(release-3008.0)=

Salt 3008.0 release notes

Salt Resources

Salt 3008.0 introduces Salt Resources — a first-class targeting primitive for things a minion manages on behalf of the master, like SSH hosts, virtual appliances, API endpoints, or any other "remote thing" that can't or shouldn't run a minion of its own.

A managing minion can manage many resources of many types. Each resource is addressable by id, by type, or by per-resource grains — the same targeting forms (-G, -L, -C, glob, list) work identically against resources and minions.

Highlights:

• New compound targeting engine T@<type>[:<id>] selects resources by type, by full SRN, or both. Grain targeting (-G, G@) and PCRE grain targeting (-P, P@) augment matches with per-resource grain dicts the master cached at registration time.

• The master keeps an mmap-backed registry of which minion manages which resource (salt.utils.resource_registry). Lookups and inserts are O(1); the registry survives master restarts.

• A managing minion builds a per-resource execution and state loader keyed by resource type. Per-type modules live under salt/resources/<type>/{modules,states,grains}/ (or under any Salt extension's saltext/<ext>/resources/<type>/ tree), with override files winning their slot by directory order. Standard Salt modules fill any slot a resource type doesn't override.

• Merge-mode state.apply/state.highstate/state.sls against resource targets folds per-resource state results into one combined block on the managing minion, prefixed by resource id, matching how any other minion looks to the master.

• New escape-hatch dunder __minion__ gives per-resource execution and state modules explicit access to the managing minion's loader when they need to do something on the host.

• New operator runners: salt-run resource.list_grains, salt-run resource.show_grains, salt-run resource.refresh.

• New salt-call flags -r/--resources, --tgt, and --tgt-type make resource dispatch available from masterless and local troubleshooting workflows.

Two reference resource types ship with Salt: dummy (filesystem-backed, for tests and tutorials) and ssh (over the salt-ssh transport). Extension authors can ship their own resource types via a standard salt.loader entry point — no core changes required.

See the Salt Resources documentation for the conceptual overview, the tutorial for a 10-minute walk-through, and the authoring guide for shipping your own resource type.

Changelog

Removed

• Remove commuity extensions from Salt codebase #65970

• Remove deprecated module search path priority (features.enable_deprecated_module_search_path_priority) #66025

• Remove the orchestration key from salt.runner and salt.wheel return data. #66151

• Removed linode-python package dependency for retired Linode API v3 #68871

• Removed legacy salt.transport.ipc module and unused PushChannel / PullChannel factories; local events use ipc_publish_client / ipc_publish_server (TCP transport). #69001

Deprecated

• Deprecated the use of egrep in favor of grep -E #65608

Changed

• Make sure every auth event has the 'act' key set #56200

• Ansiblegate discover_playbooks was changed to find playbooks as either *.yml or *.yaml files #66048

• re-work the aptpkg module to remove system libraries that onedir and virtualenvs do not have access. Streamline testing, and code use to needed libraries only. #66056

• Made gpg modules respect user's GNUPGHOME if set in shell environment #66313

• Made gpg.present attempt to refresh keys if they are expired #66314

• Made x509_v2 the default x509 modules. Until they are removed in the next major release, you can still revert to the old modules by setting features: {x509_v2: false} in the configuration #66384

• Included Salt extensions in Salt-SSH thin archive #66559

• Add support for additional options in several mac_brew_pkg methods #66611

• Make test_pip and test_fileserver tests compatible with venv execution #66703

• Do not use ssl.PROTOCOL_TLS which has been #66767

• deprecated in #66767

• Python 3.10 will be removed in the future. #66767

• Remove warning when running slsutil.renderer on non-SLS files #67067

• PillarCache: reimplement using salt.cache #68030

• fix minion data cache organization/move pillar and grains to dedicated cache banks #68030

• salt.cache: allow cache.store() to set expires per key #68030

• Provide token storage using the salt.cache interface #68039

• Update packaged python from 3.10 to 3.11 #68148

• Added ceph to the specialFSes to match on name for set_fstab #68207

• Removed networkx module dependency by adding MultiDiGraph implementation to salt.utils.requisite to avoid extra dependencies. #68748

• Expanded Thorium documentation with concrete examples and added unit coverage for the documented Thorium workflows. #68857

