Implement Salt Resources foundation: targeting, loaders, dispatch, and SSH resource

Adds the complete core infrastructure for Salt Resources (SRN), allowing
resources to be targeted and executed against independently from the
managing minion, along with a full SSH resource implementation.

Targeting layer:
- T@ and M@ compound match engines (resource_match, managing_minion_match)
- CkMinions._check_resource_minions and _augment_with_resources so that
  glob targets like '*' automatically include managed resource IDs
- Master-side resource registration (_register_resources in AESFuncs) and
  minion-side _register_resources_with_master on connect

Loader layer:
- salt.loader.resource(): loads salt/resource/*.py, packs as __resource_funcs__
- salt.loader.resource_modules(opts, resource_type): isolated per-type
  execution-module loader with opts["resource_type"] injected; one instance
  per managed type per minion process (not per device)

Minion dispatch:
- gen_modules() initialises self.resource_funcs and self.resource_loaders
- _thread_return routes resource jobs to the per-type loader, injects
  __resource__ and per-resource __grains__ before each call
- Unknown functions for a resource type fail loudly instead of silently
  executing on the managing minion
- _execute_job_function accepts an optional functions= loader parameter
- JID deduplication bypassed for resource_job loads (shared parent JID)
- _NO_RESOURCE_FUNS prevents internal Salt plumbing from dispatching to
  resources

Dummy resource (example/test implementation):
- salt/resource/dummy.py: full dummy resource (ping, grains, services, pkgs)
- salt/modules/dummyresource_test.py: Pattern B execution module gating on
  opts["resource_type"] == "dummy", routes test.ping to dummy.ping()

SSH resource:
- salt/resource/ssh.py: SSH resource module using salt-ssh Shell transport
- salt/modules/sshresource_cmd.py: cmd.* surface for SSH resources
- salt/modules/sshresource_pkg.py: pkg.* surface for SSH resources
- salt/modules/sshresource_state.py: state.* surface for SSH resources
- salt/modules/sshresource_test.py: test.ping for SSH resources

Also adds salt/grains/resources.py, design documents, example loader
scripts, srv/ pillar configuration, and a Docker environment for testing.

Made-with: Cursor

Author: dwoz

doc/ref/grains/all/index.rst

@@ -19,4 +19,5 @@ grains modules
     opts
     package
     pending_reboot
+    resources
     rest_sample

doc/ref/grains/all/salt.grains.resources.rst

@@ -0,0 +1,5 @@
+salt.grains.resources
+=====================
+
+.. automodule:: salt.grains.resources
+    :members:

doc/ref/modules/all/index.rst

@@ -67,6 +67,7 @@ execution modules
     dpkg_lowpkg
     dummyproxy_pkg
     dummyproxy_service
+    dummyresource_test
     environ
     etcd_mod
     ethtool
@@ -215,6 +216,10 @@ execution modules
     ssh_pkg
     ssh_pki
     ssh_service
+    sshresource_cmd
+    sshresource_pkg
+    sshresource_state
+    sshresource_test
     state
     status
     supervisord

doc/ref/modules/all/salt.modules.dummyresource_test.rst

@@ -0,0 +1,6 @@
+salt.modules.dummyresource_test
+===============================
+
+.. automodule:: salt.modules.dummyresource_test
+    :members:
+    :undoc-members:

doc/ref/modules/all/salt.modules.sshresource_cmd.rst

@@ -0,0 +1,6 @@
+salt.modules.sshresource_cmd
+============================
+
+.. automodule:: salt.modules.sshresource_cmd
+    :members:
+    :undoc-members:

doc/ref/modules/all/salt.modules.sshresource_pkg.rst

@@ -0,0 +1,6 @@
+salt.modules.sshresource_pkg
+============================
+
+.. automodule:: salt.modules.sshresource_pkg
+    :members:
+    :undoc-members:

doc/ref/modules/all/salt.modules.sshresource_state.rst

@@ -0,0 +1,6 @@
+salt.modules.sshresource_state
+==============================
+
+.. automodule:: salt.modules.sshresource_state
+    :members:
+    :undoc-members:

doc/ref/modules/all/salt.modules.sshresource_test.rst

@@ -0,0 +1,6 @@
+salt.modules.sshresource_test
+=============================
+
+.. automodule:: salt.modules.sshresource_test
+    :members:
+    :undoc-members:

