The 2015.5.0 feature release of Salt is focused on hardening Salt and mostly on improving existing systems. A few major additions are present, primarily the new Beacon system. Most enhancements have been focused around improving existing features and interfaces.
As usual the release notes are not exhaustive and primarily include the most notable additions and improvements. Hundreds of bugs have been fixed and many modules have been substantially updated and added.
In order to fix potential shell injection vulnerabilities in salt modules,
a change has been made to the various
cmd module functions. These
functions now default to
python_shell=False, which means that the
commands will not be sent to an actual shell.
The largest side effect of this change is that "shellisms", such as pipes,
will not work by default. The modules shipped with salt have been audited
to fix any issues that might have arisen from this change. Additionally,
cmd state module has been unaffected, and use of
jinja is also unaffected.
cmd.run calls on the CLI will also allow
However, custom execution modules which use shellisms in
will break, unless you pass
python_shell=True to these calls.
As a temporary workaround, you can set
cmd_safe: False in your minion
and master configs. This will revert the default, but is also less secure,
as it will allow shell injection vulnerabilities to be written in custom
code. We recommend you only set this setting for as long as it takes to
resolve these issues in your custom code, then remove the override.
Starting in this version of salt,
pillar_opts defaults to False instead
of True. This means that master opts will not be present in minion pillar,
and as a result,
config.get calls will not include master opts.
We recommend pillar is used for configuration options which need to make it to the minion.
The beacon system allows the minion to hook into system processes and
continually translate external events into the salt event bus. The primary
example of this is the
inotify beacon. This beacon uses
inotify to watch configured files or directories on the minion for changes,
creation, deletion etc.
This allows for the changes to be sent up to the master where the reactor can respond to changes.
It is now possible to run the minion as a non-root user and for the minion to execute commands via sudo. Simply add sudo_user: root to the minion config, run the minion as a non-root user and grant that user sudo rights to execute salt-call.
The Lazy Loader is a significant overhaul of Salt's module loader system. The Lazy Loader will lazily load modules on access instead of all on start. In addition to a major performance improvement, this "sandboxes" modules so a bad/broken import of a single module will only affect jobs that require accessing the broken module. (:issue: 20274)
The eauth system for LDAP has been extended to support Microsoft Active Directory out of the box. This includes Active Directory and LDAP group support for eauth.
The LXC systems have been overhauled to be more consistent and to fix many bugs.
This overhaul makes using LXC with Salt much easier and substantially improves the underlying capabilities of Salt's LXC integration.
Additional configuration options and command line flags have been added to configure the scan roster on the fly
Added support for
Added support for
Added support for
The new Windows installer changes how Salt is installed on Windows. The old installer used bbfreeze to create an isolated python environment to execute in. This made adding modules and python libraries difficult. The new installer sets up a more flexible python environment making it easy to manage the python install and add python modules.
Instead of frozen packages, a full python implementation resides in the bin
C:\salt\bin). By executing pip or easy_install from within the
Scripts directory (
C:\salt\bin\Scripts) you can install any additional
python modules you may need for your custom environment.
The .exe's that once resided at the root of the salt directory (
have been replaced by .bat files and should function the same way as the .exe's
in previous versions.
The new Windows Installer will not replace the minion config file and key if
they already exist on the target system. Only the salt program files will be
C:\salt\var will remain unchanged.
The hard dependency on the requests library has been removed. Requests is still required by a number of cloud modules but is no longer required for normal Salt operations.
This removal fixes issues that were introduced with requests and salt-ssh, as well as issues users experienced from the many different packaging methods used by requests package maintainers.
While Salt does not YET run on Python 3 it has been updated to INSTALL on Python 3, taking us one step closer. What remains is getting the test suite to the point where it can run on Python 3 so that we can verify compatibility.
The RAET support continues to improve. RAET now supports multi-master and many bugs and performance issues have been fixed. RAET is much closer to being a first class citizen.
A number of functions have been added to the RPM-based package managers to detect and diff files that are modified from the original package installs. This can be found in the new pkg.modified functions.
Fix an infinite recursion problem for runner/wheel reactor jobs by passing a "user" (Reactor) to all jobs that the reactor starts. The reactor skips all events created by that username -- thereby only reacting to events not caused by itself. Because of this, runner and wheel executions from the runner will have user "Reactor" in the job cache.
SDB driver for etcd. (:issue: 22043)
only_upgrade argument to apt-based
pkg.install to only install a
package version if the package is already installed. (Great for security
Joyent now requires a
keyname to be specified in the provider
configuration. This change was necessitated upstream by the 7.0+ API.
args argument to
cmd.script_retcode to match
cmd module. (:issue: 21122)
Fixed bug where TCP keepalive was not being sent on the defined interval on the return port (4506) from minion to master. (:issue: 21465)
LocalClient may now optionally raise SaltClientError exceptions. If using this class directly, checking for and handling this exception is recommended. (:issue: 21501)
The SAuth object is now a singleton, meaning authentication state is global (per master) on each minion. This reduces sign-ins of minions from 3->1 per startup.
Nested outputter has been optimized, it is now much faster.
Extensive fileserver backend updates.
parameter keyword argument from
runas parameter from the following
pip` execution module
upgrade. Please migrate to
runas parameter from the following
pip state module
uptodate . Please migrate to
quiet option from all functions in
cmdmod execution module.
parameter argument from
eselect.set_ state. Please migrate to
salt_events table schema has changed to include an additional field
master_id to distinguish between events flowing into a database
from multiple masters. If
event_return is enabled in the master config,
the database schema must first be updated to add the
This alteration can be accomplished as follows:
ALTER TABLE salt_events ADD master_id VARCHAR(255) NOT NULL;
In multi-master mode, a minion may become temporarily unresponsive if modules or pillars are refreshed at the same time that one or more masters are down. This can be worked around by setting 'auth_timeout' and 'auth_tries' down to shorter periods.