salt: upgrade to 2016.11

Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>

5 files changed, 403 insertions, 60 deletions

diff --git a/meta-openstack/recipes-support/salt/files/cloud b/meta-openstack/recipes-support/salt/files/cloud
index 5bd28df..921cc04 100644
--- a/meta-openstack/recipes-support/salt/files/cloud
+++ b/meta-openstack/recipes-support/salt/files/cloud
@@ -1,4 +1,4 @@
-# This file should normally be installed at: /etc/salt/cloud 
+# This file should normally be installed at: /etc/salt/cloud
 
 
 ##########################################
@@ -44,7 +44,7 @@
 #log_level_logfile: info
 
 
-# The date and time format used in log messages. Allowed date/time formating
+# The date and time format used in log messages. Allowed date/time formatting
 # can be seen here:
 #
 #       http://docs.python.org/library/time.html#time.strftime
@@ -71,7 +71,7 @@
 #log_fmt_console: '%(colorlevel)s %(colormsg)s'
 #log_fmt_console: '[%(levelname)-8s] %(message)s'
 #
-#log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s'
+#log_fmt_logfile: '%(asctime)s,%(msecs)03d [%(name)-17s][%(levelname)-8s] %(message)s'
 
 
 # Logger levels can be used to tweak specific loggers logging levels.
diff --git a/meta-openstack/recipes-support/salt/files/master b/meta-openstack/recipes-support/salt/files/master
index 821f5fc..4ecb160 100644
--- a/meta-openstack/recipes-support/salt/files/master
+++ b/meta-openstack/recipes-support/salt/files/master
@@ -39,12 +39,22 @@
 # key_logfile, pidfile:
 #root_dir: /
 
+# The path to the master's configuration file.
+#conf_file: /etc/salt/master
+
 # Directory used to store public key data:
 #pki_dir: /etc/salt/pki/master
 
+# Key cache. Increases master speed for large numbers of accepted
+# keys. Available options: 'sched'. (Updates on a fixed schedule.)
+# Note that enabling this feature means that minions will not be
+# available to target for up to the length of the maintanence loop
+# which by default is 60s.
+#key_cache: ''
+
 # Directory to store job and cache data:
 # This directory may contain sensitive data and should be protected accordingly.
-# 
+#
 #cachedir: /var/cache/salt/master
 
 # Directory for custom modules. This directory can contain subdirectories for
@@ -54,7 +64,7 @@
 
 # Directory for custom modules. This directory can contain subdirectories for
 # each of Salt's module types such as "runners", "output", "wheel", "modules",
-# "states", "returners", etc.
+# "states", "returners", "engines", etc.
 # Like 'extension_modules' but can take an array of paths
 #module_dirs: <no default>
 #   - /var/cache/salt/minion/extmods
@@ -65,6 +75,10 @@
 # Set the number of hours to keep old job information in the job cache:
 #keep_jobs: 24
 
+# The number of seconds to wait when the client is requesting information
+# about running jobs.
+#gather_job_timeout: 10
+
 # Set the default timeout for the salt command and api. The default is 5
 # seconds.
 #timeout: 5
@@ -77,6 +91,11 @@
 # Set the default outputter used by the salt command. The default is "nested".
 #output: nested
 
+# Set the default output file used by the salt command. Default is to output
+# to the CLI and not to a file. Functions the same way as the "--out-file"
+# CLI option, only sets this to a single file for all salt commands.
+#output_file: None
+
 # Return minions that timeout when running commands like test.ping
 #show_timeout: True
 
@@ -88,6 +107,12 @@
 # (true by default).
 # strip_colors: False
 
+# To display a summary of the number of minions targeted, the number of
+# minions returned, and the number of minions that did not return, set the
+# cli_summary value to True. (False by default.)
+#
+#cli_summary: False
+
 # Set the directory used to hold unix sockets:
 #sock_dir: /var/run/salt/master
 
@@ -106,7 +131,7 @@
 #minion_data_cache: True
 
 # Store all returns in the given returner.
-# Setting this option requires that any returner-specific configuration also 
+# Setting this option requires that any returner-specific configuration also
 # be set. See various returners in salt/returners for details on required
 # configuration values. (See also, event_return_queue below.)
 #
@@ -118,15 +143,15 @@
 # By default, events are not queued.
 #event_return_queue: 0
 
