Salt 2015.8.4 Release Notes

Known Issues

in_ requisites (issue 30820)

This issue affects all users targeting an explicit - name: <name> with a _in requisite (such as watch_in or require_in). If you are not using explicit - name: <name> arguments, are targeting with the state ID instead of the name, or are not using _in requisites, then you should be safe to upgrade to 2015.8.4.

This issue is resolved in the 2015.8.5 release.

Security Fix

CVE-2016-1866: Improper handling of clear messages on the minion, which could result in executing commands not sent by the master.

This issue affects only the 2015.8.x releases of Salt. In order for an attacker to use this attack vector, they would have to execute a successful attack on an existing TCP connection between minion and master on the pub port. It does not allow an external attacker to obtain the shared secret or decrypt any encrypted traffic between minion and master. Thank you to Sebastian Krahmer <krahmer@suse.com> for bringing this issue to our attention.

We recommend everyone upgrade to 2015.8.4 as soon as possible.

Core Changes

  • PR #28994: timcharper Salt S3 module has learned how to assume IAM roles

  • Added option mock=True for state.sls and state.highstate. This allows the salt state compiler to process sls data in a state run without actually calling the state functions, thus providing feedback on the validity of the arguments used for the functions beyond the preprocessing validation provided by state.show_sls (issue 30118 and issue 30189).

    salt '*' state.sls core,edit.vim mock=True
    salt '*' state.highstate mock=True
    salt '*' state.apply edit.vim mock=True
    

Changes for v2015.8.3..v2015.8.4

Extended changelog courtesy of Todd Stansell (https://github.com/tjstansell/salt-changelogs):

Generated at: 2016-01-25T17:48:35Z

Total Merges: 320

Changes:

