mirror of
https://github.com/saltstack/salt.git
synced 2025-04-16 09:40:20 +00:00
422302312a
* Redirect imports of ``salt.ext.six`` to ``six``
Fixes #60966
* Latest changelog update for 3004
* Handle signals and properly exit, instead of raising exceptions.
This was introduced in 26fcda5074
Fixes #60391
Fixes #60963
* Add test for #61003
* Fix #61003
Restored the previously shifted check for version_to_remove in
old[target]. This had been extracted along with the correctly extracted
double pkg_params[target] lookup, but that lost the `target in old`
guard.
Putting the check back here prevents KeyError when looking for a
non-existent target in `old`.
* Handle various architecture formats in aptpkg module
* Write file even if does not exist
* only run test on debian based platforms
* remove extra space for arch
* convert pathlib to string for pkgrepo test
* Use temporary files first then copy to sources files
* fixes saltstack/salt#59182 fix handling of duplicate keys in rest_cherrypy data
* added changelog
* remove log messages to prevent leaks of sensitive info
* Reverting changes in PR #60150. Updating installed and removed functions to return changes when test=True.
* Adding changelog.
* Add a test and fix for extra-filerefs
* Do not break master_tops for minion with version lower to 3003
* Add changelog file
* Add extra comment to clarify discussion
* Update changelog file
* Add deprecated changelog
* Assert that the command didn't finish
Refs https://github.com/saltstack/salt/pull/60972
* Always restore signals, even when exceptions occur
* Reset signal handlers before starting the process
* Make sure that the `ProcessManager` doesn't always ignore signals
* Provide valid default value for bootstrap_delay
* Update changelog for 3004
* Update changelog and release notes for 3004
* Add PR 61020 to changelog
* Change MD5 to SHA256 fingerprint for new github.com fingerprint
* Check only ssh-rsa encyption for set_known_host
* Use main branch for kitchen-docker project
* Add tests for validate_tgt
This function evolved over the years, but never had any tests. We're
adding tests now to cover the various cases:
- there are no valid minions (currently fails, should return False)
- there are target minions that aren't in valid minions (correctly
fails)
- target minions are a subset of valid minions (i.e. all of the target
minions are found in the valid minions -- there are no extras)
(correctly passes)
* Refactor
minions should be a subset of v_minions - the extra code was just
getting in the way. Also, this function evolved over time but the
docstring never kept up. Updated the docstring to more accurately
describe the function's behavior.
* Fix #60413
When using a syndic and user auth, it was possible for v_minions and
minions to be two empty sets, which returned True. This allowed the user
to still publish the function. The Syndic would get the published event
and apply it, even though it should have been rejected.
However, if there are no valid minions, then it doesn't matter what the
targets are -- there are not valid targets, so there's no reason to do
any further checks.
* Rename changelog to security
* add cve# to changelog
* Sign pillar data
* Add regression tests for CVE-2022-22934
* Add changelog for cve-2022-22934
* Provide users with a nice warning when something goes wrong
* Rename changelog file
* Fix wart in tests
* Return bool when using m2crypo
* Limit the amount of empty space while searching ifconfig output
* Update changelog/cve-2020-22937.security
Co-authored-by: Megan Wilhite <megan.wilhite@gmail.com>
* Prevent auth replays and sign replies
* Add tests for cve-2022-22935
* Add changelog for cve-2020-22935
* Fix typo
* Prevent replays of file server requests
* Add regresion tests for fileserver nonce
* Add changelog for cve-2022-22936
* Job replay mitigation
* Fix merge warts
* more test fixes
* Fix auth tests on windows
* Remove unwanted requirements change
* Clean up cruft
* update docs for 3004.1 release
* Fix warts in new minion auth
* Test fix
* Update release notes
* Remove cve from non cve worty issue
* Add serial to payload in publisher process
* Fix channel tests
Fix broken channel tests by populating an AES key and serial.
* Windows test fix
* windows tests plz work
Co-authored-by: Pedro Algarvio <pedro@algarvio.me>
Co-authored-by: ScriptAutomate <derek@icanteven.io>
Co-authored-by: Wayne Werner <wwerner@vmware.com>
Co-authored-by: Megan Wilhite <mwilhite@vmware.com>
Co-authored-by: nicholasmhughes <nicholasmhughes@gmail.com>
Co-authored-by: Gareth J. Greenaway <gareth@saltstack.com>
Co-authored-by: Pablo Suárez Hernández <psuarezhernandez@suse.com>
Co-authored-by: Alyssa Rock <arock@saltstack.com>
Co-authored-by: krionbsd <krion@FreeBSD.org>
Co-authored-by: Megan Wilhite <megan.wilhite@gmail.com>
Co-authored-by: Frode Gundersen <frogunder@gmail.com>
Co-authored-by: MKLeb <calebb@vmware.com>
368 lines
9.5 KiB
Groff
368 lines
9.5 KiB
Groff
.\" Man page generated from reStructuredText.
|
|
.
|
|
.TH "SALT-SSH" "1" "Feb 16, 2022" "3004.1" "Salt"
|
|
.SH NAME
|
|
salt-ssh \- salt-ssh Documentation
|
|
.
