(release-3006.3)=

Salt 3006.3 release notes

Changelog

Removed

• Fedora 36 support was removed because it reached EOL #64315

• Handle deprecation warnings:

  • Switch to FullArgSpec since Py 3.11 no longer has ArgSpec, deprecated since Py 3.0

  • Stop using the deprecated cgi module

  • Stop using the deprecated pipes module

  • Stop using the deprecated imp module #64553

Changed

• Replace libnacl with PyNaCl #64372

• Don't hardcode the python version on the Salt Package tests and on the pkg/debian/salt-cloud.postinst file #64553

• Some more deprecated code fixes:

  • Stop using the deprecated locale.getdefaultlocale() function

  • Stop accessing deprecated attributes

  • pathlib.Path.__enter__() usage is deprecated and not required, a no-op #64565

• Bump to pyyaml==6.0.1 due to https://github.com/yaml/pyyaml/issues/601 and address lint issues #64657

Fixed

• Fix for assume role when used salt-cloud to create aws ec2. #52501

• fixes aptpkg module by checking for blank comps. #58667

• wheel.file_roots.find is now able to find files in subdirectories of the roots. #59800

• pkg.latest no longer fails when multiple versions are reported to be installed (e.g. updating the kernel) #60931

• Do not update the credentials dictionary in utils/aws.py while iterating over it, and use the correct delete functionality #61049

• fixed runner not having a proper exit code when runner modules throw an exception. #61173

• pip.list_all_versions now works with index_url and extra_index_url #61610

• speed up file.recurse by using prefix with cp.list_master_dir and remove an un-needed loop. #61998

• Preserve test=True condition while running sub states. #62590

• Job returns are only sent to originating master #62834

• Fixes an issue with failing subsequent state runs with the lgpo state module. The lgpo.get_polcy function now returns all boolean settings. #63296

• Fix SELinux get policy with trailing whitespace #63336

• Fixes an issue with boolean settings not being reported after being set. The lgpo.get_polcy function now returns all boolean settings. #63473

• Ensure body is returned when salt.utils.http returns something other than 200 with tornado backend. #63557

• Allow long running pillar and file client requests to finish using request_channel_timeout and request_channel_tries minion config. #63824

• Fix state_queue type checking to allow int values #64122

• Call global logger when catching pip.list exceptions in states.pip.installed Rename global logger log to logger inside pip_state #64169

• Fixes permissions created by the Debian and RPM packages for the salt user.

  The salt user created by the Debian and RPM packages to run the salt-master process, was previously given ownership of various directories in a way which compromised the benefits of running the salt-master process as a non-root user.

  This fix sets the salt user to only have write access to those files and directories required for the salt-master process to run. #64193

• Fix user.present state when groups is unset to ensure the groups are unchanged, as documented. #64211

• Fixes issue with MasterMinion class loading configuration from `/etc/salt/minion.d/*.conf.

  The MasterMinion class (used for running orchestraions on master and other functionality) was incorrectly loading configuration from /etc/salt/minion.d/*.conf, when it should only load configuration from /etc/salt/master and /etc/salt/master.d/*.conf. #64219

• Fixed issue in mac_user.enable_auto_login that caused the user's keychain to be reset at each boot #64226

• Fixed KeyError in logs when running a state that fails. #64231

• Fixed x509_v2 create_private_key/create_crl unknown kwargs: __pub_fun... #64232

• remove the hard coded python version in error. #64237

• salt-pip now properly errors out when being called from a non onedir environment. #64249

• Ensure we return an error when adding the key fails in the pkgrepo state for debian hosts. #64253

• Fixed file client private attribute reference on SaltMakoTemplateLookup #64280

• Fix pkgrepo.absent failures on apt-based systems when repo either a) contains a trailing slash, or b) there is an arch mismatch. #64286

• Fix detection of Salt codename by "salt_version" execution module #64306

• Ensure selinux values are handled lowercase #64318

• Remove the clr.AddReference, it is causing an Illegal characters in path exception #64339

• Update pkg.group_installed state to support repo options #64348

• Fix salt user login shell path in Debian packages #64377

• Allow for multiple user's keys presented when authenticating, for example: root, salt, etc. #64398