-# Only events returns matching tags in a whitelist
-# event_return_whitelist:
-#   - salt/master/a_tag
-#   - salt/master/another_tag
+# Only return events matching tags in a whitelist, supports glob matches.
+#event_return_whitelist:
+#  - salt/master/a_tag
+#  - salt/run/*/ret
 
-# Store all event returns _except_ the tags in a blacklist
-# event_return_blacklist:
-#   - salt/master/not_this_tag
-#   - salt/master/or_this_one
+# Store all event returns **except** the tags in a blacklist, supports globs.
+#event_return_blacklist:
+#  - salt/master/not_this_tag
+#  - salt/wheel/*/ret
 
 # Passing very large events can cause the minion to consume large amounts of
 # memory. This value tunes the maximum size of a message allowed onto the
@@ -145,12 +170,12 @@
 # the key rotation event as minions reconnect. Consider this carefully if this
 # salt master is managing a large number of minions.
 #
-# If disabled, it is recommended to handle this event by listening for the 
+# If disabled, it is recommended to handle this event by listening for the
 # 'aes_key_rotate' event with the 'key' tag and acting appropriately.
 # ping_on_rotate: False
 
 # By default, the master deletes its cache of minion data when the key for that
-# minion is removed. To preserve the cache after key deletion, set 
+# minion is removed. To preserve the cache after key deletion, set
 # 'preserve_minion_cache' to True.
 #
 # WARNING: This may have security implications if compromised minions auth with
@@ -230,6 +255,14 @@
 # ZMQ high-water-mark for EventPublisher pub socket
 #event_publisher_pub_hwm: 10000
 
+# The master may allocate memory per-event and not
+# reclaim it.
+# To set a high-water mark for memory allocation, use
+# ipc_write_buffer to set a high-water mark for message
+# buffering.
+# Value: In bytes. Set to 'dynamic' to have Salt select
+# a value for you. Default is disabled.
+# ipc_write_buffer: 'dynamic'
 
 
 #####        Security settings       #####
@@ -244,7 +277,7 @@
 # public keys from the minions. Note that this is insecure.
 #auto_accept: False
 
-# Time in minutes that a incoming public key with a matching name found in
+# Time in minutes that an incoming public key with a matching name found in
 # pki_dir/minion_autosign/keyid is automatically accepted. Expired autosign keys
 # are removed when the master checks the minion_autosign directory.
 # 0 equals no timeout
@@ -272,7 +305,7 @@
 # This setting should be treated with care since it opens up execution
 # capabilities to non root users. By default this capability is completely
 # disabled.
-#pulisher_acl:
+#publisher_acl:
 #  larry:
 #    - test.ping
 #    - network.*
@@ -283,6 +316,11 @@
 # running any commands. It would also blacklist any use of the "cmd"
 # module. This is completely disabled by default.
 #
+#
+# Check the list of configured users in client ACL against users on the
+# system and throw errors if they do not exist.
+#client_acl_verify: True
+#
 #publisher_acl_blacklist:
 #  users:
 #    - root
@@ -295,7 +333,7 @@
 # publisher_acl_blacklist instead.
 
 # Enforce publisher_acl & publisher_acl_blacklist when users have sudo
-# access to the salt command. 
+# access to the salt command.
 #
 #sudo_acl: False
 
@@ -308,6 +346,18 @@
 #
 # Time (in seconds) for a newly generated token to live. Default: 12 hours
 #token_expire: 43200
+#
+# Allow eauth users to specify the expiry time of the tokens they generate.
+# A boolean applies to all users or a dictionary of whitelisted eauth backends
+# and usernames may be given.
+# token_expire_user_override:
+#   pam:
+#     - fred
+#     - tom
+#   ldap:
+#     - gary
+#
+#token_expire_user_override: False
 
 # Allow minions to push files to the master. This is disabled by default, for
 # security purposes.
@@ -344,6 +394,10 @@
 #ssh_minion_opts:
 #  gpg_keydir: /root/gpg
 
