Salt 2016.11.0 Release Notes - Codename Carbon#
New Features#
Docker Introspection and Configuration#
Major additions have been made to the Docker support in 2016.11.0. The new addition allows Salt to be executed within a Docker container without a minion running or installed in the container. This allows states to be run inside a container, but also all of Salt's remote execution commands to be run inside docker containers as well. This makes container introspection simple and powerful. See the tutorial on using this new feature here:
Advanced Ceph Control#
Our friends over at SUSE have delivered a powerful new tool to make the deployment of Ceph storage systems using Salt very easy. These new Ceph tools allow for a storage system to be easily defined using the new ceph.quorum state.
Thorium Additions and Improvements#
The Thorium advanced reactor has undergone extensive testing and updates. These updates include many more Thorium states, a system for automating key management, the ability to use Thorium to easily replace old reactors and a great deal of stability and bug fixes.
State Rollback Using Snapper#
Rollback has been one of the most prevalent requests for Salt. We have researched it extensively and concluded that the only way to accomplish truly reliable rollback would be to execute it at the filesystem layer. To accomplish this we have introduced Snapper integration into Salt States.
Snapper is a tool which allows for simple and reliable snapshots of the filesystem to be made. With the new snapper_states option set to True in the minion config a snapshot will be made before and after every Salt State run.
These snapshots can be viewed, managed and rolled back to via the snapper execution module.
Preserve File Perms in File States#
This feature has been requested for years, the ability to set a flag and use the same file permissions for files deployed to a minion as the permissions set to the file on the master. Just set the keep_mode option on any file management state to True.
Ponies!#
We all agreed that cowsay was just not good enough, install the ponysay command and the new pony outputter will work. Fun for the whole family!
Additional Features#
Minions can run in stand-alone mode to use beacons and engines without having to connect to a master. (Thanks @adelcast!)
Added a
saltrunner to allow running salt modules via salt-run.salt-run salt.cmd test.ping # call functions with arguments and keyword arguments salt-run salt.cmd test.arg 1 2 3 a=1
Added SSL support to Cassandra CQL returner. SSL can be enabled by setting
ssl_optionsfor the returner. Also added support for specifyingprotocol_versionwhen establishing cluster connection.The
modeparameter in thefile.managedstate, and thefile_modeparameter in thefile.recursestate, can both now be set tokeepand the minion will keep the mode of the file from the Salt fileserver. This works only with files coming from sources prefixed withsalt://, or files local to the minion (i.e. those which are absolute paths, or are prefixed withfile://). For example:/etc/myapp/myapp.conf: file.managed: - source: salt://conf/myapp/myapp.conf - mode: keep /var/www/myapp: file.recurse: - source: salt://path/to/myapp - dir_mode: 755 - file_mode: keep
The
junosstate module is now available. It has all the functions that are present in thejunosexecution module.The
junosstate module is now available. It has all the functions that are present in thejunosexecution module.The minion data cache is a pluggable data store now. It's configurable with
cacheoption. Default islocalfs.User names in
client_aclsupport glob matching now.
New Top File Merging Strategy for States#
A new strategy called merge_all has been added to provide a new way of
merging top file matches when executing a highstate.
See the top_file_merging_strategy documentation for further
information.
In addition, the same merging strategy was not functioning as documented.
This has now been corrected. While this is technically a bugfix, we decided to
hold a change in top file merging until a feature release to minimize user
impact.
Improved Archive Extraction Support#
The archive.extracted state has been
overhauled. Notable changes include the following:
When enforcing ownership (with the
userand/orgrouparguments), theif_missingargument no longer has any connection to which path(s) have ownership enforced. Instead, the paths are determined using the either the newly-addedarchive.listfunction, or the newly-addedenforce_ownership_onargument.if_missingalso is no longer required to skip extraction, as Salt is now able to tell which paths would be present if the archive were extracted. It should, in most cases, only be necessary in cases where a semaphore file is used to conditionally skip extraction of the archive.Password-protected ZIP archives are now detected before extraction, and the state fails without attempting to extract the archive if no password was specified.
