Merge pull request #13570 from felskrone/sign_master_keys

Sign the master's pub-key
This commit is contained in:
Thomas S Hatch 2014-06-30 15:04:23 -06:00
commit eda36a01a3
23 changed files with 97675 additions and 88123 deletions


@ -1,2 +1,2 @@
doc/man/salt-api.1
doc/man/salt-api.7
#doc/man/salt-api.7


@ -3,7 +3,7 @@ Description=The Salt Master Server
After=syslog.target network.target
[Service]
Type=simple
Type=notify
ExecStart=/usr/bin/salt-master
[Install]
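Review bot: Switching the unit to `Type=notify` only works if the salt-master process itself sends `READY=1` over the systemd notification socket; if it does not, systemd will keep the unit in "activating" until TimeoutStartSec expires and then kill it, whereas `Type=simple` considers the service started as soon as the process is forked. I cannot see from this page whether the daemon gained an sd_notify call in the same change, so that should be confirmed before shipping the unit, and if it has not, the line should stay `Type=simple`. If the notification is sent from a child rather than the main process, `NotifyAccess=` also needs to be widened from its default.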


@ -11,5 +11,8 @@ script
# Read configuration variable file if it is present
[ -f /etc/default/$UPSTART_JOB ] && . /etc/default/$UPSTART_JOB
# Activate the virtualenv if defined
[ -f $SALT_USE_VIRTUALENV/bin/activate ] && . $SALT_USE_VIRTUALENV/bin/activate
exec salt-master
end script
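Review bot: The new virtualenv line tests and sources `$SALT_USE_VIRTUALENV/bin/activate` with the variable unquoted and without checking that it is set, so when /etc/default does not define it the test silently degenerates to `[ -f /bin/activate ]`, and a value containing whitespace is word-split by the shell. Proposed replacement for the added line: `[ -n "$SALT_USE_VIRTUALENV" ] && [ -f "$SALT_USE_VIRTUALENV/bin/activate" ] && . "$SALT_USE_VIRTUALENV/bin/activate"`. The same two added lines appear in the salt-minion and salt-syndic upstart sections below and should be changed the same way. The enclosing `script` block starts outside the hunk.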


@ -16,5 +16,8 @@ script
# Read configuration variable file if it is present
[ -f /etc/default/$UPSTART_JOB ] && . /etc/default/$UPSTART_JOB
# Activate the virtualenv if defined
[ -f $SALT_USE_VIRTUALENV/bin/activate ] && . $SALT_USE_VIRTUALENV/bin/activate
exec salt-minion
end script


@ -9,5 +9,8 @@ script
# Read configuration variable file if it is present
[ -f /etc/default/$UPSTART_JOB ] && . /etc/default/$UPSTART_JOB
# Activate the virtualenv if defined
[ -f $SALT_USE_VIRTUALENV/bin/activate ] && . $SALT_USE_VIRTUALENV/bin/activate
exec salt-syndic
end script
end script


@ -1,8 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-API" "1" "April 05, 2014" "0.8.3" "salt-api"
.TH "SALT-API" "1" "June 25, 2014" "2014.1.0-8653-gc447bd0" "Salt"
.SH NAME
salt-api \- salt-api
salt-api \- salt-api Command
.
.nr rst2man-indent-level 0
.
@ -30,19 +28,17 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.\" Man page generated from reStructeredText.
.
.sp
Start interfaces used to remotely connect to the salt master
.SH SYNOPSIS
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
salt\-api
.ft P
.fi
.UNINDENT
.UNINDENT
.SH DESCRIPTION
.sp
The Salt API system manages network api connectors for the Salt Master
@ -65,6 +61,7 @@ Specify an alternative location for the salt master configuration file.
.SH AUTHOR
Thomas S. Hatch <thatch45@gmail.com> and many others, please see the Authors file
.SH COPYRIGHT
2012, Thomas S. Hatch
2014 SaltStack, Inc.
.\" Generated by docutils manpage writer.
.\"
.


@ -1,6 +1,4 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-CALL" "1" "January 02, 2014" "2014.1.0" "Salt"
.TH "SALT-CALL" "1" "June 25, 2014" "2014.1.0-8653-gc447bd0" "Salt"
.SH NAME
salt-call \- salt-call Documentation
.
@ -30,17 +28,15 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.\" Man page generated from reStructeredText.
.
.SH SYNOPSIS
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
salt\-call [options]
.ft P
.fi
.UNINDENT
.UNINDENT
.SH DESCRIPTION
.sp
The salt\-call command is used to run module functions locally on a minion
@ -66,7 +62,7 @@ Show the help message and exit
.B \-c CONFIG_DIR, \-\-config\-dir=CONFIG_dir
The location of the Salt configuration directory. This directory contains
the configuration files for Salt master and minions. The default location
on most systems is \fB/etc/salt\fP\&.
on most systems is \fB/etc/salt\fP.
.UNINDENT
.INDENT 0.0
.TP
@ -112,20 +108,20 @@ Logging options which override any settings defined on the configuration files.
.TP
.B \-l LOG_LEVEL, \-\-log\-level=LOG_LEVEL
Console logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP\&. Default:
\fBinfo\fP\&.
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP. Default:
\fBinfo\fP.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-log\-file=LOG_FILE
Log file path. Default: /var/log/salt/minion\&.
Log file path. Default: /var/log/salt/minion.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-log\-file\-level=LOG_LEVEL_LOGFILE
Logfile logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP\&. Default:
\fBinfo\fP\&.
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP. Default:
\fBinfo\fP.
.UNINDENT
.SS Output Options
.INDENT 0.0
@ -146,16 +142,12 @@ data.
If an outputter is used that does not support the data passed into it, then
Salt will fall back on the \fBpprint\fP outputter and display the return data
using the Python \fBpprint\fP standard library module.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
.IP Note
If using \fB\-\-out=json\fP, you will probably want \fB\-\-static\fP as well.
Without the static option, you will get a JSON string for each minion.
This is due to using an iterative outputter. So if you want to feed it
to a JSON parser, use \fB\-\-static\fP as well.
.UNINDENT
.UNINDENT
.RE
.UNINDENT
.INDENT 0.0
.TP
@ -178,6 +170,12 @@ Disable all colored output
.TP
.B \-\-force\-color
Force colored output
.IP Note
When using colored output the color codes are as follows:
.sp
\fBgreen\fP denotes success, \fBred\fP denotes failure, \fBblue\fP denotes
changes and success and \fByellow\fP denotes a expected future change in configuration.
.RE
.UNINDENT
.SH SEE ALSO
.sp
@ -187,6 +185,7 @@ Force colored output
.SH AUTHOR
Thomas S. Hatch <thatch45@gmail.com> and many others, please see the Authors file
.SH COPYRIGHT
2013 SaltStack, Inc.
2014 SaltStack, Inc.
.\" Generated by docutils manpage writer.
.\"
.


@ -1,6 +1,4 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-CLOUD" "1" "January 02, 2014" "2014.1.0" "Salt"
.TH "SALT-CLOUD" "1" "June 25, 2014" "2014.1.0-8653-gc447bd0" "Salt"
.SH NAME
salt-cloud \- Salt Cloud Command
.
@ -30,11 +28,11 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.\" Man page generated from reStructeredText.
.
.sp
Provision virtual machines in the cloud with Salt
.SH SYNOPSIS
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
@ -45,8 +43,6 @@ salt\-cloud \-p PROFILE NAME
salt\-cloud \-p PROFILE NAME1 NAME2 NAME3 NAME4 NAME5 NAME6
.ft P
.fi
.UNINDENT
.UNINDENT
.SH DESCRIPTION
.sp
Salt Cloud is the system used to provision virtual machines on various public
@ -182,76 +178,52 @@ Disable all colored output.
.SH EXAMPLES
.sp
To create 4 VMs named web1, web2, db1 and db2 from specified profiles:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
salt\-cloud \-p fedora_rackspace web1 web2 db1 db2
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
To read in a map file and create all VMs specified therein:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
salt\-cloud \-m /path/to/cloud.map
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
To read in a map file and create all VMs specified therein in parallel:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
salt\-cloud \-m /path/to/cloud.map \-P
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
To delete any VMs specified in the map file:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
salt\-cloud \-m /path/to/cloud.map \-d
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
To delete any VMs NOT specified in the map file:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
salt\-cloud \-m /path/to/cloud.map \-H
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
To display the status of all VMs specified in the map file:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
salt\-cloud \-m /path/to/cloud.map \-Q
.ft P
.fi
.UNINDENT
.UNINDENT
.SH SEE ALSO
.sp
\fIsalt\-cloud(7)\fP
@ -261,6 +233,7 @@ salt\-cloud \-m /path/to/cloud.map \-Q
.SH AUTHOR
Thomas S. Hatch <thatch45@gmail.com> and many others, please see the Authors file
.SH COPYRIGHT
2013 SaltStack, Inc.
2014 SaltStack, Inc.
.\" Generated by docutils manpage writer.
.\"
.


@ -1,6 +1,4 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-CP" "1" "January 02, 2014" "2014.1.0" "Salt"
.TH "SALT-CP" "1" "June 25, 2014" "2014.1.0-8653-gc447bd0" "Salt"
.SH NAME
salt-cp \- salt-cp Documentation
.
@ -30,11 +28,11 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.\" Man page generated from reStructeredText.
.
.sp
Copy a file to a set of systems
.SH SYNOPSIS
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
@ -45,8 +43,6 @@ salt\-cp \-E \(aq.*\(aq [ options ] SOURCE DEST
salt\-cp \-G \(aqos:Arch.*\(aq [ options ] SOURCE DEST
.ft P
.fi
.UNINDENT
.UNINDENT
.SH DESCRIPTION
.sp
Salt copy copies a local file out to all of the Salt minions matched by the
@ -72,7 +68,7 @@ Show the help message and exit
.B \-c CONFIG_DIR, \-\-config\-dir=CONFIG_dir
The location of the Salt configuration directory. This directory contains
the configuration files for Salt master and minions. The default location
on most systems is \fB/etc/salt\fP\&.
on most systems is \fB/etc/salt\fP.
.UNINDENT
.INDENT 0.0
.TP
@ -88,20 +84,20 @@ Logging options which override any settings defined on the configuration files.
.TP
.B \-l LOG_LEVEL, \-\-log\-level=LOG_LEVEL
Console logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP\&. Default:
\fBwarning\fP\&.
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP. Default:
\fBwarning\fP.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-log\-file=LOG_FILE
Log file path. Default: /var/log/salt/master\&.
Log file path. Default: /var/log/salt/master.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-log\-file\-level=LOG_LEVEL_LOGFILE
Logfile logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP\&. Default:
\fBwarning\fP\&.
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP. Default:
\fBwarning\fP.
.UNINDENT
.SS Target Selection
.INDENT 0.0
@ -158,6 +154,7 @@ file.
.SH AUTHOR
Thomas S. Hatch <thatch45@gmail.com> and many others, please see the Authors file
.SH COPYRIGHT
2013 SaltStack, Inc.
2014 SaltStack, Inc.
.\" Generated by docutils manpage writer.
.\"
.


@ -1,6 +1,4 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-KEY" "1" "January 02, 2014" "2014.1.0" "Salt"
.TH "SALT-KEY" "1" "June 25, 2014" "2014.1.0-8653-gc447bd0" "Salt"
.SH NAME
salt-key \- salt-key Documentation
.
@ -30,6 +28,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.\" Man page generated from reStructeredText.
.
.SH SYNOPSIS
.sp
salt\-key [ options ]
@ -58,7 +58,7 @@ Show the help message and exit
.B \-c CONFIG_DIR, \-\-config\-dir=CONFIG_dir
The location of the Salt configuration directory. This directory contains
the configuration files for Salt master and minions. The default location
on most systems is \fB/etc/salt\fP\&.
on most systems is \fB/etc/salt\fP.
.UNINDENT
.INDENT 0.0
.TP
@ -76,14 +76,14 @@ Logging options which override any settings defined on the configuration files.
.INDENT 0.0
.TP
.B \-\-log\-file=LOG_FILE
Log file path. Default: /var/log/salt/minion\&.
Log file path. Default: /var/log/salt/minion.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-log\-file\-level=LOG_LEVEL_LOGFILE
Logfile logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP\&. Default:
\fBwarning\fP\&.
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP. Default:
\fBwarning\fP.
.UNINDENT
.SS Output Options
.INDENT 0.0
@ -104,16 +104,12 @@ data.
If an outputter is used that does not support the data passed into it, then
Salt will fall back on the \fBpprint\fP outputter and display the return data
using the Python \fBpprint\fP standard library module.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
.IP Note
If using \fB\-\-out=json\fP, you will probably want \fB\-\-static\fP as well.
Without the static option, you will get a JSON string for each minion.
This is due to using an iterative outputter. So if you want to feed it
to a JSON parser, use \fB\-\-static\fP as well.
.UNINDENT
.UNINDENT
.RE
.UNINDENT
.INDENT 0.0
.TP
@ -136,6 +132,12 @@ Disable all colored output
.TP
.B \-\-force\-color
Force colored output
.IP Note
When using colored output the color codes are as follows:
.sp
\fBgreen\fP denotes success, \fBred\fP denotes failure, \fBblue\fP denotes
changes and success and \fByellow\fP denotes a expected future change in configuration.
.RE
.UNINDENT
.SS Actions
.INDENT 0.0
@ -236,6 +238,7 @@ default is 2048.
.SH AUTHOR
Thomas S. Hatch <thatch45@gmail.com> and many others, please see the Authors file
.SH COPYRIGHT
2013 SaltStack, Inc.
2014 SaltStack, Inc.
.\" Generated by docutils manpage writer.
.\"
.


@ -1,6 +1,4 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-MASTER" "1" "January 02, 2014" "2014.1.0" "Salt"
.TH "SALT-MASTER" "1" "June 25, 2014" "2014.1.0-8653-gc447bd0" "Salt"
.SH NAME
salt-master \- salt-master Documentation
.
@ -30,6 +28,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.\" Man page generated from reStructeredText.
.
.sp
The Salt master daemon, used to control the Salt minions
.SH SYNOPSIS
@ -59,7 +59,7 @@ Show the help message and exit
.B \-c CONFIG_DIR, \-\-config\-dir=CONFIG_dir
The location of the Salt configuration directory. This directory contains
the configuration files for Salt master and minions. The default location
on most systems is \fB/etc/salt\fP\&.
on most systems is \fB/etc/salt\fP.
.UNINDENT
.INDENT 0.0
.TP
@ -74,7 +74,7 @@ Run salt\-master as a daemon
.INDENT 0.0
.TP
.B \-\-pid\-file PIDFILE
Specify the location of the pidfile. Default: /var/run/salt\-master\&.pid
Specify the location of the pidfile. Default: /var/run/salt\-master.pid
.UNINDENT
.SS Logging Options
.sp
@ -83,20 +83,20 @@ Logging options which override any settings defined on the configuration files.
.TP
.B \-l LOG_LEVEL, \-\-log\-level=LOG_LEVEL
Console logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP\&. Default:
\fBwarning\fP\&.
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP. Default:
\fBwarning\fP.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-log\-file=LOG_FILE
Log file path. Default: /var/log/salt/master\&.
Log file path. Default: /var/log/salt/master.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-log\-file\-level=LOG_LEVEL_LOGFILE
Logfile logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP\&. Default:
\fBwarning\fP\&.
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP. Default:
\fBwarning\fP.
.UNINDENT
.SH SEE ALSO
.sp
@ -106,6 +106,7 @@ Logfile logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
.SH AUTHOR
Thomas S. Hatch <thatch45@gmail.com> and many others, please see the Authors file
.SH COPYRIGHT
2013 SaltStack, Inc.
2014 SaltStack, Inc.
.\" Generated by docutils manpage writer.
.\"
.


@ -1,6 +1,4 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-MINION" "1" "January 02, 2014" "2014.1.0" "Salt"
.TH "SALT-MINION" "1" "June 25, 2014" "2014.1.0-8653-gc447bd0" "Salt"
.SH NAME
salt-minion \- salt-minion Documentation
.
@ -30,6 +28,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.\" Man page generated from reStructeredText.
.
.sp
The Salt minion daemon, receives commands from a remote Salt master.
.SH SYNOPSIS
@ -60,7 +60,7 @@ Show the help message and exit
.B \-c CONFIG_DIR, \-\-config\-dir=CONFIG_dir
The location of the Salt configuration directory. This directory contains
the configuration files for Salt master and minions. The default location
on most systems is \fB/etc/salt\fP\&.
on most systems is \fB/etc/salt\fP.
.UNINDENT
.INDENT 0.0
.TP
@ -75,7 +75,7 @@ Run salt\-minion as a daemon
.INDENT 0.0
.TP
.B \-\-pid\-file PIDFILE
Specify the location of the pidfile. Default: /var/run/salt\-minion\&.pid
Specify the location of the pidfile. Default: /var/run/salt\-minion.pid
.UNINDENT
.SS Logging Options
.sp
@ -84,20 +84,20 @@ Logging options which override any settings defined on the configuration files.
.TP
.B \-l LOG_LEVEL, \-\-log\-level=LOG_LEVEL
Console logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP\&. Default:
\fBwarning\fP\&.
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP. Default:
\fBwarning\fP.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-log\-file=LOG_FILE
Log file path. Default: /var/log/salt/minion\&.
Log file path. Default: /var/log/salt/minion.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-log\-file\-level=LOG_LEVEL_LOGFILE
Logfile logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP\&. Default:
\fBwarning\fP\&.
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP. Default:
\fBwarning\fP.
.UNINDENT
.SH SEE ALSO
.sp
@ -107,6 +107,7 @@ Logfile logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
.SH AUTHOR
Thomas S. Hatch <thatch45@gmail.com> and many others, please see the Authors file
.SH COPYRIGHT
2013 SaltStack, Inc.
2014 SaltStack, Inc.
.\" Generated by docutils manpage writer.
.\"
.


@ -1,6 +1,4 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-RUN" "1" "January 02, 2014" "2014.1.0" "Salt"
.TH "SALT-RUN" "1" "June 25, 2014" "2014.1.0-8653-gc447bd0" "Salt"
.SH NAME
salt-run \- salt-run Documentation
.
@ -30,22 +28,20 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.\" Man page generated from reStructeredText.
.
.sp
Execute a Salt runner
.SH SYNOPSIS
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
salt\-run RUNNER
.ft P
.fi
.UNINDENT
.UNINDENT
.SH DESCRIPTION
.sp
salt\-run is the frontend command for executing \fBSalt Runners\fP\&.
salt\-run is the frontend command for executing \fBSalt Runners\fP.
Salt runners are simple modules used to execute convenience functions on the
master
.SH OPTIONS
@ -69,7 +65,7 @@ Show the help message and exit
.B \-c CONFIG_DIR, \-\-config\-dir=CONFIG_dir
The location of the Salt configuration directory. This directory contains
the configuration files for Salt master and minions. The default location
on most systems is \fB/etc/salt\fP\&.
on most systems is \fB/etc/salt\fP.
.UNINDENT
.INDENT 0.0
.TP
@ -91,20 +87,20 @@ Logging options which override any settings defined on the configuration files.
.TP
.B \-l LOG_LEVEL, \-\-log\-level=LOG_LEVEL
Console logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP\&. Default:
\fBwarning\fP\&.
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP. Default:
\fBwarning\fP.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-log\-file=LOG_FILE
Log file path. Default: /var/log/salt/master\&.
Log file path. Default: /var/log/salt/master.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-log\-file\-level=LOG_LEVEL_LOGFILE
Logfile logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP\&. Default:
\fBwarning\fP\&.
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP. Default:
\fBwarning\fP.
.UNINDENT
.SH SEE ALSO
.sp
@ -114,6 +110,7 @@ Logfile logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
.SH AUTHOR
Thomas S. Hatch <thatch45@gmail.com> and many others, please see the Authors file
.SH COPYRIGHT
2013 SaltStack, Inc.
2014 SaltStack, Inc.
.\" Generated by docutils manpage writer.
.\"
.


@ -1,6 +1,4 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-SSH" "1" "January 02, 2014" "2014.1.0" "Salt"
.TH "SALT-SSH" "1" "June 25, 2014" "2014.1.0-8653-gc447bd0" "Salt"
.SH NAME
salt-ssh \- salt-ssh Documentation
.
@ -30,6 +28,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.\" Man page generated from reStructeredText.
.
.SH SYNOPSIS
.INDENT 0.0
.INDENT 3.5
@ -49,12 +49,26 @@ Execute a raw shell command.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-roster\-file
.B \-\-priv
Specify the SSH private key file to be used for authentication.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-roster
Define which roster system to use, this defines if a database backend,
scanner, or custom roster system is used. Default is the flat file roster.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-roster\-file
Define an alternative location for the default roster file location. The
default roster file is called \fBroster\fP and is found in the same directory
as the master config file.
.sp
New in version 2014.1.0: (Hydrogen)
.UNINDENT
.INDENT 0.0
.TP
.B \-\-refresh, \-\-refresh\-cache
Force a refresh of the master side data cache of the target\(aqs data. This
is needed if a target\(aqs grains have been changed and the auto refresh
@ -70,8 +84,14 @@ is 25.
.UNINDENT
.INDENT 0.0
.TP
.B \-i, \-\-ignore\-host\-keys
Ignore the ssh host keys which by default are honored and connections
would ask for approval.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-passwd
Set te default password to attempt to use when authenticating.
Set the default password to attempt to use when authenticating.
.UNINDENT
.INDENT 0.0
.TP
@ -100,7 +120,7 @@ Show the help message and exit
.B \-c CONFIG_DIR, \-\-config\-dir=CONFIG_dir
The location of the Salt configuration directory. This directory contains
the configuration files for Salt master and minions. The default location
on most systems is \fB/etc/salt\fP\&.
on most systems is \fB/etc/salt\fP.
.UNINDENT
.SS Target Selection
.INDENT 0.0
@ -156,20 +176,20 @@ Logging options which override any settings defined on the configuration files.
.TP
.B \-l LOG_LEVEL, \-\-log\-level=LOG_LEVEL
Console logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP\&. Default:
\fBwarning\fP\&.
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP. Default:
\fBwarning\fP.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-log\-file=LOG_FILE
Log file path. Default: /var/log/salt/ssh\&.
Log file path. Default: /var/log/salt/ssh.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-log\-file\-level=LOG_LEVEL_LOGFILE
Logfile logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP\&. Default:
\fBwarning\fP\&.
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP. Default:
\fBwarning\fP.
.UNINDENT
.SS Output Options
.INDENT 0.0
@ -190,16 +210,12 @@ data.
If an outputter is used that does not support the data passed into it, then
Salt will fall back on the \fBpprint\fP outputter and display the return data
using the Python \fBpprint\fP standard library module.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
.IP Note
If using \fB\-\-out=json\fP, you will probably want \fB\-\-static\fP as well.
Without the static option, you will get a JSON string for each minion.
This is due to using an iterative outputter. So if you want to feed it
to a JSON parser, use \fB\-\-static\fP as well.
.UNINDENT
.UNINDENT
.RE
.UNINDENT
.INDENT 0.0
.TP
@ -222,6 +238,12 @@ Disable all colored output
.TP
.B \-\-force\-color
Force colored output
.IP Note
When using colored output the color codes are as follows:
.sp
\fBgreen\fP denotes success, \fBred\fP denotes failure, \fBblue\fP denotes
changes and success and \fByellow\fP denotes a expected future change in configuration.
.RE
.UNINDENT
.SH SEE ALSO
.sp
@ -231,6 +253,7 @@ Force colored output
.SH AUTHOR
Thomas S. Hatch <thatch45@gmail.com> and many others, please see the Authors file
.SH COPYRIGHT
2013 SaltStack, Inc.
2014 SaltStack, Inc.
.\" Generated by docutils manpage writer.
.\"
.


@ -1,6 +1,4 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT-SYNDIC" "1" "January 02, 2014" "2014.1.0" "Salt"
.TH "SALT-SYNDIC" "1" "June 25, 2014" "2014.1.0-8653-gc447bd0" "Salt"
.SH NAME
salt-syndic \- salt-syndic Documentation
.
@ -30,6 +28,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.\" Man page generated from reStructeredText.
.
.sp
The Salt syndic daemon, a special minion that passes through commands from a
higher master
@ -61,7 +61,7 @@ Show the help message and exit
.B \-c CONFIG_DIR, \-\-config\-dir=CONFIG_dir
The location of the Salt configuration directory. This directory contains
the configuration files for Salt master and minions. The default location
on most systems is \fB/etc/salt\fP\&.
on most systems is \fB/etc/salt\fP.
.UNINDENT
.INDENT 0.0
.TP
@ -76,7 +76,7 @@ Run salt\-syndic as a daemon
.INDENT 0.0
.TP
.B \-\-pid\-file PIDFILE
Specify the location of the pidfile. Default: /var/run/salt\-syndic\&.pid
Specify the location of the pidfile. Default: /var/run/salt\-syndic.pid
.UNINDENT
.SS Logging Options
.sp
@ -85,20 +85,20 @@ Logging options which override any settings defined on the configuration files.
.TP
.B \-l LOG_LEVEL, \-\-log\-level=LOG_LEVEL
Console logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP\&. Default:
\fBwarning\fP\&.
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP. Default:
\fBwarning\fP.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-log\-file=LOG_FILE
Log file path. Default: /var/log/salt/master\&.
Log file path. Default: /var/log/salt/master.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-log\-file\-level=LOG_LEVEL_LOGFILE
Logfile logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP\&. Default:
\fBwarning\fP\&.
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP. Default:
\fBwarning\fP.
.UNINDENT
.SH SEE ALSO
.sp
@ -108,6 +108,7 @@ Logfile logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
.SH AUTHOR
Thomas S. Hatch <thatch45@gmail.com> and many others, please see the Authors file
.SH COPYRIGHT
2013 SaltStack, Inc.
2014 SaltStack, Inc.
.\" Generated by docutils manpage writer.
.\"
.


@ -1,6 +1,4 @@
.\" Man page generated from reStructuredText.
.
.TH "SALT" "1" "January 02, 2014" "2014.1.0" "Salt"
.TH "SALT" "1" "June 25, 2014" "2014.1.0-8653-gc447bd0" "Salt"
.SH NAME
salt \- salt
.
@ -30,6 +28,8 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.\" Man page generated from reStructeredText.
.
.SH SYNOPSIS
.INDENT 0.0
.INDENT 3.5
@ -39,7 +39,7 @@ salt \-E \(aq.*\(aq [ options ] sys.doc cmd
.sp
salt \-G \(aqos:Arch.*\(aq [ options ] test.ping
.sp
salt \-C \fI\%\(aqG@os\fP:Arch.* and webserv* or \fI\%G@kernel\fP:FreeBSD\(aq [ options ] test.ping
salt \-C \fI\%'G@os\fP:Arch.* and webserv* or \fI\%G@kernel\fP:FreeBSD\(aq [ options ] test.ping
.UNINDENT
.UNINDENT
.SH DESCRIPTION
@ -68,7 +68,7 @@ Show the help message and exit
.B \-c CONFIG_DIR, \-\-config\-dir=CONFIG_dir
The location of the Salt configuration directory. This directory contains
the configuration files for Salt master and minions. The default location
on most systems is \fB/etc/salt\fP\&.
on most systems is \fB/etc/salt\fP.
.UNINDENT
.INDENT 0.0
.TP
@ -95,7 +95,6 @@ the started execution and complete.
.TP
.B \-\-state\-output=STATE_OUTPUT
New in version 0.17.
.sp
Override the configured state_output value for minion output. Default:
full
@ -115,6 +114,12 @@ print out extra data like the job id.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-show\-timeout
Instead of only showing the return data from the online minions this option
also prints the names of the minions which could not be reached.
.UNINDENT
.INDENT 0.0
.TP
.B \-b BATCH, \-\-batch\-size=BATCH
Instead of executing on all targeted minions at once, execute on a
progressive set of minions. This option takes an argument in the form of
@ -160,20 +165,20 @@ Logging options which override any settings defined on the configuration files.
.TP
.B \-l LOG_LEVEL, \-\-log\-level=LOG_LEVEL
Console logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP\&. Default:
\fBwarning\fP\&.
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP. Default:
\fBwarning\fP.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-log\-file=LOG_FILE
Log file path. Default: /var/log/salt/master\&.
Log file path. Default: /var/log/salt/master.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-log\-file\-level=LOG_LEVEL_LOGFILE
Logfile logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP\&. Default:
\fBwarning\fP\&.
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP. Default:
\fBwarning\fP.
.UNINDENT
.SS Target Selection
.INDENT 0.0
@ -226,18 +231,13 @@ file.
.TP
.B \-C, \-\-compound
Utilize many target definitions to make the call very granular. This option
takes a group of targets separated by \fBand\fP or \fBor\fP\&. The default matcher is a
takes a group of targets separated by \fBand\fP or \fBor\fP. The default matcher is a
glob as usual. If something other than a glob is used, preface it with the
letter denoting the type; example: \(aqwebserv* and \fI\%G@os\fP:Debian or \fI\%E@db*\fP\(aq
Make sure that the compound target is encapsulated in quotes.
.UNINDENT
.INDENT 0.0
.TP
.B \-X, \-\-exsel
Instead of using shell globs, use the return code of a function.
.UNINDENT
.INDENT 0.0
.TP
.B \-I, \-\-pillar
Instead of using shell globs to evaluate the target, use a pillar value to
identify targets. The syntax for the target is the pillar key followed by
@ -267,16 +267,12 @@ data.
If an outputter is used that does not support the data passed into it, then
Salt will fall back on the \fBpprint\fP outputter and display the return data
using the Python \fBpprint\fP standard library module.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
.IP Note
If using \fB\-\-out=json\fP, you will probably want \fB\-\-static\fP as well.
Without the static option, you will get a JSON string for each minion.
This is due to using an iterative outputter. So if you want to feed it
to a JSON parser, use \fB\-\-static\fP as well.
.UNINDENT
.UNINDENT
.RE
.UNINDENT
.INDENT 0.0
.TP
@ -299,6 +295,12 @@ Disable all colored output
.TP
.B \-\-force\-color
Force colored output
.IP Note
When using colored output the color codes are as follows:
.sp
\fBgreen\fP denotes success, \fBred\fP denotes failure, \fBblue\fP denotes
changes and success and \fByellow\fP denotes a expected future change in configuration.
.RE
.UNINDENT
.SH SEE ALSO
.sp
@ -308,6 +310,7 @@ Force colored output
.SH AUTHOR
Thomas S. Hatch <thatch45@gmail.com> and many others, please see the Authors file
.SH COPYRIGHT
2013 SaltStack, Inc.
2014 SaltStack, Inc.
.\" Generated by docutils manpage writer.
.\"
.



@ -58,6 +58,12 @@ VALID_OPTS = {
'master_finger': str,
'master_shuffle': bool,
'master_alive_interval': int,
'master_sign_key_name': str,
'master_sign_pubkey': bool,
'verify_master_pubkey_sign': bool,
'always_verify_signature': bool,
'master_pubkey_signature': str,
'master_use_pubkey_signature': bool,
'syndic_finger': str,
'user': str,
'root_dir': str,
@ -252,6 +258,9 @@ DEFAULT_MINION_OPTS = {
'master_finger': '',
'master_shuffle': False,
'master_alive_interval': 0,
'verify_master_pubkey_sign': False,
'always_verify_signature': False,
'master_sign_key_name': 'master_sign',
'syndic_finger': '',
'user': 'root',
'root_dir': salt.syspaths.ROOT_DIR,
@ -512,6 +521,10 @@ DEFAULT_MASTER_OPTS = {
'queue_dirs': [],
'cli_summary': False,
'max_minions': 0,
'master_sign_key_name': 'master_sign',
'master_sign_pubkey': False,
'master_pubkey_signature': 'master_pubkey_signature',
'master_use_pubkey_signature': False,
}
# ----- Salt Cloud Configuration Defaults ----------------------------------->


@ -14,6 +14,7 @@ import shutil
import hashlib
import logging
import traceback
import binascii
# Import third party libs
try:
@ -146,26 +147,59 @@ class MasterKeys(dict):
'''
The Master Keys class is used to manage the public key pair used for
authentication by the master.
It also generates a signing key-pair if enabled with master_sign_key_name.
'''
def __init__(self, opts):
super(MasterKeys, self).__init__()
self.opts = opts
self.pub_path = os.path.join(self.opts['pki_dir'], 'master.pub')
self.rsa_path = os.path.join(self.opts['pki_dir'], 'master.pem')
self.key = self.__get_keys()
self.token = self.__gen_token()
self.pub_signature = None
def __get_keys(self):
# set names for the signing key-pairs
if opts['master_sign_pubkey']:
# if only the signature is available, use that
if opts['master_use_pubkey_signature']:
self.sig_path = os.path.join(self.opts['pki_dir'],
opts['master_pubkey_signature'])
if os.path.isfile(self.sig_path):
self.pub_signature = salt.utils.fopen(self.sig_path).read()
log.info('Read {0}\'s signature from {1}'
''.format(os.path.basename(self.pub_path),
self.opts['master_pubkey_signature']))
else:
log.error('Signing the master.pub key with a signature is enabled '
'but no signature file found at the default location '
'{0}'.format(self.sig_path))
sys.exit(1)
# create a new signing key-pair to sign the masters
# auth-replies when a minion tries to connect
else:
self.pub_sign_path = os.path.join(self.opts['pki_dir'],
opts['master_sign_key_name'] + '.pub')
self.rsa_sign_path = os.path.join(self.opts['pki_dir'],
opts['master_sign_key_name'] + '.pem')
self.sign_key = self.__get_keys(name=opts['master_sign_key_name'])
def __get_keys(self, name='master'):
'''
Returns a key objects for the master
Returns a key object for a key in the pki-dir
'''
if os.path.exists(self.rsa_path):
key = RSA.load_key(self.rsa_path)
log.debug('Loaded master key: {0}'.format(self.rsa_path))
path = os.path.join(self.opts['pki_dir'],
name + '.pem')
if os.path.exists(path):
key = RSA.load_key(path)
log.debug('Loaded {0} key: {1}'.format(name, path))
else:
log.info('Generating keys: {0}'.format(self.opts['pki_dir']))
log.info('Generating {0} keys: {1}'.format(name, self.opts['pki_dir']))
gen_keys(self.opts['pki_dir'],
'master',
name,
self.opts['keysize'],
self.opts.get('user'))
key = RSA.load_key(self.rsa_path)
@ -177,15 +211,30 @@ class MasterKeys(dict):
'''
return self.key.private_encrypt('salty bacon', 5)
def get_pub_str(self):
def get_pub_str(self, name='master'):
'''
Return the string representation of the public key
Return the string representation of a public key
in the pki-directory
'''
if not os.path.isfile(self.pub_path):
path = os.path.join(self.opts['pki_dir'],
name + '.pub')
if not os.path.isfile(path):
key = self.__get_keys()
key.save_pub_key(self.pub_path)
return salt.utils.fopen(self.pub_path, 'r').read()
key.save_pub_key(path)
return salt.utils.fopen(path, 'r').read()
def get_mkey_paths(self):
return self.pub_path, self.rsa_path
def get_sign_paths(self):
return self.pub_sign_path, self.rsa_sign_path
def pubkey_signature(self):
'''
returns the base64 encoded signature from the signature file
or None if the master has its own signing keys
'''
return self.pub_signature
class Auth(object):
'''
@ -296,6 +345,38 @@ class Auth(object):
return key_str, ''
return '', ''
def verify_pubkey_sig(self, message, sig):
'''
wraps the verify_signature method so we have
additional checks and return a bool
'''
if self.opts['master_sign_key_name']:
path = os.path.join(self.opts['pki_dir'],
self.opts['master_sign_key_name'] + '.pub')
if os.path.isfile(path):
res = verify_signature(path,
message,
binascii.a2b_base64(sig))
else:
log.error('Verification public key {0} does not exist. You '
'need to copy it from the master to the minions '
'pki directory'.format(os.path.basename(path)))
return False
if res:
log.debug('Successfully verified signature of master '
'public key with verification public key '
'{0}'.format(self.opts['master_sign_key_name'] + '.pub'))
return True
else:
log.debug('Failed to verify signature of public key')
return False
else:
log.error('Failed to verify the signature of the message because '
'the verification key-pairs name is not defined. Please '
'make sure, master_sign_key_name is defined.')
return False
def verify_master(self, payload):
'''
Verify that the master is the same one that was previously accepted.
@ -303,30 +384,112 @@ class Auth(object):
m_pub_fn = os.path.join(self.opts['pki_dir'], self.mpub)
if os.path.isfile(m_pub_fn) and not self.opts['open_mode']:
local_master_pub = salt.utils.fopen(m_pub_fn).read()
if payload['pub_key'] != local_master_pub:
# This is not the last master we connected to
log.error('The master key has changed, the salt master could '
'have been subverted, verify salt master\'s public '
'key')
return ''
try:
aes, token = self.decrypt_aes(payload)
if token != self.token:
log.error(
'The master failed to decrypt the random minion token'
)
if payload['pub_key'] != local_master_pub:
# if we receive a new pubkey from the master, try to verify
# its signature if the payload contains one
if self.opts['verify_master_pubkey_sign']:
try:
if self.verify_pubkey_sig(payload['pub_key'],
payload['pub_sig']):
log.info('Received signed and verified master pubkey '
'from master {0}'.format(self.opts['master']))
m_pub_fn = os.path.join(self.opts['pki_dir'], self.mpub)
salt.utils.fopen(m_pub_fn, 'w+').write(payload['pub_key'])
aes, token = self.decrypt_aes(payload, False)
return aes
else:
log.error('Received signed master pubkey from master {0} '
'but signature verification failed!'.format(self.opts['master']))
return ''
except Exception:
log.error('Received a new master key from master {0} without the public '
'keys signature'.format(self.opts['master']))
log.error('Either disable verifying the master public on the minion or '
'enable the signing of the public key on the master')
return ''
# a reply _with_ the pubkeys signature without having it
# verified by the minion shall never be accepted
elif 'pub_sig' in payload:
log.error('Received reply with the pubkeys signature, but rejecting pubkey '
'because signature verification (verify_master_pubkey_sign) is not enabled.')
return ''
except Exception:
log.error(
'The master failed to decrypt the random minion token'
)
return ''
return aes
else:
# This is not the last master we connected to
log.error('The master key has changed, the salt master could '
'have been subverted, verify salt master\'s public '
'key')
return ''
# make sure, master and minion both sign and verify and that it fails,
# if either side does not sign (master) or does not verify (minion)
if 'pub_sig' in payload:
if not self.opts['verify_master_pubkey_sign']:
log.error('The masters public has been verified, but the public signature sent by '
'the master is not being verified on the minion. Either enable signature '
'verification on the minion or disable signing the public on the master!')
return ''
else:
# verify the signature of the pubkey even if it has
# not changed compared with the one we already have
if self.opts['always_verify_signature']:
if self.verify_pubkey_sig(payload['pub_key'],
payload['pub_sig']):
log.info('Received signed and verified master pubkey '
'from master {0}'.format(self.opts['master']))
try:
aes, token = self.decrypt_aes(payload)
if token != self.token:
log.error(
'The master failed to decrypt the random minion token'
)
return ''
except Exception:
log.error(
'The master failed to decrypt the random minion token'
)
return ''
return aes
else:
log.error('The masters public could not be verified. Is the '
'verification pubkey {0} up to date?'
''.format(self.opts['master_sign_key_name'] + '.pub'))
return ''
else:
if self.opts['verify_master_pubkey_sign']:
log.error('Master public key signature verification is enabled, but the masters '
'reply does not contain any signature. Either enable signing the public '
'key on the master or disable signature verification on the minion.')
return ''
else:
salt.utils.fopen(m_pub_fn, 'w+').write(payload['pub_key'])
aes, token = self.decrypt_aes(payload, False)
return aes
# verify the masters pubkey signature if the minion
# has not received any masters pubkey before
if self.opts['verify_master_pubkey_sign']:
if 'pub_sig' in payload:
if self.verify_pubkey_sig(payload['pub_key'],
payload['pub_sig']):
log.info('Received signed and verified master pubkey '
'from master {0}'.format(self.opts['master']))
m_pub_fn = os.path.join(self.opts['pki_dir'], self.mpub)
salt.utils.fopen(m_pub_fn, 'w+').write(payload['pub_key'])
aes, token = self.decrypt_aes(payload, False)
return aes
else:
log.error('Failed to accept the masters public key because no '
'verifiable signature was found in the reply')
log.error('Either disable verifying the master public on the minion or '
'enable the signing of the public key on the master')
return ''
# the minion has not received any masters pubkey yet, write
# the newly received pubkey to minion_master.pub
else:
salt.utils.fopen(m_pub_fn, 'w+').write(payload['pub_key'])
aes, token = self.decrypt_aes(payload, False)
return aes
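Review bot: In the unchanged-key path with no `pub_sig` and `verify_master_pubkey_sign` disabled — the default configuration — the `else:` at L1352 now calls `decrypt_aes(payload, False)` and returns `aes` without comparing `token` with `self.token`, whereas the removed code ran `decrypt_aes(payload)` and rejected the reply on a token mismatch; if the second argument disables verification against the stored master public key, as its use in the first-contact path suggests, the token check should stay on this path: `aes, token = self.decrypt_aes(payload)` followed by the existing `if token != self.token: ... return ''`. Indentation is lost in the rendered page, so the branch structure is inferred from the log messages and should be confirmed in the file. The `except Exception` at L1288 reports any failure inside `verify_pubkey_sig` — for example a `binascii.Error` on a malformed `pub_sig` — as "new master key ... without the public keys signature"; testing `'pub_sig' not in payload` explicitly and having `verify_pubkey_sig` catch `binascii.Error` and return False would keep the log accurate and honour that method's "return a bool" contract. Separately, in `__get_keys` (hunk at L1127) the generation branch still loads `self.rsa_path` after `gen_keys(..., name, ...)`, so for `name='master_sign'` the returned key is the master key rather than the freshly generated signing key; it should be `key = RSA.load_key(path)`.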
def sign_in(self, timeout=60, safe=True, tries=1):
'''


@ -50,6 +50,7 @@ import salt.utils.gzip_util
from salt.utils.debug import enable_sigusr1_handler, enable_sigusr2_handler, inspect_stack
from salt.exceptions import MasterExit
from salt.utils.event import tagify
import binascii
# Import halite libs
try:
@ -1966,6 +1967,23 @@ class ClearFuncs(object):
'pub_key': self.master_key.get_pub_str(),
'publish_port': self.opts['publish_port'],
}
# sign the masters pubkey (if enabled) before it is
# send to the minion that was just authenticated
if self.opts['master_sign_pubkey']:
# append the pre-computed signature to the auth-reply
if self.master_key.pubkey_signature():
log.debug('Adding pubkey signature to auth-reply')
log.debug(self.master_key.pubkey_signature())
ret.update({'pub_sig': self.master_key.pubkey_signature()})
else:
# the master has its own signing-keypair, compute the master.pub's
# signature and append that to the auth-reply
log.debug("Signing master public key before sending")
pub_sign = salt.crypt.sign_message(self.master_key.get_sign_paths()[1],
ret['pub_key'])
ret.update({'pub_sig': binascii.b2a_base64(pub_sign)})
if self.opts['auth_mode'] >= 2:
if 'token' in load:
try:
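Review bot: The signing branch at L1407-L1410 computes an RSA signature over `ret['pub_key']` on every authentication request, although `master.pub` does not change while the master runs; computing it once (for example in `MasterKeys.__init__` next to `pub_signature`, or lazily on first use) and reusing the base64 value would take the private-key operation off the per-minion auth path and make a burst of minion connections cheaper for the master. `self.master_key.pubkey_signature()` is also called three times in the other branch; binding it once, `sig = self.master_key.pubkey_signature()`, reads better. The `import binascii` at L1389 belongs with the standard-library imports rather than after the `salt.*` ones. The enclosing method continues outside the hunk.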


@ -617,7 +617,8 @@ class Minion(MinionBase):
'seconds': opts['master_alive_interval'],
'jid_include': True,
'maxrunning': 1,
'args': [True]
'kwargs': {'master_ip': self.opts['master'],
'connected': True}
}
})
@ -721,8 +722,10 @@ class Minion(MinionBase):
opts.update(resolve_dns(opts))
super(Minion, self).__init__(opts)
# make a backup of the master list for later use
self.opts['master_list'] = local_masters
# on first run, update self.opts with the whole master list
# to enable a minion to re-use old masters if they get fixed
if not 'master_list' in self.opts:
self.opts['master_list'] = local_masters
try:
if self.authenticate(timeout, safe) != 'full':
@ -735,10 +738,12 @@ class Minion(MinionBase):
continue
if not conn:
self.connected = False
msg = ('No master could be reached or all masters denied '
'the minions connection attempt.')
log.error(msg)
else:
self.connected = True
return opts['master']
# single master sign in
@ -746,11 +751,13 @@ class Minion(MinionBase):
opts.update(resolve_dns(opts))
super(Minion, self).__init__(opts)
if self.authenticate(timeout, safe) == 'full':
self.connected = False
msg = ('master {0} rejected the minions connection because too '
'many minions are already connected.'.format(opts['master']))
log.error(msg)
sys.exit(salt.exitcodes.EX_GENERIC)
else:
self.connected = True
return opts['master']
def _prep_mod_opts(self):
@ -1523,7 +1530,7 @@ class Minion(MinionBase):
ping_interval = self.opts.get('ping_interval', 0) * 60
ping_at = None
self.connected = True
while self._running is True:
loop_interval = self.process_schedule(self, loop_interval)
try:
@ -1561,26 +1568,58 @@ class Minion(MinionBase):
log.debug('Forwarding master event tag={tag}'.format(tag=data['tag']))
self._fire_master(data['data'], data['tag'], data['events'], data['pretag'])
elif package.startswith('__master_disconnected'):
# handle this event only once. otherwise it will polute the log
if self.connected:
log.info('Connection to master {0} lost'.format(self.opts['master']))
if self.opts['master_type'] == 'failover':
log.info('Trying to tune in to next master from master-list')
self.eval_master(opts=self.opts,
failed=True)
# modify the __master_alive job to only fire,
# once the connection was re-established
# we are not connected anymore
self.connected = False
# modify the scheduled job to fire only on reconnect
schedule = {
'function': 'status.master',
'seconds': self.opts['master_alive_interval'],
'jid_include': True,
'maxrunning': 2,
'kwargs': {'connected': False}
'kwargs': {'master_ip': self.opts['master'],
'connected': False}
}
self.schedule.modify_job(name='__master_alive',
schedule=schedule)
self.connected = False
log.info('Connection to master {0} lost'.format(self.opts['master']))
if self.opts['master_type'] == 'failover':
log.info('Trying to tune in to next master from master-list')
# if eval_master finds a new master for us, self.connected
# will be True again on successfull master authentication
self.opts['master'] = self.eval_master(opts=self.opts,
failed=True)
if self.connected:
log.info('Re-initialising subsystems for new '
'master {0}'.format(self.opts['master']))
# re-init the subsystems to work with the new master
del self.socket
del self.context
del self.poller
self._init_context_and_poller()
self.socket = self.context.socket(zmq.SUB)
self._set_reconnect_ivl()
self._setsockopts()
self.socket.connect(self.master_pub)
self.poller.register(self.socket, zmq.POLLIN)
self.poller.register(self.epull_sock, zmq.POLLIN)
self._fire_master_minion_start()
log.info('Minion is ready to receive requests!')
# update scheduled job to run with the new master addr
schedule = {
'function': 'status.master',
'seconds': self.opts['master_alive_interval'],
'jid_include': True,
'maxrunning': 2,
'kwargs': {'master_ip': self.opts['master'],
'connected': True}
}
self.schedule.modify_job(name='__master_alive',
schedule=schedule)
elif package.startswith('__master_connected'):
# handle this event only once. otherwise it will polute the log
@ -1594,12 +1633,12 @@ class Minion(MinionBase):
'seconds': self.opts['master_alive_interval'],
'jid_include': True,
'maxrunning': 2,
'kwargs': {'connected': True}
'kwargs': {'master_ip': self.opts['master'],
'connected': True}
}
self.schedule.modify_job(name='__master_alive',
schedule=schedule)
self.connected = True
self.epub_sock.send(package)
except Exception:
log.debug('Exception while handling events', exc_info=True)
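Review bot: The `__master_alive` schedule dictionary is now written out three times in this section (L1484-L1492, L1520-L1527 and L1533-L1539), differing only in the `connected` value, plus a fourth copy in the constructor hunk at L1418-L1424; a small helper such as `def _master_alive_schedule(self, connected): return {...}` used at each site would keep the new `master_ip` keyword from drifting between copies. In the failover hunk, `if not 'master_list' in self.opts:` at L1433 is better written `if 'master_list' not in self.opts:`. The `__master_disconnected` handler at L1471 lies inside the hunk, but the enclosing event loop begins outside it.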


@ -545,7 +545,7 @@ def version():
return ret
def master(connected=True):
def master(master_ip=None, connected=True):
'''
.. versionadded:: Helium
@ -558,15 +558,14 @@ def master(connected=True):
salt '*' status.master
'''
ip = __salt__['config.option']('master')
port = int(__salt__['config.option']('publish_port'))
ips = _remote_port_tcp(port)
if connected:
if ip not in ips:
if master_ip not in ips:
event = salt.utils.event.get_event('minion', opts=__opts__, listen=False)
event.fire_event({'master': ip}, '__master_disconnected')
event.fire_event({'master': master_ip}, '__master_disconnected')
else:
if ip in ips:
if master_ip in ips:
event = salt.utils.event.get_event('minion', opts=__opts__, listen=False)
event.fire_event({'master': ip}, '__master_connected')
event.fire_event({'master': master_ip}, '__master_connected')
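Review bot: `master_ip` defaults to `None`, so an invocation without the new keyword — e.g. `salt '*' status.master` as the docstring shows — evaluates `None not in ips` as true and fires `__master_disconnected` for a master that is connected; the removed `ip = __salt__['config.option']('master')` lookup should remain as the fallback: `if master_ip is None: master_ip = __salt__['config.option']('master')`. The docstring should also describe the new parameter, e.g. `master_ip: address of the master to check; defaults to the configured master`. Part of the function's docstring lies between the two hunks.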


@ -12,6 +12,10 @@ from collections import defaultdict
import salt.payload
import salt.auth
import salt.utils
import logging
log = logging.getLogger(__name__)
try:
from raet import raeting
from raet.road.stacking import RoadStack
@ -24,6 +28,9 @@ except ImportError:
class Channel(object):
'''
Factory class to create communication-channels for different transport
'''
@staticmethod
def factory(opts, **kwargs):
# Default to ZeroMQ for now
@ -139,7 +146,17 @@ class ZeroMQChannel(Channel):
@property
def sreq(self):
key = self.sreq_key
if key not in ZeroMQChannel.sreq_cache:
# remove all cached sreqs to the old master to prevent
# zeromq from reconnecting to old masters automagically
if self.opts['master_type'] == 'failover':
for check_key in self.sreq_cache.keys():
if self.opts['master_uri'] != check_key[0]:
del self.sreq_cache[check_key]
log.debug('Removed obsolete sreq-object from '
'sreq_cache for master {0}'.format(check_key[0]))
ZeroMQChannel.sreq_cache[key] = salt.payload.SREQ(self.master_uri)
return ZeroMQChannel.sreq_cache[key]
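Review bot: The loop at L1601-L1603 deletes entries from `self.sreq_cache` while iterating `self.sreq_cache.keys()`; that works on Python 2, where `keys()` returns a list, but raises `RuntimeError: dictionary changed size during iteration` on Python 3, so `for check_key in list(self.sreq_cache):` is the portable form. The new lines also mix `self.sreq_cache` with the `ZeroMQChannel.sreq_cache` used on the surrounding lines; since this is class-level state shared by every channel, naming the class consistently makes that explicit. The comparison `self.opts['master_uri'] != check_key[0]` assumes the first element of `sreq_key` is the master URI, which is not visible in this hunk — if so, a comment at that line, `# sreq_key[0] is the master_uri`, would save the next reader the lookup. The `import logging` at L1580 belongs with the standard-library imports above the `salt.*` ones.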