+# Set this to True to default to using ~/.ssh/id_rsa for salt-ssh
+# authentication with minions
+#ssh_use_home_key: False
+
 #####    Master Module Management    #####
 ##########################################
 # Manage how master side modules are loaded.
@@ -455,7 +509,7 @@
 # When using multiple environments, each with their own top file, the
 # default behaviour is an unordered merge. To prevent top files from
 # being merged together and instead to only use the top file from the
-# requested environment, set this value to 'same'. 
+# requested environment, set this value to 'same'.
 #top_file_merging_strategy: merge
 
 # To specify the order in which environments are merged, set the ordering
@@ -469,12 +523,15 @@
 #default_top: base
 
 # The hash_type is the hash to use when discovering the hash of a file on
-# the master server. The default is md5, but sha1, sha224, sha256, sha384
+# the master server. The default is md5 but sha1, sha224, sha256, sha384
 # and sha512 are also supported.
 #
-# Prior to changing this value, the master should be stopped and all Salt 
+# WARNING: While md5 is also supported, do not use it due to the high chance
+# of possible collisions and thus security breach.
+#
+# Prior to changing this value, the master should be stopped and all Salt
 # caches should be cleared.
-#hash_type: md5
+#hash_type: sha256
 
 # The buffer size in the file server can be adjusted here:
 #file_buffer_size: 1048576
@@ -540,10 +597,37 @@
 
 # Git File Server Backend Configuration
 #
-# Gitfs can be provided by one of two python modules: GitPython or pygit2. If
-# using pygit2, both libgit2 and git must also be installed.
-#gitfs_provider: gitpython
-#
+# Optional parameter used to specify the provider to be used for gitfs. Must
+# be one of the following: pygit2, gitpython, or dulwich. If unset, then each
+# will be tried in that same order, and the first one with a compatible
+# version installed will be the provider that is used.
+#gitfs_provider: pygit2
+
+# Along with gitfs_password, is used to authenticate to HTTPS remotes.
+# gitfs_user: ''
+
+# Along with gitfs_user, is used to authenticate to HTTPS remotes.
+# This parameter is not required if the repository does not use authentication.
+#gitfs_password: ''
+
+# By default, Salt will not authenticate to an HTTP (non-HTTPS) remote.
+# This parameter enables authentication over HTTP. Enable this at your own risk.
+#gitfs_insecure_auth: False
+
+# Along with gitfs_privkey (and optionally gitfs_passphrase), is used to
+# authenticate to SSH remotes. This parameter (or its per-remote counterpart)
+# is required for SSH remotes.
+#gitfs_pubkey: ''
+
+# Along with gitfs_pubkey (and optionally gitfs_passphrase), is used to
+# authenticate to SSH remotes. This parameter (or its per-remote counterpart)
+# is required for SSH remotes.
+#gitfs_privkey: ''
+
+# This parameter is optional, required only when the SSH key being used to
+# authenticate is protected by a passphrase.
+#gitfs_passphrase: ''
+
 # When using the git fileserver backend at least one git remote needs to be
 # defined. The user running the salt master will need read access to the repo.
 #
@@ -551,7 +635,7 @@
 # and the first repo to have the file will return it.
 # When using the git backend branches and tags are translated into salt
 # environments.
-# Note:  file:// repos will be treated as a remote, so refs you want used must
+# Note: file:// repos will be treated as a remote, so refs you want used must
 # exist in that repo as *local* refs.
 #gitfs_remotes:
 #  - git://github.com/saltstack/salt-states.git
@@ -610,10 +694,10 @@
 #pillar_safe_render_error: True
 
 # The pillar_source_merging_strategy option allows you to configure merging strategy
-# between different sources. It accepts four values: recurse, aggregate, overwrite,
-# or smart. Recurse will merge recursively mapping of data. Aggregate instructs
-# aggregation of elements between sources that use the #!yamlex renderer. Overwrite
-# will verwrite elements according the order in which they are processed. This is
+# between different sources. It accepts five values: none, recurse, aggregate, overwrite,
+# or smart. None will not do any merging at all. Recurse will merge recursively mapping of data.
+# Aggregate instructs aggregation of elements between sources that use the #!yamlex renderer. Overwrite
+# will overwrite elements according the order in which they are processed. This is
 # behavior of the 2014.1 branch and earlier. Smart guesses the best strategy based
 # on the "renderer" setting and is the default value.
 #pillar_source_merging_strategy: smart
@@ -621,6 +705,107 @@
 # Recursively merge lists by aggregating them instead of replacing them.
 #pillar_merge_lists: False
 