By default, a single top-level directory is enforced, to guard against 'tar-bombs'. This enforcement can be disabled by setting
enforce_topleveltoFalse.The
tar_optionsandzip_optionsarguments have been deprecated in favor of a singleoptionsargument.The
archive_formatargument is now optional. The ending of thesourceargument is used to guess whether it is a tar, zip or rar file. If thearchive_formatcannot be guessed, then it will need to be specified, but in many cases it can now be omitted.Ownership enforcement is now performed irrespective of whether or not the archive needed to be extracted. This means that the state can be re-run after the archive has been fully extracted to repair changes to ownership.
A number of new arguments were also added. See the docs py:func:docs for the archive.extracted state <salt.states.archive.extracted> for more information.
Additionally, the following changes have been made to the archive execution module:
A new function (
archive.list) has been added. This function lists the files/directories in an archive file, and supports averboseargument that gives a more detailed breakdown of which paths are files, which are directories, and which paths are at the top level of the archive.A new function (
archive.is_encrypted) has been added. This function will returnTrueif the archive is a password-protected ZIP file,Falseif not. If the archive is not a ZIP file, an error will be raised.archive.cmd_unzipnow supports passing a password, bringing it to feature parity witharchive.unzip. Note that this is still not considered to be secure, andarchive.unzipis recommended for dealing with password-protected ZIP archives.The default value for the
extract_permsargument toarchive.unziphas been changed toTrue.
Improved Checksum Handling in file.managed, archive.extracted States#
When the source_hash argument for these states refers to a file containing
checksums, Salt now looks for checksums matching the name of the source URI, as
well as the file being managed. Prior releases only looked for checksums
matching the filename being managed. Additionally, a new argument
(source_hash_name) has been added, which allows the user to disambiguate
ambiguous matches when more than one matching checksum is found in the
source_hash file.
A more detailed explanation of this functionality can be found in the
file.managed documentation, in the
section for the new source_hash_name argument.
Note
This improved functionality is also available in the 2016.3 (Boron)
release cycle, starting with the 2016.3.5 release.
Config Changes#
The following default config values were changed:
gitfs_ssl_verify: Changed fromFalsetoTruegit_pillar_ssl_verify: Changed fromFalsetoTruewinrepo_ssl_verify: Changed fromFalsetoTrue
Grains Changes#
All core grains containing
VMWarehave been changed toVMware, which is the official capitalization. Additionally, all references toVMWarein the documentation have been changed toVMwareissue 30807. Environments using versions of Salt before and after Salt 2016.11.0 should employ case-insensitive grain matching on these grains.{% set on_vmware = grains['virtual'].lower() == 'vmware' %}
On Windows the
cpu_modelgrain has been changed to provide the actual cpu model name and not the cpu family.Old behavior:
root@master:~# salt 'testwin200' grains.item cpu_model testwin200: ---------- cpu_model: Intel64 Family 6 Model 58 Stepping 9, GenuineIntel
New behavior:
root@master:~# salt 'testwin200' grains.item cpu_model testwin200: ---------- cpu_model: Intel(R) Core(TM) i7-3520M CPU @ 2.90GHz
Beacons Changes#
The
loadavgbeacon now outputs averages as integers instead of strings. (Via issue 31124.)
Runner Changes#
Runners can now call out to utility modules via
__utils__.ref:Utility modules <writing-utility-modules> (placed in
salt://_utils/) are now able to be synced to the master, making it easier to use them in custom runners. Asaltutil.sync_utilsfunction has been added to thesaltutil runnerto facilitate the syncing of utility modules to the master.
Pillar Changes#
Thanks to the new
saltutil.sync_utilsrunner, it is now easier to get ref:utility modules <writing-utility-modules> synced to the correct location on the Master so that they are available in execution modules called from Pillar SLS files.
Junos Module Changes#
The following new functionalities were added to the junos module
facts - Displays the facts gathered during the connection.
shutdown - Shut down or reboot a device running Junos OS.
install_config - Modify the configuration of a Junos device.
install_os - Install Junos OS software package.
zeroize - Remove all configuration information on the Routing Engines and reset all key values on a device.
file_copy - Copy file from proxy to the Junos device.
