   |   4 +-
>  5 files changed, 403 insertions(+), 60 deletions(-)
>  rename meta-openstack/recipes-support/salt/{salt_2016.3.0.bb =>
> salt_2016.11.0.bb} (98%)
>
> diff --git a/meta-openstack/recipes-support/salt/files/cloud
> b/meta-openstack/recipes-support/salt/files/cloud
> index 5bd28df..921cc04 100644
> --- a/meta-openstack/recipes-support/salt/files/cloud
> +++ b/meta-openstack/recipes-support/salt/files/cloud
> @@ -1,4 +1,4 @@
> -# This file should normally be installed at: /etc/salt/cloud
> +# This file should normally be installed at: /etc/salt/cloud
>
>
>  ##########################################
> @@ -44,7 +44,7 @@
>  #log_level_logfile: info
>
>
> -# The date and time format used in log messages. Allowed date/time
> formating
> +# The date and time format used in log messages. Allowed date/time
> formatting
>  # can be seen here:
>  #
>  #      http://docs.python.org/library/time.html#time.strftime
> @@ -71,7 +71,7 @@
>  #log_fmt_console: '%(colorlevel)s %(colormsg)s'
>  #log_fmt_console: '[%(levelname)-8s] %(message)s'
>  #
> -#log_fmt_logfile: '%(asctime)s,%(msecs)03.0f
> [%(name)-17s][%(levelname)-8s] %(message)s'
> +#log_fmt_logfile: '%(asctime)s,%(msecs)03d [%(name)-17s][%(levelname)-8s]
> %(message)s'
>
>
>  # Logger levels can be used to tweak specific loggers logging levels.
> diff --git a/meta-openstack/recipes-support/salt/files/master
> b/meta-openstack/recipes-support/salt/files/master
> index 821f5fc..4ecb160 100644
> --- a/meta-openstack/recipes-support/salt/files/master
> +++ b/meta-openstack/recipes-support/salt/files/master
> @@ -39,12 +39,22 @@
>  # key_logfile, pidfile:
>  #root_dir: /
>
> +# The path to the master's configuration file.
> +#conf_file: /etc/salt/master
> +
>  # Directory used to store public key data:
>  #pki_dir: /etc/salt/pki/master
>
> +# Key cache. Increases master speed for large numbers of accepted
> +# keys. Available options: 'sched'. (Updates on a fixed schedule.)
> +# Note that enabling this feature means that minions will not be
> +# available to target for up to the length of the maintanence loop
> +# which by default is 60s.
> +#key_cache: ''
> +
>  # Directory to store job and cache data:
>  # This directory may contain sensitive data and should be protected
> accordingly.
> -#
> +#
>  #cachedir: /var/cache/salt/master
>
>  # Directory for custom modules. This directory can contain subdirectories
> for
> @@ -54,7 +64,7 @@
>
>  # Directory for custom modules. This directory can contain subdirectories
> for
>  # each of Salt's module types such as "runners", "output", "wheel",
> "modules",
> -# "states", "returners", etc.
> +# "states", "returners", "engines", etc.
>  # Like 'extension_modules' but can take an array of paths
>  #module_dirs: <no default>
>  #   - /var/cache/salt/minion/extmods
> @@ -65,6 +75,10 @@
>  # Set the number of hours to keep old job information in the job cache:
>  #keep_jobs: 24
>
> +# The number of seconds to wait when the client is requesting information
> +# about running jobs.
> +#gather_job_timeout: 10
> +
>  # Set the default timeout for the salt command and api. The default is 5
>  # seconds.
>  #timeout: 5
> @@ -77,6 +91,11 @@
>  # Set the default outputter used by the salt command. The default is
> "nested".
>  #output: nested
>
> +# Set the default output file used by the salt command. Default is to
> output
> +# to the CLI and not to a file. Functions the same way as the "--out-file"
> +# CLI option, only sets this to a single file for all salt commands.
> +#output_file: None
> +
>  # Return minions that timeout when running commands like test.ping
>  #show_timeout: True
>
> @@ -88,6 +107,12 @@
>  # (true by default).
>  # strip_colors: False
>
> +# To display a summary of the number of minions targeted, the number of
> +# minions returned, and the number of minions that did not return, set the
> +# cli_summary value to True. (False by default.)
> +#
> +#cli_summary: False
> +
>  # Set the directory used to hold unix sockets:
>  #sock_dir: /var/run/salt/master
>
> @@ -106,7 +131,7 @@
>  #minion_data_cache: True
>
>  # Store all returns in the given returner.
> -# Setting this option requires that any returner-specific configuration
> also
> +# Setting this option requires that any returner-specific configuration
> also
>  # be set. See various returners in salt/returners for details on required
>  # configuration values. (See also, event_return_queue below.)