  • PR #30613: (basepi) Fix minion/syndic clearfuncs
  • PR #30609: (seanjnkns) Fix documentation for pillar_merge_lists which default is False, not …
  • PR #30584: (julianbrost) file.line state: add missing colon in docstring
  • PR #30589: (terminalmage) Merge 2015.5 into 2015.8
  • PR #30599: (multani) Documentation formatting fixes
  • PR #30554: (rallytime) Make the salt-cloud actions output more verbose and helpful
  • PR #30549: (techhat) Salt Virt cleanup
  • PR #30553: (techhat) AWS: Support 17-character IDs
  • PR #30532: (whiteinge) Add execution module for working in sls files
  • PR #30529: (terminalmage) Merge 2015.5 into 2015.8
  • PR #30526: (twangboy) Added FlushKey to make sure it's changes are saved to disk
  • PR #30521: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8
  • PR #30485: (jtand) Updated pip_state to work with pip 8.0 on 2015.8
  • PR #30494: (isbm) Zypper: info_installed — 'errors' flag change to type 'boolean'
  • PR #30506: (jacksontj) Properly remove newlines after reading the file
  • PR #30508: (rallytime) Fix Linode driver cloning functionality
  • PR #30522: (terminalmage) Update git.list_worktree tests to reflect new return data
  • PR #30483: (borgstrom) Pyobjects recursive import support (for 2015.8)
  • PR #30491: (jacksontj) Add multi-IP support to network state
  • PR #30496: (anlutro) Fix KeyError when adding ignored pillars
  • PR #30359: (kingsquirrel152) Removes suspected copy/paste error for zmq_filtering functionailty
  • PR #30448: (cournape) Fix osx scripts location
  • PR #30457: (rallytime) Remove fsutils references from modules list
  • PR #30453: (rallytime) Make sure private AND public IPs are listed for Linode driver
  • PR #30458: (rallytime) Back-port #30062 to 2015.8
  • PR #30468: (timcharper) make note of s3 role assumption in upcoming changelog
  • PR #30470: (whiteinge) Add example of the match_dict format to accept_dict wheel function
  • PR #30450: (gtmanfred) fix extension loading in novaclient
  • PR #30212: (abednarik) Fix incorrect file permissions in file.line
  • PR #29947: (jfindlay) fileclient: decode file list from master
  • PR #30363: (terminalmage) Use native "list" subcommand to list git worktrees
  • PR #30445: (jtand) Boto uses False for is_default instead of None
  • PR #30406: (frioux) Add an example of how to use file.managed/check_cmd
  • PR #30424: (isbm) Check if byte strings are properly encoded in UTF-8
  • PR #30405: (jtand) Updated glusterfs.py for python2.6 compatibility.
  • PR #30396: (pass-by-value) Remove hardcoded val
  • PR #30391: (jtand) Added else statements
  • PR #30375: (rallytime) Wrap formatted log statements with six.u() in cloud/__init__.py
  • PR #30384: (isbm) Bugfix: info_available does not work correctly on SLE 11 series
  • PR #30376: (pritambaral) Fix FLO_DIR path in 2015.8
  • PR #30389: (jtand) Older versions of ipset don't support comments
  • PR #30373: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8
  • PR #30372: (jacobhammons) Updated man pages for 2015.8.4, updated copyright to 2016
  • PR #30370: (rallytime) Remove incomplete function
  • PR #30366: (rallytime) Back-port #28702 to 2015.8
  • PR #30361: (cro) Flip the sense of the test for proxymodule imports, add more fns for esxi proxy
  • PR #30267: (isbm) Fix RPM issues with the date/time and add package attributes filtering
  • PR #30360: (jfindlay) file.remove, file.absent: mention recursive dir removal
  • PR #30221: (mbarrien) No rolcatupdate for user_exist in Postgres>=9.5 #26845
  • PR #30358: (terminalmage) Add libgit2 version to versions-report
  • PR #30346: (pass-by-value) Prevent orphaned volumes
  • PR #30349: (rallytime) Back-port #30347 to 2015.8
  • PR #30354: (anlutro) Make sure all ignore_missing SLSes are caught
  • PR #30356: (nmadhok) Adding code author
  • PR #30340: (jtand) Updated seed_test.py for changes made to seed module
  • PR #30339: (jfindlay) Backport #26511
  • PR #30343: (rallytime) Fix 2015.8 from incomplete back-port
  • PR #30342: (eliasp) Correct whitespace placement in error message
  • PR #30308: (rallytime) Back-port #30257 to 2015.8
  • PR #30187: (rallytime) Back-port #27606 to 2015.8
  • PR #30223: (serge-p) adding support for DragonFly BSD
  • PR #30238: (rallytime) Reinit crypto before calling RSA.generate when generating keys.
  • PR #30246: (dmacvicar) Add missing return data to scheduled jobs (#24237)
  • PR #30292: (thegoodduke) ipset: fix test=true & add comment for every entry
  • PR #30275: (abednarik) Add permanent argument in firewalld.
