From 8ec5d989ad079e620ba577b5b592e672099bc307 Mon Sep 17 00:00:00 2001
From: Jacob Hammons
Date: Wed, 23 Mar 2016 14:00:30 -0600
Subject: [PATCH] 2015.8.8 release docs
---
 doc/conf.py | 4 +-
 .../cli/_includes/target-selection-ssh.rst | 11 +++
 doc/ref/cli/_includes/target-selection.rst | 3 +
 doc/ref/cli/salt-ssh.rst | 4 +-
 doc/ref/clients/index.rst | 2 +
 doc/topics/installation/debian.rst | 41 ++--------
 doc/topics/installation/rhel.rst | 78 ++-----------------
 doc/topics/installation/suse.rst | 13 ++++
 doc/topics/installation/ubuntu.rst | 54 ++-----------
 doc/topics/releases/2015.5.10.rst | 24 +++++-
 doc/topics/releases/2015.5.11.rst | 6 ++
 doc/topics/releases/2015.8.8.rst | 45 ++++++++++-
 doc/topics/releases/2015.8.9.rst | 6 ++
 13 files changed, 130 insertions(+), 161 deletions(-)
 create mode 100644 doc/ref/cli/_includes/target-selection-ssh.rst
 create mode 100644 doc/topics/releases/2015.5.11.rst
 create mode 100644 doc/topics/releases/2015.8.9.rst
diff --git a/doc/conf.py b/doc/conf.py
index be2192faf9..aafa015d94 100644
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -169,8 +169,8 @@ project = 'Salt'
 copyright = '2016 SaltStack, Inc.'
 version = salt.version.__version__
-latest_release = '2015.8.7' # latest release
-previous_release = '2015.5.9' # latest release from previous branch
+latest_release = '2015.8.8' # latest release
+previous_release = '2015.5.10' # latest release from previous branch
 previous_release_dir = '2015.5' # path on web server for previous branch
 build_type = 'latest' # latest, previous, develop, inactive
diff --git a/doc/ref/cli/_includes/target-selection-ssh.rst b/doc/ref/cli/_includes/target-selection-ssh.rst
new file mode 100644
index 0000000000..e114d175d8
--- /dev/null
+++ b/doc/ref/cli/_includes/target-selection-ssh.rst
@@ -0,0 +1,11 @@
+Target Selection
+----------------
+
+The default matching that Salt utilizes is shell-style globbing around the
+minion id. See https://docs.python.org/2/library/fnmatch.html#module-fnmatch.
+
+.. option:: -E, --pcre
+
+ The target expression will be interpreted as a PCRE regular expression
+ rather than a shell glob.
+
diff --git a/doc/ref/cli/_includes/target-selection.rst b/doc/ref/cli/_includes/target-selection.rst
index f51dca165d..1c8462c8f9 100644
--- a/doc/ref/cli/_includes/target-selection.rst
+++ b/doc/ref/cli/_includes/target-selection.rst
@@ -1,6 +1,9 @@
 Target Selection
 ----------------
+The default matching that Salt utilizes is shell-style globbing around the
+minion id. See https://docs.python.org/2/library/fnmatch.html#module-fnmatch.
+
 .. option:: -E, --pcre
 The target expression will be interpreted as a PCRE regular expression
diff --git a/doc/ref/cli/salt-ssh.rst b/doc/ref/cli/salt-ssh.rst
index bec09bb51d..0e3998fe1a 100644
--- a/doc/ref/cli/salt-ssh.rst
+++ b/doc/ref/cli/salt-ssh.rst
@@ -72,7 +72,7 @@ Options
 .. include:: _includes/common-options.rst
-.. include:: _includes/target-selection.rst
+.. include:: _includes/target-selection-ssh.rst
 .. include:: _includes/logging-options.rst
 .. |logfile| replace:: /var/log/salt/ssh
@@ -86,4 +86,4 @@ See also
 :manpage:`salt(7)`
 :manpage:`salt-master(1)`
-:manpage:`salt-minion(1)`
\ No newline at end of file
+:manpage:`salt-minion(1)`
diff --git a/doc/ref/clients/index.rst b/doc/ref/clients/index.rst
index d0d0d5a458..f5eb1f342f 100644
--- a/doc/ref/clients/index.rst
+++ b/doc/ref/clients/index.rst
@@ -72,6 +72,8 @@ Each module type has a corresponding loader function.