>  #
> @@ -118,15 +143,15 @@
>  # By default, events are not queued.
>  #event_return_queue: 0
>
> -# Only events returns matching tags in a whitelist
> -# event_return_whitelist:
> -#   - salt/master/a_tag
> -#   - salt/master/another_tag
> +# Only return events matching tags in a whitelist, supports glob matches.
> +#event_return_whitelist:
> +#  - salt/master/a_tag
> +#  - salt/run/*/ret
>
> -# Store all event returns _except_ the tags in a blacklist
> -# event_return_blacklist:
> -#   - salt/master/not_this_tag
> -#   - salt/master/or_this_one
> +# Store all event returns **except** the tags in a blacklist, supports
> globs.
> +#event_return_blacklist:
> +#  - salt/master/not_this_tag
> +#  - salt/wheel/*/ret
>
>  # Passing very large events can cause the minion to consume large amounts
> of
>  # memory. This value tunes the maximum size of a message allowed onto the
> @@ -145,12 +170,12 @@
>  # the key rotation event as minions reconnect. Consider this carefully if
> this
>  # salt master is managing a large number of minions.
>  #
> -# If disabled, it is recommended to handle this event by listening for the
> +# If disabled, it is recommended to handle this event by listening for the
>  # 'aes_key_rotate' event with the 'key' tag and acting appropriately.
>  # ping_on_rotate: False
>
>  # By default, the master deletes its cache of minion data when the key
> for that
> -# minion is removed. To preserve the cache after key deletion, set
> +# minion is removed. To preserve the cache after key deletion, set
>  # 'preserve_minion_cache' to True.
>  #
>  # WARNING: This may have security implications if compromised minions
> auth with
> @@ -230,6 +255,14 @@
>  # ZMQ high-water-mark for EventPublisher pub socket
>  #event_publisher_pub_hwm: 10000
>
> +# The master may allocate memory per-event and not
> +# reclaim it.
> +# To set a high-water mark for memory allocation, use
> +# ipc_write_buffer to set a high-water mark for message
> +# buffering.
> +# Value: In bytes. Set to 'dynamic' to have Salt select
> +# a value for you. Default is disabled.
> +# ipc_write_buffer: 'dynamic'
>
>
>  #####        Security settings       #####
> @@ -244,7 +277,7 @@
>  # public keys from the minions. Note that this is insecure.
>  #auto_accept: False
>
> -# Time in minutes that a incoming public key with a matching name found in
> +# Time in minutes that an incoming public key with a matching name found
> in
>  # pki_dir/minion_autosign/keyid is automatically accepted. Expired
> autosign keys
>  # are removed when the master checks the minion_autosign directory.
>  # 0 equals no timeout
> @@ -272,7 +305,7 @@
>  # This setting should be treated with care since it opens up execution
>  # capabilities to non root users. By default this capability is completely
>  # disabled.
> -#pulisher_acl:
> +#publisher_acl:
>  #  larry:
>  #    - test.ping
>  #    - network.*
> @@ -283,6 +316,11 @@
>  # running any commands. It would also blacklist any use of the "cmd"
>  # module. This is completely disabled by default.
>  #
> +#
> +# Check the list of configured users in client ACL against users on the
> +# system and throw errors if they do not exist.
> +#client_acl_verify: True
> +#
>  #publisher_acl_blacklist:
>  #  users:
>  #    - root
> @@ -295,7 +333,7 @@
>  # publisher_acl_blacklist instead.
>
>  # Enforce publisher_acl & publisher_acl_blacklist when users have sudo
> -# access to the salt command.
> +# access to the salt command.
>  #
>  #sudo_acl: False
>
> @@ -308,6 +346,18 @@
>  #
>  # Time (in seconds) for a newly generated token to live. Default: 12 hours
>  #token_expire: 43200
> +#
> +# Allow eauth users to specify the expiry time of the tokens they
> generate.
> +# A boolean applies to all users or a dictionary of whitelisted eauth
> backends
> +# and usernames may be given.
> +# token_expire_user_override:
> +#   pam:
> +#     - fred
> +#     - tom
> +#   ldap:
> +#     - gary
> +#
> +#token_expire_user_override: False
>
>  # Allow minions to push files to the master. This is disabled by default,
> for
>  # security purposes.
> @@ -344,6 +394,10 @@
>  #ssh_minion_opts:
>  #  gpg_keydir: /root/gpg
>
> +# Set this to True to default to using ~/.ssh/id_rsa for salt-ssh
> +# authentication with minions
> +#ssh_use_home_key: False
> +
>  #####    Master Module Management    #####
>  ##########################################
>  # Manage how master side modules are loaded.