• Add stub 3008.0 release notes (and template) so tools docs man and CI prepare-release can resolve the current-release doc target. Exclude doc/topics/proposals/*.md from Sphinx so stand-alone proposal files do not fail strict man builds. #68964

Fixed

• Fixed recursive prereq requisites to report recursive requisite error. #8210

• Fixed erroneous recursive requisite error when a prereq is used in combination with onchanges_any. #47154

• Fixed an infinite loop in requisite_any when a requisite state was not found. #50436

• Refactoring the redis code obsoletes this issue as return values are either decoded directly or passed to salt.payload for parsing. #54734

• Fixed OSError: The operation completed successfully raised by CreateProcessWithTokenW on Windows when the underlying advapi32 call fails. The error code is now read from ctypes.get_last_error() (the ctypes-saved slot) instead of win32api.GetLastError() (the live Windows slot, which may be reset to 0 before it is read). #57848

• Fixed dependency resolution to not be quadratic. #59123

• Fix regex cache exception during sort in sweep function #59437

• Fixed requisites by parallel states on parallel states being evaluated synchronously (blocking state execution for other parallel states) #59959

• Fix bug when specifying template_source using net.load_template #60515

• During the redis refactor the documentation was updated to reference the Redis Cluster pip package. #60899, #66193

• firewalld: normalize new rich rules before comparing to old ones #61235

• Fix regression that prevented salt-minion from running interval-based jobs on startup by default. #61964

• Fixed performance when state_aggregate is enabled. #62439

• Fixed LGPO get_policy_info incorrectly returning a "multiple policies" error when duplicate ADMX policy definitions (e.g. TerminalServer.admx and TerminalServer-Server.admx) resolve to the same full path. #62732

• Fixed issue with salt-ssh hanging due to non-exposed host key acceptance prompt #62782

• Repaired zypper repositories being reconfigured without changes #63402

• Fix calculation of SLS context vars when trailing dots on targetted state #63411

• Catch StrictUndefined in salt jinja custom filters. #64915

• Put default optimization_order to LazyLoader to prevent possible fails on testing #65266

• Fixed aggregation to correctly honor requisites. #65304

• Fixed some instances of deprecated datetime.datetime.utcnow() #65604

• Introduce pruning option in file.keyvalue #65631

• fix 65703 by using OrderedDict instead of a index that breaks. . #65703

• Simplify timezone.compare_zone to primarily rely get_zone() #65719

• Handle regular expressions which do not not use grouping #65722

• fix consul.acl_create rule creation #65788

• Fix salt-cloud get_cloud_config_value for list objects #65789

• Prevent exceptions with fileserver.update when called via state #65819

• Fix granting of privileges on Postgres functions #65839

• Made Salt Cloud Hetzner module detect image architecture from instance type #65888

• Optimize async calls with using async wrapped method in thread only if io loop is already running #65983

• salt.auth.pam: fallback to use running Python in case /usr/bin/python3 is not found #66035

• Fix file.is_link hangs on paths that are hung mounts #66096

• Fix file.managed and file.serialize default tmp_dir to relative path #66098

• Make win_timezone recognize Qyzylorda timezone #66176

• Remove firing useless events with JID as a tag #66279

• Made gpg modules create GNUPGHOME if it does not exist #66312

• Fixed an issue where conflicting top level keys in the static grains file #66445

• (usually /etc/salt/grains) would break all grains states, and prevent static #66445

• grains from being loaded. #66445

• Fixed beacon delete not calling the beacon's close function, causing resource #66449

• leaks (e.g. inotify file descriptors) and CPU spin after deleting beacons at #66449

• runtime via beacons.delete. Also fixed inotify file descriptor leak during #66449

• beacon refresh when the Beacon instance is replaced. #66449

• Fixed a regression where setting ipv6: true in the minion configuration #66603

• caused the minion to fail to start on Windows. Three IPC socket paths in the #66603

• TCP transport hardcoded AF_INET or 127.0.0.1 regardless of the IPv6 #66603

• setting: the IPC publish server/client addresses in salt.transport.base, #66603

