2012-09-11 00:12:35 +00:00
|
|
|
=========================
|
|
|
|
Salt 0.10.3 Release Notes
|
|
|
|
=========================
|
|
|
|
|
2013-12-25 15:48:37 +00:00
|
|
|
:release: 2012-09-30
|
|
|
|
|
2012-09-11 00:12:35 +00:00
|
|
|
The latest taste of Salt has come, this release has many fixes and feature
|
|
|
|
additions. Modifications have been made to make ZeroMQ connections more
|
2012-11-19 01:14:21 +00:00
|
|
|
reliable, the beginning of the ACL system is in place, a new command line
|
2012-09-11 00:12:35 +00:00
|
|
|
parsing system has been added, dynamic module distribution has become more
|
2012-09-18 17:20:12 +00:00
|
|
|
environment aware, the new `master_finger` option and many more!
|
2012-09-11 00:12:35 +00:00
|
|
|
|
|
|
|
Major Features
|
|
|
|
==============
|
|
|
|
|
|
|
|
ACL System
|
|
|
|
----------
|
|
|
|
|
|
|
|
The new ACL system has been introduced. The ACL system allows for system users
|
|
|
|
other than root to execute salt commands. Users can be allowed to execute
|
|
|
|
specific commands in the same way that minions are opened up to the peer
|
|
|
|
system.
|
|
|
|
|
|
|
|
The configuration value to open up the ACL system is called ``client_acl``
|
|
|
|
and is configured like so:
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
client_acl:
|
|
|
|
fred:
|
|
|
|
- test..*
|
|
|
|
- pkg.list_pkgs
|
|
|
|
|
|
|
|
Where `fred` is allowed access to functions in the test module and to the
|
|
|
|
``pkg.list_pkgs`` function.
|
|
|
|
|
2012-09-18 18:21:49 +00:00
|
|
|
Master Finger Option
|
|
|
|
--------------------
|
|
|
|
|
|
|
|
The `master_finger` option has been added to improve the security of minion
|
|
|
|
provisioning. The `master_finger` option allows for the fingerprint of the
|
|
|
|
master public key to be set in the configuration file to double verify that the
|
2013-05-05 08:04:49 +00:00
|
|
|
master is valid. This option was added in response to a motivation to
|
|
|
|
pre-authenticate the master when provisioning new minions to help prevent
|
2012-09-18 18:21:49 +00:00
|
|
|
man in the middle attacks in some situations.
|
|
|
|
|
|
|
|
Salt Key Fingerprint Generation
|
|
|
|
-------------------------------
|
|
|
|
|
|
|
|
The ability to generate fingerprints of keys used by Salt has been added to
|
|
|
|
``salt-key``. The new option `finger` accepts the name of the key to generate
|
|
|
|
and display a fingerprint for.
|
|
|
|
|
2012-10-04 21:00:26 +00:00
|
|
|
.. code-block:: bash
|
2012-09-18 18:21:49 +00:00
|
|
|
|
|
|
|
salt-key -F master
|
|
|
|
|
|
|
|
Will display the fingerprints for the master public and private keys.
|
|
|
|
|
2012-09-11 00:12:35 +00:00
|
|
|
Parsing System
|
|
|
|
--------------
|
|
|
|
|
|
|
|
Pedro Algavio, aka s0undt3ch, has added a substantial update to the command
|
|
|
|
line parsing system that makes the help message output much cleaner and easier
|
2013-12-25 15:48:37 +00:00
|
|
|
to search through. Salt parsers now have `--versions-report` besides usual
|
2012-09-11 22:00:33 +00:00
|
|
|
`--version` info which you can provide when reporting any issues found.
|
|
|
|
|
|
|
|
Key Generation
|
|
|
|
--------------
|
|
|
|
|
2013-12-25 15:48:37 +00:00
|
|
|
We have reduced the requirements needed for `salt-key` to generate minion keys.
|
|
|
|
You're no longer required to have salt configured and it's common directories
|
|
|
|
created just to generate keys. This might prove useful if you're batch creating
|
2012-09-11 22:00:33 +00:00
|
|
|
keys to pre-load on minions.
|
|
|
|
|
2012-09-20 19:34:54 +00:00
|
|
|
Startup States
|
|
|
|
--------------
|
|
|
|
|
|
|
|
A few configuration options have been added which allow for states to be run
|
|
|
|
when the minion daemon starts. This can be a great advantage when deploying
|
|
|
|
with Salt because the minion can apply states right when it first runs. To
|
|
|
|
use startup states set the ``startup_states`` configuration option on the
|
|
|
|
minion to `highstate`.
