merged. Bruce
On Wed, Dec 14, 2016 at 3:38 PM, Alejandro del Castillo < [email protected]> wrote:
> Signed-off-by: Alejandro del Castillo <[email protected]>
> ---
> meta-openstack/recipes-support/salt/files/cloud | 6 +-
> meta-openstack/recipes-support/salt/files/master | 276
> ++++++++++++++++++---
> meta-openstack/recipes-support/salt/files/minion | 156 ++++++++++--
> .../salt/files/salt-common.logrotate | 21 +-
> .../salt/{salt_2016.3.0.bb => salt_2016.11.0.bb} | 4 +-
> 5 files changed, 403 insertions(+), 60 deletions(-)
> rename meta-openstack/recipes-support/salt/{salt_2016.3.0.bb =>
> salt_2016.11.0.bb} (98%)
>
> diff --git a/meta-openstack/recipes-support/salt/files/cloud
> b/meta-openstack/recipes-support/salt/files/cloud
> index 5bd28df..921cc04 100644
> --- a/meta-openstack/recipes-support/salt/files/cloud
> +++ b/meta-openstack/recipes-support/salt/files/cloud
> @@ -1,4 +1,4 @@
> -# This file should normally be installed at: /etc/salt/cloud
> +# This file should normally be installed at: /etc/salt/cloud
>
>
> ##########################################
> @@ -44,7 +44,7 @@
> #log_level_logfile: info
>
>
> -# The date and time format used in log messages. Allowed date/time
> formating
> +# The date and time format used in log messages. Allowed date/time
> formatting
> # can be seen here:
> #
> # http://docs.python.org/library/time.html#time.strftime
> @@ -71,7 +71,7 @@
> #log_fmt_console: '%(colorlevel)s %(colormsg)s'
> #log_fmt_console: '[%(levelname)-8s] %(message)s'
> #
> -#log_fmt_logfile: '%(asctime)s,%(msecs)03.0f
> [%(name)-17s][%(levelname)-8s] %(message)s'
> +#log_fmt_logfile: '%(asctime)s,%(msecs)03d [%(name)-17s][%(levelname)-8s]
> %(message)s'
>
>
> # Logger levels can be used to tweak specific loggers logging levels.
> diff --git a/meta-openstack/recipes-support/salt/files/master
> b/meta-openstack/recipes-support/salt/files/master
> index 821f5fc..4ecb160 100644
> --- a/meta-openstack/recipes-support/salt/files/master
> +++ b/meta-openstack/recipes-support/salt/files/master
> @@ -39,12 +39,22 @@
> # key_logfile, pidfile:
> #root_dir: /
>
> +# The path to the master's configuration file.
> +#conf_file: /etc/salt/master
> +
> # Directory used to store public key data:
> #pki_dir: /etc/salt/pki/master
>
> +# Key cache. Increases master speed for large numbers of accepted
> +# keys. Available options: 'sched'. (Updates on a fixed schedule.)
> +# Note that enabling this feature means that minions will not be
> +# available to target for up to the length of the maintanence loop
> +# which by default is 60s.
> +#key_cache: ''
> +
> # Directory to store job and cache data:
> # This directory may contain sensitive data and should be protected
> accordingly.
> -#
> +#
> #cachedir: /var/cache/salt/master
>
> # Directory for custom modules. This directory can contain subdirectories
> for
> @@ -54,7 +64,7 @@
>
> # Directory for custom modules. This directory can contain subdirectories
> for
> # each of Salt's module types such as "runners", "output", "wheel",
> "modules",
> -# "states", "returners", etc.
> +# "states", "returners", "engines", etc.
> # Like 'extension_modules' but can take an array of paths
> #module_dirs: <no default>
> # - /var/cache/salt/minion/extmods
> @@ -65,6 +75,10 @@
> # Set the number of hours to keep old job information in the job cache:
> #keep_jobs: 24
>
> +# The number of seconds to wait when the client is requesting information
> +# about running jobs.
> +#gather_job_timeout: 10
> +
> # Set the default timeout for the salt command and api. The default is 5
> # seconds.
> #timeout: 5
> @@ -77,6 +91,11 @@
> # Set the default outputter used by the salt command. The default is
> "nested".
> #output: nested
>
> +# Set the default output file used by the salt command. Default is to
> output
> +# to the CLI and not to a file. Functions the same way as the "--out-file"
> +# CLI option, only sets this to a single file for all salt commands.
> +#output_file: None
> +
> # Return minions that timeout when running commands like test.ping
> #show_timeout: True
>
> @@ -88,6 +107,12 @@
> # (true by default).
> # strip_colors: False
>
> +# To display a summary of the number of minions targeted, the number of
> +# minions returned, and the number of minions that did not return, set the
> +# cli_summary value to True. (False by default.)
> +#
> +#cli_summary: False
> +
> # Set the directory used to hold unix sockets:
> #sock_dir: /var/run/salt/master
>
> @@ -106,7 +131,7 @@
> #minion_data_cache: True
>
> # Store all returns in the given returner.
> -# Setting this option requires that any returner-specific configuration
> also
> +# Setting this option requires that any returner-specific configuration
> also
> # be set. See various returners in salt/returners for details on required
> # configuration values. (See also, event_return_queue below.)
> #
> @@ -118,15 +143,15 @@
> # By default, events are not queued.
> #event_return_queue: 0
>
> -# Only events returns matching tags in a whitelist
> -# event_return_whitelist:
> -# - salt/master/a_tag
> -# - salt/master/another_tag
> +# Only return events matching tags in a whitelist, supports glob matches.
> +#event_return_whitelist:
> +# - salt/master/a_tag
> +# - salt/run/*/ret
>
> -# Store all event returns _except_ the tags in a blacklist
> -# event_return_blacklist:
> -# - salt/master/not_this_tag
> -# - salt/master/or_this_one
> +# Store all event returns **except** the tags in a blacklist, supports
> globs.
> +#event_return_blacklist:
> +# - salt/master/not_this_tag
> +# - salt/wheel/*/ret
>
> # Passing very large events can cause the minion to consume large amounts
> of
> # memory. This value tunes the maximum size of a message allowed onto the
> @@ -145,12 +170,12 @@
> # the key rotation event as minions reconnect. Consider this carefully if
> this
> # salt master is managing a large number of minions.
> #
> -# If disabled, it is recommended to handle this event by listening for the
> +# If disabled, it is recommended to handle this event by listening for the
> # 'aes_key_rotate' event with the 'key' tag and acting appropriately.
> # ping_on_rotate: False
>
> # By default, the master deletes its cache of minion data when the key
> for that
> -# minion is removed. To preserve the cache after key deletion, set
> +# minion is removed. To preserve the cache after key deletion, set
> # 'preserve_minion_cache' to True.
> #
> # WARNING: This may have security implications if compromised minions
> auth with
> @@ -230,6 +255,14 @@
> # ZMQ high-water-mark for EventPublisher pub socket
> #event_publisher_pub_hwm: 10000
>
> +# The master may allocate memory per-event and not
> +# reclaim it.
> +# To set a high-water mark for memory allocation, use
> +# ipc_write_buffer to set a high-water mark for message
> +# buffering.
> +# Value: In bytes. Set to 'dynamic' to have Salt select
> +# a value for you. Default is disabled.
> +# ipc_write_buffer: 'dynamic'
>
>
> ##### Security settings #####
> @@ -244,7 +277,7 @@
> # public keys from the minions. Note that this is insecure.
> #auto_accept: False
>
> -# Time in minutes that a incoming public key with a matching name found in
> +# Time in minutes that an incoming public key with a matching name found
> in
> # pki_dir/minion_autosign/keyid is automatically accepted. Expired
> autosign keys
> # are removed when the master checks the minion_autosign directory.
> # 0 equals no timeout
> @@ -272,7 +305,7 @@
> # This setting should be treated with care since it opens up execution
> # capabilities to non root users. By default this capability is completely
> # disabled.
> -#pulisher_acl:
> +#publisher_acl:
> # larry:
> # - test.ping
> # - network.*
> @@ -283,6 +316,11 @@
> # running any commands. It would also blacklist any use of the "cmd"
> # module. This is completely disabled by default.
> #
> +#
> +# Check the list of configured users in client ACL against users on the
> +# system and throw errors if they do not exist.
> +#client_acl_verify: True
> +#
> #publisher_acl_blacklist:
> # users:
> # - root
> @@ -295,7 +333,7 @@
> # publisher_acl_blacklist instead.
>
> # Enforce publisher_acl & publisher_acl_blacklist when users have sudo
> -# access to the salt command.
> +# access to the salt command.
> #
> #sudo_acl: False
>
> @@ -308,6 +346,18 @@
> #
> # Time (in seconds) for a newly generated token to live. Default: 12 hours
> #token_expire: 43200
> +#
> +# Allow eauth users to specify the expiry time of the tokens they
> generate.
> +# A boolean applies to all users or a dictionary of whitelisted eauth
> backends
> +# and usernames may be given.
> +# token_expire_user_override:
> +# pam:
> +# - fred
> +# - tom
> +# ldap:
> +# - gary
> +#
> +#token_expire_user_override: False
>
> # Allow minions to push files to the master. This is disabled by default,
> for
> # security purposes.
> @@ -344,6 +394,10 @@
> #ssh_minion_opts:
> # gpg_keydir: /root/gpg
>
> +# Set this to True to default to using ~/.ssh/id_rsa for salt-ssh
> +# authentication with minions
> +#ssh_use_home_key: False
> +
> ##### Master Module Management #####
> ##########################################
> # Manage how master side modules are loaded.
> @@ -455,7 +509,7 @@
> # When using multiple environments, each with their own top file, the
> # default behaviour is an unordered merge. To prevent top files from
> # being merged together and instead to only use the top file from the
> -# requested environment, set this value to 'same'.
> +# requested environment, set this value to 'same'.
> #top_file_merging_strategy: merge
>
> # To specify the order in which environments are merged, set the ordering
> @@ -469,12 +523,15 @@
> #default_top: base
>
> # The hash_type is the hash to use when discovering the hash of a file on
> -# the master server. The default is md5, but sha1, sha224, sha256, sha384
> +# the master server. The default is md5 but sha1, sha224, sha256, sha384
> # and sha512 are also supported.
> #
> -# Prior to changing this value, the master should be stopped and all Salt
> +# WARNING: While md5 is also supported, do not use it due to the high
> chance
> +# of possible collisions and thus security breach.
> +#
> +# Prior to changing this value, the master should be stopped and all Salt
> # caches should be cleared.
> -#hash_type: md5
> +#hash_type: sha256
>
> # The buffer size in the file server can be adjusted here:
> #file_buffer_size: 1048576
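Review bot: The retained sentence `The default is md5` now contradicts both the added WARNING and the sample line `#hash_type: sha256`, so a reader cannot tell which digest an unconfigured master actually uses. If the packaged release still defaults to md5, the recipe could ship the line uncommented as `hash_type: sha256` so the warning is acted on; if the default is already sha256, the sentence should read `The default is sha256; md5, sha1, sha224, sha384 and sha512 are also supported.` The minion hunk `@@ -456,13 +568,19 @@` has the same mismatch and also adds the WARNING paragraph twice (once naming md5 and sha1, once md5 only); one copy should be kept.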
> @@ -540,10 +597,37 @@
>
> # Git File Server Backend Configuration
> #
> -# Gitfs can be provided by one of two python modules: GitPython or
> pygit2. If
> -# using pygit2, both libgit2 and git must also be installed.
> -#gitfs_provider: gitpython
> -#
> +# Optional parameter used to specify the provider to be used for gitfs.
> Must
> +# be one of the following: pygit2, gitpython, or dulwich. If unset, then
> each
> +# will be tried in that same order, and the first one with a compatible
> +# version installed will be the provider that is used.
> +#gitfs_provider: pygit2
> +
> +# Along with gitfs_password, is used to authenticate to HTTPS remotes.
> +# gitfs_user: ''
> +
> +# Along with gitfs_user, is used to authenticate to HTTPS remotes.
> +# This parameter is not required if the repository does not use
> authentication.
> +#gitfs_password: ''
> +
> +# By default, Salt will not authenticate to an HTTP (non-HTTPS) remote.
> +# This parameter enables authentication over HTTP. Enable this at your
> own risk.
> +#gitfs_insecure_auth: False
> +
> +# Along with gitfs_privkey (and optionally gitfs_passphrase), is used to
> +# authenticate to SSH remotes. This parameter (or its per-remote
> counterpart)
> +# is required for SSH remotes.
> +#gitfs_pubkey: ''
> +
> +# Along with gitfs_pubkey (and optionally gitfs_passphrase), is used to
> +# authenticate to SSH remotes. This parameter (or its per-remote
> counterpart)
> +# is required for SSH remotes.
> +#gitfs_privkey: ''
> +
> +# This parameter is optional, required only when the SSH key being used to
> +# authenticate is protected by a passphrase.
> +#gitfs_passphrase: ''
> +
> # When using the git fileserver backend at least one git remote needs to
> be
> # defined. The user running the salt master will need read access to the
> repo.
> #
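Review bot: The added `gitfs_password`, `gitfs_privkey` and `gitfs_passphrase` entries invite operators to place credentials in this file, yet none of the new comments says that the values are kept in plain text or that the file should not be world-readable. I would add one line above the `gitfs_user` entry, for example `# NOTE: values set here are stored in plain text; restrict read access to this file to the user running the salt master.` It is also worth checking the mode with which the recipe installs /etc/salt/master; the .bb file is not part of this hunk, so that is unverified here. The same remark applies to `git_pillar_password` and `git_pillar_passphrase` in hunk `@@ -621,6 +705,107 @@`.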
> @@ -551,7 +635,7 @@
> # and the first repo to have the file will return it.
> # When using the git backend branches and tags are translated into salt
> # environments.
> -# Note: file:// repos will be treated as a remote, so refs you want used
> must
> +# Note: file:// repos will be treated as a remote, so refs you want used
> must
> # exist in that repo as *local* refs.
> #gitfs_remotes:
> # - git://github.com/saltstack/salt-states.git
> @@ -610,10 +694,10 @@
> #pillar_safe_render_error: True
>
> # The pillar_source_merging_strategy option allows you to configure
> merging strategy
> -# between different sources. It accepts four values: recurse, aggregate,
> overwrite,
> -# or smart. Recurse will merge recursively mapping of data. Aggregate
> instructs
> -# aggregation of elements between sources that use the #!yamlex renderer.
> Overwrite
> -# will verwrite elements according the order in which they are processed.
> This is
> +# between different sources. It accepts five values: none, recurse,
> aggregate, overwrite,
> +# or smart. None will not do any merging at all. Recurse will merge
> recursively mapping of data.
> +# Aggregate instructs aggregation of elements between sources that use
> the #!yamlex renderer. Overwrite
> +# will overwrite elements according the order in which they are
> processed. This is
> # behavior of the 2014.1 branch and earlier. Smart guesses the best
> strategy based
> # on the "renderer" setting and is the default value.
> #pillar_source_merging_strategy: smart
> @@ -621,6 +705,107 @@
> # Recursively merge lists by aggregating them instead of replacing them.
> #pillar_merge_lists: False
>
> +# Set this option to 'True' to force a 'KeyError' to be raised whenever an
> +# attempt to retrieve a named value from pillar fails. When this option
> is set
> +# to 'False', the failed attempt returns an empty string. Default is
> 'False'.
> +#pillar_raise_on_missing: False
> +
> +# Git External Pillar (git_pillar) Configuration Options
> +#
> +# Specify the provider to be used for git_pillar. Must be either pygit2 or
> +# gitpython. If unset, then both will be tried in that same order, and the
> +# first one with a compatible version installed will be the provider that
> +# is used.
> +#git_pillar_provider: pygit2
> +
> +# If the desired branch matches this value, and the environment is omitted
> +# from the git_pillar configuration, then the environment for that
> git_pillar
> +# remote will be base.
> +#git_pillar_base: master
> +
> +# If the branch is omitted from a git_pillar remote, then this branch will
> +# be used instead
> +#git_pillar_branch: master
> +
> +# Environment to use for git_pillar remotes. This is normally derived from
> +# the branch/tag (or from a per-remote env parameter), but if set this
> will
> +# override the process of deriving the env from the branch/tag name.
> +#git_pillar_env: ''
> +
> +# Path relative to the root of the repository where the git_pillar top
> file
> +# and SLS files are located.
> +#git_pillar_root: ''
> +
> +# Specifies whether or not to ignore SSL certificate errors when
> contacting
> +# the remote repository.
> +#git_pillar_ssl_verify: False
> +
> +# When set to False, if there is an update/checkout lock for a git_pillar
> +# remote and the pid written to it is not running on the master, the lock
> +# file will be automatically cleared and a new lock will be obtained.
> +#git_pillar_global_lock: True
> +
> +# Git External Pillar Authentication Options
> +#
> +# Along with git_pillar_password, is used to authenticate to HTTPS
> remotes.
> +#git_pillar_user: ''
> +
> +# Along with git_pillar_user, is used to authenticate to HTTPS remotes.
> +# This parameter is not required if the repository does not use
> authentication.
> +#git_pillar_password: ''
> +
> +# By default, Salt will not authenticate to an HTTP (non-HTTPS) remote.
> +# This parameter enables authentication over HTTP.
> +#git_pillar_insecure_auth: False
> +
> +# Along with git_pillar_privkey (and optionally git_pillar_passphrase),
> +# is used to authenticate to SSH remotes.
> +#git_pillar_pubkey: ''
> +
> +# Along with git_pillar_pubkey (and optionally git_pillar_passphrase),
> +# is used to authenticate to SSH remotes.
> +#git_pillar_privkey: ''
> +
> +# This parameter is optional, required only when the SSH key being used
> +# to authenticate is protected by a passphrase.
> +#git_pillar_passphrase: ''
> +
> +# A master can cache pillars locally to bypass the expense of having to
> render them
> +# for each minion on every request. This feature should only be enabled
> in cases
> +# where pillar rendering time is known to be unsatisfactory and any
> attendant security
> +# concerns about storing pillars in a master cache have been addressed.
> +#
> +# When enabling this feature, be certain to read through the additional
> ``pillar_cache_*``
> +# configuration options to fully understand the tunable parameters and
> their implications.
> +#
> +# Note: setting ``pillar_cache: True`` has no effect on targeting Minions
> with Pillars.
> +# See https://docs.saltstack.com/en/latest/topics/targeting/pillar.html
> +#pillar_cache: False
> +
> +# If and only if a master has set ``pillar_cache: True``, the cache TTL
> controls the amount
> +# of time, in seconds, before the cache is considered invalid by a master
> and a fresh
> +# pillar is recompiled and stored.
> +#pillar_cache_ttl: 3600
> +
> +# If and only if a master has set `pillar_cache: True`, one of several
> storage providers
> +# can be utililzed.
> +#
> +# `disk`: The default storage backend. This caches rendered pillars to
> the master cache.
> +# Rendered pillars are serialized and deserialized as msgpack
> structures for speed.
> +# Note that pillars are stored UNENCRYPTED. Ensure that the
> master cache
> +# has permissions set appropriately. (Same defaults are provided.)
> +#
> +# memory: [EXPERIMENTAL] An optional backend for pillar caches which uses
> a pure-Python
> +# in-memory data structure for maximal performance. There are
> several caveats,
> +# however. First, because each master worker contains its own
> in-memory cache,
> +# there is no guarantee of cache consistency between minion
> requests. This
> +# works best in situations where the pillar rarely if ever
> changes. Secondly,
> +# and perhaps more importantly, this means that unencrypted
> pillars will
> +# be accessible to any process which can examine the memory of
> the ``salt-master``!
> +# This may represent a substantial security risk.
> +#
> +#pillar_cache_backend: disk
> +
>
> ##### Syndic settings #####
> ##########################################
> @@ -649,6 +834,12 @@
> # LOG file of the syndic daemon:
> #syndic_log_file: syndic.log
>
> +# The behaviour of the multi-syndic when connection to a master of
> masters failed.
> +# Can specify ``random`` (default) or ``ordered``. If set to ``random``,
> masters
> +# will be iterated in random order. If ``ordered`` is specified, the
> configured
> +# order will be used.
> +#syndic_failover: random
> +
>
> ##### Peer Publish settings #####
> ##########################################
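Review bot: In hunk `@@ -621,6 +705,107 @@` the sample `#git_pillar_ssl_verify: False` sits under a comment that describes the option as whether to *ignore* certificate errors, so it is unclear whether `False` means "do not ignore" or "do not verify". Going by the option name, `False` would switch certificate checking off for git_pillar remotes, and the same hunk notes that pillars can hold data sensitive enough to warrant a warning about unencrypted caching, so a sample value that disables verification is one uncomment away from an unauthenticated pillar source. I would reword the comment to `# Verify the TLS certificate of the remote repository. Setting this to False disables verification.` and show `#git_pillar_ssl_verify: True`, after confirming the default of the packaged release.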
> @@ -738,7 +929,7 @@
> # If using 'log_granular_levels' this must be set to the highest desired
> level.
> #log_level_logfile: warning
>
> -# The date and time format used in log messages. Allowed date/time
> formating
> +# The date and time format used in log messages. Allowed date/time
> formatting
> # can be seen here: http://docs.python.org/library/time.html#time.
> strftime
> #log_datefmt: '%H:%M:%S'
> #log_datefmt_logfile: '%Y-%m-%d %H:%M:%S'
> @@ -760,7 +951,7 @@
> #log_fmt_console: '%(colorlevel)s %(colormsg)s'
> #log_fmt_console: '[%(levelname)-8s] %(message)s'
> #
> -#log_fmt_logfile: '%(asctime)s,%(msecs)03.0f
> [%(name)-17s][%(levelname)-8s] %(message)s'
> +#log_fmt_logfile: '%(asctime)s,%(msecs)03d [%(name)-17s][%(levelname)-8s]
> %(message)s'
>
> # This can be used to control logging levels more specificically. This
> # example sets the main salt library at the 'warning' level, but sets
> @@ -774,11 +965,18 @@
>
> ##### Node Groups ######
> ##########################################
> -# Node groups allow for logical groupings of minion nodes. A group
> consists of a group
> -# name and a compound target.
> +# Node groups allow for logical groupings of minion nodes. A group
> consists of
> +# a group name and a compound target. Nodgroups can reference other
> nodegroups
> +# with 'N@' classifier. Ensure that you do not have circular references.
> +#
> #nodegroups:
> -# group1: '[email protected],bar.domain.com,baz.domain.com and bl*.
> domain.com'
> +# group1: '[email protected],bar.domain.com,baz.domain.com or bl*.
> domain.com'
> # group2: 'G@os:Debian and foo.domain.com'
> +# group3: 'G@os:Debian and N@group1'
> +# group4:
> +# - 'G@foo:bar'
> +# - 'or'
> +# - 'G@foo:baz'
>
>
> ##### Range Cluster settings #####
> @@ -824,3 +1022,13 @@
> ############################################
> # Default match type for filtering events tags: startswith, endswith,
> find, regex, fnmatch
> #event_match_type: startswith
> +
> +# Save runner returns to the job cache
> +#runner_returns: True
> +
> +# Permanently include any available Python 3rd party modules into Salt
> Thin
> +# when they are generated for Salt-SSH or other purposes.
> +# The modules should be named by the names they are actually imported
> inside the Python.
> +# The value of the parameters can be either one module or a comma
> separated list of them.
> +#thin_extra_mods: foo,bar
> +
> diff --git a/meta-openstack/recipes-support/salt/files/minion
> b/meta-openstack/recipes-support/salt/files/minion
> index bd97c43..ad7a374 100644
> --- a/meta-openstack/recipes-support/salt/files/minion
> +++ b/meta-openstack/recipes-support/salt/files/minion
> @@ -38,6 +38,8 @@
> # value to "str". Failover masters can be requested by setting
> # to "failover". MAKE SURE TO SET master_alive_interval if you are
> # using failover.
> +# Setting master_type to 'disable' let's you have a running minion (with
> engines and
> +# beacons) without a master connection
> # master_type: str
>
> # Poll interval in seconds for checking if the master is still there.
> Only
> @@ -46,6 +48,16 @@
> # of TCP connections, such as load balancers.)
> # master_alive_interval: 30
>
> +# If the minion is in multi-master mode and the master_type configuration
> option
> +# is set to "failover", this setting can be set to "True" to force the
> minion
> +# to fail back to the first master in the list if the first master is
> back online.
> +#master_failback: False
> +
> +# If the minion is in multi-master mode, the "master_type" configuration
> is set to
> +# "failover", and the "master_failback" option is enabled, the master
> failback
> +# interval can be set to ping the top master with this interval, in
> seconds.
> +#master_failback_interval: 0
> +
> # Set whether the minion should connect to the master via IPv6:
> #ipv6: False
>
> @@ -60,11 +72,15 @@
> # The user to run salt.
> #user: root
>
> -# Setting sudo_user will cause salt to run all execution modules under an
> sudo
> -# to the user given in sudo_user. The user under which the salt minion
> process
> -# itself runs will still be that provided in the user config above, but
> all
> -# execution modules run by the minion will be rerouted through sudo.
> -#sudo_user: saltdev
> +# The user to run salt remote execution commands as via sudo. If this
> option is
> +# enabled then sudo will be used to change the active user executing the
> remote
> +# command. If enabled the user will need to be allowed access via the
> sudoers
> +# file for the user that the salt minion is configured to run as. The most
> +# common option would be to use the root user. If this option is set the
> user
> +# option should also be set to a non-root user. If migrating from a root
> minion
> +# to a non root minion the minion cache should be cleared and the minion
> pki
> +# directory will need to be changed to the ownership of the new user.
> +#sudo_user: root
>
> # Specify the location of the daemon process ID file.
> #pidfile: /var/run/salt-minion.pid
> @@ -73,6 +89,9 @@
> # sock_dir, pidfile.
> #root_dir: /
>
> +# The path to the minion's configuration file.
> +#conf_file: /etc/salt/minion
> +
> # The directory to store the pki information in
> #pki_dir: /etc/salt/pki/minion
>
> @@ -83,6 +102,13 @@
> # clusters.
> #id:
>
> +# Cache the minion id to a file when the minion's id is not statically
> defined
> +# in the minion config. Defaults to "True". This setting prevents
> potential
> +# problems when automatic minion id resolution changes, which can cause
> the
> +# minion to lose connection with the master. To turn off minion id
> caching,
> +# set this config to ``False``.
> +#minion_id_caching: True
> +
> # Append a domain to a hostname in the event that it does not exist.
> This is
> # useful for systems where socket.getfqdn() does not actually result in a
> # FQDN (for instance, Solaris).
> @@ -103,6 +129,13 @@
> # This data may contain sensitive data and should be protected
> accordingly.
> #cachedir: /var/cache/salt/minion
>
> +# Append minion_id to these directories. Helps with
> +# multiple proxies and minions running on the same machine.
> +# Allowed elements in the list: pki_dir, cachedir, extension_modules
> +# Normally not needed unless running several proxies and/or minions on
> the same machine
> +# Defaults to ['cachedir'] for proxies, [] (empty list) for regular
> minions
> +#append_minionid_config_dirs:
> +
> # Verify and set permissions on configuration directories at startup.
> #verify_env: True
>
> @@ -171,6 +204,20 @@
> # authenticate.
> #auth_tries: 7
>
> +# The number of attempts to connect to a master before giving up.
> +# Set this to -1 for unlimited attempts. This allows for a master to have
> +# downtime and the minion to reconnect to it later when it comes back up.
> +# In 'failover' mode, it is the number of attempts for each set of
> masters.
> +# In this mode, it will cycle through the list of masters for each
> attempt.
> +#
> +# This is different than auth_tries because auth_tries attempts to
> +# retry auth attempts with a single master. auth_tries is under the
> +# assumption that you can connect to the master but not gain
> +# authorization from it. master_tries will still cycle through all
> +# the masters in a given try, so it is appropriate if you expect
> +# occasional downtime from the master(s).
> +#master_tries: 1
> +
> # If authentication fails due to SaltReqTimeoutError during a
> ping_interval,
> # cause sub minion process to restart.
> #auth_safemode: False
> @@ -249,10 +296,17 @@
> #
> #
> # The loop_interval sets how long in seconds the minion will wait between
> -# evaluating the scheduler and running cleanup tasks. This defaults to a
> -# sane 60 seconds, but if the minion scheduler needs to be evaluated more
> -# often lower this value
> -#loop_interval: 60
> +# evaluating the scheduler and running cleanup tasks. This defaults to 1
> +# second on the minion scheduler.
> +#loop_interval: 1
> +
> +# Some installations choose to start all job returns in a cache or a
> returner
> +# and forgo sending the results back to a master. In this workflow, jobs
> +# are most often executed with --async from the Salt CLI and then results
> +# are evaluated by examining job caches on the minions or any configured
> returners.
> +# WARNING: Setting this to False will **disable** returns back to the
> master.
> +#pub_ret: True
> +
>
> # The grains can be merged, instead of overridden, using this option.
> # This allows custom grains to defined different subvalues of a dictionary
> @@ -286,6 +340,26 @@
> # is not enabled.
> # grains_cache_expiration: 300
>
> +# Determines whether or not the salt minion should run scheduled mine
> updates.
> +# Defaults to "True". Set to "False" to disable the scheduled mine updates
> +# (this essentially just does not add the mine update function to the
> minion's
> +# scheduler).
> +#mine_enabled: True
> +
> +# Determines whether or not scheduled mine updates should be accompanied
> by a job
> +# return for the job cache. Defaults to "False". Set to "True" to include
> job
> +# returns in the job cache for mine updates.
> +#mine_return_job: False
> +
> +# Example functions that can be run via the mine facility
> +# NO mine functions are established by default.
> +# Note these can be defined in the minion's pillar as well.
> +#mine_functions:
> +# test.ping: []
> +# network.ip_addrs:
> +# interface: eth0
> +# cidr: '10.0.0.0/8'
> +
> # Windows platforms lack posix IPC and must rely on slower TCP based
> inter-
> # process communications. Set ipc_mode to 'tcp' on such systems
> #ipc_mode: ipc
> @@ -319,16 +393,33 @@
> #include:
> # - /etc/salt/extra_config
> # - /etc/roles/webserver
> +
> +# The syndic minion can verify that it is talking to the correct master
> via the
> +# key fingerprint of the higher-level master with the "syndic_finger"
> config.
> +#syndic_finger: ''
> #
> #
> #
> ##### Minion module management #####
> ##########################################
> # Disable specific modules. This allows the admin to limit the level of
> -# access the master has to the minion.
> -#disable_modules: [cmd,test]
> +# access the master has to the minion. The default here is the empty
> list,
> +# below is an example of how this needs to be formatted in the config file
> +#disable_modules:
> +# - cmdmod
> +# - test
> #disable_returners: []
> -#
> +
> +# This is the reverse of disable_modules. The default, like
> disable_modules, is the empty list,
> +# but if this option is set to *anything* then *only* those modules will
> load.
> +# Note that this is a very large hammer and it can be quite difficult to
> keep the minion working
> +# the way you think it should since Salt uses many modules internally
> itself. At a bare minimum
> +# you need the following enabled or else the minion won't start.
> +#whitelist_modules:
> +# - cmdmod
> +# - test
> +# - config
> +
> # Modules can be loaded from arbitrary paths. This enables the easy
> deployment
> # of third party modules. Modules for returners and minions can be loaded.
> # Specify a list of extra directories to search for minion modules and
> @@ -389,6 +480,15 @@
> # environments is to isolate via the top file.
> #environment: None
> #
> +# Isolates the pillar environment on the minion side. This functions the
> same
> +# as the environment setting, but for pillar instead of states.
> +#pillarenv: None
> +#
> +# Set this option to 'True' to force a 'KeyError' to be raised whenever an
> +# attempt to retrieve a named value from pillar fails. When this option
> is set
> +# to 'False', the failed attempt returns an empty string. Default is
> 'False'.
> +#pillar_raise_on_missing: False
> +#
> # If using the local file directory, then the state top file name needs
> to be
> # defined, by default this is top.sls.
> #state_top: top.sls
> @@ -448,6 +548,18 @@
> # base:
> # - /srv/salt
>
> +# Uncomment the line below if you do not want the file_server to follow
> +# symlinks when walking the filesystem tree. This is set to True
> +# by default. Currently this only applies to the default roots
> +# fileserver_backend.
> +#fileserver_followsymlinks: False
> +#
> +# Uncomment the line below if you do not want symlinks to be
> +# treated as the files they are pointing to. By default this is set to
> +# False. By uncommenting the line below, any detected symlink while
> listing
> +# files on the Master will not be returned to the Minion.
> +#fileserver_ignoresymlinks: True
> +#
> # By default, the Salt fileserver recurses fully into all defined
> environments
> # to attempt to find files. To limit this behavior so that the fileserver
> only
> # traverses directories with SLS files and special Salt directories like
> _modules,
> @@ -456,13 +568,19 @@ > # is False. > #fileserver_limit_traversal: False > > -# The hash_type is the hash to use when discovering the hash of a file in > +# The hash_type is the hash to use when discovering the hash of a file on > # the local fileserver. The default is md5, but sha1, sha224, sha256, > sha384 > # and sha512 are also supported. > # > +# WARNING: While md5 and sha1 are also supported, do not use it due to > the high chance > +# of possible collisions and thus security breach. > +# > +# WARNING: While md5 is also supported, do not use it due to the high > chance > +# of possible collisions and thus security breach. > +# > # Warning: Prior to changing this value, the minion should be stopped and > all > # Salt caches should be cleared. > -#hash_type: md5 > +#hash_type: sha256 > > # The Salt pillar is searched for locally if file_client is set to local. > If > # this is the case, and pillar data is defined, then the pillar_roots > need to > @@ -470,6 +588,10 @@ > #pillar_roots: > # base: > # - /srv/pillar > + > +# Set a hard-limit on the size of the files that can be pushed to the > master. > +# It will be interpreted as megabytes. Default: 100 > +#file_recv_max_size: 100 > # > # > ###### Security settings ##### > @@ -508,7 +630,7 @@ > > # Fingerprint of the master public key to validate the identity of your > Salt master > # before the initial key exchange. The master fingerprint can be found by > running > -# "salt-key -F master" on the Salt master. > +# "salt-key -f master.pub" on the Salt master. > #master_finger: '' > > > @@ -548,7 +670,7 @@ > # Default: 'warning' > #log_level_logfile: > > -# The date and time format used in log messages. Allowed date/time > formating > +# The date and time format used in log messages. Allowed date/time > formatting > # can be seen here: http://docs.python.org/library/time.html#time. > strftime > #log_datefmt: '%H:%M:%S' > #log_datefmt_logfile: '%Y-%m-%d %H:%M:%S' 
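Review bot: The `hash_type` hunk keeps the context sentence "The default is md5" while the commented default becomes `#hash_type: sha256`, so the file now states two different defaults. It also adds two near-identical WARNING paragraphs, one covering md5 and sha1 and one covering md5 only. Keep the first and drop the second, and reword the intro to something like `# The default is sha256; sha224, sha384 and sha512 are also supported.` if that matches the packaged 2016.11 default (not verifiable from this hunk). If the effective default did move off md5, upgraded minions hit exactly the case the existing "stop the minion and clear all Salt caches" warning describes, which deserves a line in the commit message.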
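Review bot: The `master_finger` hunk corrects the command, but the comment still does not say what happens when the value is left as `''`. As far as I can tell, an empty value means the minion accepts whichever master public key it receives at first contact, so images built from this recipe have no pinning unless provisioning sets it. Suggest adding `# If left empty, the master key is not verified before the initial key exchange; set this when provisioning.` below the command line.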
> @@ -570,7 +692,7 @@ > #log_fmt_console: '%(colorlevel)s %(colormsg)s' > #log_fmt_console: '[%(levelname)-8s] %(message)s' > # > -#log_fmt_logfile: '%(asctime)s,%(msecs)03.0f > [%(name)-17s][%(levelname)-8s] %(message)s' > +#log_fmt_logfile: '%(asctime)s,%(msecs)03d [%(name)-17s][%(levelname)-8s] > %(message)s' > > # This can be used to control logging levels more specificically. This > # example sets the main salt library at the 'warning' level, but sets > diff --git a/meta-openstack/recipes-support/salt/files/salt-common.logrotate > b/meta-openstack/recipes-support/salt/files/salt-common.logrotate > index dcfd268..3cd0023 100644 > --- a/meta-openstack/recipes-support/salt/files/salt-common.logrotate > +++ b/meta-openstack/recipes-support/salt/files/salt-common.logrotate > @@ -1,7 +1,20 @@ > -/var/log/salt/master > -/var/log/salt/minion > -/var/log/salt/*.log > -{ > +/var/log/salt/master { > + weekly > + missingok > + rotate 7 > + compress > + notifempty > +} > + > +/var/log/salt/minion { > + weekly > + missingok > + rotate 7 > + compress > + notifempty > +} > + > +/var/log/salt/key { > weekly > missingok > rotate 7 > diff --git a/meta-openstack/recipes-support/salt/salt_2016.3.0.bb > b/meta-openstack/recipes-support/salt/salt_2016.11.0.bb > similarity index 98% > rename from meta-openstack/recipes-support/salt/salt_2016.3.0.bb > rename to meta-openstack/recipes-support/salt/salt_2016.11.0.bb > index 7024f42..ba1def7 100644 > --- a/meta-openstack/recipes-support/salt/salt_2016.3.0.bb > +++ b/meta-openstack/recipes-support/salt/salt_2016.11.0.bb 
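Review bot: The rewritten `salt-common.logrotate` drops the `/var/log/salt/*.log` pattern and names only `master`, `minion` and `key`, so any file that used to match the glob is no longer rotated. The recipe also ships a `cloud` config, and if salt-cloud or another Salt daemon on the image logs into `/var/log/salt`, that file is not covered by any of the three stanzas and will grow without being compressed or aged out. Either keep a `/var/log/salt/*.log` stanza with the same five directives, or add one stanza per log the image can actually produce. The closing lines of the third stanza are outside the hunk.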
> @@ -28,8 +28,8 @@ SRC_URI = "https://files.pythonhosted. > org/packages/source/s/${SRCNAME}/${SRCNAME > file://roster \ > " > > -SRC_URI[md5sum] = "8ed82cfb3f9b1764a035edbdacf0fea9" > -SRC_URI[sha256sum] = "e316dd103b7faeaa97820197e4d0d7 > d358519f0ca2a6dcb1d9b718eea801ed30" > +SRC_URI[md5sum] = "eced07a652cc6a31870fc098d5325a9c" > +SRC_URI[sha256sum] = "b516285926ee95cedc64ecddab05d1 > 4422b7c8819c9f6d046a431c41d608e6bc" > > S = "${WORKDIR}/${SRCNAME}-${PV}" > > -- > 2.7.4 > > -- > _______________________________________________ > meta-virtualization mailing list > [email protected] > https://lists.yoctoproject.org/listinfo/meta-virtualization > -- "Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end"