+# Set this option to 'True' to force a 'KeyError' to be raised whenever an
+# attempt to retrieve a named value from pillar fails. When this option is set
+# to 'False', the failed attempt returns an empty string. Default is 'False'.
+#pillar_raise_on_missing: False
+
+# Git External Pillar (git_pillar) Configuration Options
+#
+# Specify the provider to be used for git_pillar. Must be either pygit2 or
+# gitpython. If unset, then both will be tried in that same order, and the
+# first one with a compatible version installed will be the provider that
+# is used.
+#git_pillar_provider: pygit2
+
+# If the desired branch matches this value, and the environment is omitted
+# from the git_pillar configuration, then the environment for that git_pillar
+# remote will be base.
+#git_pillar_base: master
+
+# If the branch is omitted from a git_pillar remote, then this branch will
+# be used instead
+#git_pillar_branch: master
+
+# Environment to use for git_pillar remotes. This is normally derived from
+# the branch/tag (or from a per-remote env parameter), but if set this will
+# override the process of deriving the env from the branch/tag name.
+#git_pillar_env: ''
+
+# Path relative to the root of the repository where the git_pillar top file
+# and SLS files are located.
+#git_pillar_root: ''
+
+# Specifies whether or not to ignore SSL certificate errors when contacting
+# the remote repository.
+#git_pillar_ssl_verify: False
+
+# When set to False, if there is an update/checkout lock for a git_pillar
+# remote and the pid written to it is not running on the master, the lock
+# file will be automatically cleared and a new lock will be obtained.
+#git_pillar_global_lock: True
+
+# Git External Pillar Authentication Options
+#
+# Along with git_pillar_password, is used to authenticate to HTTPS remotes.
+#git_pillar_user: ''
+
+# Along with git_pillar_user, is used to authenticate to HTTPS remotes.
+# This parameter is not required if the repository does not use authentication.
+#git_pillar_password: ''
+
+# By default, Salt will not authenticate to an HTTP (non-HTTPS) remote.
+# This parameter enables authentication over HTTP.
+#git_pillar_insecure_auth: False
+
+# Along with git_pillar_privkey (and optionally git_pillar_passphrase),
+# is used to authenticate to SSH remotes.
+#git_pillar_pubkey: ''
+
+# Along with git_pillar_pubkey (and optionally git_pillar_passphrase),
+# is used to authenticate to SSH remotes.
+#git_pillar_privkey: ''
+
+# This parameter is optional, required only when the SSH key being used
+# to authenticate is protected by a passphrase.
+#git_pillar_passphrase: ''
+
+# A master can cache pillars locally to bypass the expense of having to render them
+# for each minion on every request. This feature should only be enabled in cases
+# where pillar rendering time is known to be unsatisfactory and any attendant security
+# concerns about storing pillars in a master cache have been addressed.
+#
+# When enabling this feature, be certain to read through the additional ``pillar_cache_*``
+# configuration options to fully understand the tunable parameters and their implications.
+#
+# Note: setting ``pillar_cache: True`` has no effect on targeting Minions with Pillars.
+# See https://docs.saltstack.com/en/latest/topics/targeting/pillar.html
+#pillar_cache: False
+
+# If and only if a master has set ``pillar_cache: True``, the cache TTL controls the amount
+# of time, in seconds, before the cache is considered invalid by a master and a fresh
+# pillar is recompiled and stored.
+#pillar_cache_ttl: 3600
+
+# If and only if a master has set `pillar_cache: True`, one of several storage providers
+# can be utililzed.
+#
+# `disk`: The default storage backend. This caches rendered pillars to the master cache.
+#         Rendered pillars are serialized and deserialized as msgpack structures for speed.
+#         Note that pillars are stored UNENCRYPTED. Ensure that the master cache
+#         has permissions set appropriately. (Same defaults are provided.)
+#
+# memory: [EXPERIMENTAL] An optional backend for pillar caches which uses a pure-Python
+#         in-memory data structure for maximal performance. There are several caveats,
+#         however. First, because each master worker contains its own in-memory cache,
+#         there is no guarantee of cache consistency between minion requests. This
+#         works best in situations where the pillar rarely if ever changes. Secondly,
+#         and perhaps more importantly, this means that unencrypted pillars will
+#         be accessible to any process which can examine the memory of the ``salt-master``!
+#         This may represent a substantial security risk.
+#
+#pillar_cache_backend: disk
+
 