docker/ssh-resource/Dockerfile

@@ -0,0 +1,43 @@
+FROM debian:bookworm-slim
+
+RUN apt-get update -qq && \
+    apt-get install -y --no-install-recommends \
+        openssh-server \
+        procps \
+        python3 \
+        sudo \
+        && \
+    rm -rf /var/lib/apt/lists/*
+
+# sshd requires /run/sshd to exist
+RUN mkdir -p /run/sshd
+
+# Create the salt user.  An unset password is treated as a locked account
+# by Debian sshd; setting the hash to '*' marks it as "no password" without
+# locking it so that key-based auth is permitted.
+RUN useradd -m -s /bin/bash salt && \
+    usermod -p '*' salt && \
+    mkdir -p /home/salt/.ssh && \
+    chmod 700 /home/salt/.ssh
+
+# Grant the salt user passwordless sudo so salt-thin can run pkg.install
+RUN echo "salt ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/salt && \
+    chmod 440 /etc/sudoers.d/salt
+
+# Inject the host public key as an authorised key
+ARG PUBKEY
+RUN echo "$PUBKEY" > /home/salt/.ssh/authorized_keys && \
+    chmod 600 /home/salt/.ssh/authorized_keys && \
+    chown -R salt:salt /home/salt/.ssh
+
+# Harden sshd: key-only auth, no root login, no PAM noise
+RUN sed -i \
+        -e 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' \
+        -e 's/^#\?PermitRootLogin.*/PermitRootLogin no/' \
+        -e 's/^#\?UsePAM.*/UsePAM no/' \
+        /etc/ssh/sshd_config && \
+    echo "AllowUsers salt" >> /etc/ssh/sshd_config
+
+EXPOSE 22
+
+CMD ["/usr/sbin/sshd", "-D", "-e"]