 Salt's Client Interfaces
 ========================
+.. _local-client:
+
 LocalClient
 -----------
diff --git a/doc/topics/installation/debian.rst b/doc/topics/installation/debian.rst
index e4fa6e89bb..7f77b3e334 100644
--- a/doc/topics/installation/debian.rst
+++ b/doc/topics/installation/debian.rst
@@ -15,43 +15,16 @@ Installation from official Debian and Raspbian repositories is described
 .. _installation-debian-repo:
-Installation from the SaltStack Repository
-==========================================
+Installation from the Official SaltStack Repository
+===================================================
-2015.5 and later packages for Debian 8 ("Jessie") are available in the
-SaltStack repository.
+Packages for Debian 8 (Jessie) and Debian 7 (Wheezy) are available in the
+Official SaltStack repository.
-.. note::
- SaltStack repository contains only packages suitable for ``i386`` (32-bit
- Intel-compatible CPUs) and ``amd64`` (64-bit) architectures. While Salt
- packages are built for all Debian ports (have ``all`` suffix in package
- names), some of the dependencies are avaivable only for ``amd64`` systems.
+Instructions are at http://repo.saltstack.com/#debian.
-.. important::
- The repository folder structure changed in the 2015.8.3 release, though the
- previous repository structure that was documented in 2015.8.1 can continue to
- be used.
-
-To install using the SaltStack repository:
-
-#. Run the following command to import the SaltStack repository key:
-
- .. code-block:: bash
-
- wget -O - https://repo.saltstack.com/apt/debian/8/amd64/latest/SALTSTACK-GPG-KEY.pub | sudo apt-key add -
-
-#. Add the following line to ``/etc/apt/sources.list``:
-
- .. code-block:: bash
-
- deb http://repo.saltstack.com/apt/debian/8/amd64/latest jessie main
-
-#. Run ``sudo apt-get update``.
-
-#. Now go to the :ref:`packages installation ` section.
-
-Installation from the Community Repository
-==========================================
+Installation from the Community-Maintained Repository
+=====================================================
 The SaltStack community maintains a Debian repository at debian.saltstack.com. Packages for Debian Old Stable, Stable, and Unstable (Wheezy, Jessie, and Sid)
diff --git a/doc/topics/installation/rhel.rst b/doc/topics/installation/rhel.rst
index 4ffcf899f7..cd46f52585 100644
--- a/doc/topics/installation/rhel.rst
+++ b/doc/topics/installation/rhel.rst
@@ -12,76 +12,14 @@ Report any bugs or issues on the `issue tracker`__.
 .. __: https://github.com/saltstack/salt/issues
-Installation from the SaltStack Repository
-==========================================
+Installation from the Official SaltStack Repository
+===================================================
-2015.5 and later packages for RHEL 5, 6, and 7 are available in the
-SaltStack repository.
+Packages for Redhat, CentOS, and Amazon Linux are available in
+the SaltStack Repository.
-.. important::
- The repository folder structure changed in the 2015.8.3 release, though the
- previous repository structure that was documented in 2015.8.1 can continue to
- be used.
-
-To install using the SaltStack repository:
-
-#. Run one of the following commands based on your version to import the SaltStack repository key:
-
- Version 7:
-
- .. code-block:: bash
-
- rpm --import https://repo.saltstack.com/yum/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub
-
- Version 6:
-
- .. code-block:: bash
-
- rpm --import https://repo.saltstack.com/yum/redhat/6/x86_64/latest/SALTSTACK-GPG-KEY.pub
-
- Version 5:
-
- .. code-block:: bash
-
- wget https://repo.saltstack.com/yum/redhat/5/x86_64/latest/SALTSTACK-EL5-GPG-KEY.pub
- rpm --import SALTSTACK-EL5-GPG-KEY.pub
- rm -f SALTSTACK-EL5-GPG-KEY.pub
-
-#. Save the following file to ``/etc/yum.repos.d/saltstack.repo``:
-
- Version 7 and 6:
-
- .. code-block:: cfg
-
- [saltstack-repo]
- name=SaltStack repo for RHEL/CentOS $releasever
- baseurl=https://repo.saltstack.com/yum/redhat/$releasever/$basearch/latest
- enabled=1
- gpgcheck=1
- gpgkey=https://repo.saltstack.com/yum/redhat/$releasever/$basearch/latest/SALTSTACK-GPG-KEY.pub
-
- Version 5:
-
- ..
code-block:: cfg
-
- [saltstack-repo]
- name=SaltStack repo for RHEL/CentOS $releasever
- baseurl=https://repo.saltstack.com/yum/redhat/$releasever/$basearch/latest
- enabled=1
- gpgcheck=1
- gpgkey=https://repo.saltstack.com/yum/redhat/$releasever/$basearch/latest/SALTSTACK-EL5-GPG-KEY.pub
-
-#. Run ``sudo yum clean expire-cache``.