  • PR #30328: (cachedout) Fix file test
  • PR #30310: (pass-by-value) Empty bucket fix
  • PR #30211: (techhat) Execute choot on the correct path
  • PR #30309: (rallytime) Back-port #30304 to 2015.8
  • PR #30278: (nmadhok) If datacenter is specified in the config, then look for managed objects under it
  • PR #30305: (jacobhammons) Changed examples to use the "example.com" domain instead of "mycompan…
  • PR #30249: (mpreziuso) Fixes performance and timeout issues on win_pkg.install
  • PR #30217: (pass-by-value) Make sure cloud actions can be called via salt run
  • PR #30268: (terminalmage) Optimize file_tree ext_pillar and update file.managed to allow for binary contents
  • PR #30245: (rallytime) Boto secgroup/iam_role: Add note stating us-east-1 is default region
  • PR #30299: (rallytime) ESXi Proxy minions states are located at salt.states.esxi, not vsphere.
  • PR #30202: (opdude) Fixed the periodic call to beacons
  • PR #30303: (jacobhammons) Changed notes to indicate that functions are matched using regular ex…
  • PR #30284: (terminalmage) salt.utils.gitfs: Fix Dulwich env detection and submodule handling
  • PR #30280: (jfindlay) add state mocking to release notes
  • PR #30273: (rallytime) Back-port #30121 to 2015.8
  • PR #30301: (cachedout) Accept whatever comes into hightstate mock for state tests
  • PR #30282: (cachedout) Fix file.append logic
  • PR #30289: (cro) Fix problems with targeting proxies by grains
  • PR #30293: (cro) Ensure we don't log stuff we shouldn't
  • PR #30279: (cachedout) Allow modules to be packed into boto utils
  • PR #30186: (rallytime) Update CLI Examples in boto_ec2 module to reflect correct arg/kwarg positioning
  • PR #30156: (abednarik) Add option in file.append to ignore_whitespace.
  • PR #30189: (rallytime) Back-port #30185 to 2015.8
  • PR #30215: (jacobhammons) Assorted doc bug fixes
  • PR #30206: (cachedout) Revert "Fix incorrect file permissions in file.line"
  • PR #30190: (jacobhammons) Updated doc site banners
  • PR #30180: (jfindlay) modules.x509._dec2hex: add fmt index for 2.6 compat
  • PR #30179: (terminalmage) Backport #26962 to 2015.8 branch
  • PR #29693: (abednarik) Handle missing source file in ssh_auth.
  • PR #30155: (rallytime) Update boto_secgroup and boto_iam_role docs to only use region OR profile
  • PR #30158: (rallytime) Move _option(value) calls to __salt__['config.option'] in boto utils
  • PR #30160: (dmurphy18) Fix parsing disk usage for line with no number and AIX values in Kilos
  • PR #30162: (rallytime) Update list_present and append grains state function docs to be more clear.
  • PR #30163: (rallytime) Add warning about using "=" in file.line function
  • PR #30164: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8
  • PR #30168: (abednarik) Fix incorrect file permissions in file.line
  • PR #30154: (Oro) Fix file serialize on windows
  • PR #30144: (rallytime) Added generic ESXCLI command ability to ESXi Proxy Minion
  • PR #30142: (terminalmage) Fix dockerng.push, and allow for multiple images
  • PR #30075: (joejulian) Convert glusterfs module to use xml
  • PR #30129: (optix2000) Clean up _uptodate() in git state
  • PR #30139: (rallytime) Back-port #29589 to 2015.8
  • PR #30124: (abednarik) Update regex to detect ip alias in OpenBSD.
  • PR #30133: (stanislavb) Fix typo in gpgkey URL
  • PR #30126: (stanislavb) Log S3 API error message
  • PR #30128: (oeuftete) Log retryable transport errors as warnings
  • PR #30096: (cachedout) Add rm_special to crontab module
  • PR #30106: (techhat) Ensure last dir
  • PR #30101: (gtmanfred) fix bug where nova driver exits with no adminPass
  • PR #30090: (techhat) Add argument to isdir()
  • PR #30094: (rallytime) Fix doc formatting for cloud.create example in module.py state
  • PR #30095: (rallytime) Add the list_nodes_select function to linode driver
  • PR #30082: (abednarik) Fixed saltversioninfo grain return
  • PR #30084: (rallytime) Back-port #29987 to 2015.8
  • PR #30071: (rallytime) Merge branch '2015.5' into '2015.8'
  • PR #30067: (ryan-lane) Pass in kwargs to boto_secgroup.convert_to_group_ids explicitly
  • PR #30069: (techhat) Ensure that pki_dir exists
  • PR #30064: (rallytime) Add Syndic documentation to miscellaneous Salt Cloud config options
  • PR #30049: (rallytime) Add some more unit tests for the vsphere execution module
  • PR #30060: (rallytime) Back-port #27104 to 2015.8
  • PR #30048: (jacobhammons) Remove internal APIs from rest_cherrypy docs.
  • PR #30043: (rallytime) Be explicit about importing from salt.utils.jinja to avoid circular imports