Network Automation: NAPALM#
Beginning with 2016.11.0, network automation is included by default in the core of Salt. It is based on a the NAPALM library and provides facilities to manage the configuration and retrieve data from network devices running widely used operating systems such: JunOS, IOS-XR, eOS, IOS, NX-OS etc.
The connection is established via the NAPALM proxy.
In the current release, the following modules were included:
NAPALM grains- Select network devices based on their characteristicsNET execution module- Networking basic features
Cisco NXOS Proxy Minion#
Beginning with 2016.11.0, there is a proxy minion that can be used to configure nxos cisco devices over ssh.
Proxy MinionState Module
Cisco Network Services Orchestrator Proxy Minion#
Beginning with 2016.11.0, there is a proxy minion to use the Cisco Network Services Orchestrator as a proxy minion.
Proxy MinionExecution ModuleState Module
Junos Module Changes#
The following new functionalities were added to the junos module
facts - Displays the facts gathered during the connection.
shutdown - Shut down or reboot a device running Junos OS.
install_config - Modify the configuration of a Junos device.
install_os - Install Junos OS software package.
zeroize - Remove all configuration information on the Routing Engines and reset all key values on a device.
file_copy - Copy file from proxy to the Junos device.
Returner Changes#
Any returner which implements a save_load function is now required to accept a minions keyword argument. All returners which ship with Salt have been modified to do so.
Renderer Changes#
Added the ability to restrict allowed renderers. Two new config parameters,
renderer_whitelist and renderer_blacklist are
introduced for this purpose.
eAuth Changes#
External auth modules'
authmethod can return an ACL list for the given username instead ofTrue. This list should be in the same format as described in the eAuth documentation. It will be used for the user instead of one set in master config.Example of the
authmethod return that allows a user to execute functions in thetestandnetworkmodules on the minions that match theweb*target and allow access towheelandrunnermodules:[{"web*": ["test.*", "network.*"]}, "@wheel", "@runner"]
External auth is supported by salt-run and salt-key now. Note that master must be started to use them with eAuth.
External Module Packaging#
Modules may now be packaged via entry-points in setuptools. See external module packaging tutorial for more information.
Functionality Changes#
The
onfailrequisite now uses OR logic instead of AND logic. issue 22370The consul external pillar now strips leading and trailing whitespace. issue 31165
The win_system.py state is now case sensitive for computer names. Previously computer names set with a state were converted to all caps. If you have a state setting computer names with lower case letters in the name that has been applied, the computer name will be changed again to apply the case sensitive name.
The
mac_user.list_groupsfunction in themac_userexecution module now lists all groups for the specified user, including groups beginning with an underscore. In previous releases, groups beginning with an underscore were excluded from the list of groups.The
junos.call_rpcfunction in thejunosexecution module can now be used to call any valid rpc. Earlier it used to call only "get_software_information".A new option for minions called
master_trieshas been added. This specifies the number of times a minion should attempt to contact a master to attempt a connection. This allows better handling of occasional master downtime in a multi-master topology.The default hash_type is now sha256 instead of md5. You will need to make sure both your master and minion share the same hash_type.
Nodegroups consisting of a simple list of minion IDs can now also be declared as a yaml list. The below two examples are equivalent:
# Traditional way nodegroups: - group1: L@host1,host2,host3 # New way (optional) nodegroups: - group1: - host1 - host2 - host3
New Azure ARM Cloud Driver#
A new cloud driver has been added for Azure ARM, aka, the Azure Resource Manager. The older Azure driver is still required to work with the older Azure API. This new driver works with the newer ARM API, which is managed via the newer Azure Portal website.