measure_loader.py

@@ -0,0 +1,198 @@
+"""
+Measures the memory footprint of Salt loader instances.
+
+Quantifies the cost of the "one loader per resource type" approach so we can
+make an informed decision about the loader architecture for Salt Resources.
+
+Usage::
+
+    python measure_loader.py
+
+The script measures:
+  1. A full minion_mods loader (baseline — what every minion pays today)
+  2. A proxy loader (salt/proxy/*.py only)
+  3. N additional minion_mods-equivalent loaders to simulate N resource types
+     sharing the same process (like deltaproxy or the proposed resource model)
+"""
+
+import gc
+import os
+import sys
+import tracemalloc
+
+import psutil
+
+sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))
+
+import salt.config
+import salt.loader
+import salt.loader.lazy
+
+MINION_CONFIG = os.path.join(os.path.dirname(__file__), "etc", "salt", "minion")
+
+_proc = psutil.Process()
+
+
+def rss_mb():
+    return _proc.memory_info().rss / 1024 / 1024
+
+
+def _force_load(loader):
+    """Force the lazy loader to fully populate its _dict."""
+    loader._load_all()
+    return loader
+
+
+def measure(label, loader_fn):
+    """
+    Build a loader, force-load all modules, and report memory cost.
+
+    Returns the loader so callers can keep it alive (simulating a long-running
+    minion process that holds all loaders simultaneously).
+    """
+    gc.collect()
+    rss_before = rss_mb()
+
+    tracemalloc.start()
+    snapshot_before = tracemalloc.take_snapshot()
+
+    loader = _force_load(loader_fn())
+
+    snapshot_after = tracemalloc.take_snapshot()
+    tracemalloc.stop()
+
+    gc.collect()
+    rss_after = rss_mb()
+
+    stats = snapshot_after.compare_to(snapshot_before, "lineno")
+    py_heap_kb = sum(s.size_diff for s in stats) / 1024
+
+    n_funcs = len(loader._dict)
+
+    print(f"\n  {label}")
+    print(f"    functions loaded : {n_funcs:>6}")
+    print(f"    python heap delta: {py_heap_kb:>8.0f} KB  ({py_heap_kb/1024:.1f} MB)")
+    print(f"    RSS delta        : {rss_after - rss_before:>8.1f} MB")
+
+    return loader
+
+
+def main():
+    print("Loading minion config from:", MINION_CONFIG)
+    opts = salt.config.minion_config(MINION_CONFIG)
+
+    # Each loader gets a unique loaded_base_name so Python's sys.modules cache
+    # does not let them share module objects — this reflects what would happen
+    # in a real minion process with separate per-type loaders.
+    def make_opts(label, extra=None):
+        o = dict(opts)
+        o["loaded_base_name"] = f"salt.loaded.{label}"
+        if extra:
+            o.update(extra)
+        return o
+
+    # ------------------------------------------------------------------ #
+    print("\n" + "=" * 60)
+    print("BASELINE — single loader, as every minion runs today")
+    print("=" * 60)
+
+    gc.collect()
+    rss_start = rss_mb()
+    print(f"\n  Process RSS at start: {rss_start:.1f} MB")
+
+    utils = salt.loader.utils(make_opts("utils"))
+
+    live_loaders = []
+
+    l = measure(
+        "minion_mods (full, baseline)",
+        lambda: salt.loader.minion_mods(make_opts("baseline"), utils=utils),
+    )
+    live_loaders.append(l)
+
+    # ------------------------------------------------------------------ #
+    print("\n" + "=" * 60)
+    print("PROXY LOADER — salt/proxy/*.py only")
+    print("=" * 60)
+
+    l = measure(
+        "proxy loader",
+        lambda: salt.loader.proxy(make_opts("proxy")),
+    )
+    live_loaders.append(l)
+
+    # ------------------------------------------------------------------ #
+    print("\n" + "=" * 60)
+    print("RESOURCE-TYPE LOADERS — one per type, held simultaneously")
+    print("(simulates a minion managing N distinct resource types)")
+    print("=" * 60)
+
+    # Simulate resource-type-specific loaders.  For now these use the same
+    # module dirs as minion_mods but with resource_type in opts (as the final
+    # design would, allowing __virtual__ to gate on it).  This gives an upper
+    # bound on per-type cost — real resource-type loaders would load fewer
+    # modules once __resourceenabled__ filtering is in place.
+    resource_types = ["dummy", "ssh", "vcf_host", "vcf_vm", "kubernetes"]
+    cumulative_rss = rss_mb()
+
+    for i, rtype in enumerate(resource_types, 1):
+        tag = f"resource_{rtype}"
+        extra = {"resource_type": rtype}
+        l = measure(
+            f"resource-type loader #{i}: '{rtype}'",
+            lambda t=tag, e=extra: salt.loader.minion_mods(
+                make_opts(t, e), utils=utils
+            ),
+        )
+        live_loaders.append(l)
+
+    # ------------------------------------------------------------------ #
+    print("\n" + "=" * 60)
+    print("DELTAPROXY — one full loader per device (same type)")
+    print("(simulates managing N devices of a single proxy type)")
+    print("=" * 60)
+
+    rss_before_dp = rss_mb()
+    delta_devices = 20
+
+    for i in range(1, delta_devices + 1):
+        tag = f"deltaproxy_device_{i}"
+        l = measure(
+            f"deltaproxy device loader #{i}",
+            lambda t=tag: salt.loader.minion_mods(make_opts(t), utils=utils),
+        )
+        live_loaders.append(l)
+
+    rss_after_dp = rss_mb()
+    dp_cost = rss_after_dp - rss_before_dp
+    print(f"\n  {delta_devices} device loaders RSS cost : {dp_cost:.1f} MB")
+    print(f"  Per-device RSS cost          : {dp_cost / delta_devices:.1f} MB")
+    print(f"  Projected cost at 1,000 devs : {dp_cost / delta_devices * 1000:.0f} MB")
+
+    # ------------------------------------------------------------------ #
+    print("\n" + "=" * 60)
+    print("SUMMARY")
+    print("=" * 60)
+
+    gc.collect()
+    rss_end = rss_mb()
+    total_loaders = len(live_loaders)
+
+    print(f"\n  Loaders alive simultaneously : {total_loaders}")
+    print(f"  Process RSS at start         : {rss_start:.1f} MB")
+    print(f"  Process RSS now              : {rss_end:.1f} MB")
+    print(f"  Total RSS growth             : {rss_end - rss_start:.1f} MB")
+    print()
+    print("  Resources (per type):")
+    print(f"    5 types  : ~{5 * dp_cost / delta_devices:.0f} MB extra")
+    print(f"    20 types : ~{20 * dp_cost / delta_devices:.0f} MB extra")
+    print()
+    print("  Deltaproxy (per device, same type):")
+    print(f"    100 devs :  ~{dp_cost / delta_devices * 100:.0f} MB extra")
+    print(f"    1,000 devs: ~{dp_cost / delta_devices * 1000:.0f} MB extra")
+    print(f"    5,000 devs: ~{dp_cost / delta_devices * 5000:.0f} MB extra")
+    print()
+
+
+if __name__ == "__main__":
+    main()