 #####          Syndic settings       #####
 ##########################################
@@ -649,6 +834,12 @@
 # LOG file of the syndic daemon:
 #syndic_log_file: syndic.log
 
+# The behaviour of the multi-syndic when connection to a master of masters failed.
+# Can specify ``random`` (default) or ``ordered``. If set to ``random``, masters
+# will be iterated in random order. If ``ordered`` is specified, the configured
+# order will be used.
+#syndic_failover: random
+
 
 #####      Peer Publish settings     #####
 ##########################################
@@ -738,7 +929,7 @@
 # If using 'log_granular_levels' this must be set to the highest desired level.
 #log_level_logfile: warning
 
-# The date and time format used in log messages. Allowed date/time formating
+# The date and time format used in log messages. Allowed date/time formatting
 # can be seen here: http://docs.python.org/library/time.html#time.strftime
 #log_datefmt: '%H:%M:%S'
 #log_datefmt_logfile: '%Y-%m-%d %H:%M:%S'
@@ -760,7 +951,7 @@
 #log_fmt_console: '%(colorlevel)s %(colormsg)s'
 #log_fmt_console: '[%(levelname)-8s] %(message)s'
 #
-#log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s'
+#log_fmt_logfile: '%(asctime)s,%(msecs)03d [%(name)-17s][%(levelname)-8s] %(message)s'
 
 # This can be used to control logging levels more specificically.  This
 # example sets the main salt library at the 'warning' level, but sets
@@ -774,11 +965,18 @@
 
 #####         Node Groups           ######
 ##########################################
-# Node groups allow for logical groupings of minion nodes. A group consists of a group
-# name and a compound target.
+# Node groups allow for logical groupings of minion nodes. A group consists of
+# a group name and a compound target. Nodgroups can reference other nodegroups
+# with 'N@' classifier. Ensure that you do not have circular references.
+#
 #nodegroups:
-#  group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com and bl*.domain.com'
+#  group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com or bl*.domain.com'
 #  group2: 'G@os:Debian and foo.domain.com'
+#  group3: 'G@os:Debian and N@group1'
+#  group4:
+#    - 'G@foo:bar'
+#    - 'or'
+#    - 'G@foo:baz'
 
 
 #####     Range Cluster settings     #####
@@ -824,3 +1022,13 @@
 ############################################
 # Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch
 #event_match_type: startswith
+
+# Save runner returns to the job cache
+#runner_returns: True
+
+# Permanently include any available Python 3rd party modules into Salt Thin
+# when they are generated for Salt-SSH or other purposes.
+# The modules should be named by the names they are actually imported inside the Python.
+# The value of the parameters can be either one module or a comma separated list of them.
+#thin_extra_mods: foo,bar
+
diff --git a/meta-openstack/recipes-support/salt/files/minion b/meta-openstack/recipes-support/salt/files/minion
index bd97c43..ad7a374 100644
--- a/meta-openstack/recipes-support/salt/files/minion
+++ b/meta-openstack/recipes-support/salt/files/minion
@@ -38,6 +38,8 @@
 # value to "str".  Failover masters can be requested by setting
 # to "failover".  MAKE SURE TO SET master_alive_interval if you are
 # using failover.
+# Setting master_type to 'disable' let's you have a running minion (with engines and
+# beacons) without a master connection
 # master_type: str
 
 # Poll interval in seconds for checking if the master is still there.  Only
@@ -46,6 +48,16 @@
 # of TCP connections, such as load balancers.)
 # master_alive_interval: 30
 