  • PR #30038: (rallytime) Back-port #30017 to 2015.8
  • PR #30036: (rallytime) Back-port #29995 to 2015.8
  • PR #30035: (rallytime) Back-port #29895 to 2015.8
  • PR #30034: (rallytime) Back-port #29893 to 2015.8
  • PR #30033: (rallytime) Back-port #29876 to 2015.8
  • PR #30029: (terminalmage) git.latest: Fix handling of nonexistent branches
  • PR #30016: (anlutro) Properly normalize locales in locale.gen_locale
  • PR #30015: (anlutro) locale module: don't escape the slash in \n
  • PR #30022: (gqgunhed) Two minor typos fixed
  • PR #30026: (anlutro) states.at: fix wrong variable being used
  • PR #29966: (multani) Fix bigip state/module documentation + serializers documentation
  • PR #29904: (twangboy) Improvements to osx packaging scripts
  • PR #29950: (multani) boto_iam: fix deletion of IAM users when using delete_keys=true
  • PR #29937: (multani) Fix states.boto_iam group users
  • PR #29934: (multani) Fix state.boto_iam virtual name
  • PR #29943: (cachedout) Check args correctly in boto_rds
  • PR #29924: (gqgunhed) fixed: uptime now working on non-US Windows
  • PR #29883: (serge-p) fix for nfs mounts in _active_mounts_openbsd()
  • PR #29894: (techhat) Support Saltfile in SPM
  • PR #29856: (rallytime) Added some initial unit tests for the salt.modules.vsphere.py file
  • PR #29855: (rallytime) Back-port #29740 to 2015.8
  • PR #29890: (multani) Various documentation fixes
  • PR #29850: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8
  • PR #29811: (anlutro) influxdb: add retention policy module functions
  • PR #29814: (basepi) [2015.8][Windows] Fix multi-master on windows
  • PR #29819: (rallytime) Add esxi module and state to docs build
  • PR #29832: (jleimbach) Fixed typo in order to use the keyboard module for RHEL without systemd
  • PR #29803: (rallytime) Add vSphere module to doc ref module tree
  • PR #29767: (abednarik) Hosts file update in mod_hostname.
  • PR #29772: (terminalmage) pygit2: skip submodules when traversing tree
  • PR #29765: (gtmanfred) allow nova driver to be boot from volume
  • PR #29773: (l2ol33rt) Append missing wget in debian installation guide
  • PR #29800: (rallytime) Back-port #29769 to 2015.8
  • PR #29775: (paulnivin) Change listen requisite resolution from name to ID declaration
  • PR #29754: (rallytime) Back-port #29719 to 2015.8
  • PR #29713: (The-Loeki) Pillar-based cloud providers still forcing use of deprecated 'provider'
  • PR #29729: (rallytime) Further clarifications on "unless" and "onlyif" requisites.
  • PR #29737: (akissa) fix pillar sqlite3 documentation examples
  • PR #29743: (akissa) fix pillar sqlite not honouring config options
  • PR #29723: (rallytime) Clarify db_user and db_password kwargs for postgres_user.present state function
  • PR #29722: (rallytime) Link "stateful" kwargs to definition of what "stateful" means for cmd state.
  • PR #29724: (rallytime) Add examples of using multiple matching levels to Pillar docs
  • PR #29726: (cachedout) Disable some boto tests per resolution of moto issue
  • PR #29708: (lagesag) Fix test=True for file.directory with recurse ignore_files/ignore_dirs.
  • PR #29642: (cachedout) Correctly restart deamonized minions on failure
  • PR #29599: (cachedout) Clean up minion shutdown
  • PR #29675: (clinta) allow returning all refs
  • PR #29683: (rallytime) Catch more specific error to pass the error message through elegantly.
  • PR #29687: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8
  • PR #29681: (clinta) fix bare/mirror in git.latest
  • PR #29644: (rallytime) Fixed a couple more ESXi proxy minion bugs
  • PR #29645: (rallytime) Back-port #29558 to 2015.8
  • PR #29632: (jfindlay) reduce severity of tls module __virtual__ logging
  • PR #29606: (abednarik) Fixed duplicate mtu entry in RedHat 7 network configuration.
  • PR #29613: (rallytime) Various ESXi Proxy Minion Bug Fixes
  • PR #29628: (DmitryKuzmenko) Don't create io_loop before fork
  • PR #29609: (basepi) [2015.8][salt-ssh] Add ability to set salt-ssh command umask in roster
  • PR #29603: (basepi) Fix orchestration failure-checking
  • PR #29597: (terminalmage) dockerng: Prevent exception when API response contains empty dictionary
  • PR #29596: (rallytime) Back-port #29587 to 2015.8
  • PR #29588: (rallytime) Added ESXi Proxy Minion Tutorial
  • PR #29572: (gtmanfred) [nova] use old discover_extensions if available
  • PR #29545: (terminalmage) git.latest: init submodules if not yet initialized
  • PR #29548: (rallytime) Back-port #29449 to 2015.8
