Releases watchmaker 0.16.6

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.16.5
+current_version = 0.16.6
 commit = False
 tag = False
 tag_name = {new_version}

.gitlab-ci.yml

@@ -1,14 +1,10 @@
 image: ${IMAGE}
 
-before_script:
-  - sudo yum -y install python36 python36-libs python36-setuptools
-  - sudo python3.6 -m ensurepip --upgrade
-  - test -f /usr/bin/pip3 || sudo ln -sf /usr/local/bin/pip3 /usr/bin/pip3
-  - sudo pip3 install --upgrade -r requirements/docs.txt
-  - sudo pip3 install -e .
-
 pages:
   stage: deploy
+  before_script:
+    - pip3 install --upgrade -r requirements/docs.txt
+    - pip3 install -e .
   script:
     - sphinx-build -a -E -b html docs public
   artifacts:

.mergify.yml

@@ -0,0 +1,40 @@
+pull_request_rules:
+  - name: automatic approve dependabot pull requests
+    conditions:
+      - author~=dependabot\[bot\]|dependabot-preview\[bot\]
+      - status-success=continuous-integration/travis-ci/pr
+      - status-success=continuous-integration/appveyor/pr
+      - status-success=codecov/project
+      - status-success=codecov/patch
+    actions:
+      review:
+        type: APPROVE
+  # For salt-formula updates, trigger codebuild, merge on codebuild status
+  - name: write issue comment to start codebuild job
+    conditions:
+      - author~=dependabot\[bot\]|dependabot-preview\[bot\]
+      - label=submodules
+      - "#approved-reviews-by>=1"
+    actions:
+      comment:
+        message: go codebuild go
+
+  - name: automatic merge for dependabot pull requests
+    conditions:
+      - author~=dependabot\[bot\]|dependabot-preview\[bot\]
+      - label=submodules
+      - status-success=codebuild/pr
+      - "#approved-reviews-by>=1"
+    actions:
+      merge:
+        method: merge
+
+  # For regular dependabot pr, automatically merge on approve
+  - name: automatic merge for dependabot pull requests
+    conditions:
+      - author~=dependabot\[bot\]|dependabot-preview\[bot\]
+      - "#approved-reviews-by>=1"
+      - label!=submodules
+    actions:
+      merge:
+        method: merge

.travis.yml

@@ -39,11 +39,6 @@ before_script:
 after_failure:
   - more .tox/log/* | cat
   - more .tox/*/log/* | cat
-before_cache:
-  - rm -rf $HOME/.cache/pip/log
-cache:
-  directories:
-    - "$HOME/.cache/pip"
 notifications:
   email:
     on_success: never
@@ -67,7 +62,7 @@ jobs:
       env:
         - TOXENV=docs
     - stage: deploy
-      if: branch = develop OR tag is present
+      if: type != pull_request AND (branch = develop OR tag is present)
       python: 2.7
       install: pip install m2r
       script: echo "Deploying..."
@@ -90,7 +85,7 @@ jobs:
         on:
           tags: true
     - stage: deploy
-      if: branch in (env(RELEASE_BRANCH), develop) OR tag is present
+      if: type != pull_request AND (branch in (master, develop) OR tag is present)
       python: 3.6
       install:
         - echo "Install"
@@ -110,7 +105,7 @@ jobs:
           script: satsuki
           skip_cleanup: true
           on:
-            branch: $RELEASE_BRANCH
+            branch: master
         - provider: s3
           bucket: $RELEASE_BUCKET
           upload-dir: $S3_KEYFIX

CHANGELOG.md

@@ -1,5 +1,16 @@
 ## Changelog
 
+### 0.16.6
+
+**Commit Delta**: [Change from 0.16.5 release](https://github.com/plus3it/watchmaker/compare/0.16.5...0.16.6)
+
+**Released**: 2019.12.04
+
+**Summary**:
+
+*   Uses CDN URLs for watchmaker config and content, instead of direct S3 URLs
+*   Pins `backoff` dependency when running on Python 3.4 or earlier
+
 ### 0.16.5
 
 **Commit Delta**: [Change from 0.16.4 release](https://github.com/plus3it/watchmaker/compare/0.16.4...0.16.5)
@@ -298,7 +309,7 @@
 