-
-#. Run ``sudo yum update``.
-
-#. Install the salt-minion, salt-master, or other Salt components:
-
- - ``yum install salt-master``
- - ``yum install salt-minion``
- - ``yum install salt-ssh``
- - ``yum install salt-syndic``
- - ``yum install salt-cloud``
+- `Red Hat / CentOS `_
+- `Amazon Linux `_
 .. note::
 As of 2015.8.0, EPEL repository is no longer required for installing on
@@ -108,8 +46,8 @@ To install using the SaltStack repository:
 installed by the Red Hat 7 ``@base`` installation or by the Salt installation. These dependencies might need to be installed before Salt.
-Installation from the Community Repository
-==========================================
+Installation from the Community-Maintained Repository
+=====================================================
 Beginning with version 0.9.4, Salt has been available in `EPEL`_. For RHEL/CentOS 5, `Fedora COPR`_ is a single community repository that provides
diff --git a/doc/topics/installation/suse.rst b/doc/topics/installation/suse.rst
index 806265cafd..31a36c1c05 100644
--- a/doc/topics/installation/suse.rst
+++ b/doc/topics/installation/suse.rst
@@ -1,7 +1,20 @@
+.. _installation-suse:
+
 ====
 SUSE
 ====
+Installation from the SaltStack Repository
+==========================================
+
+Packages for SUSE 12 SP1, SUSE 12, SUSE 11, openSUSE 13 and openSUSE Leap 42.1
+are available in the SaltStack Repository.
+
+Instructions are at http://repo.saltstack.com/#suse.
+
+Installation from the SUSE Repository
+=====================================
+
 With openSUSE 13.2, Salt 2014.1.11 is available in the primary repositories. The devel:language:python repo will have more up to date versions of salt, all package development will be done there.
diff --git a/doc/topics/installation/ubuntu.rst b/doc/topics/installation/ubuntu.rst
index 6c6376f459..8fe869a9d3 100644
--- a/doc/topics/installation/ubuntu.rst
+++ b/doc/topics/installation/ubuntu.rst
@@ -6,58 +6,16 @@ Ubuntu
 .. _installation-ubuntu-repo:
-Installation from the SaltStack Repository
-==========================================
+Installation from the Official SaltStack Repository
+===================================================
-2015.5 and later packages for Ubuntu 14 (Trusty) and Ubuntu 12 (Precise) are
+Packages for Ubuntu 14 (Trusty) and Ubuntu 12 (Precise) are
 available in the SaltStack repository.
-.. note::
- While Salt packages are built for all Ubuntu supported CPU architectures
- (``i386`` and ``amd64``), some of the dependencies avaivable from SaltStack
- corporate repository are only suitable for ``amd64`` systems.
+Instructions are at http://repo.saltstack.com/#ubuntu.
-.. important::
- The repository folder structure changed in the 2015.8.3 release, though the
- previous repository structure that was documented in 2015.8.1 can continue to
- be used.
-
-To install using the SaltStack repository:
-
-#. Run the following command to import the SaltStack repository key:
-
- Ubuntu 14:
-
- .. code-block:: bash
-
- wget -O - https://repo.saltstack.com/apt/ubuntu/14.04/amd64/latest/SALTSTACK-GPG-KEY.pub | sudo apt-key add -
-
- Ubuntu 12:
-
- .. code-block:: bash
-
- wget -O - https://repo.saltstack.com/apt/ubuntu/12.04/amd64/latest/SALTSTACK-GPG-KEY.pub | sudo apt-key add -
-
-#. Add the following line to ``/etc/apt/sources.list``:
-
- Ubuntu 14:
-
- .. code-block:: bash
-
- deb http://repo.saltstack.com/apt/ubuntu/14.04/amd64/latest trusty main
-
- Ubuntu 12:
-
- .. code-block:: bash
-
- deb http://repo.saltstack.com/apt/ubuntu/12.04/amd64/latest precise main
-
-#. Run ``sudo apt-get update``.
-
-#. Now go to the :ref:`packages installation ` section.
-
-Installation from the Community Repository
-==========================================
+Installation from the Community-Maintained Repository
+=====================================================
 Packages for Ubuntu are also published in the saltstack PPA.