> @@ -455,7 +509,7 @@
>  # When using multiple environments, each with their own top file, the
>  # default behaviour is an unordered merge. To prevent top files from
>  # being merged together and instead to only use the top file from the
> -# requested environment, set this value to 'same'.
> +# requested environment, set this value to 'same'.
>  #top_file_merging_strategy: merge
>
>  # To specify the order in which environments are merged, set the ordering
> @@ -469,12 +523,15 @@
>  #default_top: base
>
>  # The hash_type is the hash to use when discovering the hash of a file on
> -# the master server. The default is md5, but sha1, sha224, sha256, sha384
> +# the master server. The default is md5 but sha1, sha224, sha256, sha384
>  # and sha512 are also supported.
>  #
> -# Prior to changing this value, the master should be stopped and all Salt
> +# WARNING: While md5 is also supported, do not use it due to the high
> chance
> +# of possible collisions and thus security breach.
> +#
> +# Prior to changing this value, the master should be stopped and all Salt
>  # caches should be cleared.
> -#hash_type: md5
> +#hash_type: sha256
>
>  # The buffer size in the file server can be adjusted here:
>  #file_buffer_size: 1048576
> @@ -540,10 +597,37 @@
>
>  # Git File Server Backend Configuration
>  #
> -# Gitfs can be provided by one of two python modules: GitPython or
> pygit2. If
> -# using pygit2, both libgit2 and git must also be installed.
> -#gitfs_provider: gitpython
> -#
> +# Optional parameter used to specify the provider to be used for gitfs.
> Must
> +# be one of the following: pygit2, gitpython, or dulwich. If unset, then
> each
> +# will be tried in that same order, and the first one with a compatible
> +# version installed will be the provider that is used.
> +#gitfs_provider: pygit2
> +
> +# Along with gitfs_password, is used to authenticate to HTTPS remotes.
> +# gitfs_user: ''
> +
> +# Along with gitfs_user, is used to authenticate to HTTPS remotes.
> +# This parameter is not required if the repository does not use
> authentication.
> +#gitfs_password: ''
> +
> +# By default, Salt will not authenticate to an HTTP (non-HTTPS) remote.
> +# This parameter enables authentication over HTTP. Enable this at your
> own risk.
> +#gitfs_insecure_auth: False
> +
> +# Along with gitfs_privkey (and optionally gitfs_passphrase), is used to
> +# authenticate to SSH remotes. This parameter (or its per-remote
> counterpart)
> +# is required for SSH remotes.
> +#gitfs_pubkey: ''
> +
> +# Along with gitfs_pubkey (and optionally gitfs_passphrase), is used to
> +# authenticate to SSH remotes. This parameter (or its per-remote
> counterpart)
> +# is required for SSH remotes.
> +#gitfs_privkey: ''
> +
> +# This parameter is optional, required only when the SSH key being used to
> +# authenticate is protected by a passphrase.
> +#gitfs_passphrase: ''
> +
>  # When using the git fileserver backend at least one git remote needs to
> be
>  # defined. The user running the salt master will need read access to the
> repo.
>  #
> @@ -551,7 +635,7 @@
>  # and the first repo to have the file will return it.
>  # When using the git backend branches and tags are translated into salt
>  # environments.
> -# Note:  file:// repos will be treated as a remote, so refs you want used
> must
> +# Note: file:// repos will be treated as a remote, so refs you want used
> must
>  # exist in that repo as *local* refs.
>  #gitfs_remotes:
>  #  - git://github.com/saltstack/salt-states.git
> @@ -610,10 +694,10 @@
>  #pillar_safe_render_error: True
>
>  # The pillar_source_merging_strategy option allows you to configure
> merging strategy
> -# between different sources. It accepts four values: recurse, aggregate,
> overwrite,
> -# or smart. Recurse will merge recursively mapping of data. Aggregate
> instructs
> -# aggregation of elements between sources that use the #!yamlex renderer.
> Overwrite
> -# will verwrite elements according the order in which they are processed.
> This is
> +# between different sources. It accepts five values: none, recurse,
> aggregate, overwrite,
> +# or smart. None will not do any merging at all. Recurse will merge
> recursively mapping of data.
> +# Aggregate instructs aggregation of elements between sources that use
> the #!yamlex renderer. Overwrite
> +# will overwrite elements according the order in which they are
> processed. This is
>  # behavior of the 2014.1 branch and earlier. Smart guesses the best
> strategy based
>  # on the "renderer" setting and is the default value.
>  #pillar_source_merging_strategy: smart
> @@ -621,6 +705,107 @@
>  # Recursively merge lists by aggregating them instead of replacing them.
