Added parameters new to 2016.03 (or simply missing in the existing config).

7 年前 · edce95f949
--- a/salt/files/master.d/f_defaults.conf
+++ b/salt/files/master.d/f_defaults.conf
@@ -1,5 +1,5 @@
 # This file managed by Salt, do not edit by hand!!
 # Based on salt version 2015.8.7 default config
 # Based on salt version 2016.11 default config
 {% set reserved_keys = ['master', 'minion', 'cloud', 'salt_cloud_certs', 'engines', 'lxc.network_profile', 'lxc.container_profile'] -%}
 {% set cfg_salt = pillar.get('salt', {}) -%}
 {% set cfg_master = cfg_salt.get('master', {}) -%}
@@ -62,9 +62,23 @@
 # key_logfile, pidfile:
 {{ get_config('root_dir', '/') }}

 # The path to the master's configuration file.
 {{ get_config('conf_file', '/etc/salt/master') }}

 # Directory used to store public key data:
 {{ get_config('pki_dir', '/etc/salt/pki/master') }}

 # Key cache. Increases master speed for large numbers of accepted
 # keys. Available options: 'sched'. (Updates on a fixed schedule.)
 # Note that enabling this feature means that minions will not be
 # available to target for up to the length of the maintanence loop
 # which by default is 60s.
 {%- if cfg_minion['key_cache'] in cfg_master %}
 {{ get_config('key_cache', '') }}
 {% else %}
 #key_cache: ''
 {% endif %}

 # Directory to store job and cache data:
 # This directory may contain sensitive data and should be protected accordingly.
 #
@@ -77,7 +91,7 @@

 # Directory for custom modules. This directory can contain subdirectories for
 # each of Salt's module types such as "runners", "output", "wheel", "modules",
 # "states", "returners", etc.
 # "states", "returners", "engines", etc.
 # Like 'extension_modules' but can take an array of paths
 {% if 'module_dirs' in cfg_master -%}
 {%- do default_keys.append('module_dirs') %}
@@ -101,6 +115,10 @@ module_dirs:
 # Set the number of hours to keep old job information in the job cache:
 {{ get_config('keep_jobs', '24') }}

 # The number of seconds to wait when the client is requesting information
 # about running jobs.
 {{ get_config('gather_job_timeout', '10') }}

 # Set the default timeout for the salt command and api. The default is 5
 # seconds.
 {{ get_config('timeout', '5') }}
@@ -113,6 +131,11 @@ module_dirs:
 # Set the default outputter used by the salt command. The default is "nested".
 {{ get_config('output', 'nested') }}

 # Set the default output file used by the salt command. Default is to output
 # to the CLI and not to a file. Functions the same way as the "--out-file"
 # CLI option, only sets this to a single file for all salt commands.
 {{ get_config('output_file', 'None') }}

 # Return minions that timeout when running commands like test.ping
 {{ get_config('show_timeout', 'True') }}

@@ -124,6 +147,12 @@ module_dirs:
 # (true by default).
 {{ get_config('strip_colors', 'False') }}

 # To display a summary of the number of minions targeted, the number of
 # minions returned, and the number of minions that did not return, set the
 # cli_summary value to True. (False by default.)
 #
 {{ get_config('cli_summary', 'False') }}

 # Set the directory used to hold unix sockets:
 {{ get_config('sock_dir', '/var/run/salt/master') }}

@@ -138,9 +167,21 @@ module_dirs:
 # the jobs system and is not generally recommended.
 {{ get_config('job_cache', 'True') }}

 # Cache minion grains and pillar data in the cachedir.
 # Cache minion grains, pillar and mine data via the cache subsystem in the
 # cachedir or a database.
 {{ get_config('minion_data_cache', 'True') }}

 # Cache subsystem module to use for minion data cache.
 {{ get_config('cache', 'localfs') }}
 # Enables a fast in-memory cache booster and sets the expiration time.
 {{ get_config('memcache_expire_seconds', '0') }}
 # Set a memcache limit in items (bank + key) per cache storage (driver + driver_opts).
 {{ get_config('memcache_max_items', '1024') }}
 # Each time a cache storage got full cleanup all the expired items not just the oldest one.
 {{ get_config('memcache_full_cleanup', 'False') }}
 # Enable collecting the memcache stats and log it on `debug` log level.
 {{ get_config('memcache_debug', 'False') }}

 # Store all returns in the given returner.
 # Setting this option requires that any returner-specific configuration also
 # be set. See various returners in salt/returners for details on required
@@ -153,7 +194,7 @@ module_dirs:
 # By default, events are not queued.
 {{ get_config('event_return_queue', '0') }}

