From 60431e342a852e274ffcf05a804504b261799bea Mon Sep 17 00:00:00 2001 From: Mike Place Date: Tue, 29 Dec 2015 15:22:03 -0700 Subject: [PATCH 1/8] Add documentation on debugging salt-ssh Closes #27835 --- doc/topics/ssh/index.rst | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/doc/topics/ssh/index.rst b/doc/topics/ssh/index.rst index c260168258db..82b49330646b 100644 --- a/doc/topics/ssh/index.rst +++ b/doc/topics/ssh/index.rst @@ -200,3 +200,16 @@ Boolean-style options should be specified in their YAML representation. be ``wipe_ssh`` and thus this is what should be configured in the ``Saltfile``. Using the names of flags for this option, being ``wipe: true`` or ``w: true``, will not work. + +Debugging salt-ssh +================== + +One common approach for debugging ``salt-ssh`` is to simply use the tarball that salt +ships to the remote machine and call ``salt-call`` directly. + +To determine the location of ``salt-call``, simply run ``salt-ssh`` with the ``-ldebug`` +flag and look for a line containing the string, ``SALT_ARGV``. This contains the ``salt-call`` +command that ``salt-ssh`` attempted to execute. + +It is recommended that one modify this command a bit by removing the ``-l quiet``, +``--metadata`` and ``--output json`` to get a better idea of what's going on on the target system. From 8c29e2dd6ac7ac6cb9bd7a4345c67007cb304e45 Mon Sep 17 00:00:00 2001 From: Mike Place Date: Wed, 30 Dec 2015 12:00:33 -0700 Subject: [PATCH 2/8] Document that gitfs needs recent libs Closes #29921 --- doc/topics/tutorials/gitfs.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/topics/tutorials/gitfs.rst b/doc/topics/tutorials/gitfs.rst index 310bdb975e19..fc75a6a6eca5 100644 --- a/doc/topics/tutorials/gitfs.rst +++ b/doc/topics/tutorials/gitfs.rst 
@@ -29,6 +29,11 @@ If :conf_master:`gitfs_provider` is not configured, then Salt will prefer pygit2_ if a suitable version is available, followed by GitPython_ and Dulwich_. +.. note:: + It is recommended to always run the most recent version of any the below + dependencies. Certain features of gitfs may not be available without + the most recent version of the chosen library. + .. _pygit2: https://github.com/libgit2/pygit2 .. _Dulwich: https://www.samba.org/~jelmer/dulwich/ .. _GitPython: https://github.com/gitpython-developers/GitPython From 50533add40c0b016f57e5c6150f94b9d7f719189 Mon Sep 17 00:00:00 2001 From: Michele Preziuso Date: Wed, 30 Dec 2015 19:27:32 +0000 Subject: [PATCH 3/8] Fixes terminology and adds more accurate details about the algorithms Source: https://httpd.apache.org/docs/2.2/misc/password_encryptions.html. --- salt/modules/apache.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/modules/apache.py b/salt/modules/apache.py index 45d9c12d10ce..d006f7156ba3 100644 --- a/salt/modules/apache.py +++ b/salt/modules/apache.py @@ -266,10 +266,10 @@ def useradd(pwfile, user, password, opts=''): .. code-block:: text n Don't update file; display results on stdout. - m Force MD5 encryption of the password (default). - d Force CRYPT encryption of the password. - p Do not encrypt the password (plaintext). - s Force SHA encryption of the password. + m Force MD5 hashing of the password (default). + d Force CRYPT(3) hashing of the password. + p Do not hash the password (plaintext). + s Force SHA1 hashing of the password. CLI Examples: From cfbfd58afecc6bab3f26157668d72ca510dd9cfa Mon Sep 17 00:00:00 2001 
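Review bot: The option table in the `useradd` docstring now names the algorithms correctly, but it still lists `d`, `p` and `s` without saying that they are weak choices for stored credentials. According to the Apache page the commit cites, the SHA1 format is an unsalted digest, CRYPT(3) uses only the first 8 characters of the password, and `p` stores the password as given. I would say so in the table, e.g. `s Force SHA1 hashing of the password (unsalted; insecure).` and `d Force CRYPT(3) hashing of the password (first 8 characters only; insecure).`, and describe `m` as `Force MD5 (Apache apr1, salted and iterated) hashing of the password (default).`. The function body lies outside the hunk, so how `password` is handed to htpasswd is not visible here.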
From: Zach Malone Date: Wed, 30 Dec 2015 13:10:46 -0700 Subject: [PATCH 4/8] Noting that file_roots and "state tree" should both be avoided, because in some environments, the actual states show up another level down. Adding notes about why this is undesirable. --- doc/topics/tutorials/pillar.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/topics/tutorials/pillar.rst b/doc/topics/tutorials/pillar.rst index bce8487d308f..9611f04581d2 100644 --- a/doc/topics/tutorials/pillar.rst +++ b/doc/topics/tutorials/pillar.rst @@ -68,7 +68,8 @@ The default location for the pillar is in /srv/pillar. The pillar location can be configured via the `pillar_roots` option inside the master configuration file. It must not be in a subdirectory of the state - tree. + tree or file_roots. If the pillar is under file_roots, any pillar targeting + can be bypassed by minions. To start setting up the pillar, the /srv/pillar directory needs to be present: @@ -326,4 +327,4 @@ information about an infrastructure is stored in a separate location. Reference information on pillar and the external pillar interface can be found in the Salt documentation: -:doc:`Pillar ` \ No newline at end of file +:doc:`Pillar ` From 58aec884ef31b9f210988f6ead3f303e90322b1b Mon Sep 17 00:00:00 2001 From: Mike Place Date: Wed, 30 Dec 2015 15:03:23 -0700 Subject: [PATCH 5/8] Note concern about cleartext password in docs for shadow.gen_password Closes #28120 --- salt/modules/shadow.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/modules/shadow.py b/salt/modules/shadow.py index 113213ffd3e4..97731f322076 100644 --- a/salt/modules/shadow.py +++ b/salt/modules/shadow.py 
@@ -142,6 +142,12 @@ def gen_password(password, crypt_salt=None, algorithm='sha512'): Generate hashed password + .. note:: + + When called this function is called directly via remote-execution, + the password argument may be displayed in the system's process list. + This may be a security risk on certain systems. + password Plaintext password to be hashed. From e1c08cb2698ccfda3f1a9fabac7c5ae435e4a95f Mon Sep 17 00:00:00 2001 From: Mark Kimball Date: Thu, 31 Dec 2015 13:27:40 -0700 Subject: [PATCH 6/8] Fixed flag sent to salt.utils.http in order for verify_ssl to work appropriately. --- salt/cloud/clouds/joyent.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/cloud/clouds/joyent.py b/salt/cloud/clouds/joyent.py index db4c3f7ee6ec..63af922ef52e 100644 --- a/salt/cloud/clouds/joyent.py +++ b/salt/cloud/clouds/joyent.py @@ -1069,7 +1069,7 @@ def query(action=None, text=True, status=True, headers=True, - verify=verify_ssl, + verify_ssl=verify_ssl, opts=__opts__, ) log.debug( From 56544a77f63bedbfcf43177dbfa8ad2c68d44847 Mon Sep 17 00:00:00 2001 From: abednarik Date: Sat, 2 Jan 2016 18:18:16 -0300 Subject: [PATCH 7/8] Update user home event when createhome is set to False Removed cretehome from if statement since home should be updated even when createhome is set to False. Fixes #29633. --- salt/states/user.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/states/user.py b/salt/states/user.py index 570ecfa9a6d0..4e3d6ef2c69d 100644 --- a/salt/states/user.py +++ b/salt/states/user.py @@ -117,7 +117,7 @@ def _changes(name, if _group_changes(lusr['groups'], wanted_groups, remove_groups): change['groups'] = wanted_groups if home: - if lusr['home'] != home and createhome: + if lusr['home'] != home: change['home'] = home if createhome: newhome = home if home else lusr['home'] From 01dbf385ef3090c9bea74a68f4b5d16aef97422d Mon Sep 17 00:00:00 2001 
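Review bot: The first sentence of the note added to the `gen_password` docstring reads `When called this function is called directly via remote-execution`, which repeats "called"; it should read `When this function is called directly via remote-execution,`. The warning also stops at "may be a security risk on certain systems" without telling the reader what to do about it. A closing sentence such as `Avoid passing real passwords this way on hosts where other users can read the process list; generate the hash on a trusted machine instead.` would make the note actionable. The rest of the docstring and the function body are outside the hunk.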
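Review bot: With the keyword corrected to `verify_ssl=verify_ssl` in the joyent `query` call, the value of `verify_ssl` now decides whether certificates are checked for this request, and the hunk does not show where it is assigned or what it defaults to. If it is read from provider configuration, the default should be `True` so that a missing setting cannot turn verification off; that needs confirming in the part of `query` above the hunk. The old `verify=` spelling was apparently accepted without an error, so a comment at the call would guard against a regression, for example `# keyword must be verify_ssl for the certificate-verification setting to take effect`. A unit test asserting that the HTTP helper receives `verify_ssl` would pin this down.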
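Review bot: The nested test in `_changes` can now be a single condition, `if home and lusr['home'] != home:`, since the inner `if` no longer has a second operand. Because `createhome` no longer gates the comparison, a short comment would help the next reader, e.g. `# home is compared regardless of createhome`. The comparison is a plain string inequality, so a configured path that differs only cosmetically (a trailing slash, for instance) would presumably be reported as a change on every run; normalising both sides may be worth considering. `_changes` starts and ends outside the hunk.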
From: Jered Sutton Date: Sat, 2 Jan 2016 23:21:51 -0600 Subject: [PATCH 8/8] Adding random_master to reference and updating master_shuffle. Adding master_shuffle to the minion example config file as it is needed for multi-master PKI. --- conf/minion | 4 ++++ doc/ref/configuration/minion.rst | 15 ++++++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/conf/minion b/conf/minion index a049d7794ea1..c0ee67f238d9 100644 --- a/conf/minion +++ b/conf/minion @@ -20,8 +20,12 @@ # set to True, the order will be randomized instead. This can be helpful in distributing # the load of many minions executing salt-call requests, for example, from a cron job. # If only one master is listed, this setting is ignored and a warning will be logged. +# NOTE: If master_type is set to failover, use master_shuffle instead. #random_master: False +# Use if master_type is set to failover. +#master_shuffle: False + # Minions can connect to multiple masters simultaneously (all masters # are "hot"), or can be configured to failover if a master becomes # unavailable. Multiple hot masters are configured by setting this diff --git a/doc/ref/configuration/minion.rst b/doc/ref/configuration/minion.rst index 42646097bcf8..31a22a871eba 100644 --- a/doc/ref/configuration/minion.rst +++ b/doc/ref/configuration/minion.rst @@ -125,7 +125,7 @@ to the next master in the list if it finds the existing one is dead. Default: ``False`` -If :conf_minion:`master` is a list of addresses, shuffle them before trying to +If :conf_minion:`master` is a list of addresses and :conf_minion`master_type` is ``failover``, shuffle them before trying to connect to distribute the minions over all available masters. This uses Python's :func:`random.shuffle ` method. 
@@ -133,6 +133,19 @@ Python's :func:`random.shuffle ` method. master_shuffle: True +``random_master`` +------------------ + +Default: ``False`` + +If :conf_minion:`master` is a list of addresses, shuffle them before trying to +connect to distribute the minions over all available masters. This uses +Python's :func:`random.randint ` method. + +.. code-block:: yaml + + random_master: True + .. conf_minion:: retry_dns ``retry_dns``