>  #pillar_merge_lists: False
>
> +# Set this option to 'True' to force a 'KeyError' to be raised whenever an
> +# attempt to retrieve a named value from pillar fails. When this option
> is set
> +# to 'False', the failed attempt returns an empty string. Default is
> 'False'.
> +#pillar_raise_on_missing: False
> +
> +# Git External Pillar (git_pillar) Configuration Options
> +#
> +# Specify the provider to be used for git_pillar. Must be either pygit2 or
> +# gitpython. If unset, then both will be tried in that same order, and the
> +# first one with a compatible version installed will be the provider that
> +# is used.
> +#git_pillar_provider: pygit2
> +
> +# If the desired branch matches this value, and the environment is omitted
> +# from the git_pillar configuration, then the environment for that
> git_pillar
> +# remote will be base.
> +#git_pillar_base: master
> +
> +# If the branch is omitted from a git_pillar remote, then this branch will
> +# be used instead
> +#git_pillar_branch: master
> +
> +# Environment to use for git_pillar remotes. This is normally derived from
> +# the branch/tag (or from a per-remote env parameter), but if set this
> will
> +# override the process of deriving the env from the branch/tag name.
> +#git_pillar_env: ''
> +
> +# Path relative to the root of the repository where the git_pillar top
> file
> +# and SLS files are located.
> +#git_pillar_root: ''
> +
> +# Specifies whether or not to ignore SSL certificate errors when
> contacting
> +# the remote repository.
> +#git_pillar_ssl_verify: False
> +
> +# When set to False, if there is an update/checkout lock for a git_pillar
> +# remote and the pid written to it is not running on the master, the lock
> +# file will be automatically cleared and a new lock will be obtained.
> +#git_pillar_global_lock: True
> +
> +# Git External Pillar Authentication Options
> +#
> +# Along with git_pillar_password, is used to authenticate to HTTPS
> remotes.
> +#git_pillar_user: ''
> +
> +# Along with git_pillar_user, is used to authenticate to HTTPS remotes.
> +# This parameter is not required if the repository does not use
> authentication.
> +#git_pillar_password: ''
> +
> +# By default, Salt will not authenticate to an HTTP (non-HTTPS) remote.
> +# This parameter enables authentication over HTTP.
> +#git_pillar_insecure_auth: False
> +
> +# Along with git_pillar_privkey (and optionally git_pillar_passphrase),
> +# is used to authenticate to SSH remotes.
> +#git_pillar_pubkey: ''
> +
> +# Along with git_pillar_pubkey (and optionally git_pillar_passphrase),
> +# is used to authenticate to SSH remotes.
> +#git_pillar_privkey: ''
> +
> +# This parameter is optional, required only when the SSH key being used
> +# to authenticate is protected by a passphrase.
> +#git_pillar_passphrase: ''
> +
> +# A master can cache pillars locally to bypass the expense of having to
> render them
> +# for each minion on every request. This feature should only be enabled
> in cases
> +# where pillar rendering time is known to be unsatisfactory and any
> attendant security
> +# concerns about storing pillars in a master cache have been addressed.
> +#
> +# When enabling this feature, be certain to read through the additional
> ``pillar_cache_*``
> +# configuration options to fully understand the tunable parameters and
> their implications.
> +#
> +# Note: setting ``pillar_cache: True`` has no effect on targeting Minions
> with Pillars.
> +# See https://docs.saltstack.com/en/latest/topics/targeting/pillar.html
> +#pillar_cache: False
> +
> +# If and only if a master has set ``pillar_cache: True``, the cache TTL
> controls the amount
> +# of time, in seconds, before the cache is considered invalid by a master
> and a fresh
> +# pillar is recompiled and stored.
> +#pillar_cache_ttl: 3600
> +
> +# If and only if a master has set `pillar_cache: True`, one of several
> storage providers
> +# can be utililzed.
> +#
> +# `disk`: The default storage backend. This caches rendered pillars to
> the master cache.
> +#         Rendered pillars are serialized and deserialized as msgpack
> structures for speed.
> +#         Note that pillars are stored UNENCRYPTED. Ensure that the
> master cache
> +#         has permissions set appropriately. (Same defaults are provided.)
> +#
> +# memory: [EXPERIMENTAL] An optional backend for pillar caches which uses
> a pure-Python
> +#         in-memory data structure for maximal performance. There are
> several caveats,
> +#         however. First, because each master worker contains its own
> in-memory cache,
> +#         there is no guarantee of cache consistency between minion
> requests. This
> +#         works best in situations where the pillar rarely if ever
> changes. Secondly,
> +#         and perhaps more importantly, this means that unencrypted
> pillars will
> +#         be accessible to any process which can examine the memory of
> the ``salt-master``!
> +#         This may represent a substantial security risk.