• the TCPPuller server socket, and the _TCPPubServerPublisher client #66603

• socket. On Windows, mixing an AF_INET6 socket with the IPv4 loopback #66603

• address (or vice-versa) is rejected by the OS. All three paths now use #66603

• ::1 with AF_INET6 when ipv6: true is set, and 127.0.0.1 #66603

• with AF_INET otherwise. #66603

• Make "status.diskusage" more robust and prevent crashes when stats cannot be obtained #66646

• Use --cachedir parameter for setting extension_modules with salt-call. #66742

• Don't schedule __master_alive jobs if master_alive_interval is not specified #66757

• Make x509 module compatible with cryptography module newer than 43.0.0 #66818

• Fixed Python 3.13 compatibility regarding urllib.parse module #66898

• make salt.channel.server.handle_message codepath more defensive #66909

• Fix the installation of pip modules with special characters in the module name #66988

• Repaired mount.fstab_present always returning pending changes #67065

• dictupdate.update: throw a TypeError when trying to merge a list with a mapping when merge_lists=True. #67092

• Remove usage of spwd #67119

• Fixed order chunks not handling a state with both require and order first or last #67120

• Fixed pkg.install in test mode would not detect FreeBSD packages installed by their origin name #67126

• Fix virtual grains for VMs running on Nutanix AHV #67180

• The redis refactor fixed the incorrect handling of the cache.list function. #67250

• Fixed creating relative directory symlinks on Windows, ensured listing targets of symlinks in file_roots always produces POSIX-style paths #67766

• Avoid loading salt.utils.crypt module instead of crypt if it's missing in Python as it was deprecated and removed in Python 3.13. #67797

• Fixed docstring error in salt/modules/file.py that misnamed an option "user" when it should have been "owner". #67911

• salt.key: check_minion_cache performance optimization #68030

• when a file is managed, and the same file is cleaned, an incorrect message is displayed saying "removed: Removed due to clean" when the file isn't actually removed. Now the correct message is returned. #68052

• log_beacon - remove verbose minion log output #68055

• Fix that the state saltmod.state can be used on a masterless minion with salt-ssh like saltmod.function currently does. #68116

• Fixed ssh_known_hosts.present failure when ssh host keys changed #68132

• grains.disks: fix exception with incompatible output of Get-PhysicalDisk #68184

• Made osfinger report major&minor version for NixOS #68230

• Fix tests failing on AlmaLinux 10 and other clones #68246

• Speedup wheel key.finger call by removing redundant processing calls. #68251

• Fixed cp.cache_file when using Tornado > 6.4 #68328

• Stop mutating locals, which is unsupported in Py >=3.13 #68445

• Add blockdev state module back in to core #68465

• #68465

• Adds the blockdev state module back into the core Salt repo as it is critical functionality that shouldn't have been pulled out in the module migration #68465

• Adds mdadm and lvm grains modules back in to core. #68470

• #68470

• Restores the modules that had been removed as part of the community module #68470

• migration. They are core bits of functionality and the associated execution and #68470

• states modules had not been removed. #68470

• Fixed grains.list_present state to correctly handle multiple calls within the same state run. #68520

• Fixed salt.utils.platform to properly handle __salt_system_encoding__ when synced as an extension module. #68520

• Improved network.traceroute parsing to be more robust across different traceroute versions. #68520

• Added retry logic to saltutil.wheel integration test to improve reliability in CI. #68520

• Improved architecture detection in salt-ssh to better support ARM64 platforms. #68520

• Fixed salt-ssh extension module syncing to avoid accidentally bundling core Salt modules and to correctly load wrapper modules. #68520

• Ensured salt-ssh relenv tests skip gracefully if the relenv tarball is unavailable in the test environment. #68520

• Fixed mine.get runner to correctly handle master's ID when ACLs are enabled. #68520

• Fixed win_useradd.get_user_sid to correctly handle non-string input. #68520

• Improved reliability of state.running integration test for salt-ssh. #68520

• Fixed high CPU usage in minion asynchronous authentication loop when masters are unreachable. #68520

• Added support for running Salt tools using python -m tools. #68520

• Adds alias state module back in to core. #68574

• #68574

• Restores the module that had been removed as part of the #68574

• community module migration. The associated execution module #68574

• had not been migrated. #68574

• Fixed mongodb tops module authentication to be compatible with pymongo v4+ by passing credentials directly to MongoClient instead of using the deprecated authenticate() method #68659