 # Only events returns matching tags in a whitelist
 # Only return events matching tags in a whitelist, supports glob matches.
 {% if 'event_return_whitelist' in cfg_master -%}
 {%- do default_keys.append('event_return_whitelist') %}
 event_return_whitelist:
@@ -166,12 +207,12 @@ event_return_whitelist:
  - {{ event_return }}
  {%- endfor -%}
 {% else -%}
 # event_return_whitelist:
 #   - salt/master/a_tag
 #   - salt/master/another_tag
 #event_return_whitelist:
 #  - salt/master/a_tag
 #  - salt/run/*/ret
 {% endif %}

 # Store all event returns _except_ the tags in a blacklist
 # Store all event returns **except** the tags in a blacklist supports globs.
 {% if 'event_return_blacklist' in cfg_master -%}
 {%- do default_keys.append('event_return_blacklist') %}
 event_return_blacklist:
@@ -184,9 +225,9 @@ event_return_blacklist:
  - {{ event_return }}
  {%- endfor -%}
 {% else -%}
 # event_return_blacklist:
 #   - salt/master/not_this_tag
 #   - salt/master/or_this_one
 #event_return_blacklist:
 #  - salt/master/not_this_tag
 #  - salt/wheel/*/ret
 {% endif %}

 # Passing very large events can cause the minion to consume large amounts of
@@ -270,6 +311,9 @@ event_return_blacklist:
 # Set the ZeroMQ high water marks
 # http://api.zeromq.org/3-2:zmq-setsockopt

 # The listen queue size / backlog
 {{ get_config('zmq_backlog', '1000') }}

 # The publisher interface ZeroMQPubServerChannel
 {{ get_config('pub_hwm', '1000') }}

@@ -291,6 +335,19 @@ event_return_blacklist:
 # ZMQ high-water-mark for EventPublisher pub socket
 {{ get_config('event_publisher_pub_hwm', '10000') }}

 # The master may allocate memory per-event and not
 # reclaim it.
 # To set a high-water mark for memory allocation, use
 # ipc_write_buffer to set a high-water mark for message
 # buffering.
 # Value: In bytes. Set to 'dynamic' to have Salt select
 # a value for you. Default is disabled.
 {%- if 'ipc_write_buffer' in cfg_master %}
 {{ get_config('ipc_write_buffer', 'dynamic') }}
 {%- else %}
 # ipc_write_buffer: 'dynamic'
 {%- endif %}


 #####        Security settings       #####
 ##########################################
@@ -304,7 +361,7 @@ event_return_blacklist:
 # public keys from the minions. Note that this is insecure.
 {{ get_config('auto_accept', 'False') }}

 # Time in minutes that a incoming public key with a matching name found in
 # Time in minutes that an incoming public key with a matching name found in
 # pki_dir/minion_autosign/keyid is automatically accepted. Expired autosign keys
 # are removed when the master checks the minion_autosign directory.
 # 0 equals no timeout
@@ -371,6 +428,7 @@ publisher_acl:
 #  larry:
 #    - test.ping
 #    - network.*
 #
 {%- endif %}

 # Blacklist any of the following users or modules
@@ -378,6 +436,12 @@ publisher_acl:
 # This example would blacklist all non sudo users, including root from
 # running any commands. It would also blacklist any use of the "cmd"
 # module. This is completely disabled by default.
 #
 #
 # Check the list of configured users in client ACL against users on the
 # system and throw errors if they do not exist.
 {{ get_config('client_acl_verify', 'True') }}
 #
 {% if 'publisher_acl_blacklist' in cfg_master %}
 {%- do default_keys.append('publisher_acl_blacklist') %}
 publisher_acl_blacklist:
@@ -428,6 +492,10 @@ publisher_acl_blacklist:
 #  modules:
 #    - cmd
 {% endif %}
 #
 # WARNING: client_acl and client_acl_blacklist options are deprecated and will
 # be removed in the future releases. Use publisher_acl and
 # publisher_acl_blacklist instead.

