Correct TCP transport documentation regarding master-side filtering

Lukas Raska 2022-11-28 18:52:11 +01:00
parent d9d8627164
commit 95ccd20826
GPG key ID: F1B7995A140ECFF3
2 changed files with 12 additions and 3 deletions

changelog/63120.fixed Normal file

@ -0,0 +1 @@
TCP transport documentation now contains proper master/minion-side filtering information
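Review bot: the changelog entry only mentions the master/minion-side filtering fix, yet this commit also changes the TLS section of the same document (a `ciphers` example is added and setting it is now recommended); a short mention of the cipher guidance would let operators scanning release notes spot the security-relevant configuration advice. Minor: "proper master/minion-side filtering information" reads awkwardly; consider "TCP transport documentation now correctly describes which targeting types are filtered master-side versus minion-side".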


@ -46,7 +46,7 @@ The TCP transport allows for the master/minion communication to be optionally
wrapped in a TLS connection. Enabling this is simple, the master and minion need
to be using the tcp connection, then the `ssl` option is enabled. The `ssl`
option is passed as a dict and corresponds to the options passed to the
Python `ssl.wrap_socket <https://docs.python.org/3/library/ssl.html#ssl.wrap_socket>`
Python `ssl.wrap_socket <https://docs.python.org/3/library/ssl.html#ssl.wrap_socket>`_
function.
A simple setup looks like this, on the Salt Master add the `ssl` option to the
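Review bot: the added trailing underscore is the right fix for the RST external link, but the link target itself is stale: `ssl.wrap_socket` has been deprecated since Python 3.7 and is removed in Python 3.12, so the anchor will stop resolving on current docs and the "options passed to" description will no longer match any function. Consider pointing readers at `ssl.SSLContext.wrap_socket` and the corresponding `SSLContext` attributes instead, or at least stating which Python versions the keys of the `ssl` dict correspond to.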
@ -58,6 +58,7 @@ master configuration file:
keyfile: <path_to_keyfile>
certfile: <path_to_certfile>
ssl_version: PROTOCOL_TLSv1_2
ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
The minimal `ssl` option in the minion configuration file looks like this:
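Review bot: the example `ciphers` value mixes ECDHE-ECDSA and ECDHE-RSA suites, but only the suites matching the key type of the configured `certfile`/`keyfile` can actually be negotiated; with an RSA certificate, ECDHE-RSA-AES256-GCM-SHA384 is the only usable entry and the two ECDSA suites are dead weight. Suggest adding a sentence that the cipher list must match the deployed certificate's key type and that the handshake fails outright when no listed suite is usable. It is also worth noting next to `ssl_version: PROTOCOL_TLSv1_2` that an OpenSSL-style cipher string like this one governs TLS 1.2 and earlier only; TLS 1.3 ciphersuites are not selected through this setting, so readers should not expect it to restrict a TLS 1.3 session.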
@ -75,7 +76,8 @@ Specific options can be sent to the minion also, as defined in the Python
While setting the ssl_version is not required, we recommend it. Some older
versions of python do not support the latest TLS protocol and if this is
the case for your version of python we strongly recommend upgrading your
version of Python.
version of Python. Ciphers specification might be omitted, but strongly
recommended as otherwise all available ciphers will be enabled.
Crypto
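Review bot: the new sentence is ungrammatical ("Ciphers specification might be omitted, but strongly recommended as otherwise ...") and should read along the lines of "The `ciphers` option may be omitted, but setting it is strongly recommended; otherwise every cipher suite supported by the underlying OpenSSL build is enabled." While touching this paragraph, "some older versions of python do not support the latest TLS protocol" would be more actionable if it named the minimum Python version that provides `PROTOCOL_TLSv1_2`, and the paragraph should say that pinning `ssl_version` to `PROTOCOL_TLSv1_2` restricts the connection to exactly TLS 1.2, so TLS 1.3 is excluded rather than merely not required.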
@ -90,7 +92,13 @@ the remote end interprets as a one-way send.
.. note::
As of today we send all publishes to all minions and rely on minion-side filtering.
As of Salt `2016.3.0 <https://github.com/saltstack/salt/commit/1a395ed7a3e72eac87e81dfa072be9cf049453d3>`_, publishes using ``list`` targeting are sent only to relevant minions and not broadcasted.
As of Salt `3005 <https://github.com/saltstack/salt/commit/9db1af7147f7e6176e5f226cfedf1654ca038ec1>`_, publishes using ``pcre`` and ``glob`` targeting are also sent only to relevant minions and not broadcasted. Other targeting types are always sent to all minions and rely on minion-side filtering.
.. note::
Salt CLI defaults to ``glob`` targeting type, so in order to target specific minions without broadcast, you need to use `-L` option, such as ``salt -L my.minion test.ping``, for masters before 3005.
Request Server and Client
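Review bot: the updated note correctly lists which targeting types are filtered on the master, but the consequence for the remaining types is left implicit; since those publishes are sent to every connected minion and each minion decides locally whether the job applies to it, minion-side filtering is a routing optimisation rather than an access control, and a sentence saying so would help readers decide whether to prefer ``list``, ``glob`` or ``pcre`` targeting for sensitive jobs. Smaller points: "broadcasted" should be "broadcast" in both sentences; the `-L` in the second note uses single backticks where the rest of the file uses double backticks for literals (``-L``); and "for masters before 3005" reads better at the front of the sentence, e.g. "On masters older than 3005 the CLI's default ``glob`` targeting is broadcast, so use the ``-L`` option (``salt -L my.minion test.ping``) to target specific minions without a broadcast."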