Signed-off-by: Alejandro del Castillo <[email protected]> --- meta-openstack/recipes-support/salt/files/cloud | 6 +- meta-openstack/recipes-support/salt/files/master | 276 ++++++++++++++++++--- meta-openstack/recipes-support/salt/files/minion | 156 ++++++++++-- .../salt/files/salt-common.logrotate | 21 +- .../salt/{salt_2016.3.0.bb => salt_2016.11.0.bb} | 4 +- 5 files changed, 403 insertions(+), 60 deletions(-) rename meta-openstack/recipes-support/salt/{salt_2016.3.0.bb => salt_2016.11.0.bb} (98%)
diff --git a/meta-openstack/recipes-support/salt/files/cloud b/meta-openstack/recipes-support/salt/files/cloud index 5bd28df..921cc04 100644 --- a/meta-openstack/recipes-support/salt/files/cloud +++ b/meta-openstack/recipes-support/salt/files/cloud @@ -1,4 +1,4 @@ -# This file should normally be installed at: /etc/salt/cloud +# This file should normally be installed at: /etc/salt/cloud ########################################## @@ -44,7 +44,7 @@ #log_level_logfile: info -# The date and time format used in log messages. Allowed date/time formating +# The date and time format used in log messages. Allowed date/time formatting # can be seen here: # # http://docs.python.org/library/time.html#time.strftime @@ -71,7 +71,7 @@ #log_fmt_console: '%(colorlevel)s %(colormsg)s' #log_fmt_console: '[%(levelname)-8s] %(message)s' # -#log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s' +#log_fmt_logfile: '%(asctime)s,%(msecs)03d [%(name)-17s][%(levelname)-8s] %(message)s' # Logger levels can be used to tweak specific loggers logging levels. diff --git a/meta-openstack/recipes-support/salt/files/master b/meta-openstack/recipes-support/salt/files/master index 821f5fc..4ecb160 100644 --- a/meta-openstack/recipes-support/salt/files/master +++ b/meta-openstack/recipes-support/salt/files/master 
@@ -39,12 +39,22 @@ # key_logfile, pidfile: #root_dir: / +# The path to the master's configuration file. +#conf_file: /etc/salt/master + # Directory used to store public key data: #pki_dir: /etc/salt/pki/master +# Key cache. Increases master speed for large numbers of accepted +# keys. Available options: 'sched'. (Updates on a fixed schedule.) +# Note that enabling this feature means that minions will not be +# available to target for up to the length of the maintanence loop +# which by default is 60s. +#key_cache: '' + # Directory to store job and cache data: # This directory may contain sensitive data and should be protected accordingly. -# +# #cachedir: /var/cache/salt/master # Directory for custom modules. This directory can contain subdirectories for @@ -54,7 +64,7 @@ # Directory for custom modules. This directory can contain subdirectories for # each of Salt's module types such as "runners", "output", "wheel", "modules", -# "states", "returners", etc. +# "states", "returners", "engines", etc. # Like 'extension_modules' but can take an array of paths #module_dirs: <no default> # - /var/cache/salt/minion/extmods @@ -65,6 +75,10 @@ # Set the number of hours to keep old job information in the job cache: #keep_jobs: 24 +# The number of seconds to wait when the client is requesting information +# about running jobs. +#gather_job_timeout: 10 + # Set the default timeout for the salt command and api. The default is 5 # seconds. #timeout: 5 @@ -77,6 +91,11 @@ # Set the default outputter used by the salt command. The default is "nested". #output: nested +# Set the default output file used by the salt command. Default is to output +# to the CLI and not to a file. Functions the same way as the "--out-file" +# CLI option, only sets this to a single file for all salt commands. +#output_file: None + # Return minions that timeout when running commands like test.ping #show_timeout: True 
@@ -88,6 +107,12 @@ # (true by default). # strip_colors: False +# To display a summary of the number of minions targeted, the number of +# minions returned, and the number of minions that did not return, set the +# cli_summary value to True. (False by default.) +# +#cli_summary: False + # Set the directory used to hold unix sockets: #sock_dir: /var/run/salt/master @@ -106,7 +131,7 @@ #minion_data_cache: True # Store all returns in the given returner. -# Setting this option requires that any returner-specific configuration also +# Setting this option requires that any returner-specific configuration also # be set. See various returners in salt/returners for details on required # configuration values. (See also, event_return_queue below.) # @@ -118,15 +143,15 @@ # By default, events are not queued. #event_return_queue: 0 -# Only events returns matching tags in a whitelist -# event_return_whitelist: -# - salt/master/a_tag -# - salt/master/another_tag +# Only return events matching tags in a whitelist, supports glob matches. +#event_return_whitelist: +# - salt/master/a_tag +# - salt/run/*/ret -# Store all event returns _except_ the tags in a blacklist -# event_return_blacklist: -# - salt/master/not_this_tag -# - salt/master/or_this_one +# Store all event returns **except** the tags in a blacklist, supports globs. +#event_return_blacklist: +# - salt/master/not_this_tag +# - salt/wheel/*/ret # Passing very large events can cause the minion to consume large amounts of # memory. This value tunes the maximum size of a message allowed onto the 
@@ -145,12 +170,12 @@ # the key rotation event as minions reconnect. Consider this carefully if this # salt master is managing a large number of minions. # -# If disabled, it is recommended to handle this event by listening for the +# If disabled, it is recommended to handle this event by listening for the # 'aes_key_rotate' event with the 'key' tag and acting appropriately. # ping_on_rotate: False # By default, the master deletes its cache of minion data when the key for that -# minion is removed. To preserve the cache after key deletion, set +# minion is removed. To preserve the cache after key deletion, set # 'preserve_minion_cache' to True. # # WARNING: This may have security implications if compromised minions auth with @@ -230,6 +255,14 @@ # ZMQ high-water-mark for EventPublisher pub socket #event_publisher_pub_hwm: 10000 +# The master may allocate memory per-event and not +# reclaim it. +# To set a high-water mark for memory allocation, use +# ipc_write_buffer to set a high-water mark for message +# buffering. +# Value: In bytes. Set to 'dynamic' to have Salt select +# a value for you. Default is disabled. +# ipc_write_buffer: 'dynamic' ##### Security settings ##### @@ -244,7 +277,7 @@ # public keys from the minions. Note that this is insecure. #auto_accept: False -# Time in minutes that a incoming public key with a matching name found in +# Time in minutes that an incoming public key with a matching name found in # pki_dir/minion_autosign/keyid is automatically accepted. Expired autosign keys # are removed when the master checks the minion_autosign directory. # 0 equals no timeout @@ -272,7 +305,7 @@ # This setting should be treated with care since it opens up execution # capabilities to non root users. By default this capability is completely # disabled. -#pulisher_acl: +#publisher_acl: # larry: # - test.ping # - network.* 
@@ -283,6 +316,11 @@ # running any commands. It would also blacklist any use of the "cmd" # module. This is completely disabled by default. # +# +# Check the list of configured users in client ACL against users on the +# system and throw errors if they do not exist. +#client_acl_verify: True +# #publisher_acl_blacklist: # users: # - root @@ -295,7 +333,7 @@ # publisher_acl_blacklist instead. # Enforce publisher_acl & publisher_acl_blacklist when users have sudo -# access to the salt command. +# access to the salt command. # #sudo_acl: False @@ -308,6 +346,18 @@ # # Time (in seconds) for a newly generated token to live. Default: 12 hours #token_expire: 43200 +# +# Allow eauth users to specify the expiry time of the tokens they generate. +# A boolean applies to all users or a dictionary of whitelisted eauth backends +# and usernames may be given. +# token_expire_user_override: +# pam: +# - fred +# - tom +# ldap: +# - gary +# +#token_expire_user_override: False # Allow minions to push files to the master. This is disabled by default, for # security purposes. @@ -344,6 +394,10 @@ #ssh_minion_opts: # gpg_keydir: /root/gpg +# Set this to True to default to using ~/.ssh/id_rsa for salt-ssh +# authentication with minions +#ssh_use_home_key: False + ##### Master Module Management ##### ########################################## # Manage how master side modules are loaded. @@ -455,7 +509,7 @@ # When using multiple environments, each with their own top file, the # default behaviour is an unordered merge. To prevent top files from # being merged together and instead to only use the top file from the -# requested environment, set this value to 'same'. +# requested environment, set this value to 'same'. #top_file_merging_strategy: merge # To specify the order in which environments are merged, set the ordering 
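Review bot: The client_acl_verify paragraph is inserted between the publisher_acl_blacklist description and its `#publisher_acl_blacklist:` example, so the example now reads as if it belonged to the "Check the list of configured users..." text. Moving the three new comment lines and `#client_acl_verify: True` below the end of the blacklist example keeps each option next to its own description. The key is named client_acl_* while the surrounding text steers readers towards publisher_acl, so a one-line remark on which ACL it verifies would help. The blacklist example continues past the end of this hunk.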
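Review bot: The token_expire_user_override text in the `@@ -308,6 +346,18 @@` hunk does not say that the listed users can then pick a token lifetime other than, and possibly longer than, the token_expire value documented just above it. That is the main reason an operator would keep it off. Suggest adding `# Users allowed here can issue tokens that outlive token_expire; list only the accounts that need it.` before the example. The option is also shown twice in two comment styles (`# token_expire_user_override:` with the dictionary, then `#token_expire_user_override: False`); labelling the first as an example would stop it being read as prose.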
@@ -469,12 +523,15 @@ #default_top: base # The hash_type is the hash to use when discovering the hash of a file on -# the master server. The default is md5, but sha1, sha224, sha256, sha384 +# the master server. The default is md5 but sha1, sha224, sha256, sha384 # and sha512 are also supported. # -# Prior to changing this value, the master should be stopped and all Salt +# WARNING: While md5 is also supported, do not use it due to the high chance +# of possible collisions and thus security breach. +# +# Prior to changing this value, the master should be stopped and all Salt # caches should be cleared. -#hash_type: md5 +#hash_type: sha256 # The buffer size in the file server can be adjusted here: #file_buffer_size: 1048576 
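Review bot: The rewritten hash_type comment contradicts itself: it still says "The default is md5", the added WARNING says not to use md5, and the commented example now reads `#hash_type: sha256`, so a reader cannot tell which digest an untouched install uses. State the default once, matching what the packaged release really does, for example `# The default is sha256; md5, sha1, sha224, sha384 and sha512 are also supported.` if that is the case (not verifiable from this patch). Because the key stays commented out, the image relies on the compiled-in default; shipping `hash_type: sha256` uncommented would make the choice explicit. The same wording problem is in the minion file's hash_type hunk (`@@ -456,13 +568,19 @@`).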
@@ -540,10 +597,37 @@ # Git File Server Backend Configuration # -# Gitfs can be provided by one of two python modules: GitPython or pygit2. If -# using pygit2, both libgit2 and git must also be installed. -#gitfs_provider: gitpython -# +# Optional parameter used to specify the provider to be used for gitfs. Must +# be one of the following: pygit2, gitpython, or dulwich. If unset, then each +# will be tried in that same order, and the first one with a compatible +# version installed will be the provider that is used. +#gitfs_provider: pygit2 + +# Along with gitfs_password, is used to authenticate to HTTPS remotes. +# gitfs_user: '' + +# Along with gitfs_user, is used to authenticate to HTTPS remotes. +# This parameter is not required if the repository does not use authentication. +#gitfs_password: '' + +# By default, Salt will not authenticate to an HTTP (non-HTTPS) remote. +# This parameter enables authentication over HTTP. Enable this at your own risk. +#gitfs_insecure_auth: False + +# Along with gitfs_privkey (and optionally gitfs_passphrase), is used to +# authenticate to SSH remotes. This parameter (or its per-remote counterpart) +# is required for SSH remotes. +#gitfs_pubkey: '' + +# Along with gitfs_pubkey (and optionally gitfs_passphrase), is used to +# authenticate to SSH remotes. This parameter (or its per-remote counterpart) +# is required for SSH remotes. +#gitfs_privkey: '' + +# This parameter is optional, required only when the SSH key being used to +# authenticate is protected by a passphrase. +#gitfs_passphrase: '' + # When using the git fileserver backend at least one git remote needs to be # defined. The user running the salt master will need read access to the repo. # 
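Review bot: The new gitfs_password and gitfs_passphrase entries invite operators to put repository credentials into the master config, but nothing in the added comments says the values sit there in clear text or that the file then needs restrictive permissions. A line such as `# NOTE: credentials set here are stored in clear text; restrict read access to this file to the user running salt-master.` above `#gitfs_password: ''` would cover it; whether the recipe installs the file with a tight mode is not visible in this patch. The git_pillar_password and git_pillar_passphrase entries in the `@@ -621,6 +705,107 @@` hunk have the same gap, and git_pillar_insecure_auth lacks the "Enable this at your own risk" remark that gitfs_insecure_auth carries. Minor: `# gitfs_user: ''` has a space after the `#`, unlike the other commented keys.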
@@ -551,7 +635,7 @@ # and the first repo to have the file will return it. # When using the git backend branches and tags are translated into salt # environments. -# Note: file:// repos will be treated as a remote, so refs you want used must +# Note: file:// repos will be treated as a remote, so refs you want used must # exist in that repo as *local* refs. #gitfs_remotes: # - git://github.com/saltstack/salt-states.git @@ -610,10 +694,10 @@ #pillar_safe_render_error: True # The pillar_source_merging_strategy option allows you to configure merging strategy -# between different sources. It accepts four values: recurse, aggregate, overwrite, -# or smart. Recurse will merge recursively mapping of data. Aggregate instructs -# aggregation of elements between sources that use the #!yamlex renderer. Overwrite -# will verwrite elements according the order in which they are processed. This is +# between different sources. It accepts five values: none, recurse, aggregate, overwrite, +# or smart. None will not do any merging at all. Recurse will merge recursively mapping of data. +# Aggregate instructs aggregation of elements between sources that use the #!yamlex renderer. Overwrite +# will overwrite elements according the order in which they are processed. This is # behavior of the 2014.1 branch and earlier. Smart guesses the best strategy based # on the "renderer" setting and is the default value. #pillar_source_merging_strategy: smart 
@@ -621,6 +705,107 @@ # Recursively merge lists by aggregating them instead of replacing them. #pillar_merge_lists: False +# Set this option to 'True' to force a 'KeyError' to be raised whenever an +# attempt to retrieve a named value from pillar fails. When this option is set +# to 'False', the failed attempt returns an empty string. Default is 'False'. +#pillar_raise_on_missing: False + +# Git External Pillar (git_pillar) Configuration Options +# +# Specify the provider to be used for git_pillar. Must be either pygit2 or +# gitpython. If unset, then both will be tried in that same order, and the +# first one with a compatible version installed will be the provider that +# is used. +#git_pillar_provider: pygit2 + +# If the desired branch matches this value, and the environment is omitted +# from the git_pillar configuration, then the environment for that git_pillar +# remote will be base. +#git_pillar_base: master + +# If the branch is omitted from a git_pillar remote, then this branch will +# be used instead +#git_pillar_branch: master + +# Environment to use for git_pillar remotes. This is normally derived from +# the branch/tag (or from a per-remote env parameter), but if set this will +# override the process of deriving the env from the branch/tag name. +#git_pillar_env: '' + +# Path relative to the root of the repository where the git_pillar top file +# and SLS files are located. +#git_pillar_root: '' + +# Specifies whether or not to ignore SSL certificate errors when contacting +# the remote repository. +#git_pillar_ssl_verify: False + +# When set to False, if there is an update/checkout lock for a git_pillar +# remote and the pid written to it is not running on the master, the lock +# file will be automatically cleared and a new lock will be obtained. +#git_pillar_global_lock: True + +# Git External Pillar Authentication Options +# +# Along with git_pillar_password, is used to authenticate to HTTPS remotes. 
+#git_pillar_user: '' + +# Along with git_pillar_user, is used to authenticate to HTTPS remotes. +# This parameter is not required if the repository does not use authentication. +#git_pillar_password: '' + +# By default, Salt will not authenticate to an HTTP (non-HTTPS) remote. +# This parameter enables authentication over HTTP. +#git_pillar_insecure_auth: False + +# Along with git_pillar_privkey (and optionally git_pillar_passphrase), +# is used to authenticate to SSH remotes. +#git_pillar_pubkey: '' + +# Along with git_pillar_pubkey (and optionally git_pillar_passphrase), +# is used to authenticate to SSH remotes. +#git_pillar_privkey: '' + +# This parameter is optional, required only when the SSH key being used +# to authenticate is protected by a passphrase. +#git_pillar_passphrase: '' + +# A master can cache pillars locally to bypass the expense of having to render them +# for each minion on every request. This feature should only be enabled in cases +# where pillar rendering time is known to be unsatisfactory and any attendant security +# concerns about storing pillars in a master cache have been addressed. +# +# When enabling this feature, be certain to read through the additional ``pillar_cache_*`` +# configuration options to fully understand the tunable parameters and their implications. +# +# Note: setting ``pillar_cache: True`` has no effect on targeting Minions with Pillars. +# See https://docs.saltstack.com/en/latest/topics/targeting/pillar.html +#pillar_cache: False + +# If and only if a master has set ``pillar_cache: True``, the cache TTL controls the amount +# of time, in seconds, before the cache is considered invalid by a master and a fresh +# pillar is recompiled and stored. +#pillar_cache_ttl: 3600 + +# If and only if a master has set `pillar_cache: True`, one of several storage providers +# can be utililzed. +# +# `disk`: The default storage backend. This caches rendered pillars to the master cache. 
+# Rendered pillars are serialized and deserialized as msgpack structures for speed. +# Note that pillars are stored UNENCRYPTED. Ensure that the master cache +# has permissions set appropriately. (Same defaults are provided.) +# +# memory: [EXPERIMENTAL] An optional backend for pillar caches which uses a pure-Python +# in-memory data structure for maximal performance. There are several caveats, +# however. First, because each master worker contains its own in-memory cache, +# there is no guarantee of cache consistency between minion requests. This +# works best in situations where the pillar rarely if ever changes. Secondly, +# and perhaps more importantly, this means that unencrypted pillars will +# be accessible to any process which can examine the memory of the ``salt-master``! +# This may represent a substantial security risk. +# +#pillar_cache_backend: disk + ##### Syndic settings ##### ########################################## @@ -649,6 +834,12 @@ # LOG file of the syndic daemon: #syndic_log_file: syndic.log +# The behaviour of the multi-syndic when connection to a master of masters failed. +# Can specify ``random`` (default) or ``ordered``. If set to ``random``, masters +# will be iterated in random order. If ``ordered`` is specified, the configured +# order will be used. +#syndic_failover: random + ##### Peer Publish settings ##### ########################################## @@ -738,7 +929,7 @@ # If using 'log_granular_levels' this must be set to the highest desired level. #log_level_logfile: warning -# The date and time format used in log messages. Allowed date/time formating +# The date and time format used in log messages. Allowed date/time formatting # can be seen here: http://docs.python.org/library/time.html#time.strftime #log_datefmt: '%H:%M:%S' #log_datefmt_logfile: '%Y-%m-%d %H:%M:%S' 
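Review bot: In the `@@ -621,6 +705,107 @@` hunk the git_pillar_ssl_verify comment reads "whether or not to ignore SSL certificate errors" and is followed by `#git_pillar_ssl_verify: False`, so it is unclear whether False means "do not ignore errors" or "do not verify", and an operator who uncomments the line as shown may fetch pillar data without certificate validation. Word it after the key name and show the safe value: `# Verify the remote's SSL certificate. Set to False only for remotes whose certificate you trust by other means.` with `#git_pillar_ssl_verify: True`. Whether False is the compiled default in this release cannot be confirmed from the patch; if it is, that deserves an explicit sentence. Smaller items in the same hunk: "(Same defaults are provided.)" presumably means "Sane defaults", and "utililzed" is a typo.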
@@ -760,7 +951,7 @@ #log_fmt_console: '%(colorlevel)s %(colormsg)s' #log_fmt_console: '[%(levelname)-8s] %(message)s' # -#log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s' +#log_fmt_logfile: '%(asctime)s,%(msecs)03d [%(name)-17s][%(levelname)-8s] %(message)s' # This can be used to control logging levels more specificically. This # example sets the main salt library at the 'warning' level, but sets @@ -774,11 +965,18 @@ ##### Node Groups ###### ########################################## -# Node groups allow for logical groupings of minion nodes. A group consists of a group -# name and a compound target. +# Node groups allow for logical groupings of minion nodes. A group consists of +# a group name and a compound target. Nodgroups can reference other nodegroups +# with 'N@' classifier. Ensure that you do not have circular references. +# #nodegroups: -# group1: '[email protected],bar.domain.com,baz.domain.com and bl*.domain.com' +# group1: '[email protected],bar.domain.com,baz.domain.com or bl*.domain.com' # group2: 'G@os:Debian and foo.domain.com' +# group3: 'G@os:Debian and N@group1' +# group4: +# - 'G@foo:bar' +# - 'or' +# - 'G@foo:baz' ##### Range Cluster settings ##### @@ -824,3 +1022,13 @@ ############################################ # Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch #event_match_type: startswith + +# Save runner returns to the job cache +#runner_returns: True + +# Permanently include any available Python 3rd party modules into Salt Thin +# when they are generated for Salt-SSH or other purposes. +# The modules should be named by the names they are actually imported inside the Python. +# The value of the parameters can be either one module or a comma separated list of them. +#thin_extra_mods: foo,bar + diff --git a/meta-openstack/recipes-support/salt/files/minion b/meta-openstack/recipes-support/salt/files/minion index bd97c43..ad7a374 100644 
--- a/meta-openstack/recipes-support/salt/files/minion +++ b/meta-openstack/recipes-support/salt/files/minion @@ -38,6 +38,8 @@ # value to "str". Failover masters can be requested by setting # to "failover". MAKE SURE TO SET master_alive_interval if you are # using failover. +# Setting master_type to 'disable' let's you have a running minion (with engines and +# beacons) without a master connection # master_type: str # Poll interval in seconds for checking if the master is still there. Only @@ -46,6 +48,16 @@ # of TCP connections, such as load balancers.) # master_alive_interval: 30 +# If the minion is in multi-master mode and the master_type configuration option +# is set to "failover", this setting can be set to "True" to force the minion +# to fail back to the first master in the list if the first master is back online. +#master_failback: False + +# If the minion is in multi-master mode, the "master_type" configuration is set to +# "failover", and the "master_failback" option is enabled, the master failback +# interval can be set to ping the top master with this interval, in seconds. +#master_failback_interval: 0 + # Set whether the minion should connect to the master via IPv6: #ipv6: False 
@@ -60,11 +72,15 @@ # The user to run salt. #user: root -# Setting sudo_user will cause salt to run all execution modules under an sudo -# to the user given in sudo_user. The user under which the salt minion process -# itself runs will still be that provided in the user config above, but all -# execution modules run by the minion will be rerouted through sudo. -#sudo_user: saltdev +# The user to run salt remote execution commands as via sudo. If this option is +# enabled then sudo will be used to change the active user executing the remote +# command. If enabled the user will need to be allowed access via the sudoers +# file for the user that the salt minion is configured to run as. The most +# common option would be to use the root user. If this option is set the user +# option should also be set to a non-root user. If migrating from a root minion +# to a non root minion the minion cache should be cleared and the minion pki +# directory will need to be changed to the ownership of the new user. +#sudo_user: root # Specify the location of the daemon process ID file. #pidfile: /var/run/salt-minion.pid @@ -73,6 +89,9 @@ # sock_dir, pidfile. #root_dir: / +# The path to the minion's configuration file. +#conf_file: /etc/salt/minion + # The directory to store the pki information in #pki_dir: /etc/salt/pki/minion @@ -83,6 +102,13 @@ # clusters. #id: +# Cache the minion id to a file when the minion's id is not statically defined +# in the minion config. Defaults to "True". This setting prevents potential +# problems when automatic minion id resolution changes, which can cause the +# minion to lose connection with the master. To turn off minion id caching, +# set this config to ``False``. +#minion_id_caching: True + # Append a domain to a hostname in the event that it does not exist. This is # useful for systems where socket.getfqdn() does not actually result in a # FQDN (for instance, Solaris). 
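Review bot: The new sudo_user text says `user` should be set to a non-root account whenever sudo_user is set, yet the example becomes `#sudo_user: root` while the context line above still shows `#user: root`, so uncommenting the example alone gives a root minion that sudo's to root and none of the intended privilege separation. Showing the pair together, e.g. `#user: <non-root account>` next to `#sudo_user: root`, would match the prose. The paragraph only says the user "will need to be allowed access via the sudoers file"; a short remark that the sudoers rule should be limited to what the minion needs would be a useful addition.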
@@ -103,6 +129,13 @@ # This data may contain sensitive data and should be protected accordingly. #cachedir: /var/cache/salt/minion +# Append minion_id to these directories. Helps with +# multiple proxies and minions running on the same machine. +# Allowed elements in the list: pki_dir, cachedir, extension_modules +# Normally not needed unless running several proxies and/or minions on the same machine +# Defaults to ['cachedir'] for proxies, [] (empty list) for regular minions +#append_minionid_config_dirs: + # Verify and set permissions on configuration directories at startup. #verify_env: True @@ -171,6 +204,20 @@ # authenticate. #auth_tries: 7 +# The number of attempts to connect to a master before giving up. +# Set this to -1 for unlimited attempts. This allows for a master to have +# downtime and the minion to reconnect to it later when it comes back up. +# In 'failover' mode, it is the number of attempts for each set of masters. +# In this mode, it will cycle through the list of masters for each attempt. +# +# This is different than auth_tries because auth_tries attempts to +# retry auth attempts with a single master. auth_tries is under the +# assumption that you can connect to the master but not gain +# authorization from it. master_tries will still cycle through all +# the masters in a given try, so it is appropriate if you expect +# occasional downtime from the master(s). +#master_tries: 1 + # If authentication fails due to SaltReqTimeoutError during a ping_interval, # cause sub minion process to restart. #auth_safemode: False 
@@ -249,10 +296,17 @@ # # # The loop_interval sets how long in seconds the minion will wait between -# evaluating the scheduler and running cleanup tasks. This defaults to a -# sane 60 seconds, but if the minion scheduler needs to be evaluated more -# often lower this value -#loop_interval: 60 +# evaluating the scheduler and running cleanup tasks. This defaults to 1 +# second on the minion scheduler. +#loop_interval: 1 + +# Some installations choose to start all job returns in a cache or a returner +# and forgo sending the results back to a master. In this workflow, jobs +# are most often executed with --async from the Salt CLI and then results +# are evaluated by examining job caches on the minions or any configured returners. +# WARNING: Setting this to False will **disable** returns back to the master. +#pub_ret: True + # The grains can be merged, instead of overridden, using this option. # This allows custom grains to defined different subvalues of a dictionary @@ -286,6 +340,26 @@ # is not enabled. # grains_cache_expiration: 300 +# Determines whether or not the salt minion should run scheduled mine updates. +# Defaults to "True". Set to "False" to disable the scheduled mine updates +# (this essentially just does not add the mine update function to the minion's +# scheduler). +#mine_enabled: True + +# Determines whether or not scheduled mine updates should be accompanied by a job +# return for the job cache. Defaults to "False". Set to "True" to include job +# returns in the job cache for mine updates. +#mine_return_job: False + +# Example functions that can be run via the mine facility +# NO mine functions are established by default. +# Note these can be defined in the minion's pillar as well. +#mine_functions: +# test.ping: [] +# network.ip_addrs: +# interface: eth0 +# cidr: '10.0.0.0/8' + # Windows platforms lack posix IPC and must rely on slower TCP based inter- # process communications. Set ipc_mode to 'tcp' on such systems #ipc_mode: ipc 
@@ -319,16 +393,33 @@ #include: # - /etc/salt/extra_config # - /etc/roles/webserver + +# The syndic minion can verify that it is talking to the correct master via the +# key fingerprint of the higher-level master with the "syndic_finger" config. +#syndic_finger: '' # # # ##### Minion module management ##### ########################################## # Disable specific modules. This allows the admin to limit the level of -# access the master has to the minion. -#disable_modules: [cmd,test] +# access the master has to the minion. The default here is the empty list, +# below is an example of how this needs to be formatted in the config file +#disable_modules: +# - cmdmod +# - test #disable_returners: [] -# + +# This is the reverse of disable_modules. The default, like disable_modules, is the empty list, +# but if this option is set to *anything* then *only* those modules will load. +# Note that this is a very large hammer and it can be quite difficult to keep the minion working +# the way you think it should since Salt uses many modules internally itself. At a bare minimum +# you need the following enabled or else the minion won't start. +#whitelist_modules: +# - cmdmod +# - test +# - config + # Modules can be loaded from arbitrary paths. This enables the easy deployment # of third party modules. Modules for returners and minions can be loaded. # Specify a list of extra directories to search for minion modules and 
@@ -389,6 +480,15 @@ # environments is to isolate via the top file. #environment: None # +# Isolates the pillar environment on the minion side. This functions the same +# as the environment setting, but for pillar instead of states. +#pillarenv: None +# +# Set this option to 'True' to force a 'KeyError' to be raised whenever an +# attempt to retrieve a named value from pillar fails. When this option is set +# to 'False', the failed attempt returns an empty string. Default is 'False'. +#pillar_raise_on_missing: False +# # If using the local file directory, then the state top file name needs to be # defined, by default this is top.sls. #state_top: top.sls @@ -448,6 +548,18 @@ # base: # - /srv/salt +# Uncomment the line below if you do not want the file_server to follow +# symlinks when walking the filesystem tree. This is set to True +# by default. Currently this only applies to the default roots +# fileserver_backend. +#fileserver_followsymlinks: False +# +# Uncomment the line below if you do not want symlinks to be +# treated as the files they are pointing to. By default this is set to +# False. By uncommenting the line below, any detected symlink while listing +# files on the Master will not be returned to the Minion. +#fileserver_ignoresymlinks: True +# # By default, the Salt fileserver recurses fully into all defined environments # to attempt to find files. To limit this behavior so that the fileserver only # traverses directories with SLS files and special Salt directories like _modules, 
@@ -456,13 +568,19 @@ # is False. #fileserver_limit_traversal: False -# The hash_type is the hash to use when discovering the hash of a file in +# The hash_type is the hash to use when discovering the hash of a file on # the local fileserver. The default is md5, but sha1, sha224, sha256, sha384 # and sha512 are also supported. # +# WARNING: While md5 and sha1 are also supported, do not use it due to the high chance +# of possible collisions and thus security breach. +# +# WARNING: While md5 is also supported, do not use it due to the high chance +# of possible collisions and thus security breach. +# # Warning: Prior to changing this value, the minion should be stopped and all # Salt caches should be cleared. -#hash_type: md5 +#hash_type: sha256 # The Salt pillar is searched for locally if file_client is set to local. If # this is the case, and pillar data is defined, then the pillar_roots need to @@ -470,6 +588,10 @@ #pillar_roots: # base: # - /srv/pillar + +# Set a hard-limit on the size of the files that can be pushed to the master. +# It will be interpreted as megabytes. Default: 100 +#file_recv_max_size: 100 # # ###### Security settings ##### @@ -508,7 +630,7 @@ # Fingerprint of the master public key to validate the identity of your Salt master # before the initial key exchange. The master fingerprint can be found by running -# "salt-key -F master" on the Salt master. +# "salt-key -f master.pub" on the Salt master. #master_finger: '' @@ -548,7 +670,7 @@ # Default: 'warning' #log_level_logfile: -# The date and time format used in log messages. Allowed date/time formating +# The date and time format used in log messages. Allowed date/time formatting # can be seen here: http://docs.python.org/library/time.html#time.strftime #log_datefmt: '%H:%M:%S' #log_datefmt_logfile: '%Y-%m-%d %H:%M:%S' 
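Review bot: Two near-identical WARNING paragraphs are added back to back above `#hash_type: sha256` in the `@@ -456,13 +568,19 @@` hunk, one naming md5 and sha1 and the other md5 only, which looks like a merge leftover and leaves it unclear whether sha1 is being discouraged too. Keep a single paragraph, for example `# WARNING: md5 and sha1 are still accepted, but do not use them because of the risk of collisions.` The sentence above it also still says "The default is md5", which no longer agrees with the commented value.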
@@ -570,7 +692,7 @@ #log_fmt_console: '%(colorlevel)s %(colormsg)s' #log_fmt_console: '[%(levelname)-8s] %(message)s' # -#log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s' +#log_fmt_logfile: '%(asctime)s,%(msecs)03d [%(name)-17s][%(levelname)-8s] %(message)s' # This can be used to control logging levels more specificically. This # example sets the main salt library at the 'warning' level, but sets diff --git a/meta-openstack/recipes-support/salt/files/salt-common.logrotate b/meta-openstack/recipes-support/salt/files/salt-common.logrotate index dcfd268..3cd0023 100644 --- a/meta-openstack/recipes-support/salt/files/salt-common.logrotate +++ b/meta-openstack/recipes-support/salt/files/salt-common.logrotate @@ -1,7 +1,20 @@ -/var/log/salt/master -/var/log/salt/minion -/var/log/salt/*.log -{ +/var/log/salt/master { + weekly + missingok + rotate 7 + compress + notifempty +} + +/var/log/salt/minion { + weekly + missingok + rotate 7 + compress + notifempty +} + +/var/log/salt/key { weekly missingok rotate 7 diff --git a/meta-openstack/recipes-support/salt/salt_2016.3.0.bb b/meta-openstack/recipes-support/salt/salt_2016.11.0.bb similarity index 98% rename from meta-openstack/recipes-support/salt/salt_2016.3.0.bb rename to meta-openstack/recipes-support/salt/salt_2016.11.0.bb index 7024f42..ba1def7 100644 --- a/meta-openstack/recipes-support/salt/salt_2016.3.0.bb +++ b/meta-openstack/recipes-support/salt/salt_2016.11.0.bb 
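Review bot: Dropping the `/var/log/salt/*.log` pattern in salt-common.logrotate means only master, minion and key are rotated; any other log Salt writes into /var/log/salt (a syndic or API log, if the image enables one and it lands there) now grows without bound, which on a target with a small root filesystem can fill the disk and stop logging altogether. If the wildcard was removed on purpose, add stanzas for the remaining logs the image enables, or keep a catch-all `/var/log/salt/*.log { ... }` block with the same options. The three stanzas are identical, so a single block listing the three paths would be shorter and harder to let drift. The key stanza continues past the end of the hunk.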
@@ -28,8 +28,8 @@ SRC_URI = "https://files.pythonhosted.org/packages/source/s/${SRCNAME}/${SRCNAME file://roster \ " -SRC_URI[md5sum] = "8ed82cfb3f9b1764a035edbdacf0fea9" -SRC_URI[sha256sum] = "e316dd103b7faeaa97820197e4d0d7d358519f0ca2a6dcb1d9b718eea801ed30" +SRC_URI[md5sum] = "eced07a652cc6a31870fc098d5325a9c" +SRC_URI[sha256sum] = "b516285926ee95cedc64ecddab05d14422b7c8819c9f6d046a431c41d608e6bc" S = "${WORKDIR}/${SRCNAME}-${PV}" -- 2.7.4 -- _______________________________________________ meta-virtualization mailing list [email protected] https://lists.yoctoproject.org/listinfo/meta-virtualization