> +#
> +#pillar_cache_backend: disk
> +
>
>  #####          Syndic settings       #####
>  ##########################################
> @@ -649,6 +834,12 @@
>  # LOG file of the syndic daemon:
>  #syndic_log_file: syndic.log
>
> +# The behaviour of the multi-syndic when connection to a master of
> masters failed.
> +# Can specify ``random`` (default) or ``ordered``. If set to ``random``,
> masters
> +# will be iterated in random order. If ``ordered`` is specified, the
> configured
> +# order will be used.
> +#syndic_failover: random
> +
>
>  #####      Peer Publish settings     #####
>  ##########################################
> @@ -738,7 +929,7 @@
>  # If using 'log_granular_levels' this must be set to the highest desired
> level.
>  #log_level_logfile: warning
>
> -# The date and time format used in log messages. Allowed date/time
> formating
> +# The date and time format used in log messages. Allowed date/time
> formatting
>  # can be seen here: http://docs.python.org/library/time.html#time.
> strftime
>  #log_datefmt: '%H:%M:%S'
>  #log_datefmt_logfile: '%Y-%m-%d %H:%M:%S'
> @@ -760,7 +951,7 @@
>  #log_fmt_console: '%(colorlevel)s %(colormsg)s'
>  #log_fmt_console: '[%(levelname)-8s] %(message)s'
>  #
> -#log_fmt_logfile: '%(asctime)s,%(msecs)03.0f
> [%(name)-17s][%(levelname)-8s] %(message)s'
> +#log_fmt_logfile: '%(asctime)s,%(msecs)03d [%(name)-17s][%(levelname)-8s]
> %(message)s'
>
>  # This can be used to control logging levels more specificically.  This
>  # example sets the main salt library at the 'warning' level, but sets
> @@ -774,11 +965,18 @@
>
>  #####         Node Groups           ######
>  ##########################################
> -# Node groups allow for logical groupings of minion nodes. A group
> consists of a group
> -# name and a compound target.
> +# Node groups allow for logical groupings of minion nodes. A group
> consists of
> +# a group name and a compound target. Nodgroups can reference other
> nodegroups
> +# with 'N@' classifier. Ensure that you do not have circular references.
> +#
>  #nodegroups:
> -#  group1: 'L at foo.domain.com,bar.domain.com,baz.domain.com and bl*.
> domain.com'
> +#  group1: 'L at foo.domain.com,bar.domain.com,baz.domain.com or bl*.
> domain.com'
>  #  group2: 'G at os:Debian and foo.domain.com'
> +#  group3: 'G at os:Debian and N at group1'
> +#  group4:
> +#    - 'G at foo:bar'
> +#    - 'or'
> +#    - 'G at foo:baz'
>
>
>  #####     Range Cluster settings     #####
> @@ -824,3 +1022,13 @@
>  ############################################
>  # Default match type for filtering events tags: startswith, endswith,
> find, regex, fnmatch
>  #event_match_type: startswith
> +
> +# Save runner returns to the job cache
> +#runner_returns: True
> +
> +# Permanently include any available Python 3rd party modules into Salt
> Thin
> +# when they are generated for Salt-SSH or other purposes.
> +# The modules should be named by the names they are actually imported
> inside the Python.
> +# The value of the parameters can be either one module or a comma
> separated list of them.
> +#thin_extra_mods: foo,bar
> +
> diff --git a/meta-openstack/recipes-support/salt/files/minion
> b/meta-openstack/recipes-support/salt/files/minion
> index bd97c43..ad7a374 100644
> --- a/meta-openstack/recipes-support/salt/files/minion
> +++ b/meta-openstack/recipes-support/salt/files/minion
> @@ -38,6 +38,8 @@
>  # value to "str".  Failover masters can be requested by setting
>  # to "failover".  MAKE SURE TO SET master_alive_interval if you are
>  # using failover.
> +# Setting master_type to 'disable' let's you have a running minion (with
> engines and
> +# beacons) without a master connection
>  # master_type: str
>
>  # Poll interval in seconds for checking if the master is still there.
> Only
> @@ -46,6 +48,16 @@
>  # of TCP connections, such as load balancers.)
>  # master_alive_interval: 30
>
> +# If the minion is in multi-master mode and the master_type configuration
> option
> +# is set to "failover", this setting can be set to "True" to force the
> minion
> +# to fail back to the first master in the list if the first master is
> back online.
> +#master_failback: False
> +
> +# If the minion is in multi-master mode, the "master_type" configuration
> is set to
> +# "failover", and the "master_failback" option is enabled, the master
> failback
> +# interval can be set to ping the top master with this interval, in
> seconds.
> +#master_failback_interval: 0
> +
>  # Set whether the minion should connect to the master via IPv6:
>  #ipv6: False
>
> @@ -60,11 +72,15 @@
>  # The user to run salt.