If you have the ``add-apt-repository`` utility, you can add the repository and import the
diff --git a/doc/topics/releases/2015.5.10.rst b/doc/topics/releases/2015.5.10.rst
index 311ad7c5ed..49a5598140 100644
--- a/doc/topics/releases/2015.5.10.rst
+++ b/doc/topics/releases/2015.5.10.rst
@@ -1,5 +1,21 @@
-==========================================
-Salt 2015.5.10 Release Notes (In Progress)
-==========================================
+============================
+Salt 2015.5.10 Release Notes
+============================
+
+Security Fix
+============
+
+CVE-2016-3176: Insecure configuration of PAM external authentication service
+
+This issue affects all Salt versions prior to 2015.8.8/2015.5.10 when PAM
+:ref:`external authentication ` is enabled. This issue involves
+passing an alternative PAM authentication service with a command that is sent
+to :ref:`LocalClient `, enabling the attacker to bypass the
+configured authentication service. Thank you to Dylan Frese
+for bringing this issue to our attention.
+
+This update defines the PAM eAuth ``service`` that users authenticate against
+in the Salt Master configuration.
+
+(No additional fixes are contained in this release).
-In progress, not yet released.
diff --git a/doc/topics/releases/2015.5.11.rst b/doc/topics/releases/2015.5.11.rst
new file mode 100644
index 0000000000..787ae49b47
--- /dev/null
+++ b/doc/topics/releases/2015.5.11.rst
@@ -0,0 +1,6 @@
+==========================================
+Salt 2015.5.11 Release Notes (In Progress)
+==========================================
+
+In progress, not yet released.
+
diff --git a/doc/topics/releases/2015.8.8.rst b/doc/topics/releases/2015.8.8.rst
index f43f65da40..b4b1defd22 100644
--- a/doc/topics/releases/2015.8.8.rst
+++ b/doc/topics/releases/2015.8.8.rst
@@ -2,6 +2,49 @@
 Salt 2015.8.8 Release Notes
 ===========================
+Security Fix
+============
+
+CVE-2016-3176: Insecure configuration of PAM external authentication service
+
+This issue affects all Salt versions prior to 2015.8.8/2015.5.10 when PAM
+:ref:`external authentication ` is enabled. This issue involves
+passing an alternative PAM authentication service with a command that is sent
+to :ref:`LocalClient `, enabling the attacker to bypass the
+configured authentication service. Thank you to Dylan Frese
+for bringing this issue to our attention.
+
+This update defines the PAM eAuth ``service`` that users authenticate against
+in the Salt Master configuration.
+
+Read Before Upgrading Debian 7 (Wheezy) from 2015.8.7 to 2015.8.8
+=================================================================
+
+Before you upgrade from 2015.8.7 on Debian 7, you must run the following
+commands to remove previous packages:
+
+.. code-block:: bash
+
+ sudo apt-get remove python-pycrypto
+ sudo apt-get remove python-apache-libcloud
+
+Note that ``python-pycrypto`` will likely remove ``python-apache-libcloud``, so
+the second command might not be necessary. These have been replaced by
+``python-crypto`` and ``python-libcloud`` with ~bpo70+1 moniker.
+
+Read Before Upgrading Debian 8 (Jessie) from Salt Versions Earlier than 2015.8.4
+================================================================================
+
+Salt ``systemd`` service files are missing the following statement in these versions:
+
+.. code-block:: ini
+
+ [Service]
+ KillMode=process
+
+This statement must be added to successfully upgrade on these earlier versions
+of Salt.
+
 Changes for v2015.8.7..v2015.8.8
 --------------------------------
@@ -411,7 +454,7 @@ Changes:
 - **PR** `#30750`_: (*jfindlay*) extract whole war version
-- **PR** `#30884`_: (*rallytime*) Move checks for private_key file existence and permissions to create function
+- **PR** `#30884`_: (*rallytime*) Move checks for private_key file existence and permissions to create function
 - **PR** `#30888`_: (*ticosax*) Backport `#30797`_ to 2015.8
diff --git a/doc/topics/releases/2015.8.9.rst b/doc/topics/releases/2015.8.9.rst
new file mode 100644
index 0000000000..6df0dff8b8
--- /dev/null
+++ b/doc/topics/releases/2015.8.9.rst
@@ -0,0 +1,6 @@
+=========================================
+Salt 2015.8.9 Release Notes (In Progress)
+=========================================
+
+In progress, not yet released.
+