Merge pull request saltstack#33508 from rallytime/merge-2016.3

[2016.3] Merge forward from 2015.8 to 2016.3

conf/minion

@@ -377,6 +377,10 @@
 #include:
 #  - /etc/salt/extra_config
 #  - /etc/roles/webserver
+
+# The syndic minion can verify that it is talking to the correct master via the
+# key fingerprint of the higher-level master with the "syndic_finger" config.
+#syndic_finger: ''
 #
 #
 #

doc/ref/configuration/master.rst

@@ -2236,6 +2236,26 @@ configuration is the same as :conf_master:`file_roots`:
       prod:
         - /srv/pillar/prod
 
+.. conf_master:: pillar_opts
+
+``pillar_opts``
+---------------
+
+Default: ``False``
+
+The ``pillar_opts`` option adds the master configuration file data to a dict in
+the pillar called ``master``. This can be used to set simple configurations in
+the master config file that can then be used on minions.
+
+Note that setting this option to ``True`` means the master config file will be
+included in all minion's pillars. While this makes global configuration of services
+and systems easy, it may not be desired if sensitive data is stored in the master
+configuration.
+
+.. code-block:: yaml
+
+    pillar_opts: False
+
 .. _master-configuration-ext-pillar:
 
 .. conf_master:: ext_pillar

doc/ref/configuration/minion.rst

@@ -909,6 +909,20 @@ what you are doing! Transports are explained in :ref:`Salt Transports
 
     transport: zeromq
 
+.. conf_minion:: syndic_finger
+
+``syndic_finger``
+-----------------
+
+Default: ``''``
+
+The key fingerprint of the higher-level master for the syndic to verify it is
+talking to the intended master.
+
+.. code-block:: yaml
+
+    syndic_finger: 'ab:30:65:2a:d6:9e:20:4f:d8:b2:f3:a7:d4:65:50:10'
+
 
 Minion Module Management
 ========================

doc/topics/troubleshooting/yaml_idiosyncrasies.rst

@@ -341,3 +341,13 @@ string with quotes:
     ValueError: month must be in 1..12
     >>> yaml.safe_load('"4017-16-20"')
     '4017-16-20'
+
+
+Keys Limited to 1024 Characters
+===============================
+
+Simple keys are limited to a single line and cannot be longer that 1024 characters.
+This is a limitation from PyYaml, as seen in a comment in `PyYAML's code`_, and
+applies to anything parsed by YAML in Salt.
+
+.. _PyYAML's code: http://pyyaml.org/browser/pyyaml/trunk/lib/yaml/scanner.py#L91

doc/topics/tutorials/standalone_minion.rst

@@ -17,6 +17,20 @@ things:
     Otherwise, it will attempt to connect to a master and fail. The salt-call
     command stands on its own and does not need the salt-minion daemon.
 
+
+Minion Configuration
+--------------------
+
+Throughout this document there are several references to setting different
+options to configure a masterless Minion. Salt Minions are easy to configure
+via a configuration file that is located, by default, in ``/etc/salt/minion``.
+Note, however, that on FreeBSD systems, the minion configuration file is located
+in ``/usr/local/etc/salt/minion``.
+
+You can learn more about minion configuration options in the
+:ref:`Configuring the Salt Minion <configuration-salt-minion>` docs.
+
+
 Telling Salt Call to Run Masterless
 ===================================
 
@@ -39,7 +53,6 @@ Now the salt-call command will not look for a master and will assume that the
 local system has all of the file and pillar resources.
 
 
-
 Running States Masterless
 =========================
 
@@ -81,6 +94,7 @@ it unnecessary to change the configuration file:
 
     salt-call state.apply --local
 
+
 External Pillars
 ================
 

pkg/suse/salt-minion

@@ -55,7 +55,7 @@ RETVAL=0
 start() {
     echo -n $"Starting salt-minion daemon: "
     if [ -f $SUSE_RELEASE ]; then
-        startproc -f -p /var/run/$SERVICE.pid $SALTMINION -d $MINION_ARGS
+        startproc -p /var/run/$SERVICE.pid $SALTMINION -d $MINION_ARGS
         rc_status -v
     elif [ -e $DEBIAN_VERSION ]; then
         if [ -f $LOCKFILE ]; then

salt/auth/pam.py

@@ -117,6 +117,10 @@ class PamConv(Structure):
     PAM_AUTHENTICATE.restype = c_int
     PAM_AUTHENTICATE.argtypes = [PamHandle, c_int]
 