>  #user: root
>
> -# Setting sudo_user will cause salt to run all execution modules under an
> sudo
> -# to the user given in sudo_user.  The user under which the salt minion
> process
> -# itself runs will still be that provided in the user config above, but
> all
> -# execution modules run by the minion will be rerouted through sudo.
> -#sudo_user: saltdev
> +# The user to run salt remote execution commands as via sudo. If this
> option is
> +# enabled then sudo will be used to change the active user executing the
> remote
> +# command. If enabled the user will need to be allowed access via the
> sudoers
> +# file for the user that the salt minion is configured to run as. The most
> +# common option would be to use the root user. If this option is set the
> user
> +# option should also be set to a non-root user. If migrating from a root
> minion
> +# to a non root minion the minion cache should be cleared and the minion
> pki
> +# directory will need to be changed to the ownership of the new user.
> +#sudo_user: root
>
>  # Specify the location of the daemon process ID file.
>  #pidfile: /var/run/salt-minion.pid
> @@ -73,6 +89,9 @@
>  # sock_dir, pidfile.
>  #root_dir: /
>
> +# The path to the minion's configuration file.
> +#conf_file: /etc/salt/minion
> +
>  # The directory to store the pki information in
>  #pki_dir: /etc/salt/pki/minion
>
> @@ -83,6 +102,13 @@
>  # clusters.
>  #id:
>
> +# Cache the minion id to a file when the minion's id is not statically
> defined
> +# in the minion config. Defaults to "True". This setting prevents
> potential
> +# problems when automatic minion id resolution changes, which can cause
> the
> +# minion to lose connection with the master. To turn off minion id
> caching,
> +# set this config to ``False``.
> +#minion_id_caching: True
> +
>  # Append a domain to a hostname in the event that it does not exist.
> This is
>  # useful for systems where socket.getfqdn() does not actually result in a
>  # FQDN (for instance, Solaris).
> @@ -103,6 +129,13 @@
>  # This data may contain sensitive data and should be protected
> accordingly.
>  #cachedir: /var/cache/salt/minion
>
> +# Append minion_id to these directories.  Helps with
> +# multiple proxies and minions running on the same machine.
> +# Allowed elements in the list: pki_dir, cachedir, extension_modules
> +# Normally not needed unless running several proxies and/or minions on
> the same machine
> +# Defaults to ['cachedir'] for proxies, [] (empty list) for regular
> minions
> +#append_minionid_config_dirs:
> +
>  # Verify and set permissions on configuration directories at startup.
>  #verify_env: True
>
> @@ -171,6 +204,20 @@
>  # authenticate.
>  #auth_tries: 7
>
> +# The number of attempts to connect to a master before giving up.
> +# Set this to -1 for unlimited attempts. This allows for a master to have
> +# downtime and the minion to reconnect to it later when it comes back up.
> +# In 'failover' mode, it is the number of attempts for each set of
> masters.
> +# In this mode, it will cycle through the list of masters for each
> attempt.
> +#
> +# This is different than auth_tries because auth_tries attempts to
> +# retry auth attempts with a single master. auth_tries is under the
> +# assumption that you can connect to the master but not gain
> +# authorization from it. master_tries will still cycle through all
> +# the masters in a given try, so it is appropriate if you expect
> +# occasional downtime from the master(s).
> +#master_tries: 1
> +
>  # If authentication fails due to SaltReqTimeoutError during a
> ping_interval,
>  # cause sub minion process to restart.
>  #auth_safemode: False
> @@ -249,10 +296,17 @@
>  #
>  #
>  # The loop_interval sets how long in seconds the minion will wait between
> -# evaluating the scheduler and running cleanup tasks. This defaults to a
> -# sane 60 seconds, but if the minion scheduler needs to be evaluated more
> -# often lower this value
> -#loop_interval: 60
> +# evaluating the scheduler and running cleanup tasks.  This defaults to 1
> +# second on the minion scheduler.
> +#loop_interval: 1
> +
> +# Some installations choose to start all job returns in a cache or a
> returner
> +# and forgo sending the results back to a master. In this workflow, jobs
> +# are most often executed with --async from the Salt CLI and then results
> +# are evaluated by examining job caches on the minions or any configured
> returners.
> +# WARNING: Setting this to False will **disable** returns back to the
> master.
> +#pub_ret: True
> +
>
>  # The grains can be merged, instead of overridden, using this option.
>  # This allows custom grains to defined different subvalues of a dictionary
> @@ -286,6 +340,26 @@
>  # is not enabled.
>  # grains_cache_expiration: 300
>
> +# Determines whether or not the salt minion should run scheduled mine
> updates.