 # Enforce publisher_acl & publisher_acl_blacklist when users have sudo
 # access to the salt command.
@@ -455,6 +523,18 @@ external_auth:

 # Time (in seconds) for a newly generated token to live. Default: 12 hours
 {{ get_config('token_expire', '43200') }}
 #
 # Allow eauth users to specify the expiry time of the tokens they generate.
 # A boolean applies to all users or a dictionary of whitelisted eauth backends
 # and usernames may be given.
 # token_expire_user_override:
 #   pam:
 #     - fred
 #     - tom
 #   ldap:
 #     - gary
 #
 #token_expire_user_override: False

 # Allow minions to push files to the master. This is disabled by default, for
 # security purposes.
@@ -479,6 +559,15 @@ external_auth:
 # will cause minion to throw an exception and drop the message.
 {{ get_config('sign_pub_message', 'False') }}

 # Use TLS/SSL encrypted connection between master and minion.
 # Can be set to a dictionary containing keyword arguments corresponding to Python's
 # 'ssl.wrap_socket' method.
 # Default is None.
 #ssl:
 #    keyfile: <path_to_keyfile>
 #    certfile: <path_to_certfile>
 #    ssl_version: PROTOCOL_TLSv1_2

 # Sign the master auth-replies with a cryptographic signature of the masters public key.
 # Please see the tutorial how to use these settings in the Multimaster-PKI with Failover Tutorial
 {{ get_config('master_sign_pubkey', 'False') }}
@@ -570,6 +659,27 @@ external_auth:
 # Pass in an alternative location for the salt-ssh roster file
 {{ get_config('roster_file', '/etc/salt/roster') }}

 # Define locations for roster files so they can be chosen when using Salt API.
 # An administrator can place roster files into these locations. Then when
 # calling Salt API, parameter 'roster_file' should contain a relative path to
 # these locations. That is, "roster_file=/foo/roster" will be resolved as
 # "/etc/salt/roster.d/foo/roster" etc. This feature prevents passing insecure
 # custom rosters through the Salt API.
 #
 {%- if 'rosters' in cfg_master %}
 rosters:
  {% for name in cfg_master['rosters'] -%}
  - {{ name }}
  {% endfor -%}
 {%- else %}
 #rosters:
 # - /etc/salt/roster.d
 # - /opt/salt/some/more/rosters
 {%- endif %}

 # The log file of the salt-ssh command:
 {{ get_config('ssh_log_file', '/var/log/salt/ssh') }}

 # Pass in minion option overrides that will be inserted into the SHIM for
 # salt-ssh calls. The local minion config is not used for salt-ssh. Can be
 # overridden on a per-minion basis in the roster (`minion_opts`)
@@ -577,6 +687,10 @@ external_auth:
 #  gpg_keydir: /root/gpg
 {{ get_config('ssh_minion_opts', '{}') }}

 # Set this to True to default to using ~/.ssh/id_rsa for salt-ssh
 # authentication with minions
 {{ get_config('ssh_use_home_key', 'False') }}

 #####    Master Module Management    #####
 ##########################################
 # Manage how master side modules are loaded.
@@ -636,7 +750,7 @@ master_tops:
 # (block, not variable tag!). Defaults to False, corresponds to the Jinja
 # environment init variable "trim_blocks".
 {{ get_config('jinja_trim_blocks', 'False') }}

 #
 # If this is set to True leading spaces and tabs are stripped from the start
 # of a line to a block. Defaults to False, corresponds to the Jinja
 # environment init variable "lstrip_blocks".
@@ -709,6 +823,7 @@ master_tops:
 #file_roots:
 #  base:
 #    - /srv/salt
 #
 {%- endif %}

 # When using multiple environments, each with their own top file, the
@@ -728,9 +843,12 @@ master_tops:
 {{ get_config('default_top', 'base') }}

 # The hash_type is the hash to use when discovering the hash of a file on
 # the master server. The default is md5, but sha1, sha224, sha256, sha384
 # the master server. The default is md5 but sha1, sha224, sha256, sha384
 # and sha512 are also supported.
 #
 # WARNING: While md5 and sha1 are also supported, do not use it due to the high chance
 # of possible collisions and thus security breach.
 #
 # Prior to changing this value, the master should be stopped and all Salt
 # caches should be cleared.
 {{ get_config('hash_type', 'md5') }}
@@ -870,7 +988,7 @@ fileserver_backend:
 # and the first repo to have the file will return it.
 # When using the git backend branches and tags are translated into salt
 # environments.
 # Note:  file:// repos will be treated as a remote, so refs you want used must
 # Note: file:// repos will be treated as a remote, so refs you want used must
 # exist in that repo as *local* refs.
 {% if 'gitfs_remotes' in cfg_master -%}
 {%- do default_keys.append('gitfs_remotes') %}
@@ -1006,6 +1124,7 @@ pillar_roots:
 #pillar_roots:
 #  base:
 #    - /srv/pillar
 #
 {%- endif %}