+    PAM_ACCT_MGMT = LIBPAM.pam_acct_mgmt
+    PAM_ACCT_MGMT.restype = c_int
+    PAM_ACCT_MGMT.argtypes = [PamHandle, c_int]
+
     PAM_END = LIBPAM.pam_end
     PAM_END.restype = c_int
     PAM_END.argtypes = [PamHandle, c_int]
@@ -171,6 +175,8 @@ def my_conv(n_messages, messages, p_response, app_data):
         return False
 
     retval = PAM_AUTHENTICATE(handle, 0)
+    if retval == 0:
+        PAM_ACCT_MGMT(handle, 0)
     PAM_END(handle, 0)
     return retval == 0
 

salt/beacons/diskusage.py

@@ -68,8 +68,7 @@ def beacon(config):
 
     '''
     ret = []
-    for diskusage in config:
-        mount = diskusage.keys()[0]
+    for mount in config:
 
         try:
             _current_usage = psutil.disk_usage(mount)
@@ -79,7 +78,7 @@ def beacon(config):
             continue
 
         current_usage = _current_usage.percent
-        monitor_usage = diskusage[mount]
+        monitor_usage = config[mount]
         if '%' in monitor_usage:
             monitor_usage = re.sub('%', '', monitor_usage)
         monitor_usage = float(monitor_usage)

salt/modules/etcd_mod.py

@@ -4,8 +4,11 @@
 
 :depends:  - python-etcd
 
-In order to use an etcd server, a profile should be created in the master
-configuration file:
+Configuration
+-------------
+
+To work with an etcd server you must configure an etcd profile. The etcd config
+can be set in either the Salt Minion configuration file or in pillar:
 
 .. code-block:: yaml
 
@@ -21,6 +24,17 @@
 
     etcd.host: 127.0.0.1
     etcd.port: 4001
+
+.. note::
+
+    The etcd configuration can also be set in the Salt Master config file,
+    but in order to use any etcd configurations defined in the Salt Master
+    config, the :conf_master:`pillar_opts` must be set to ``True``.
+
+    Be aware that setting ``pillar_opts`` to ``True`` has security implications
+    as this makes all master configuration settings available in all minion's
+    pillars.
+
 '''
 from __future__ import absolute_import
 

salt/modules/glance.py

@@ -448,6 +448,12 @@ def image_schema(profile=None):
     '''
     Returns names and descriptions of the schema "image"'s
     properties for this profile's instance of glance
+
+    CLI Example:
+
+    .. code-block:: bash
+
+        salt '*' glance.image_schema
     '''
     return schema_get('image', profile)
 
@@ -459,6 +465,13 @@ def image_update(id=None, name=None, profile=None, **kwargs):  # pylint: disable
     - min_ram (in MB)
     - protected (bool)
     - visibility ('public' or 'private')
+
+    CLI Example:
+
+    .. code-block:: bash
+
+        salt '*' glance.image_update id=c2eb2eb0-53e1-4a80-b990-8ec887eae7df
+        salt '*' glance.image_update name=f16-jeos
     '''
     if id:
         image = image_show(id=id, profile=profile)
@@ -512,6 +525,12 @@ def schema_get(name, profile=None):
       - images
       - member
       - members
+
+    CLI Example:
+
+    .. code-block:: bash
+
+        salt '*' glance.schema_get name=f16-jeos
     '''
     g_client = _auth(profile)
     pformat = pprint.PrettyPrinter(indent=4).pformat

salt/modules/nova.py

@@ -562,6 +562,12 @@ def list_(profile=None):
     '''
     To maintain the feel of the nova command line, this function simply calls
     the server_list function.
+
+    CLI Example:
+
+    .. code-block:: bash
+
+        salt '*' nova.list
     '''
     return server_list(profile=profile)
 

salt/modules/postgres.py

@@ -346,6 +346,27 @@ def psql_query(query, user=None, host=None, port=None, maintenance_db=None,
     WITH updated AS (UPDATE pg_authid SET rolconnlimit = 2000 WHERE
     rolname = 'rolename' RETURNING rolconnlimit) SELECT * FROM updated;
 