> +# Defaults to "True". Set to "False" to disable the scheduled mine updates
> +# (this essentially just does not add the mine update function to the
> minion's
> +# scheduler).
> +#mine_enabled: True
> +
> +# Determines whether or not scheduled mine updates should be accompanied
> by a job
> +# return for the job cache. Defaults to "False". Set to "True" to include
> job
> +# returns in the job cache for mine updates.
> +#mine_return_job: False
> +
> +# Example functions that can be run via the mine facility
> +# NO mine functions are established by default.
> +# Note these can be defined in the minion's pillar as well.
> +#mine_functions:
> +#  test.ping: []
> +#  network.ip_addrs:
> +#    interface: eth0
> +#    cidr: '10.0.0.0/8'
> +
>  # Windows platforms lack posix IPC and must rely on slower TCP based
> inter-
>  # process communications. Set ipc_mode to 'tcp' on such systems
>  #ipc_mode: ipc
> @@ -319,16 +393,33 @@
>  #include:
>  #  - /etc/salt/extra_config
>  #  - /etc/roles/webserver
> +
> +# The syndic minion can verify that it is talking to the correct master
> via the
> +# key fingerprint of the higher-level master with the "syndic_finger"
> config.
> +#syndic_finger: ''
>  #
>  #
>  #
>  #####   Minion module management     #####
>  ##########################################
>  # Disable specific modules. This allows the admin to limit the level of
> -# access the master has to the minion.
> -#disable_modules: [cmd,test]
> +# access the master has to the minion.  The default here is the empty
> list,
> +# below is an example of how this needs to be formatted in the config file
> +#disable_modules:
> +#  - cmdmod
> +#  - test
>  #disable_returners: []
> -#
> +
> +# This is the reverse of disable_modules.  The default, like
> disable_modules, is the empty list,
> +# but if this option is set to *anything* then *only* those modules will
> load.
> +# Note that this is a very large hammer and it can be quite difficult to
> keep the minion working
> +# the way you think it should since Salt uses many modules internally
> itself.  At a bare minimum
> +# you need the following enabled or else the minion won't start.
> +#whitelist_modules:
> +#  - cmdmod
> +#  - test
> +#  - config
> +
>  # Modules can be loaded from arbitrary paths. This enables the easy
> deployment
>  # of third party modules. Modules for returners and minions can be loaded.
>  # Specify a list of extra directories to search for minion modules and
> @@ -389,6 +480,15 @@
>  # environments is to isolate via the top file.
>  #environment: None
>  #
> +# Isolates the pillar environment on the minion side. This functions the
> same
> +# as the environment setting, but for pillar instead of states.
> +#pillarenv: None
> +#
> +# Set this option to 'True' to force a 'KeyError' to be raised whenever an
> +# attempt to retrieve a named value from pillar fails. When this option
> is set
> +# to 'False', the failed attempt returns an empty string. Default is
> 'False'.
> +#pillar_raise_on_missing: False
> +#
>  # If using the local file directory, then the state top file name needs
> to be
>  # defined, by default this is top.sls.
>  #state_top: top.sls
> @@ -448,6 +548,18 @@
>  #  base:
>  #    - /srv/salt
>
> +# Uncomment the line below if you do not want the file_server to follow
> +# symlinks when walking the filesystem tree. This is set to True
> +# by default. Currently this only applies to the default roots
> +# fileserver_backend.
> +#fileserver_followsymlinks: False
> +#
> +# Uncomment the line below if you do not want symlinks to be
> +# treated as the files they are pointing to. By default this is set to
> +# False. By uncommenting the line below, any detected symlink while
> listing
> +# files on the Master will not be returned to the Minion.
> +#fileserver_ignoresymlinks: True
> +#
>  # By default, the Salt fileserver recurses fully into all defined
> environments
>  # to attempt to find files. To limit this behavior so that the fileserver
> only
>  # traverses directories with SLS files and special Salt directories like
> _modules,
> @@ -456,13 +568,19 @@
>  # is False.
>  #fileserver_limit_traversal: False
>
> -# The hash_type is the hash to use when discovering the hash of a file in
> +# The hash_type is the hash to use when discovering the hash of a file on
>  # the local fileserver. The default is md5, but sha1, sha224, sha256,
> sha384
>  # and sha512 are also supported.
>  #
> +# WARNING: While md5 and sha1 are also supported, do not use it due to
> the high chance
> +# of possible collisions and thus security breach.
> +#
> +# WARNING: While md5 is also supported, do not use it due to the high
> chance
> +# of possible collisions and thus security breach.
> +#
>  # Warning: Prior to changing this value, the minion should be stopped and
> all
>  # Salt caches should be cleared.
