Merge forward 3007.x into master #68296
Open
+7,677
−3,234
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When the minion's key is overwritten with bad data, log a useful message instead of traceback. Handle the error in a consistant way accross salt.minion, salt.channel.client, and salt.crypt.
Allows event to be handled after the salt-minion service has received a SIGTERM. Previously once the signal handler was entered, the ioloop would no longer run. If there are events on the minion event bus that needs processing, they would not be handled. Moves the MinionManager stop() functionality to an async function and allows the ioloop to run and clear any waiting events and returns to masters.
Adds test for calling MinionManager stop() to test new functionality to allow events to be processed as minion is stopping. Sets up a MinionManager instance with a running event bus, then calls the stop function and immeadiately sends a test message on the event bus and reads it back to check that works once the stop() function has been called. Then checks that the usual functions to destroy the minion etc have also been called.
Ignores warning from pylint about self.io_loop.add_callback() not being callable - it clearly is as stop_async gets called.
Sets up the short sock_dir path in the test. Previously setting it in conftest.py was breaking another test because I'd done it as a Path, not a string, but I want to avoid changin behaviour of other tests, so setting it locally to the test.
Modifies systemd_service.{restart,stop} to default to using
no_block=True when the service being stopped or restarted is the
salt-minion.
If you don't pass no_block, the minion blocks waiting for systemd to
restart the service, while systemd is waiting for the minion to exit.
Eventually, after systemd hits its timeout it will kill the salt minion
processes.
Behaviour for other services should remain the same and the functions
will still honour the value of no_block if passed as an argument.
Skips the test_operation_no_block_default test on Amazon Linux 2 as the CI conatiner for that distro doesn't have a complete systemd setup.
xsmile
reviewed
Sep 12, 2025
| # The problem with using -File is that any arguments that contain | ||
| # powershell commands themselves will not be evaluated | ||
| # See GitHub issue #56195 | ||
| new_cmd.append("-Command") |
There was a problem hiding this comment.
Using -Command makes using a list to pass args with cmd.script useless.
PowerShell script at C:\ProgramData\run space.ps1:
param (
[string]$a,
[string]$b
)
Write-Output "a: $a, b: $b"Some examples as follows, also with code injection. How to prepare cmd if the content is dynamic?
>>> import subprocess; cmd = ['C:\\ProgramData\\run space.ps1', 'foo bar', 'baz qux']; subprocess.Popen(['powershell.exe', '-NonInteractive', '-NoProfile', '-ExecutionPolicy', 'Bypass', '-Command', f'& {" ".join(cmd)}']).wait()
& : The term 'C:\ProgramData\run' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:3
+ & C:\ProgramData\run space.ps1 foo bar baz qux
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\ProgramData\run:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
>>> import subprocess; cmd = ['"C:\\ProgramData\\run space.ps1"', '"foo bar"', '"baz qux"']; subprocess.Popen(['powershell.exe', '-NonInteractive', '-NoProfile', '-ExecutionPolicy', 'Bypass', '-Command', f'& {" ".join(cmd)}']).wait()^L
a: foo bar, b: baz qux
>>> import subprocess; cmd = ['"C:\\ProgramData\\run space.ps1"', ';whoami;', '"baz qux"']; subprocess.Popen(['powershell.exe', '-NonInteractive', '-NoProfile', '-ExecutionPolicy', 'Bypass', '-Command', f'& {" ".join(cmd)}']).wait()
a: , b:
win-rctdv32huff\administrator
baz qux
In contrast via -File with no need for escaping and quoting. They values are used as is without the possibility to run code.
>>> import subprocess; cmd = ['C:\\ProgramData\\run space.ps1', ';whoami;', 'baz qux']; subprocess.Popen(['powershell.exe', '-NonInteractive', '-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', *cmd]).wait()
a: ;whoami;, b: baz qux
xsmile
reviewed
Sep 12, 2025
salt/modules/cmdmod.py
Outdated
| @@ -293,42 +308,16 @@ def _prep_powershell_cmd(win_shell, cmd, encoded_cmd): | |||
| # We need to append $LASTEXITCODE here to return the actual exit code | |||
| # from the script. Otherwise, it will always return 1 on any non-zero | |||
| # exit code failure. Issue: #60884 | |||
| new_cmd.append(f'"& {cmd.strip()}; exit $LASTEXITCODE"') | |||
| new_cmd.append(f"& {{ {cmd.strip()}; exit $LASTEXITCODE }}") | |||
There was a problem hiding this comment.
exit $LASTEXITCODE forces the exit code to the one returned by an external program called by the PowerShell script, even if the script continues running and exits without errors.
Sample PowerShell script at C:\ProgramData\exit.ps1 - an external binary is called, the error is catched and the script continues exiting successfully.
& whoami.exe /invalidarg
if ($? -eq $False) {
Write-Warning 'Non-critical error, continuing'
}
$proc = Start-Process -FilePath whoami.exe -ArgumentList /? -Wait -PassThru
Write-Output "LASTEXITCODE: $LASTEXITCODE"Exit code 1 is returned by the command, but it should be 0.
>>> cmd = ['C:\ProgramData\exit.ps1']; proc = subprocess.Popen(['powershell.exe', '-Command', f'& {{ {" ".join(cmd).strip()}; exit $LASTEXITCODE }}']); proc.wait(); print(f'proc.returncode: {proc.returncode}')
WARNING: Non-critical error, continuing
LASTEXITCODE: 1
1
proc.returncode: 1
70936a3 to
6ebbc7a
Compare
…z/salt into dwoz-merge/master/3007.x-25-08-28
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This includes 3006.15 and 3007.7