  • PR #29547: (rallytime) Refactored ESXCLI-based functions to accept a list of esxi_hosts
  • PR #29563: (anlutro) Fix a call to deprecated method in python-influxdb
  • PR #29565: (bdrung) Fix typos and missing release note
  • PR #29540: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8
  • PR #29499: (rallytime) Initial commit of ESXi Proxy Minion
  • PR #29526: (jfindlay) 2015.8.2 notes: add note about not being released
  • PR #29531: (jfindlay) grains.core: handle undefined variable
  • PR #29538: (basepi) [2015.8] [salt-ssh] Remove umask around actual execution for salt-ssh
  • PR #29505: (rallytime) Update boto_rds state docs to include funky yaml syntax for "tags" option.
  • PR #29513: (bdrung) Drop obsolete syslog.target from systemd services
  • PR #29500: (rallytime) Back-port #29467 to 2015.8
  • PR #29463: (abednarik) Add **kwargs to debconf.set.
  • PR #29399: (jfindlay) modules.status: add human_readable option to uptime
  • PR #29433: (cro) Files for building .pkg files for MacOS X
  • PR #29455: (jfindlay) modules.nova.__init__: do not return None
  • PR #29454: (jfindlay) rh_service module __virtual__ return error messages
  • PR #29476: (tbaker57) Doc fix - route_table_present needs subnet_names (not subnets) as a key
  • PR #29487: (rallytime) Back-port #29450 to 2015.8
  • PR #29441: (rallytime) Make sure docs line up with blade_idrac function specs
  • PR #29440: (rallytime) Back-port #28925 to 2015.8
  • PR #29435: (galet) Grains return wrong OS version and other OS related values for Oracle Linux
  • PR #29430: (rall0r) Fix host.present state limitation
  • PR #29417: (jacobhammons) Repo install updates
  • PR #29402: (techhat) Add rate limiting to linode
  • PR #29400: (twangboy) Fix #19332
  • PR #29398: (cachedout) Lint 29288
  • PR #29331: (DmitryKuzmenko) Bugfix - #29116 raet dns error
  • PR #29390: (jacobhammons) updated version numbers in documentation
  • PR #29381: (nmadhok) No need to deepcopy since six.iterkeys() creates a copy
  • PR #29349: (cro) Fix mis-setting chassis names
  • PR #29334: (rallytime) Back-port #29237 to 2015.8
  • PR #29300: (ticosax) [dockerng] Add support for volume management in dockerng
  • PR #29218: (clan) check service enable state in test mode
  • PR #29315: (jfindlay) dev tutorial doc: fix markup errors
  • PR #29317: (basepi) [2015.8] Merge forward from 2015.5 to 2015.8
  • PR #29240: (clan) handle acl_type [[d]efault:][user|group|mask|other]
  • PR #29305: (lorengordon) Add 'file' as a source_hash proto
  • PR #29272: (jfindlay) win_status module: handle 12 hour time in uptime
  • PR #29289: (terminalmage) file.managed: Allow local file sources to use source_hash
  • PR #29264: (anlutro) Prevent ssh_auth.absent from running when test=True
  • PR #29277: (terminalmage) Update git_pillar runner to support new git ext_pillar config schema
  • PR #29283: (cachedout) Single-quotes and use format
  • PR #29139: (thomaso-mirodin) [salt-ssh] Add a range roster and range targeting options for the flat roster
  • PR #29282: (cachedout) dev docs: add development tutorial
  • PR #28994: (timcharper) add support to s3 for aws role assumption
  • PR #29278: (techhat) Add verify_log to SPM
  • PR #29067: (jacksontj) Fix infinite recursion in state compiler for prereq of SLSs
  • PR #29207: (jfindlay) do not shadow ret function argument
  • PR #29215: (rallytime) Back-port #29192 to 2015.8
  • PR #29217: (clan) show duration only if state_output_profile is False
  • PR #29221: (ticosax) [dokcerng] Docu network mode
  • PR #29269: (jfindlay) win_status module: fix function names in docs
  • PR #29213: (rallytime) Move _wait_for_task func from vmware cloud to vmware utils
  • PR #29271: (techhat) Pass full path for digest (SPM)
  • PR #29244: (isbm) List products consistently across all SLES systems
  • PR #29255: (garethgreenaway) fixes to consul module
  • PR #29208: (whytewolf) Glance more profile errors
  • PR #29200: (jfindlay) mount state: unmount by device is optional
  • PR #29205: (trevor-h) Fixes #29187 - using winrm on EC2
  • PR #29170: (cachedout) Migrate pydsl tests to integration test suite
  • PR #29198: (jfindlay) rh_ip module: only set the mtu once
  • PR #29135: (jfindlay) ssh_known_hosts.present state: catch not found exc
  • PR #29196: (s0undt3ch) We need novaclient imported to compare versions
  • PR #29059: (terminalmage) Work around upstream pygit2 bug
  • PR #29112: (eliasp) Prevent backtrace (KeyError) in ssh_known_hosts.present state
  • PR #29178: (whytewolf) Profile not being passed to keystone.endpoint_get in _auth. so if a p…