 *   Provides standalone packages that bundle the Python runtime together with
     Watchmaker and its dependencies
-    - See <https://watchmaker.readthedocs.io/en/stable/installation.html>
+    - See <https://watchmaker.cloudarmor.io/en/stable/installation.html>
 *   ash-linux-formula
     -   (el7) Ensures packages are up-to-date
     -   (el7) Ensures firewalld is installed and running

MANIFEST.in

@@ -9,6 +9,7 @@ include .coveragerc
 include .editorconfig
 include .gitmodules
 include .pylintrc
+include .mergify.yml
 
 include AUTHORS.md
 include CHANGELOG.md

README.md

@@ -23,4 +23,4 @@ services.
 ## Documentation
 
 For more information on installing and using Watchmaker, go to
-<https://watchmaker.readthedocs.io>.
+<https://watchmaker.cloudarmor.io>.

azure-pipelines.yml

@@ -129,7 +129,7 @@ jobs:
             sourceFolder: $(deployStage)\standalone\dist\
         - task: S3Upload@1
           displayName: upload standalone binaries to s3 (release)
-          condition: eq(variables['build.sourceBranch'], 'refs/tags/*')
+          condition: startsWith(variables['build.sourceBranch'], 'refs/tags/')
           inputs:
             awsCredentials: dev-lab
             targetFolder: $(keyPrefix)
@@ -145,4 +145,4 @@ jobs:
             python -m pip install -r $(deployStage)\$(deployArtifactName)\deploy.txt
             satsuki
           displayName: deploy to github with satsuki
-          condition: eq(variables['build.sourceBranch'], 'refs/tags/*')
+          condition: startsWith(variables['build.sourceBranch'], 'refs/tags/')

docs/conf.py

@@ -365,6 +365,6 @@
 linkcheck_ignore = [
     r'https://github.com/plus3it/watchmaker/compare/(\d+\.){3}\.(\.\d+){3}',
     r'https://github.com/plus3it/watchmaker/compare/(\d+\.){3}\.(\.x){3}',
-    r'https://s3.amazonaws.com/watchmaker/releases/(.*)$',
+    r'https://watchmaker.cloudarmor.io/releases/(.*)$',
     r'https://docs\.saltstack\.com/en/latest/ref/modules/all/[a-z\.]*#[a-z\.]*'
 ]

docs/configuration.md

@@ -156,7 +156,7 @@ all:
       computer_name: None
       environment: None
       ou_path: None
-      salt_content: https://s3.amazonaws.com/watchmaker/salt-content.zip
+      salt_content: None
       salt_states: Highstate
       user_formulas:
         # To add extra formulas, specify them as a map of
@@ -177,16 +177,16 @@ linux:
             - redhat
             - centos
           el_version: 6
-          url: https://s3.amazonaws.com/watchmaker/yum.defs/saltstack/salt/2016.11.9/salt-reposync-el6.repo
+          url: https://watchmaker.cloudarmor.io/yum.defs/saltstack/salt/2016.11.9/salt-reposync-el6.repo
         - dist: amazon
           el_version: 6
-          url: https://s3.amazonaws.com/watchmaker/yum.defs/saltstack/salt/2016.11.9/salt-reposync-amzn.repo
+          url: https://watchmaker.cloudarmor.io/yum.defs/saltstack/salt/2016.11.9/salt-reposync-amzn.repo
         #SaltEL7:
         - dist:
             - redhat
             - centos
           el_version: 7
-          url: https://s3.amazonaws.com/watchmaker/yum.defs/saltstack/salt/2016.11.9/salt-reposync-el7.repo
+          url: https://watchmaker.cloudarmor.io/yum.defs/saltstack/salt/2016.11.9/salt-reposync-el7.repo
   - salt:
       salt_debug_log: None
       install_method: yum
@@ -197,7 +197,7 @@ linux:
 windows:
   - salt:
       salt_debug_log: None
-      installer_url: https://s3.amazonaws.com/watchmaker/repo/saltstack/salt/windows/Salt-Minion-2016.11.6-AMD64-Setup.exe
+      installer_url: https://watchmaker.cloudarmor.io/repo/saltstack/salt/windows/Salt-Minion-2016.11.6-AMD64-Setup.exe
 ```
 
 [0]: https://yaml.org/spec/1.2/spec.html

docs/faq.md

@@ -70,7 +70,7 @@ present, the value is passed directly to the `exclude` option of the
 To use this option with watchmaker from the command line, pass the argument
 `--exclude-states <sls_glob>`. For example:
 
-```
+```shell
 # Exclude the state "foo" with an exact match
 watchmaker --exclude-states foo
 
@@ -91,7 +91,7 @@ using the `-c|--config-dir` argument:
 
 For example:
 
-```
+```shell
 # -c|--config-dir
 salt-call -c /opt/watchmaker/salt state.show_top
 ```
@@ -131,7 +131,7 @@ In order to install pip in Python 2.6, you can get it from:
 Once a Python 2.6-compatible ``pip`` version is installed, you can install
 compatible versions of the other packages like this:
 