|
|
.nr rst2man-indent-level 0
|
|
.
|
|
.de1 rstReportMargin
|
|
\\$1 \\n[an-margin]
|
|
level \\n[rst2man-indent-level]
|
|
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
-
|
|
\\n[rst2man-indent0]
|
|
\\n[rst2man-indent1]
|
|
\\n[rst2man-indent2]
|
|
..
|
|
.de1 INDENT
|
|
.\" .rstReportMargin pre:
|
|
. RS \\$1
|
|
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
|
|
. nr rst2man-indent-level +1
|
|
.\" .rstReportMargin post:
|
|
..
|
|
.de UNINDENT
|
|
. RE
|
|
.\" indent \\n[an-margin]
|
|
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
.nr rst2man-indent-level -1
|
|
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
|
|
..
|
|
.SH SYNOPSIS
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
.sp
|
|
.nf
|
|
.ft C
|
|
salt\-ssh \(aq*\(aq [ options ] sys.doc
|
|
|
|
salt\-ssh \-E \(aq.*\(aq [ options ] sys.doc cmd
|
|
.ft P
|
|
.fi
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.SH DESCRIPTION
|
|
.sp
|
|
Salt SSH allows for salt routines to be executed using only SSH for transport
|
|
.SH OPTIONS
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-version
|
|
Print the version of Salt that is running.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-versions\-report
|
|
Show program\(aqs dependencies and version number, and then exit
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-h, \-\-help
|
|
Show the help message and exit
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-c CONFIG_DIR, \-\-config\-dir=CONFIG_dir
|
|
The location of the Salt configuration directory. This directory contains
|
|
the configuration files for Salt master and minions. The default location
|
|
on most systems is \fB/etc/salt\fP\&.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-hard\-crash
|
|
Raise any original exception rather than exiting gracefully. Default: False.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-r, \-\-raw, \-\-raw\-shell
|
|
Execute a raw shell command.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-roster
|
|
Define which roster system to use, this defines if a database backend,
|
|
scanner, or custom roster system is used. Default is the flat file roster.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-roster\-file
|
|
Define an alternative location for the default roster file location. The
|
|
default roster file is called \fBroster\fP and is found in the same directory
|
|
as the master config file.
|
|
.sp
|
|
New in version 2014.1.0.
|
|
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-refresh, \-\-refresh\-cache
|
|
Force a refresh of the master side data cache of the target\(aqs data. This
|
|
is needed if a target\(aqs grains have been changed and the auto refresh
|
|
timeframe has not been reached.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-max\-procs
|
|
Set the number of concurrent minions to communicate with. This value
|
|
defines how many processes are opened up at a time to manage connections,
|
|
the more running process the faster communication should be, default
|
|
is 25.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-extra\-filerefs=EXTRA_FILEREFS
|
|
Pass in extra files to include in the state tarball.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-min\-extra\-modules=MIN_EXTRA_MODS
|
|
One or comma\-separated list of extra Python modulesto be included
|
|
into Minimal Salt.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-thin\-extra\-modules=THIN_EXTRA_MODS
|
|
One or comma\-separated list of extra Python modulesto be included
|
|
into Thin Salt.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-v, \-\-verbose
|
|
Turn on command verbosity, display jid.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-s, \-\-static
|
|
Return the data from minions as a group after they all return.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-w, \-\-wipe
|
|
Remove the deployment of the salt files when done executing.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-W, \-\-rand\-thin\-dir
|
|
Select a random temp dir to deploy on the remote system. The dir
|
|
will be cleaned after the execution.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-t, \-\-regen\-thin, \-\-thin
|
|
Trigger a thin tarball regeneration. This is needed if custom
|
|
grains/modules/states have been added or updated.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-python2\-bin=PYTHON2_BIN
|
|
Path to a python2 binary which has salt installed.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-python3\-bin=PYTHON3_BIN
|
|
Path to a python3 binary which has salt installed.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-jid=JID
|
|
Pass a JID to be used instead of generating one.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-pre\-flight
|
|
Run the ssh_pre_flight script defined in the roster.
|
|
By default this script will only run if the thin dir
|
|
does not exist on the target minion. This option will
|
|
force the script to run regardless of the thin dir
|
|
existing or not.
|
|
.UNINDENT
|
|
.SS Authentication Options
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-priv=SSH_PRIV
|
|
Specify the SSH private key file to be used for authentication.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-priv\-passwd=SSH_PRIV_PASSWD
|
|
Specify the SSH private key file\(aqs passphrase if need be.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-i, \-\-ignore\-host\-keys
|
|
By default ssh host keys are honored and connections will ask for
|
|
approval. Use this option to disable StrictHostKeyChecking.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-no\-host\-keys
|
|
Fully ignores ssh host keys which by default are honored and connections
|
|
would ask for approval. Useful if the host key of a remote server has
|
|
changed and would still error with \-\-ignore\-host\-keys.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-user=SSH_USER
|
|
Set the default user to attempt to use when authenticating.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-passwd
|
|
Set the default password to attempt to use when authenticating.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-askpass
|
|
Interactively ask for the SSH password with no echo \- avoids password
|
|
in process args and stored in history.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-key\-deploy
|
|
Set this flag to attempt to deploy the authorized ssh key with all
|
|
minions. This combined with \-\-passwd can make initial deployment of keys
|
|
very fast and easy.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-identities\-only
|
|
Use the only authentication identity files configured in the ssh_config
|
|
files. See IdentitiesOnly flag in man ssh_config.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-sudo
|
|
Run command via sudo.