• Improved the rejected authentication warning message to include the minion ID, #68671

• making it easier for administrators to identify which minions need upgrading. #68671

• This PR fixes a bug where corrupted grains cache files cause unhandled #68678

• SaltDeserializationError exceptions, resulting in CRITICAL errors. #68678

• The fix adds proper exception handling to gracefully recover from corrupted #68678

• cache by regenerating grains. #68678

• Fix ansible.playbooks extra_vars quoting to prevent passing broken variables to ansible-playbook. #68787

• Make x86_64_v2 to be handled properly with salt.modules.yumpkg module as a possible package architecture. #68789

• Make salt-ssh work without issues using domain\user notation for remote user with SSH. #68790

• Fixed source package builds (DEB/RPM) failing with LookupError: hatchling is already being built by adding hatchling to the --only-binary allow-list so pip uses its universal wheel instead of attempting a circular source build. #68858

• Use a 30 second salt CLI timeout in the reauth scenario tests so Windows CI does not time out on test.ping after master/minion restart (default was often 5s). #68924

• Fix logging in potentially dead process in reap_stray_processes fixture #68927

• Fix dynamic version discovery on a new release branch before the first v<major>* tag exists: git describe still anchored on the previous line (e.g. v3007.13) is lifted to the unreleased codename baseline (e.g. 3008.0) while keeping the commit offset and SHA. #68964

• Remove deprecations. #68985

• • salt/auth/pki.py (removed) #68985

• • salt/features.py (removed) #68985

• • salt/modules/nxos.py (modified) #68985

• debpkg include 0/1 as valid options when parsing bool values in deb822 #68996

• Drain cancelled tasks on PublishClient close so the TCP transport no longer prints [ERROR ] Task was destroyed but it is pending! at the end of every salt command. #68998

• Upgrade packaged python to 3.14 #69014

• LoadAuth.get_tok now distinguishes between corrupt token blobs (removed from the store) and transient backend errors such as Redis connection drops or NFS hangs (token kept, request treated as not-authenticated). Previously a single backend hiccup could log every authenticated user out by deleting valid tokens. #69073

• Fix pip install -e salt #69101

• • Relenv 0.22.11 #69129

• • Update python 3.14 to 3.14.5 #69129

• • Update sqlite to 3.53.1.0 (CVE-2025-70873) #69129

• • Update expat to 2.8.1 (CVE-2026-41080 and CVE-2026-45186) #69129

• Fix master crash when presence_events: True is set on Python 3.14 by skipping the shared secrets dict during iter_transport_opts deepcopy. #69146

• Fixed lgpo_reg.value_absent failing when the Registry.pol entry was already absent but the registry value still existed. lgpo_reg.delete_value was returning early before reaching the registry cleanup code, causing the state to see no changes and report failure. The registry value is now removed regardless of whether the pol entry was present. #69203

• Fixed !!binary YAML tag failing with "Incorrect padding" when base64 padding characters are omitted. Salt's YAML loader now tolerates unpadded base64 values, restoring behavior that worked on Salt 3006 (Python 3.10). #69207

• Fixed the yaml Jinja filter returning NULL when applied to Pillar #69218

• lists or dicts. Pillar containers are wrapped in MaskedDict / #69218

• MaskedList for repr redaction; representers are now registered so the #69218

• YAML dumper serializes them as their underlying list / dict. #69218

Added

• Added proxy option to gitfs, git_pillar and winrepo for specifying a proxy server used to connect to git repositories #30990

• Added shadow.verify_password to salt.modules.win_shadow, which #41347

• validates a Windows user's password via LogonUser with #41347

• LOGON32_LOGON_NETWORK (Microsoft's recommended approach per #41347

• KB180548 <https://support.microsoft.com/en-us/help/180548>_) without #41347

• creating an interactive session. If the check causes an account lockout, #41347

• the account is automatically unlocked. Updated user.present on Windows #41347

• to use shadow.verify_password so the password is only changed when it #41347

• differs from the current value, matching the idempotent behaviour on other #41347

• platforms. #41347

• Added support for limiting the number of parallel states executing at the same time via state_max_parallel #49301

• Added metalink to mod_repo in yumpkg and documented in pkgrepo state #58931

• Add 'show_changes' arg for file.append and file.prepend states to hide output #59329