-```
+```shell
 pip install --upgrade "pip<10" "wheel<0.30.0" "setuptools<37"
 ```
 

docs/findings/el7.md

@@ -13,7 +13,7 @@
 
 The "stock" `/etc/ssh/sshd_config` file typically contains a commented-out line for the `LogLevel` parameter similar to the following:
 
-~~~
+```shell
 [...elided...]
 
 #SyslogFacility AUTH
@@ -23,19 +23,19 @@ SyslogFacility AUTHPRIV
 # Authentication:
 
 [...elided...]
-~~~
+```
 
 When the vendor includes a commented-out parameter-value in the configuration-file, it signifies that the paramter is set to the value shown on the commented out line. This can be further confirmed by consulting the associated manual page (see: |sshdconfig|_):
 
-~~~
+```shell
      LogLevel
              Gives the verbosity level that is used when logging messages from
              sshd(8).  The possible values are: QUIET, FATAL, ERROR, INFO,
              VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.  The default is INFO.
              DEBUG and DEBUG1 are equivalent.  DEBUG2 and DEBUG3 each specify
              higher levels of debugging output.  Logging with a DEBUG level
              violates the privacy of users and is not recommended.
-~~~
+```
 
 Note: _If it is desired to alter from the default_, it is typically recommended to change to `VERBOSE` — particularly if key-based logins are in use. This setting will cause the SSH daemon to record the fingerprints of presented-keys.
 
@@ -64,17 +64,17 @@ Some scanners implement an "intentional fail" for this audit-item. This is desig
 
 This automation has the underlying assumption that all RPM-managed SUID files — be it by the OS vendor or the provider of the software _hosted by_ the OS — is implicitly authorized. A  way to quickly-verify compliance with this assumption is to execute:
 
-~~~bash
+```bash
 for SUID in $( find / -user root -perm -4000 -print 2> /dev/null )
 do
    printf "%s: " "${SUID}"
    rpm --qf '%{name}\t%{vendor}\n' -qf "$SUID"
 done | awk '{printf("%-40s\t%-12s\t%s\n",$1,$2,$3)}'
-~~~
+```
 
 Executing the above will output a list similar to:
 
-~~~
+```bash
 /usr/bin/passwd:                                passwd          CentOS
 /usr/bin/pkexec:                                polkit          CentOS
 /usr/bin/crontab:                               cronie          CentOS
@@ -92,7 +92,7 @@ Executing the above will output a list similar to:
 /usr/sbin/unix_chkpwd:                          pam             CentOS
 /usr/lib/polkit-1/polkit-agent-helper-1:        polkit          CentOS
 /usr/libexec/dbus-1/dbus-daemon-launch-helper:  dbus            CentOS
-~~~
+```
 
 If any listed files are not displayed as being from the OS-vendor (typically "CentOS" or "RedHat") or the vendor of the hosted application, investigate further to determine if the file meets site-specific authorization-criteria.
 
@@ -106,10 +106,10 @@ Third-party security scanners will frequently call out missing filesystem mount
 
 This is a scan error — most likely due to an improperly-formatted search-expression. The watchmaker utilities set the `noexec` Option for `/dev/shm` Pseudo-Filesystem in the `/etc/fstab` configuration file. This can be verified with the following commands.
 
-~~~
+```bash
 grep -E '\s\/dev\/shm\s.*noexec' /proc/mounts
 grep -E '\s\/dev\/shm\s.*noexec' /etc/fstab
-~~~
+```
 
 The above verifies that the mounted `/dev/shm` has the desired mount-option set and that the setting will persist after a reboot.
 
@@ -121,10 +121,10 @@ Because scanners typically assume that `/tmp` will be a standard, disk-based fil
 
 To properly verify that Watchmaker has applied the required mount-option to the systemd-managed `/tmp` mount:
 