+# If the minion is in multi-master mode and the master_type configuration option
+# is set to "failover", this setting can be set to "True" to force the minion
+# to fail back to the first master in the list if the first master is back online.
+#master_failback: False
+
+# If the minion is in multi-master mode, the "master_type" configuration is set to
+# "failover", and the "master_failback" option is enabled, the master failback
+# interval can be set to ping the top master with this interval, in seconds.
+#master_failback_interval: 0
+
 # Set whether the minion should connect to the master via IPv6:
 #ipv6: False
 
@@ -60,11 +72,15 @@
 # The user to run salt.
 #user: root
 
-# Setting sudo_user will cause salt to run all execution modules under an sudo
-# to the user given in sudo_user.  The user under which the salt minion process
-# itself runs will still be that provided in the user config above, but all
-# execution modules run by the minion will be rerouted through sudo.
-#sudo_user: saltdev
+# The user to run salt remote execution commands as via sudo. If this option is
+# enabled then sudo will be used to change the active user executing the remote
+# command. If enabled the user will need to be allowed access via the sudoers
+# file for the user that the salt minion is configured to run as. The most
+# common option would be to use the root user. If this option is set the user
+# option should also be set to a non-root user. If migrating from a root minion
+# to a non root minion the minion cache should be cleared and the minion pki
+# directory will need to be changed to the ownership of the new user.
+#sudo_user: root
 
 # Specify the location of the daemon process ID file.
 #pidfile: /var/run/salt-minion.pid
@@ -73,6 +89,9 @@
 # sock_dir, pidfile.
 #root_dir: /
 
+# The path to the minion's configuration file.
+#conf_file: /etc/salt/minion
+
 # The directory to store the pki information in
 #pki_dir: /etc/salt/pki/minion
 
@@ -83,6 +102,13 @@
 # clusters.
 #id:
 
+# Cache the minion id to a file when the minion's id is not statically defined
+# in the minion config. Defaults to "True". This setting prevents potential
+# problems when automatic minion id resolution changes, which can cause the
+# minion to lose connection with the master. To turn off minion id caching,
+# set this config to ``False``.
+#minion_id_caching: True
+
 # Append a domain to a hostname in the event that it does not exist.  This is
 # useful for systems where socket.getfqdn() does not actually result in a
 # FQDN (for instance, Solaris).
@@ -103,6 +129,13 @@
 # This data may contain sensitive data and should be protected accordingly.
 #cachedir: /var/cache/salt/minion
 
+# Append minion_id to these directories.  Helps with
+# multiple proxies and minions running on the same machine.
+# Allowed elements in the list: pki_dir, cachedir, extension_modules
+# Normally not needed unless running several proxies and/or minions on the same machine
+# Defaults to ['cachedir'] for proxies, [] (empty list) for regular minions
+#append_minionid_config_dirs:
+
 # Verify and set permissions on configuration directories at startup.
 #verify_env: True
 
@@ -171,6 +204,20 @@
 # authenticate.
 #auth_tries: 7
 
+# The number of attempts to connect to a master before giving up.
+# Set this to -1 for unlimited attempts. This allows for a master to have
+# downtime and the minion to reconnect to it later when it comes back up.
+# In 'failover' mode, it is the number of attempts for each set of masters.
+# In this mode, it will cycle through the list of masters for each attempt.
+#
+# This is different than auth_tries because auth_tries attempts to
+# retry auth attempts with a single master. auth_tries is under the
+# assumption that you can connect to the master but not gain
+# authorization from it. master_tries will still cycle through all
+# the masters in a given try, so it is appropriate if you expect
+# occasional downtime from the master(s).
+#master_tries: 1
+
 # If authentication fails due to SaltReqTimeoutError during a ping_interval,
 # cause sub minion process to restart.
 #auth_safemode: False
@@ -249,10 +296,17 @@
 #
 #
 # The loop_interval sets how long in seconds the minion will wait between
-# evaluating the scheduler and running cleanup tasks. This defaults to a
-# sane 60 seconds, but if the minion scheduler needs to be evaluated more
-# often lower this value
-#loop_interval: 60
+# evaluating the scheduler and running cleanup tasks.  This defaults to 1
+# second on the minion scheduler.
+#loop_interval: 1
+
+# Some installations choose to start all job returns in a cache or a returner
+# and forgo sending the results back to a master. In this workflow, jobs
+# are most often executed with --async from the Salt CLI and then results
+# are evaluated by examining job caches on the minions or any configured returners.
+# WARNING: Setting this to False will **disable** returns back to the master.
+#pub_ret: True
+
 