|
|
.UNINDENT
|
|
.SS Scan Roster Options
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-scan\-ports=SSH_SCAN_PORTS
|
|
Comma\-separated list of ports to scan in the scan roster.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-scan\-timeout=SSH_SCAN_TIMEOUT
|
|
Scanning socket timeout for the scan roster.
|
|
.UNINDENT
|
|
.SS Logging Options
|
|
.sp
|
|
Logging options which override any settings defined on the configuration files.
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-l LOG_LEVEL, \-\-log\-level=LOG_LEVEL
|
|
Console logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
|
|
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP\&. Default:
|
|
\fBwarning\fP\&.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-log\-file=LOG_FILE
|
|
Log file path. Default: /var/log/salt/ssh\&.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-log\-file\-level=LOG_LEVEL_LOGFILE
|
|
Logfile logging log level. One of \fBall\fP, \fBgarbage\fP, \fBtrace\fP,
|
|
\fBdebug\fP, \fBinfo\fP, \fBwarning\fP, \fBerror\fP, \fBquiet\fP\&. Default:
|
|
\fBwarning\fP\&.
|
|
.UNINDENT
|
|
.SS Target Selection
|
|
.sp
|
|
The default matching that Salt utilizes is shell\-style globbing around the
|
|
minion id. See \fI\%https://docs.python.org/3/library/fnmatch.html#module\-fnmatch\fP\&.
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-E, \-\-pcre
|
|
The target expression will be interpreted as a PCRE regular expression
|
|
rather than a shell glob.
|
|
.UNINDENT
|
|
.SS Output Options
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-out
|
|
Pass in an alternative outputter to display the return of data. This
|
|
outputter can be any of the available outputters:
|
|
.INDENT 7.0
|
|
.INDENT 3.5
|
|
\fBhighstate\fP, \fBjson\fP, \fBkey\fP, \fBoverstatestage\fP, \fBpprint\fP, \fBraw\fP, \fBtxt\fP, \fByaml\fP, and many others\&.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
Some outputters are formatted only for data returned from specific functions.
|
|
If an outputter is used that does not support the data passed into it, then
|
|
Salt will fall back on the \fBpprint\fP outputter and display the return data
|
|
using the Python \fBpprint\fP standard library module.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-out\-indent OUTPUT_INDENT, \-\-output\-indent OUTPUT_INDENT
|
|
Print the output indented by the provided value in spaces. Negative values
|
|
disable indentation. Only applicable in outputters that support
|
|
indentation.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-out\-file=OUTPUT_FILE, \-\-output\-file=OUTPUT_FILE
|
|
Write the output to the specified file.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-out\-file\-append, \-\-output\-file\-append
|
|
Append the output to the specified file.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-no\-color
|
|
Disable all colored output
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-force\-color
|
|
Force colored output
|
|
.sp
|
|
\fBNOTE:\fP
|
|
.INDENT 7.0
|
|
.INDENT 3.5
|
|
When using colored output the color codes are as follows:
|
|
.sp
|
|
\fBgreen\fP denotes success, \fBred\fP denotes failure, \fBblue\fP denotes
|
|
changes and success and \fByellow\fP denotes a expected future change in configuration.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-state\-output=STATE_OUTPUT, \-\-state_output=STATE_OUTPUT
|
|
Override the configured state_output value for minion
|
|
output. One of \(aqfull\(aq, \(aqterse\(aq, \(aqmixed\(aq, \(aqchanges\(aq or
|
|
\(aqfilter\(aq. Default: \(aqnone\(aq.
|
|
.UNINDENT
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-\-state\-verbose=STATE_VERBOSE, \-\-state_verbose=STATE_VERBOSE
|
|
Override the configured state_verbose value for minion
|
|
output. Set to True or False. Default: none.
|
|
.UNINDENT
|
|
.sp
|
|
\fBNOTE:\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
If using \fB\-\-out=json\fP, you will probably want \fB\-\-static\fP as well.
|
|
Without the static option, you will get a separate JSON string per minion
|
|
which makes JSON output invalid as a whole.
|
|
This is due to using an iterative outputter. So if you want to feed it
|
|
to a JSON parser, use \fB\-\-static\fP as well.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.SH SEE ALSO
|
|
.sp
|
|
\fBsalt(7)\fP
|
|
\fBsalt\-master(1)\fP
|
|
\fBsalt\-minion(1)\fP
|
|
.SH AUTHOR
|
|
Thomas S. Hatch <thatch45@gmail.com> and many others, please see the Authors file
|
|
.\" Generated by docutils manpage writer.
|
|
.
|