-~~~
+```bash
 grep -E '\s\/tmp\s.*nodev' /proc/mounts
 grep nodev /etc/systemd/system/tmp.mount.d/options.conf
-~~~
+```
 
 The above verifies that the mounted `/tmp` has the desired mount-option set and that the setting will persist after a reboot.
 
@@ -136,10 +136,10 @@ Because scanners typically assume that `/tmp` will be a standard, disk-based fil
 
 To properly verify that Watchmaker has applied the required mount-option to the systemd-managed `/tmp` mount:
 
-~~~
+```bash
 grep -E '\s\/tmp\s.*noexec' /proc/mounts
 grep noexec /etc/systemd/system/tmp.mount.d/options.conf
-~~~
+```
 
 The above verifies that the mounted `/tmp` has the desired mount-option set and that the setting will persist after a reboot.
 
@@ -151,10 +151,10 @@ Because scanners typically assume that `/tmp` will be a standard, disk-based fil
 
 To properly verify that Watchmaker has applied the required mount-option to the systemd-managed `/tmp` mount:
 
-~~~
+```bash
 grep -E '\s\/tmp\s.*nosuid' /proc/mounts
 grep nosuid /etc/systemd/system/tmp.mount.d/options.conf
-~~~
+```
 
 The above verifies that the mounted `/tmp` has the desired mount-option set and that the setting will persist after a reboot.
 

docs/installation.md

@@ -81,29 +81,29 @@ Linux.
         and corresponding SHA256 hashes. To access versions on S3, construct a
         URL using these examples for version 0.9.7:
 
-        *   https://s3.amazonaws.com/watchmaker/releases/0.9.7/watchmaker-0.9.7-standalone-linux-x86_64
-        *   https://s3.amazonaws.com/watchmaker/releases/0.9.7/watchmaker-0.9.7-standalone-windows-amd64.exe
+        *   https://watchmaker.cloudarmor.io/releases/0.9.7/watchmaker-0.9.7-standalone-linux-x86_64
+        *   https://watchmaker.cloudarmor.io/releases/0.9.7/watchmaker-0.9.7-standalone-windows-amd64.exe
 
     *   Links to the latest versions of Watchmaker and SHA hashes on S3 are:
 
-        *   https://s3.amazonaws.com/watchmaker/releases/latest/watchmaker-latest-standalone-linux-x86_64
-        *   https://s3.amazonaws.com/watchmaker/releases/latest/watchmaker-latest-sha256-linux-x86_64.json
-        *   https://s3.amazonaws.com/watchmaker/releases/latest/watchmaker-latest-standalone-windows-amd64.exe
-        *   https://s3.amazonaws.com/watchmaker/releases/latest/watchmaker-latest-sha256-windows-amd64.json
+        *   https://watchmaker.cloudarmor.io/releases/latest/watchmaker-latest-standalone-linux-x86_64
+        *   https://watchmaker.cloudarmor.io/releases/latest/watchmaker-latest-sha256-linux-x86_64.json
+        *   https://watchmaker.cloudarmor.io/releases/latest/watchmaker-latest-standalone-windows-amd64.exe
+        *   https://watchmaker.cloudarmor.io/releases/latest/watchmaker-latest-sha256-windows-amd64.json
 
     *   From PowerShell, the Windows package can be downloaded
         as follows:
 
         ```ps1con
-        PS C:\wam> $url = "https://s3.amazonaws.com/watchmaker/releases/latest/watchmaker-latest-standalone-windows-amd64.exe"
+        PS C:\wam> $url = "https://watchmaker.cloudarmor.io/releases/latest/watchmaker-latest-standalone-windows-amd64.exe"
         PS C:\wam> (New-Object System.Net.WebClient).DownloadFile($url, "watchmaker.exe")
         ```
 
     *   From the command line, the Linux package can be downloaded
         as follows:
 
         ```console
-        # curl -so watchmaker https://s3.amazonaws.com/watchmaker/releases/latest/watchmaker-latest-standalone-linux-x86_64
+        # curl -so watchmaker https://watchmaker.cloudarmor.io/releases/latest/watchmaker-latest-standalone-linux-x86_64
         ```
 
     *   For the latest package, the version of Watchmaker can be determined by