 {% if 'ext_pillar' in cfg_master %}
@@ -1048,6 +1167,18 @@ ext_pillar:
 # ext_pillar.
 {{ get_config('ext_pillar_first', 'False') }}

 # The external pillars permitted to be used on-demand using pillar.ext
 {%- if 'on_demand_ext_pillar' in cfg_master %}
 on_demand_ext_pillar:
  {% for name in cfg_master['on_demand_ext_pillar'] -%}
  - {{ name }}
  {% endfor -%}
 {%- else %}
 #on_demand_ext_pillar:
 #  - libvirt
 #  - virtkey
 {%- endif %}

 # The pillar_gitfs_ssl_verify option specifies whether to ignore ssl certificate
 # errors when contacting the pillar gitfs backend. You might want to set this to
 # false if you're using a git backend that uses a self-signed certificate but
@@ -1068,16 +1199,21 @@ ext_pillar:
 {{ get_config('pillar_safe_render_error', 'True') }}

 # The pillar_source_merging_strategy option allows you to configure merging strategy
 # between different sources. It accepts four values: recurse, aggregate, overwrite,
 # or smart. Recurse will merge recursively mapping of data. Aggregate instructs
 # aggregation of elements between sources that use the #!yamlex renderer. Overwrite
 # will verwrite elements according the order in which they are processed. This is
 # between different sources. It accepts five values: none, recurse, aggregate, overwrite,
 # or smart. None will not do any merging at all. Recurse will merge recursively mapping of data.
 # Aggregate instructs aggregation of elements between sources that use the #!yamlex renderer. Overwrite
 # will overwrite elements according the order in which they are processed. This is
 # behavior of the 2014.1 branch and earlier. Smart guesses the best strategy based
 # on the "renderer" setting and is the default value.
 {{ get_config('pillar_source_merging_strategy', 'smart') }}

 # Recursively merge lists by aggregating them instead of replacing them.
 {{ get_config('pillar_merge_lists', False) }}
 {{ get_config('pillar_merge_lists', 'False') }}

 # Set this option to 'True' to force a 'KeyError' to be raised whenever an
 # attempt to retrieve a named value from pillar fails. When this option is set
 # to 'False', the failed attempt returns an empty string. Default is 'False'.
 {{ get_config('pillar_raise_on_missing', 'False') }}

 # Git External Pillar (git_pillar) Configuration Options
 #
@@ -1139,6 +1275,43 @@ ext_pillar:
 # to authenticate is protected by a passphrase.
 {{ get_config('git_pillar_passphrase', '') }}

 # A master can cache pillars locally to bypass the expense of having to render them
 # for each minion on every request. This feature should only be enabled in cases
 # where pillar rendering time is known to be unsatisfactory and any attendant security
 # concerns about storing pillars in a master cache have been addressed.
 #
 # When enabling this feature, be certain to read through the additional ``pillar_cache_*``
 # configuration options to fully understand the tunable parameters and their implications.
 #
 # Note: setting ``pillar_cache: True`` has no effect on targeting Minions with Pillars.
 # See https://docs.saltstack.com/en/latest/topics/targeting/pillar.html
 {{ get_config('pillar_cache', 'False') }}

 # If and only if a master has set ``pillar_cache: True``, the cache TTL controls the amount
 # of time, in seconds, before the cache is considered invalid by a master and a fresh
 # pillar is recompiled and stored.
 {{ get_config('pillar_cache_ttl', '3600') }}

 # If and only if a master has set `pillar_cache: True`, one of several storage providers
 # can be utililzed.
 #
 # `disk`: The default storage backend. This caches rendered pillars to the master cache.
 #         Rendered pillars are serialized and deserialized as msgpack structures for speed.
 #         Note that pillars are stored UNENCRYPTED. Ensure that the master cache
 #         has permissions set appropriately. (Same defaults are provided.)
 #
 # memory: [EXPERIMENTAL] An optional backend for pillar caches which uses a pure-Python
 #         in-memory data structure for maximal performance. There are several caveats,
 #         however. First, because each master worker contains its own in-memory cache,
 #         there is no guarantee of cache consistency between minion requests. This
 #         works best in situations where the pillar rarely if ever changes. Secondly,
 #         and perhaps more importantly, this means that unencrypted pillars will
 #         be accessible to any process which can examine the memory of the ``salt-master``!
 #         This may represent a substantial security risk.
 #
 {{ get_config('pillar_cache_backend', 'disk') }}