• Fixed an issue with lgpo_reg where existing entries for the same key in Registry.pol were being overwritten in subsequent runs if the value name in the subesequent run was contained in the existing value name. For example, a key named SetUpdateNotificationLevel would be overwritten by a subsequent run attempting to set UpdateNotificationLevel #64401

• Add search for %ProgramData%\Chocolatey\choco.exe to determine if Chocolatey is installed or not #64427

• Fix regression for user.present on handling groups with dupe GIDs #64430

• Fix inconsistent use of args in ssh_auth.managed #64442

• Ensure we raise an error when the name argument is invalid in pkgrepo.managed state for systems using apt. #64451

• Fix file.symlink will not replace/update existing symlink #64477

• Fixed salt-ssh state.* commands returning retcode 0 when state/pillar rendering fails #64514

• Fix pkg.install when using a port in the url. #64516

• win_pkg Fixes an issue runing pkg.install with version=latest where the new installer would not be cached if there was already an installer present with the same name. #64519

• Added a test:full label in the salt repository, which, when selected, will force a full test run. #64539

• Syndic's async_req_channel uses the asynchornous version of request channel #64552

• Ensure runners properly save information to job cache. #64570

• Added salt.ufw to salt-master install on Debian and Ubuntu #64572

• Added support for Chocolatey 2.0.0+ while maintaining support for older versions #64622

• Updated semanage fcontext to use --modify if context already exists when adding context #64625

• Preserve request client socket between requests. #64627

• Show user friendly message when pillars timeout #64651

• File client timeouts durring jobs show user friendly errors instead of tracbacks #64653

• SaltClientError does not log a traceback on minions, we expect these to happen so a user friendly log is shown. #64729

• Look in location salt is running from, this accounts for running from an unpacked onedir file that has not been installed. #64877

• Preserve credentials on spawning platforms, minions no longer re-authenticate with every job when using multiprocessing=True. #64914

• Fixed uninstaller to not remove the salt directory by default. This allows the extras-3.## folder to persist so salt-pip dependencies are not wiped out during an upgrade. #64957

• fix msteams by adding the missing header that Microsoft is now enforcing. #64973

• Fix env and improve cache cleaning see more info at pull #65017. #65002

• Better error message on inconsistent decoded payload #65020

• Handle permissions access error when calling lsb_release with the salt user #65024

• Allow schedule state module to update schedule when the minion is offline. #65033

• Fixed creation of wildcard DNS in SAN in x509_v2 #65072

• The macOS installer no longer removes the extras directory #65073

Added

• Added a script to automate setting up a 2nd minion in a user context on Windows #64439

• Several fixes to the CI workflow:

  • Don't override the on Jinja block on the ci.yaml template. This enables reacting to labels getting added/removed to/from pull requests.

  • Switch to using tools and re-use the event payload available instead of querying the GH API again to get the pull request labels

  • Concentrate test selection by labels to a single place

  • Enable code coverage on pull-requests by setting the test:coverage label #64547

Security

• Upgrade to cryptography==41.0.3(and therefor pyopenssl==23.2.0 due to https://github.com/advisories/GHSA-jm77-qphf-c4w8)

  This only really impacts pip installs of Salt and the windows onedir since the linux and macos onedir build every package dependency from source, not from pre-existing wheels.

  Also resolves the following cryptography advisories:

  Due to:

  • https://github.com/advisories/GHSA-5cpq-8wj7-hf2v

  • https://github.com/advisories/GHSA-x4qr-2fvf-3mr5

  • https://github.com/advisories/GHSA-w7pp-m8wf-vj6r #64595

• Bump to aiohttp==3.8.5 due to https://github.com/advisories/GHSA-45c4-8wx5-qw6w #64687

• Bump to certifi==2023.07.22 due to https://github.com/advisories/GHSA-xqr8-7jwr-rhp7 #64718

• Upgrade relenv to 0.13.2 and Python to 3.10.12

  Addresses multiple CVEs in Python's dependencies: https://docs.python.org/release/3.10.12/whatsnew/changelog.html#python-3-10-12 #64719

• Update to gitpython>=3.1.32 due to https://github.com/advisories/GHSA-pr76-5cm5-w9cj #64988