Merge pull request #41033 from rallytime/merge-nitrogen
[nitrogen] Merge forward from 2016.11 to nitrogen
commit
a1f83ebb1e
@ -194,6 +194,9 @@
|
||||
# a previous deleted minion ID.
|
||||
#preserve_minion_cache: False
|
||||
|
||||
# Allow or deny minions from requesting their own key revocation
|
||||
#allow_minion_key_revoke: True
|
||||
|
||||
# If max_minions is used in large installations, the master might experience
|
||||
# high-load situations because of having to check the number of connected
|
||||
# minions for every authentication. This cache provides the minion-ids of
|
||||
|
@ -1258,6 +1258,21 @@ constant names without ssl module prefix: ``CERT_REQUIRED`` or ``PROTOCOL_SSLv23
|
||||
certfile: <path_to_certfile>
|
||||
ssl_version: PROTOCOL_TLSv1_2
|
||||
|
||||
.. conf_master:: allow_minion_key_revoke
|
||||
|
||||
``allow_minion_key_revoke``
|
||||
------------------
|
||||
|
||||
Default: ``True``
|
||||
|
||||
Controls whether a minion can request its own key revocation. When True
|
||||
the master will honor the minion's request and revoke its key. When False,
|
||||
the master will drop the request and the minion's key will remain accepted.
|
||||
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
rotate_aes_key: True
|
||||
|
||||
Master Module Management
|
||||
========================
|
||||
|
@ -3,3 +3,9 @@ Salt 2016.3.7 Release Notes
|
||||
===========================
|
||||
|
||||
Version 2016.3.7 is a bugfix release for :ref:`2016.3.0 <release-2016-3-0>`.
|
||||
|
||||
New master configuration option `allow_minion_key_revoke`, defaults to True. This option
|
||||
controls whether a minion can request that the master revoke its key. When True, a minion
|
||||
can request a key revocation and the master will comply. If it is False, the key will not
|
||||
be revoked by the msater.
|
||||
|
||||
|
@ -1039,6 +1039,9 @@ VALID_OPTS = {
|
||||
# Number of times to try to auth with the master on a reconnect with the
|
||||
# tcp transport
|
||||
'tcp_authentication_retries': int,
|
||||
|
||||
# Permit or deny allowing minions to request revoke of its own key
|
||||
'allow_minion_key_revoke': bool,
|
||||
}
|
||||
|
||||
# default configurations
|
||||
@ -1594,6 +1597,7 @@ DEFAULT_MASTER_OPTS = {
|
||||
'clean_dynamic_modules': True,
|
||||
'django_auth_path': '',
|
||||
'django_auth_settings': '',
|
||||
'allow_minion_key_revoke': True,
|
||||
}
|
||||
|
||||
|
||||
|
@ -1577,6 +1577,11 @@ class AESFuncs(object):
|
||||
:return: True if key was revoked, False if not
|
||||
'''
|
||||
load = self.__verify_load(load, ('id', 'tok'))
|
||||
|
||||
if not self.opts.get('allow_minion_key_revoke', False):
|
||||
log.warning('Minion {0} requested key revoke, but allow_minion_key_revoke is False'.format(load['id']))
|
||||
return load
|
||||
|
||||
if load is False:
|
||||
return load
|
||||
else:
|
||||
|
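Review bot: The added `allow_minion_key_revoke` check sits above the existing `if load is False:` test, so on a master with revocation disabled a request that fails `__verify_load` reaches `load['id']` with `load` set to `False` and raises instead of being rejected quietly; the option check belongs after the `load is False` guard. The denied branch ends in `return load`, which hands back the verified payload although the docstring says the method returns False when the key was not revoked; `return False` keeps that contract. The fallback in `self.opts.get('allow_minion_key_revoke', False)` also disagrees with the `True` default this commit adds to `DEFAULT_MASTER_OPTS`, so an opts dict lacking the key would silently refuse revocation; `self.opts.get('allow_minion_key_revoke', True)` keeps the two in step. The method body starts and ends outside this hunk.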
@ -83,14 +83,14 @@ in the ``docker-registries`` Pillar key, as well as any key ending in
|
||||
username: foo
|
||||
password: s3cr3t
|
||||
|
||||
To login to the configured registries, use the :py:func:`docker.login
|
||||
<salt.modules.dockermod.login>` function. This only needs to be done once for a
|
||||
To login to the configured registries, use the :py:func:`dockerng.login
|
||||
<salt.modules.dockerng.login>` function. This only needs to be done once for a
|
||||
given registry, and it will store/update the credentials in
|
||||
``~/.docker/config.json``.
|
||||
|
||||
.. note::
|
||||
For Salt releases before 2016.3.7 and 2016.11.4, :py:func:`docker.login
|
||||
<salt.modules.dockermod.login>` is not available. Instead, Salt will try to
|
||||
For Salt releases before 2016.3.7 and 2016.11.4, :py:func:`dockerng.login
|
||||
<salt.modules.dockerng.login>` is not available. Instead, Salt will try to
|
||||
authenticate using each of your configured registries for each push/pull,
|
||||
behavior which is not correct and has been resolved in newer releases.
|
||||
|
||||
@ -921,9 +921,9 @@ def login(*registries):
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
salt myminion docker.login
|
||||
salt myminion docker.login hub
|
||||
salt myminion docker.login hub https://mydomain.tld/registry/
|
||||
salt myminion dockerng.login
|
||||
salt myminion dockerng.login hub
|
||||
salt myminion dockerng.login hub https://mydomain.tld/registry/
|
||||
'''
|
||||
# NOTE: This function uses the "docker login" CLI command so that login
|
||||
# information is added to the config.json, since docker-py isn't designed
|
||||
|