New Modules#
Beacons#
salt.beacons.avahi_announcesalt.beacons.bonjour_announcesalt.beacons.haproxy
Clouds#
salt.cloud.clouds.azurearm
Engines#
salt.engines.hipchatsalt.engines.http_logstash
Modules#
salt.modules.boto_cloudwatch_eventsalt.modules.cephsalt.modules.influx08salt.modules.inspectlib.entitiessalt.modules.inspectlib.fsdbsalt.modules.inspectlib.kiwiprocsalt.modules.inspectorsalt.modules.libcloud_dnssalt.modules.openstack_mngsalt.modules.servicenowsalt.modules.testinframodsalt.modules.xbpspkg
Outputters#
salt.output.pony
Pillar#
salt.pillar.csvpillarsalt.pillar.http_jsonsalt.pillar.makostack
Returners#
salt.returners.zabbix_return
Runners#
salt.runners.smartos_vmadmsalt.runners.vistara
SDB#
States#
salt.states.boto_cloudwatch_eventsalt.states.csfsalt.states.ethtoolsalt.states.influxdb08_databasesalt.states.influxdb08_usersalt.states.libcloud_dnssalt.states.snappersalt.states.testinframod
Thorium#
Deprecations#
General Deprecations#
envtosaltenvAll occurrences of
envand some occurrences of__env__marked for deprecation in Salt 2016.11.0 have been removed. The new way to use the salt environment setting is with a variable calledsaltenv:def fcn(msg="", env="base", refresh=True, saltenv="base", **kwargs): ...
has been changed to
def fcn(msg="", refresh=True, saltenv="base", **kwargs): ...
If
env(or__env__) is supplied as a keyword argument to a function that also accepts arbitrary keyword arguments, then a new warning informs the user thatenvis no longer used if it is found. This new warning will be removed in Salt 2017.7.0.def fcn(msg="", refresh=True, saltenv="base", **kwargs): ...
# will result in a warning log message fcn(msg="add more salt", env="prod", refresh=False)
If
env(or__env__) is supplied as a keyword argument to a function that does not accept arbitrary keyword arguments, then python will issue an error.def fcn(msg="", refresh=True, saltenv="base"): ...
# will result in a python TypeError fcn(msg="add more salt", env="prod", refresh=False)
If
env(or__env__) is supplied as a positional argument to a function, then undefined behavior will occur, as the removal ofenvand__env__from the function's argument list changes the function's signature.def fcn(msg="", refresh=True, saltenv="base"): ...
# will result in refresh evaluating to True and saltenv likely not being a string at all fcn("add more salt", "prod", False)
Deprecations in
minion.py:The
salt.minion.parse_args_and_kwargsfunction has been removed. Please use thesalt.minion.load_args_and_kwargsfunction instead.
Cloud Deprecations#
The
vspherecloud driver has been removed. Please use thevmwarecloud driver instead.The
private_ipoption in thelinodecloud driver is deprecated and has been removed. Use theassign_private_ipoption instead.The
create_dns_recordanddelete_dns_recordfunctions are deprecated and have been removed from thedigital_oceandriver. Use thepost_dns_recordfunction instead.
Execution Module Deprecations#
The
blockdevexecution module had four functions removed:dump
tune
resize2fs
wipe
The
diskmodule should be used instead with the same function names.The
boto_vpcexecution module had two functions removed,boto_vpc.associate_new_dhcp_options_to_vpcandboto_vpc.associate_new_network_acl_to_subnetin favor of more concise function names,boto_vpc.create_dhcp_optionsandboto_vpc.create_network_acl, respectively.The
dataexecution module hadgetvalandgetvalsfunctions removed in favor of one function,get, which combines the functionality of the removed functions.File module deprecations:
The
contains_regex_multilinefunction was removed. Usefile.searchinstead.Additional command line options for
file.grepshould be passed one at a time. Please do not pass more than one in a single argument.
The
lxcexecution module has the following changes:The
run_cmdfunction was removed. Uselxc.runinstead.The
nicargument was removed from thelxc.initfunction. Usenetwork_profileinstead.The
cloneargument was removed from thelxc.initfunction. Useclone_frominstead.passwords passed to the
lxc.initfunction will be assumed to be hashed, unlesspassword_encrypted=False.The
restartargument forlxc.startwas removed. Uselxc.restartinstead.The old style of defining lxc containers has been removed. Please use keys under which LXC profiles should be configured such as
lxc.container_profile.profile_name.
The
envandactivatekeyword arguments have been removed from theinstallfunction in thepipexecution module. The use ofbin_envreplaces both of these options.regexecution moduleFunctions in the
regexecution module had misleading and confusing names for dealing with the Windows registry. They failed to clearly differentiate between hives, keys, and name/value pairs. Keys were treated like value names. There was no way to delete a key.New functions were added in 2015.5 to properly work with the registry. They also made it possible to edit key default values as well as delete an entire key tree recursively. With the new functions in place, the following functions have been deprecated:
read_key
set_key
create_key
delete_key
Use the following functions instead:
for
read_keyuseread_valuefor
set_keyuseset_valuefor
create_keyuseset_valuewith novnameand novdatafor
delete_keyusedelete_key_recursive. To delete a value, usedelete_value.