 #####          Syndic settings       #####
 ##########################################
 # The Salt syndic is used to pass commands through a master from a higher
@@ -1155,7 +1328,7 @@ ext_pillar:

 # If this master will be running a salt syndic daemon, syndic_master tells
 # this master where to receive commands from.
 {{ get_config('syndic_master', 'masterofmaster') }}
 {{ get_config('syndic_master', 'masterofmasters') }}

 # This is the 'ret_port' of the MasterOfMaster:
 {{ get_config('syndic_master_port', '4506') }}
@@ -1164,11 +1337,22 @@ ext_pillar:
 {{ get_config('syndic_pidfile', '/var/run/salt-syndic.pid') }}

 # LOG file of the syndic daemon:
 {{ get_config('syndic_log_file', 'syndic.log') }}
 {{ get_config('syndic_log_file', '/var/log/salt/syndic') }}

 # The user under which the salt syndic will run.
 {{ get_config('syndic_user', 'root') }}

 # The behaviour of the multi-syndic when connection to a master of masters failed.
 # Can specify ``random`` (default) or ``ordered``. If set to ``random``, masters
 # will be iterated in random order. If ``ordered`` is specified, the configured
 # order will be used.
 {{ get_config('syndic_failover', 'random') }}

 # The number of seconds for the salt client to wait for additional syndics to
 # check in with their lists of expected minions before giving up.
 {{ get_config('syndic_wait', '5') }}


 #####      Peer Publish settings     #####
 ##########################################
 # Salt minions can send commands to other minions, but only if the minion is
@@ -1358,11 +1542,18 @@ log_granular_levels:

 #####         Node Groups           ######
 ##########################################
 # Node groups allow for logical groupings of minion nodes. A group consists of a group
 # name and a compound target.
 # Node groups allow for logical groupings of minion nodes. A group consists of
 # a group name and a compound target. Nodgroups can reference other nodegroups
 # with 'N@' classifier. Ensure that you do not have circular references.
 #
 #nodegroups:
 #  group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com and bl*.domain.com'
 #  group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com or bl*.domain.com'
 #  group2: 'G@os:Debian and foo.domain.com'
 #  group3: 'G@os:Debian and N@group1'
 #  group4:
 #    - 'G@foo:bar'
 #    - 'or'
 #    - 'G@foo:baz'
 {%- if 'nodegroups' in cfg_master %}
 {%- do default_keys.append('nodegroups') %}
 nodegroups:
@@ -1473,11 +1664,24 @@ win_gitrepos:
 {{ get_config('return', '')}}


 ######     Miscellaneous settings     ######
 ######    Miscellaneous  settings     ######
 ############################################
 # Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch
 {{ get_config('event_match_type', 'startswith') }}

 # Save runner returns to the job cache
 {{ get_config('runner_returns', 'True') }}

 # Permanently include any available Python 3rd party modules into Salt Thin
 # when they are generated for Salt-SSH or other purposes.
 # The modules should be named by the names they are actually imported inside the Python.
 # The value of the parameters can be either one module or a comma separated list of them.
 {%- if 'thin_extra_mods' in cfg_master %}
 {{ get_config('thin_extra_mods', '') }}
 {%- else %}
 #thin_extra_mods: foo,bar
 {%- endif %}

 {%- if 'halite' in cfg_master %}
 {%- do default_keys.append('halite') %}
 #####             Halite             #####
--- a/salt/files/minion.d/f_defaults.conf
+++ b/salt/files/minion.d/f_defaults.conf
@@ -1,5 +1,5 @@
 # This file managed by Salt, do not edit by hand!!
 #  Based on salt version 2015.8.7 default config
 #  Based on salt version 2016.11 default config
 #
 {% set reserved_keys = ['master', 'minion', 'cloud', 'salt_cloud_certs', 'engines', 'beacons'] -%}
 {% set cfg_salt = pillar.get('salt', {}) -%}
@@ -84,6 +84,8 @@ proxy_password: {{ cfg_minion['proxy_password'] }}
 # value to "str".  Failover masters can be requested by setting
 # to "failover".  MAKE SURE TO SET master_alive_interval if you are
 # using failover.
 # Setting master_type to 'disable' let's you have a running minion (with engines and
 # beacons) without a master connection
 {{ get_config('master_type', 'str') }}

 # verify_master_pubkey_sign
@@ -95,6 +97,16 @@ proxy_password: {{ cfg_minion['proxy_password'] }}
 # of TCP connections, such as load balancers.)
 {{ get_config('master_alive_interval', '30') }}

