saltstack · basepi · Jan 6, 2016 · Dec 29, 2015 · Dec 29, 2015 · Dec 30, 2015
diff --git a/conf/minion b/conf/minion
@@ -20,8 +20,12 @@
 # set to True, the order will be randomized instead. This can be helpful in distributing
 # the load of many minions executing salt-call requests, for example, from a cron job.
 # If only one master is listed, this setting is ignored and a warning will be logged.
+# NOTE: If master_type is set to failover, use master_shuffle instead.
 #random_master: False
 
+# Use if master_type is set to failover.
+#master_shuffle: False
+
 # Minions can connect to multiple masters simultaneously (all masters
 # are "hot"), or can be configured to failover if a master becomes
 # unavailable.  Multiple hot masters are configured by setting this

diff --git a/doc/ref/configuration/minion.rst b/doc/ref/configuration/minion.rst
@@ -125,14 +125,27 @@ to the next master in the list if it finds the existing one is dead.
 
 Default: ``False``
 
-If :conf_minion:`master` is a list of addresses, shuffle them before trying to
+If :conf_minion:`master` is a list of addresses and :conf_minion`master_type` is ``failover``, shuffle them before trying to
 connect to distribute the minions over all available masters. This uses
 Python's :func:`random.shuffle <python2:random.shuffle>` method.
 
 .. code-block:: yaml
 
     master_shuffle: True
 
+``random_master``
+------------------
+
+Default: ``False``
+
+If :conf_minion:`master` is a list of addresses, shuffle them before trying to
+connect to distribute the minions over all available masters. This uses
+Python's :func:`random.randint <python2:random.randint>` method.
+
+.. code-block:: yaml
+
+    random_master: True
+
 .. conf_minion:: retry_dns
 
 ``retry_dns``

diff --git a/doc/topics/ssh/index.rst b/doc/topics/ssh/index.rst
@@ -207,3 +207,16 @@ Boolean-style options should be specified in their YAML representation.
    be ``wipe_ssh`` and thus this is what should be configured in the
    ``Saltfile``.  Using the names of flags for this option, being ``wipe:
    True`` or ``w: True``, will not work.
+
+Debugging salt-ssh
+==================
+
+One common approach for debugging ``salt-ssh`` is to simply use the tarball that salt
+ships to the remote machine and call ``salt-call`` directly.
+
+To determine the location of ``salt-call``, simply run ``salt-ssh`` with the ``-ldebug``
+flag and look for a line containing the string, ``SALT_ARGV``. This contains the ``salt-call``
+command that ``salt-ssh`` attempted to execute.
+
+It is recommended that one modify this command a bit by removing the ``-l quiet``,
+``--metadata`` and ``--output json`` to get a better idea of what's going on on the target system.
diff --git a/doc/topics/tutorials/gitfs.rst b/doc/topics/tutorials/gitfs.rst
@@ -29,6 +29,11 @@ If :conf_master:`gitfs_provider` is not configured, then Salt will prefer
 pygit2_ if a suitable version is available, followed by GitPython_ and
 Dulwich_.
 
+.. note::
+    It is recommended to always run the most recent version of any the below
+    dependencies. Certain features of gitfs may not be available without
+    the most recent version of the chosen library.
+
 .. _pygit2: https://github.com/libgit2/pygit2
 .. _Dulwich: https://www.samba.org/~jelmer/dulwich/
 .. _GitPython: https://github.com/gitpython-developers/GitPython

diff --git a/doc/topics/tutorials/pillar.rst b/doc/topics/tutorials/pillar.rst
@@ -68,7 +68,8 @@ The default location for the pillar is in /srv/pillar.
 
     The pillar location can be configured via the `pillar_roots` option inside
     the master configuration file. It must not be in a subdirectory of the state
-    tree.
+    tree or file_roots. If the pillar is under file_roots, any pillar targeting
+    can be bypassed by minions.
 
 To start setting up the pillar, the /srv/pillar directory needs to be present:
 

diff --git a/salt/cloud/clouds/joyent.py b/salt/cloud/clouds/joyent.py
@@ -1079,7 +1079,7 @@ def query(action=None,
         text=True,
         status=True,
         headers=True,
-        verify=verify_ssl,
+        verify_ssl=verify_ssl,
         opts=__opts__,
     )
     log.debug(

diff --git a/salt/modules/apache.py b/salt/modules/apache.py
@@ -265,10 +265,10 @@ def useradd(pwfile, user, password, opts=''):
     .. code-block:: text
 
         n  Don't update file; display results on stdout.
-        m  Force MD5 encryption of the password (default).
-        d  Force CRYPT encryption of the password.
-        p  Do not encrypt the password (plaintext).
-        s  Force SHA encryption of the password.
+        m  Force MD5 hashing of the password (default).
+        d  Force CRYPT(3) hashing of the password.
+        p  Do not hash the password (plaintext).
+        s  Force SHA1 hashing of the password.
 
     CLI Examples:
 

diff --git a/salt/modules/shadow.py b/salt/modules/shadow.py
@@ -142,6 +142,12 @@ def gen_password(password, crypt_salt=None, algorithm='sha512'):
 
     Generate hashed password
 
+    .. note::
+
+        When called this function is called directly via remote-execution,
+        the password argument may be displayed in the system's process list.
+        This may be a security risk on certain systems.
+
     password
         Plaintext password to be hashed.
 

diff --git a/salt/states/user.py b/salt/states/user.py
@@ -121,7 +121,7 @@ def _changes(name,
     if _group_changes(lusr['groups'], wanted_groups, remove_groups):
         change['groups'] = wanted_groups
     if home:
-        if lusr['home'] != home and createhome:
+        if lusr['home'] != home:
             change['home'] = home
     if createhome:
         newhome = home if home else lusr['home']