 # The grains can be merged, instead of overridden, using this option.
 # This allows custom grains to defined different subvalues of a dictionary
@@ -286,6 +340,26 @@
 # is not enabled.
 # grains_cache_expiration: 300
 
+# Determines whether or not the salt minion should run scheduled mine updates.
+# Defaults to "True". Set to "False" to disable the scheduled mine updates
+# (this essentially just does not add the mine update function to the minion's
+# scheduler).
+#mine_enabled: True
+
+# Determines whether or not scheduled mine updates should be accompanied by a job
+# return for the job cache. Defaults to "False". Set to "True" to include job
+# returns in the job cache for mine updates.
+#mine_return_job: False
+
+# Example functions that can be run via the mine facility
+# NO mine functions are established by default.
+# Note these can be defined in the minion's pillar as well.
+#mine_functions:
+#  test.ping: []
+#  network.ip_addrs:
+#    interface: eth0
+#    cidr: '10.0.0.0/8'
+
 # Windows platforms lack posix IPC and must rely on slower TCP based inter-
 # process communications. Set ipc_mode to 'tcp' on such systems
 #ipc_mode: ipc
@@ -319,16 +393,33 @@
 #include:
 #  - /etc/salt/extra_config
 #  - /etc/roles/webserver
+
+# The syndic minion can verify that it is talking to the correct master via the
+# key fingerprint of the higher-level master with the "syndic_finger" config.
+#syndic_finger: ''
 #
 #
 #
 #####   Minion module management     #####
 ##########################################
 # Disable specific modules. This allows the admin to limit the level of
-# access the master has to the minion.
-#disable_modules: [cmd,test]
+# access the master has to the minion.  The default here is the empty list,
+# below is an example of how this needs to be formatted in the config file
+#disable_modules:
+#  - cmdmod
+#  - test
 #disable_returners: []
-#
+
+# This is the reverse of disable_modules.  The default, like disable_modules, is the empty list,
+# but if this option is set to *anything* then *only* those modules will load.
+# Note that this is a very large hammer and it can be quite difficult to keep the minion working
+# the way you think it should since Salt uses many modules internally itself.  At a bare minimum
+# you need the following enabled or else the minion won't start.
+#whitelist_modules:
+#  - cmdmod
+#  - test
+#  - config
+
 # Modules can be loaded from arbitrary paths. This enables the easy deployment
 # of third party modules. Modules for returners and minions can be loaded.
 # Specify a list of extra directories to search for minion modules and
@@ -389,6 +480,15 @@
 # environments is to isolate via the top file.
 #environment: None
 #
+# Isolates the pillar environment on the minion side. This functions the same
+# as the environment setting, but for pillar instead of states.
+#pillarenv: None
+#
+# Set this option to 'True' to force a 'KeyError' to be raised whenever an
+# attempt to retrieve a named value from pillar fails. When this option is set
+# to 'False', the failed attempt returns an empty string. Default is 'False'.
+#pillar_raise_on_missing: False
+#
 # If using the local file directory, then the state top file name needs to be
 # defined, by default this is top.sls.
 #state_top: top.sls
@@ -448,6 +548,18 @@
 #  base:
 #    - /srv/salt
 
+# Uncomment the line below if you do not want the file_server to follow
+# symlinks when walking the filesystem tree. This is set to True
+# by default. Currently this only applies to the default roots
+# fileserver_backend.
+#fileserver_followsymlinks: False
+#
+# Uncomment the line below if you do not want symlinks to be
+# treated as the files they are pointing to. By default this is set to
+# False. By uncommenting the line below, any detected symlink while listing
+# files on the Master will not be returned to the Minion.
+#fileserver_ignoresymlinks: True
+#
 # By default, the Salt fileserver recurses fully into all defined environments
 # to attempt to find files. To limit this behavior so that the fileserver only
 # traverses directories with SLS files and special Salt directories like _modules,
@@ -456,13 +568,19 @@
 # is False.
 #fileserver_limit_traversal: False
 