 # If the minion is in multi-master mode and the master_type configuration option
 # is set to "failover", this setting can be set to "True" to force the minion
 # to fail back to the first master in the list if the first master is back online.
 {{ get_config('master_fallback', 'False') }}

 # If the minion is in multi-master mode, the "master_type" configuration is set to
 # "failover", and the "master_failback" option is enabled, the master failback
 # interval can be set to ping the top master with this interval, in seconds.
 {{ get_config('master_fallback_interval', '0') }}

 # Set whether the minion should connect to the master via IPv6:
 {{ get_config('ipv6', 'False') }}

@@ -109,10 +121,14 @@ proxy_password: {{ cfg_minion['proxy_password'] }}
 # The user to run salt.
 {{ get_config('user', 'root') }}

 # Setting sudo_user will cause salt to run all execution modules under an sudo
 # to the user given in sudo_user.  The user under which the salt minion process
 # itself runs will still be that provided in the user config above, but all
 # execution modules run by the minion will be rerouted through sudo.
 # The user to run salt remote execution commands as via sudo. If this option is
 # enabled then sudo will be used to change the active user executing the remote
 # command. If enabled the user will need to be allowed access via the sudoers
 # file for the user that the salt minion is configured to run as. The most
 # common option would be to use the root user. If this option is set the user
 # option should also be set to a non-root user. If migrating from a root minion
 # to a non root minion the minion cache should be cleared and the minion pki
 # directory will need to be changed to the ownership of the new user.
 {{ get_config('sudo_user', 'saltdev') }}

 # Specify the location of the daemon process ID file.
@@ -122,6 +138,9 @@ proxy_password: {{ cfg_minion['proxy_password'] }}
 # sock_dir, pidfile.
 {{ get_config('root_dir', '/') }}

 # The path to the minion's configuration file.
 {{ get_config('conf_file', '/etc/salt/minion') }}

 # The directory to store the pki information in
 {{ get_config('pki_dir', '/etc/salt/pki/minion') }}

@@ -137,6 +156,13 @@ id: {{ cfg_minion['id'] }}
 #id:
 {%- endif %}

 # Cache the minion id to a file when the minion's id is not statically defined
 # in the minion config. Defaults to "True". This setting prevents potential
 # problems when automatic minion id resolution changes, which can cause the
 # minion to lose connection with the master. To turn off minion id caching,
 # set this config to ``False``.
 {{ get_config('minion_id_caching', 'True') }}

 # Append a domain to a hostname in the event that it does not exist.  This is
 # useful for systems where socket.getfqdn() does not actually result in a
 # FQDN (for instance, Solaris).
@@ -158,6 +184,20 @@ id: {{ cfg_minion['id'] }}
 # This data may contain sensitive data and should be protected accordingly.
 {{ get_config('cachedir', '/var/cache/salt/minion') }}

 # Append minion_id to these directories.  Helps with
 # multiple proxies and minions running on the same machine.
 # Allowed elements in the list: pki_dir, cachedir, extension_modules
 # Normally not needed unless running several proxies and/or minions on the same machine
 # Defaults to ['cachedir'] for proxies, [] (empty list) for regular minions
 {% if 'append_minionid_config_dirs' in cfg_minion -%}
 append_minionid_config_dirs:
  {% for dir in cfg_minion['append_minionid_config_dirs'] -%}
  - {{ dir }}
  {% endfor -%}
 {%- else %}
 #append_minionid_config_dirs:
 {%- endif %}

 # Verify and set permissions on configuration directories at startup.
 {{ get_config('verify_env', 'True') }}

@@ -226,6 +266,20 @@ id: {{ cfg_minion['id'] }}
 # authenticate.
 {{ get_config('auth_tries', '7') }}

 # The number of attempts to connect to a master before giving up.
 # Set this to -1 for unlimited attempts. This allows for a master to have
 # downtime and the minion to reconnect to it later when it comes back up.
 # In 'failover' mode, it is the number of attempts for each set of masters.
 # In this mode, it will cycle through the list of masters for each attempt.
 #
 # This is different than auth_tries because auth_tries attempts to
 # retry auth attempts with a single master. auth_tries is under the
 # assumption that you can connect to the master but not gain
 # authorization from it. master_tries will still cycle through all
 # the masters in a given try, so it is appropriate if you expect
 # occasional downtime from the master(s).
 {{ get_config('master_tries', '1') }}

 # If authentication fails due to SaltReqTimeoutError during a ping_interval,
 # cause sub minion process to restart.
 {{ get_config('auth_safemode', 'False') }}
@@ -312,10 +366,23 @@ mine_functions:
 {{ get_config('recon_randomize', 'False') }}