+    query
+        The query string.
+
+    user
+        Database username, if different from config or default.
+
+    host
+        Database host, if different from config or default.
+
+    port
+        Database port, if different from the config or default.
+
+    maintenance_db
+        The database to run the query against.
+
+    password
+        User password, if different from the config or default.
+
+    runas
+        User to run the command as.
+
     CLI Example:
 
     .. code-block:: bash

salt/modules/rpm.py

@@ -606,3 +606,29 @@ def version_cmp(ver1, ver2):
         log.warning("Failed to compare version '{0}' to '{1}' using RPM: {2}".format(ver1, ver2, exc))
 
     return salt.utils.version_cmp(ver1, ver2)
+
+
+def checksum(*paths):
+    '''
+    Return if the signature of a RPM file is valid.
+
+    CLI Example:
+
+    .. code-block:: bash
+
+        salt '*' lowpkg.checksum /path/to/package1.rpm
+        salt '*' lowpkg.checksum /path/to/package1.rpm /path/to/package2.rpm
+    '''
+    ret = dict()
+
+    if not paths:
+        raise CommandExecutionError("No package files has been specified.")
+
+    for package_file in paths:
+        ret[package_file] = (bool(__salt__['file.file_exists'](package_file)) and
+                            not __salt__['cmd.retcode'](["rpm", "-K", "--quiet", package_file],
+                                                        ignore_retcode=True,
+                                                        output_loglevel='trace',
+                                                        python_shell=False))
+
+    return ret

salt/modules/saltutil.py

@@ -52,7 +52,7 @@
 import salt.utils.url
 import salt.wheel
 from salt.exceptions import (
-    SaltReqTimeoutError, SaltRenderError, CommandExecutionError
+    SaltReqTimeoutError, SaltRenderError, CommandExecutionError, SaltInvocationError
 )
 
 __proxyenabled__ = ['*']
@@ -1046,25 +1046,55 @@ def runner(_fun, **kwargs):
     return rclient.cmd(_fun, kwarg=kwargs)
 
 
-def wheel(_fun, **kwargs):
+def wheel(_fun, *args, **kwargs):
     '''
     Execute a wheel module (this function must be run on the master)
 
     .. versionadded:: 2014.7.0
 
     name
         The name of the function to run
+
+    args
+        Any positional arguments to pass to the wheel function. A common example
+        of this would be the ``match`` arg needed for key functions.
+
+        .. versionadded:: v2015.8.11
+
     kwargs
         Any keyword arguments to pass to the wheel function
 
     CLI Example:
 
     .. code-block:: bash
 
-        salt '*' saltutil.wheel key.accept match=jerry
+        salt '*' saltutil.wheel key.accept jerry
     '''
-    wclient = salt.wheel.WheelClient(__opts__)
-    return wclient.cmd(_fun, kwarg=kwargs)
+    if __opts__['__role'] == 'minion':
+        master_config = os.path.join(os.path.dirname(__opts__['conf_file']),
+                                     'master')
+        master_opts = salt.config.client_config(master_config)
+        wheel_client = salt.wheel.WheelClient(master_opts)
+    else:
+        wheel_client = salt.wheel.WheelClient(__opts__)
+
+    # The WheelClient cmd needs args, kwargs, and pub_data separated out from
+    # the "normal" kwargs structure, which at this point contains __pub_x keys.
+    pub_data = {}
+    valid_kwargs = {}
+    for key, val in six.iteritems(kwargs):
+        if key.startswith('__'):
+            pub_data[key] = val
+        else:
+            valid_kwargs[key] = val
+
+    try:
+        ret = wheel_client.cmd(_fun, arg=args, pub_data=pub_data, kwarg=valid_kwargs)
+    except SaltInvocationError:
+        raise CommandExecutionError('This command can only be executed on a minion '
+                                    'that is located on the master.')
+
+    return ret
 
 
 # this is the only way I could figure out how to get the REAL file_roots