-# The hash_type is the hash to use when discovering the hash of a file in
+# The hash_type is the hash to use when discovering the hash of a file on
 # the local fileserver. The default is md5, but sha1, sha224, sha256, sha384
 # and sha512 are also supported.
 #
+# WARNING: While md5 and sha1 are also supported, do not use it due to the high chance
+# of possible collisions and thus security breach.
+#
+# WARNING: While md5 is also supported, do not use it due to the high chance
+# of possible collisions and thus security breach.
+#
 # Warning: Prior to changing this value, the minion should be stopped and all
 # Salt caches should be cleared.
-#hash_type: md5
+#hash_type: sha256
 
 # The Salt pillar is searched for locally if file_client is set to local. If
 # this is the case, and pillar data is defined, then the pillar_roots need to
@@ -470,6 +588,10 @@
 #pillar_roots:
 #  base:
 #    - /srv/pillar
+
+# Set a hard-limit on the size of the files that can be pushed to the master.
+# It will be interpreted as megabytes. Default: 100
+#file_recv_max_size: 100
 #
 #
 ######        Security settings       #####
@@ -508,7 +630,7 @@
 
 # Fingerprint of the master public key to validate the identity of your Salt master
 # before the initial key exchange. The master fingerprint can be found by running
-# "salt-key -F master" on the Salt master.
+# "salt-key -f master.pub" on the Salt master.
 #master_finger: ''
 
 
@@ -548,7 +670,7 @@
 # Default: 'warning'
 #log_level_logfile:
 
-# The date and time format used in log messages. Allowed date/time formating
+# The date and time format used in log messages. Allowed date/time formatting
 # can be seen here: http://docs.python.org/library/time.html#time.strftime
 #log_datefmt: '%H:%M:%S'
 #log_datefmt_logfile: '%Y-%m-%d %H:%M:%S'
@@ -570,7 +692,7 @@
 #log_fmt_console: '%(colorlevel)s %(colormsg)s'
 #log_fmt_console: '[%(levelname)-8s] %(message)s'
 #
-#log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s'
+#log_fmt_logfile: '%(asctime)s,%(msecs)03d [%(name)-17s][%(levelname)-8s] %(message)s'
 
 # This can be used to control logging levels more specificically.  This
 # example sets the main salt library at the 'warning' level, but sets
diff --git a/meta-openstack/recipes-support/salt/files/salt-common.logrotate b/meta-openstack/recipes-support/salt/files/salt-common.logrotate
index dcfd268..3cd0023 100644
--- a/meta-openstack/recipes-support/salt/files/salt-common.logrotate
+++ b/meta-openstack/recipes-support/salt/files/salt-common.logrotate
@@ -1,7 +1,20 @@
-/var/log/salt/master
-/var/log/salt/minion
-/var/log/salt/*.log
-{
+/var/log/salt/master {
+        weekly
+        missingok
+        rotate 7
+        compress
+        notifempty
+}
+
+/var/log/salt/minion {
+        weekly
+        missingok
+        rotate 7
+        compress
+        notifempty
+}
+
+/var/log/salt/key {
         weekly
         missingok
         rotate 7
diff --git a/meta-openstack/recipes-support/salt/salt_2016.3.0.bb b/meta-openstack/recipes-support/salt/salt_2016.11.0.bb
index 7024f42..ba1def7 100644
--- a/meta-openstack/recipes-support/salt/salt_2016.3.0.bb
+++ b/meta-openstack/recipes-support/salt/salt_2016.11.0.bb
@@ -28,8 +28,8 @@ SRC_URI = "https://files.pythonhosted.org/packages/source/s/${SRCNAME}/${SRCNAME
            file://roster \
 "
 
-SRC_URI[md5sum] = "8ed82cfb3f9b1764a035edbdacf0fea9"
-SRC_URI[sha256sum] = "e316dd103b7faeaa97820197e4d0d7d358519f0ca2a6dcb1d9b718eea801ed30"
+SRC_URI[md5sum] = "eced07a652cc6a31870fc098d5325a9c"
+SRC_URI[sha256sum] = "b516285926ee95cedc64ecddab05d14422b7c8819c9f6d046a431c41d608e6bc"
 
 S = "${WORKDIR}/${SRCNAME}-${PV}"