 # The loop_interval sets how long in seconds the minion will wait between
 # evaluating the scheduler and running cleanup tasks. This defaults to a
 # sane 60 seconds, but if the minion scheduler needs to be evaluated more
 # often lower this value
 {{ get_config('loop_interval', '60') }}
 # evaluating the scheduler and running cleanup tasks.  This defaults to 1
 # second on the minion scheduler.
 {{ get_config('loop_interval', '1') }}

 # Some installations choose to start all job returns in a cache or a returner
 # and forgo sending the results back to a master. In this workflow, jobs
 # are most often executed with --async from the Salt CLI and then results
 # are evaluated by examining job caches on the minions or any configured returners.
 # WARNING: Setting this to False will **disable** returns back to the master.
 {{ get_config('pub_ret', 'True') }}


 # The grains can be merged, instead of overridden, using this option.
 # This allows custom grains to defined different subvalues of a dictionary
 # grain. By default this feature is disabled, to enable set grains_deep_merge
 # to ``True``.
 {{ get_config('grains_deep_merge', 'False') }}

 # The grains_refresh_every setting allows for a minion to periodically check
 # its grains to see if they have changed and, if so, to inform the master
@@ -332,12 +399,37 @@ mine_functions:
 # Cache grains on the minion. Default is False.
 {{ get_config('grains_cache', 'False') }}

 # Cache rendered pillar data on the minion. Default is False.
 # This may cause 'cachedir'/pillar to contain sensitive data that should be
 # protected accordingly.
 {{ get_config('minion_pillar_cache', 'False') }}

 # Grains cache expiration, in seconds. If the cache file is older than this
 # number of seconds then the grains cache will be dumped and fully re-populated
 # with fresh data. Defaults to 5 minutes. Will have no effect if 'grains_cache'
 # is not enabled.
 {{ get_config('grains_cache_expiration', '300') }}

 # Determines whether or not the salt minion should run scheduled mine updates.
 # Defaults to "True". Set to "False" to disable the scheduled mine updates
 # (this essentially just does not add the mine update function to the minion's
 # scheduler).
 {{ get_config('mine_enabled', 'True') }}

 # Determines whether or not scheduled mine updates should be accompanied by a job
 # return for the job cache. Defaults to "False". Set to "True" to include job
 # returns in the job cache for mine updates.
 {{ get_config('mine_return_job', 'False') }}

 # Example functions that can be run via the mine facility
 # NO mine functions are established by default.
 # Note these can be defined in the minion's pillar as well.
 #mine_functions:
 #  test.ping: []
 #  network.ip_addrs:
 #    interface: eth0
 #    cidr: '10.0.0.0/8'

 # Windows platforms lack posix IPC and must rely on slower TCP based inter-
 # process communications. Set ipc_mode to 'tcp' on such systems
 {{ get_config('ipc_mode', 'ipc') }}
@@ -386,13 +478,34 @@ mine_functions:
    {%- endif -%}
 {% endif %}

 # The syndic minion can verify that it is talking to the correct master via the
 # key fingerprint of the higher-level master with the "syndic_finger" config.
 {{ get_config('syndic_finger', '') }}


 #####   Minion module management     #####
 ##########################################
 # Disable specific modules. This allows the admin to limit the level of
 # access the master has to the minion.
 {{ get_config('disable_modules', '[cmd,test]') }}
 # access the master has to the minion.  The default here is the empty list,
 # below is an example of how this needs to be formatted in the config file
 #disable_modules:
 #  - cmdmod
 #  - test
 #disable_returners: []
 {{ get_config('disable_modules', '[]') }}
 {{ get_config('disable_returners', '[]') }}

 # This is the reverse of disable_modules.  The default, like disable_modules, is the empty list,
 # but if this option is set to *anything* then *only* those modules will load.
 # Note that this is a very large hammer and it can be quite difficult to keep the minion working
 # the way you think it should since Salt uses many modules internally itself.  At a bare minimum
 # you need the following enabled or else the minion won't start.
 #whitelist_modules:
 #  - cmdmod
 #  - test
 #  - config
 {{ get_config('whitelist_modules', '[]') }}

 # Modules can be loaded from arbitrary paths. This enables the easy deployment
 # of third party modules. Modules for returners and minions can be loaded.
 # Specify a list of extra directories to search for minion modules and
@@ -452,7 +565,16 @@ mine_functions:
 # by statically setting it. Remember that the recommended way to manage
 # environments is to isolate via the top file.
 {{ get_config('environment', 'None') }}