> -#hash_type: md5
> +#hash_type: sha256
>
>  # The Salt pillar is searched for locally if file_client is set to local.
> If
>  # this is the case, and pillar data is defined, then the pillar_roots
> need to
> @@ -470,6 +588,10 @@
>  #pillar_roots:
>  #  base:
>  #    - /srv/pillar
> +
> +# Set a hard-limit on the size of the files that can be pushed to the
> master.
> +# It will be interpreted as megabytes. Default: 100
> +#file_recv_max_size: 100
>  #
>  #
>  ######        Security settings       #####
> @@ -508,7 +630,7 @@
>
>  # Fingerprint of the master public key to validate the identity of your
> Salt master
>  # before the initial key exchange. The master fingerprint can be found by
> running
> -# "salt-key -F master" on the Salt master.
> +# "salt-key -f master.pub" on the Salt master.
>  #master_finger: ''
>
>
> @@ -548,7 +670,7 @@
>  # Default: 'warning'
>  #log_level_logfile:
>
> -# The date and time format used in log messages. Allowed date/time
> formating
> +# The date and time format used in log messages. Allowed date/time
> formatting
>  # can be seen here: http://docs.python.org/library/time.html#time.
> strftime
>  #log_datefmt: '%H:%M:%S'
>  #log_datefmt_logfile: '%Y-%m-%d %H:%M:%S'
> @@ -570,7 +692,7 @@
>  #log_fmt_console: '%(colorlevel)s %(colormsg)s'
>  #log_fmt_console: '[%(levelname)-8s] %(message)s'
>  #
> -#log_fmt_logfile: '%(asctime)s,%(msecs)03.0f
> [%(name)-17s][%(levelname)-8s] %(message)s'
> +#log_fmt_logfile: '%(asctime)s,%(msecs)03d [%(name)-17s][%(levelname)-8s]
> %(message)s'
>
>  # This can be used to control logging levels more specificically.  This
>  # example sets the main salt library at the 'warning' level, but sets
> diff --git a/meta-openstack/recipes-support/salt/files/salt-common.logrotate
> b/meta-openstack/recipes-support/salt/files/salt-common.logrotate
> index dcfd268..3cd0023 100644
> --- a/meta-openstack/recipes-support/salt/files/salt-common.logrotate
> +++ b/meta-openstack/recipes-support/salt/files/salt-common.logrotate
> @@ -1,7 +1,20 @@
> -/var/log/salt/master
> -/var/log/salt/minion
> -/var/log/salt/*.log
> -{
> +/var/log/salt/master {
> +       weekly
> +       missingok
> +       rotate 7
> +       compress
> +       notifempty
> +}
> +
> +/var/log/salt/minion {
> +       weekly
> +       missingok
> +       rotate 7
> +       compress
> +       notifempty
> +}
> +
> +/var/log/salt/key {
>         weekly
>         missingok
>         rotate 7
> diff --git a/meta-openstack/recipes-support/salt/salt_2016.3.0.bb
> b/meta-openstack/recipes-support/salt/salt_2016.11.0.bb
> similarity index 98%
> rename from meta-openstack/recipes-support/salt/salt_2016.3.0.bb
> rename to meta-openstack/recipes-support/salt/salt_2016.11.0.bb
> index 7024f42..ba1def7 100644
> --- a/meta-openstack/recipes-support/salt/salt_2016.3.0.bb
> +++ b/meta-openstack/recipes-support/salt/salt_2016.11.0.bb
> @@ -28,8 +28,8 @@ SRC_URI = "https://files.pythonhosted.
> org/packages/source/s/${SRCNAME}/${SRCNAME
>             file://roster \
>  "
>
> -SRC_URI[md5sum] = "8ed82cfb3f9b1764a035edbdacf0fea9"
> -SRC_URI[sha256sum] = "e316dd103b7faeaa97820197e4d0d7
> d358519f0ca2a6dcb1d9b718eea801ed30"
> +SRC_URI[md5sum] = "eced07a652cc6a31870fc098d5325a9c"
> +SRC_URI[sha256sum] = "b516285926ee95cedc64ecddab05d1
> 4422b7c8819c9f6d046a431c41d608e6bc"
>
>  S = "${WORKDIR}/${SRCNAME}-${PV}"
>
> --
> 2.7.4
>
> --
> _______________________________________________
> meta-virtualization mailing list
> meta-virtualization at yoctoproject.org
> https://lists.yoctoproject.org/listinfo/meta-virtualization
>



-- 
"Thou shalt not follow the NULL pointer, for chaos and madness await thee
at its end"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.yoctoproject.org/pipermail/meta-virtualization/attachments/20161218/5235ce17/attachment-0001.html>


More information about the meta-virtualization mailing list