|
|
|
|
|
2012-09-22 21:59:35 +00:00
|
|
|
New Exclude Declaration
|
|
|
|
-----------------------
|
|
|
|
|
|
|
|
Some users have asked about adding the ability to ensure that other sls files
|
|
|
|
or ids are excluded from a state run. The exclude statement will delete all of
|
|
|
|
the data loaded from the specified sls file or will delete the specified id:
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
exclude:
|
|
|
|
- sls: http
|
|
|
|
- id: /etc/vimrc
|
|
|
|
|
2012-09-11 22:00:33 +00:00
|
|
|
Max Open Files
|
|
|
|
--------------
|
|
|
|
|
2013-12-25 15:48:37 +00:00
|
|
|
While we're currently unable to properly handle ZeroMQ's abort signals when the
|
|
|
|
max open files is reached, due to the way that's handled on ZeroMQ's, we have
|
2012-09-11 22:00:33 +00:00
|
|
|
minimized the chances of this happening without at least warning the user.
|
2012-09-11 00:12:35 +00:00
|
|
|
|
|
|
|
More State Output Options
|
|
|
|
-------------------------
|
|
|
|
|
|
|
|
Some major changes have been made to the state output system. In the past state
|
2012-09-11 22:00:33 +00:00
|
|
|
return data was printed in a very verbose fashion and only states that failed
|
|
|
|
or made changes were printed by default. Now two options can be passed to the
|
2012-09-11 00:12:35 +00:00
|
|
|
master and minion configuration files to change the behavior of the state
|
|
|
|
output. State output can be set to verbose (default) or non-verbose with the
|
|
|
|
``state_verbose`` option:
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
state_verbose: False
|
|
|
|
|
|
|
|
It is noteworthy that the state_verbose option used to be set to `False` by
|
|
|
|
default but has been changed to `True` by default in 0.10.3 due to many
|
|
|
|
requests for the change.
|
|
|
|
|
|
|
|
Te next option to be aware of new and called ``state_output``. This option
|
|
|
|
allows for the state output to be set to `full` (default) or `terse`.
|
|
|
|
|
|
|
|
The `full` output is the standard state output, but the new `terse` output
|
|
|
|
will print only one line per state making the output much easier to follow when
|
|
|
|
executing a large state system.
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
state_output: terse
|
|
|
|
|
2012-09-11 22:00:33 +00:00
|
|
|
|
|
|
|
`state.file.append` Improvements
|
|
|
|
--------------------------------
|
|
|
|
|
2013-12-25 15:48:37 +00:00
|
|
|
The salt state `file.append()` tries *not* to append existing text. Previously
|
|
|
|
the matching check was being made line by line. While this kind of check might
|
|
|
|
be enough for most cases, if the text being appended was multi-line, the check
|
|
|
|
would not work properly. This issue is now properly handled, the match is done
|
|
|
|
as a whole ignoring any white space addition or removal except inside commas.
|
|
|
|
For those thinking that, in order to properly match over multiple lines, salt
|
|
|
|
will load the whole file into memory, that's not true. For most cases this is
|
|
|
|
not important but an erroneous order to read a 4GB file, if not properly
|
|
|
|
handled, like salt does, could make salt chew that amount of memory. Salt has
|
|
|
|
a buffered file reader which will keep in memory a maximum of 256KB and
|
|
|
|
iterates over the file in chunks of 32KB to test for the match, more than
|
|
|
|
enough, if not, explain your usage on a ticket. With this change, also
|
|
|
|
`salt.modules.file.contains()`, `salt.modules.file.contains_regex()`,
|
|
|
|
`salt.modules.file.contains_glob()` and `salt.utils.find` now do the searching
|
2012-09-11 22:00:33 +00:00
|
|
|
and/or matching using the buffered chunks approach explained above.
|
|
|
|
|
2014-12-12 19:31:43 +00:00
|
|
|
Two new keyword arguments were also added, `makedirs`, and `source`.
|
2013-12-25 15:48:37 +00:00
|
|
|
The first, `makedirs` will create the necessary directories in order to append
|
|
|
|
to the specified file, of course, it only applies if we're trying to append to
|
2012-09-11 22:00:33 +00:00
|
|
|
a non-existing file on a non-existing directory:
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
/tmp/salttest/file-append-makedirs:
|
|
|
|
file.append:
|
|
|
|
text: foo
|
|
|
|
makedirs: True
|
|
|
|
|
|
|
|
|
2012-11-19 01:14:21 +00:00
|
|
|
The second, `source`, allows one to append the contents of a file instead of
|
2012-09-11 22:00:33 +00:00
|
|
|
specifying the text.
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
/tmp/salttest/file-append-source:
|
|
|
|
|
|
|
|
file.append:
|
|
|
|
- source: salt://testfile
|
|
|
|
|
2012-09-18 18:21:49 +00:00
|
|
|
Security Fix
|
|
|
|
============
|
2012-09-11 22:00:33 +00:00
|
|
|
|
2012-09-18 18:21:49 +00:00
|
|
|
A timing vulnerability was uncovered in the code which decrypts the AES
|
|
|
|
messages sent over the network. This has been fixed and upgrading is
|
|
|
|
strongly recommended.
|