The
hash_hostnameoption was removed from thesalt.modules.sshexecution module. Thehash_known_hostsoption should be used instead.The
human_readableoption was removed from theuptimefunction in thestatusexecution module. The function was also updated in 2015.8.9 to return a more complete offering of uptime information, formatted as an easy-to-read dictionary. This updated function replaces the need for thehuman_readableoption.The
persistkwarg was removed from thewin_useraddexecution module. This option is no longer supported for Windows.persistis only supported as part of user management in UNIX/Linux.The
zpool_listfunction in thezpoolexecution module was removed. Uselistinstead.
Outputter Module Deprecations#
The
compactoutputter has been removed. Setstate_verbosetoFalseinstead.
Runner Module Deprecations#
The
grains.cacherunner no longer acceptsoutputterorminionas keyword arguments. Users will need to specify an outputter using the--outoption.tgtis replacing theminionkwarg.The
fileserverrunner no longer accepts theoutputterkeyword argument. Users will need to specify an outputter using the--outoption.The
jobsrunner no longer accepts theoutputterkeyword argument. Users will need to specify an outputter using the--outoption.virtrunner module:The
hyperkwarg was removed from theinit,list, andqueryfunctions. Use thehostoption instead.The
next_hyperfunction was removed. Use thenext_hostfunction instead.The
hyper_infofunction was removed. Use thehost_infofunction instead.
State Module Deprecations#
The
envandactivatekeyword arguments were removed from theinstalledfunction in thepipstate module. The use ofbin_envreplaces both of these options.regstate moduleThe
regstate module was modified to work with the new functions in the execution module. Some logic was left in thereg.presentand thereg.absentfunctions to handle existing state files that used the final key in the name as the value name. That logic has been removed so you now must specify value name (vname) and, if needed, value data (vdata).For example, a state file that adds the version value/data pair to the Software\Salt key in the HKEY_LOCAL_MACHINE hive used to look like this:
HKEY_LOCAL_MACHINE\\Software\\Salt\\version: reg.present: - value: 2016.3.1
Now it should look like this:
HKEY_LOCAL_MACHINE\\Software\\Salt reg.present: - vname: version - vdata: 2016.3.1
A state file for removing the same value added above would have looked like this:
HKEY_LOCAL_MACHINE\\Software\\Salt\\version: reg.absent:
Now it should look like this:
HKEY_LOCAL_MACHINE\\Software\\Salt reg.absent: - vname: version
This new structure is important as it allows salt to deal with key default values which was not possible before. If vname is not passed, salt will work with the default value for that hivekey.
Additionally, since you could only delete a value from a the state module, a new function (
key_absent) has been added to allow you to delete a registry key and all subkeys and name/value pairs recursively. It uses the newdelete_key_recursivefunction.For additional information see the documentation for the
regexecution and state modules.lxcstate module: The following functions were removed from thelxcstate module:created: replaced by thepresentstate.started: replaced by therunningstate.cloned: replaced by thepresentstate. Use theclone_fromargument to set the name of the clone source.
The
hash_hostnameoption was removed from thesalt.states.ssh_known_hostsstate. Thehash_known_hostsoption should be used instead.The
alwayskwarg used in thebuiltfunction of thepkgbuildstate module was removed. Useforceinstead.
Utils Module Deprecations#
The use of
jid_dirandjid_loadwere removed from thesalt.utils.jid.jid_dirfunctionality for job_cache management was moved to thelocal_cachereturner.jid_loaddata is now retrieved from themaster_job_cache.ip_in_subnetfunction insalt.utils.network.pyhas been removed. Use thein_subnetfunction instead.The
iamutils module had two functions removed:salt.utils.iam.get_iam_regionandsalt.utils.iam.get_iam_metadatain favor of the aws utils functionssalt.utils.aws.get_region_from_metadataandsalt.utils.aws.creds, respectively.