 #
 # Isolates the pillar environment on the minion side. This functions the same
 # as the environment setting, but for pillar instead of states.
 {{ get_config('pillarenv', 'None') }}
 #
 # Set this option to 'True' to force a 'KeyError' to be raised whenever an
 # attempt to retrieve a named value from pillar fails. When this option is set
 # to 'False', the failed attempt returns an empty string. Default is 'False'.
 {{ get_config('pillar_raise_on_missing', 'False') }}
 #
 # If using the local file directory, then the state top file name needs to be
 # defined, by default this is top.sls.
 {{ get_config('state_top', 'top.sls') }}
@@ -526,17 +648,17 @@ file_client: local
 #    - /srv/salt
 {%- endif %}


 # File Server Backend
 # Uncomment the line below if you do not want the file_server to follow
 # symlinks when walking the filesystem tree. This is set to True
 # by default. Currently this only applies to the default roots
 # fileserver_backend.
 {{ get_config('fileserver_followsymlinks', 'True') }}
 #
 # Salt supports a modular fileserver backend system, this system allows
 # the salt minion to link directly to third party systems to gather and
 # manage the files available to minions. Multiple backends can be
 # configured and will be searched for the requested file in the order in which
 # they are defined here. The default setting only enables the standard backend
 # "roots" which uses the "file_roots" option.
 #fileserver_backend:
 #  - roots
 # Uncomment the line below if you do not want symlinks to be
 # treated as the files they are pointing to. By default this is set to
 # False. By uncommenting the line below, any detected symlink while listing
 # files on the Master will not be returned to the Minion.
 {{ get_config('fileserver_ignoresymlinks', 'False') }}
 #
 # To use multiple backends list them in the order they are searched:
 #fileserver_backend:
@@ -558,10 +680,13 @@ fileserver_backend:
 # is False.
 {{ get_config('fileserver_limit_traversal', 'False') }}

 # The hash_type is the hash to use when discovering the hash of a file in
 # The hash_type is the hash to use when discovering the hash of a file on
 # the local fileserver. The default is md5, but sha1, sha224, sha256, sha384
 # and sha512 are also supported.
 #
 # WARNING: While md5 and sha1 are also supported, do not use it due to the high chance
 # of possible collisions and thus security breach.
 #
 # Warning: Prior to changing this value, the minion should be stopped and all
 # Salt caches should be cleared.
 {{ get_config('hash_type', 'md5') }}
@@ -687,6 +812,10 @@ pillar_roots:
 #    - /srv/pillar
 {%- endif %}

 # Set a hard-limit on the size of the files that can be pushed to the master.
 # It will be interpreted as megabytes. Default: 100
 {{ get_config('file_recv_max_size', '100') }}

 {% if 'ext_pillar' in cfg_minion %}
 {%- do default_keys.append('ext_pillar') %}
 ext_pillar:
@@ -858,11 +987,24 @@ ext_pillar:
 # "salt-key -F master" on the Salt master.
 {{ get_config('master_finger', "''") }}

 # Use TLS/SSL encrypted connection between master and minion.
 # Can be set to a dictionary containing keyword arguments corresponding to Python's
 # 'ssl.wrap_socket' method.
 # Default is None.
 #ssl:
 #    keyfile: <path_to_keyfile>
 #    certfile: <path_to_certfile>
 #    ssl_version: PROTOCOL_TLSv1_2


 ######         Thread settings        #####
 ###########################################
 # Disable multiprocessing support, by default when a minion receives a
 # publication a new process is spawned and the command is executed therein.
 #
 # WARNING: Disabling multiprocessing may result in substantial slowdowns
 # when processing large pillars. See https://github.com/saltstack/salt/issues/38758
 # for a full explanation.
 {{ get_config('multiprocessing', 'True') }}


@@ -1024,8 +1166,24 @@ ext_pillar:

 ######      Returner  settings        ######
 ############################################
 # Which returner(s) will be used for minion's result:
 # Default Minion returners. Can be a comma delimited string or a list:
 #
 #return: mysql
 #
 #return: mysql,slack,redis
 #
 #return:
 #  - mysql
 #  - hipchat
 #  - slack
 {%- if 'return' in cfg_minion and cfg_minion['return'] is not string %}
 return:
  {% for name in cfg_minion['return'] -%}
  - {{ name }}
  {% endfor -%}
 {%- else %}
 {{ get_config('return', '') }}
 {%- endif %}

 ######    Miscellaneous  settings     ######
 ############################################