• Added ssl and verify_ssl arguments to mongodb module and states. #59927

• Added two new options, win_delay_start and win_install_dir, to pass to #61318

• the Windows installer in salt-cloud #61318

• Add context aware change handling for file state module #63328

• Added the ability to access already compiled pillar data during the pillar rendering process via the __pillar__ global in templates and matchers. #64043

• Allow salt-call arguments --file-root, --pillar-root and --states-dir to be specified multiple times #64486

• Adds documentation notes to clarify that Salt's file module only supports numeric mode specifications and does not support symbolic modes. #64624

• Added management of SSH keys and certificates #65197

• Add option (auth_events_autosign_grains) to add autosign_grains to auth events #65426

• Added use_os_truststore configuration option (default False) that instructs Salt to use the native operating system certificate store (Windows Certificate Store, macOS Keychain, or Linux system trust) for SSL/TLS verification instead of the bundled certifi CA bundle. Requires the truststore package (Python 3.10+). Also adds the ca_truststore grain that reports which store is active (certifi or os). #65439

• Enable "KeepAlive" probes for Salt SSH executions #65488

• Add ability to show diff for new files in file.managed #65546

• Added Virtuozzo Linux to Redhat os_family #65600

• Pillar dunder is now available in extension modules during pillar render. #65724

• Added x509_v2 SSH wrapper module. In addition to the regular calls, it provides a function for statefully managing remote certificates, even when access to the event bus is required #65728

• Introduce fibre_channel_host grain #65750

• Make salt-run jobs.master return runner jobs that are currently running on a master. #66007

• Added file and plaintext sources to gpg.present, allowed to skip keyserver queries #66173

• added pkg.which to aptpkg, for finding which package installed a file. #66201

• Allow pre-connection scripts to be run on host before any ssh commands #66210

• Added port, tls, username and password to the smtp configuration of the highstate returner. #66251

• Improve macOS defaults support #66466

• Added support for specifying different signature verification backends in file.managed/archive.extracted #66527

• Added an asymmetric execution module for signing/verifying data using raw asymmetric algorithms #66528

• Added support in service Beacon for only fire matching configured running state #66809

• Add --relenv Option to salt-ssh for Using a Onedir Bundled Salt+Python #66877

• Add support for state.sls_exists when using salt-ssh #66894

• Add detection for OS grains when running in AlmaLinux Kitten #66991

• Added a merge option to file.recurse, which merges subpaths from all existing sources before managing the directory. Handy when using different saltenvs or the TOFS pattern. #67072

• Add _auth calls to the master stats #67746

• Added possibility to load data from multiple inventories with ansible.targets. #67776

• Detect openEuler as RedHat family OS. #67796

• refactored server-side PKI to support cache interface #67799

• optimization: check_compound_minions: defer _pki_minions fetch #67799

• refactor: push salt.utils.minions bits into salt.key / optimize matching #67799

• Add deb822 apt source format support to aptpkg module #67956

• Add subsystem filter to "udev.exportdb" execution module function #68047

• Implement SL Micro 6.2 detection to fill the grains with proper values. #68247

• Added booleans argument to selinux.booleans #68323

• Added mod_aggregate to selinux to combine boolean #68323

• Added some type hints to selinux module and made some minor changes to improve readability and performance slightly #68323

• Add support for minion_id in log formats #68410

• #68410

• Adds support for including %(minion_id)s in log formats. Where id is available log messages on the master will have that data added to allow easier correlation of messages to minions. #68410

• Added feature parity for relenv and thin dir with salt-ssh. All salt-ssh tests pass with both thin dir and relenv. #68531

• Added tunable worker pools: partition the master's MWorkers into named pools #68532

• and route specific commands (for example _auth) to dedicated pools so a #68532

• slow workload cannot starve time-critical traffic. Controlled by the new #68532

• worker_pools and worker_pools_enabled master settings; see the "Tunable #68532

• Worker Pools" topic guide for details. Existing worker_threads #68532

• configurations remain fully backward compatible. #68532

• Added TLS encryption optimization via disable_aes_with_tls config option that eliminates redundant AES encryption when TLS with mutual authentication is active, improving performance while maintaining security through certificate identity verification. #68536

• utils.dictdiffer: support diffing of dicts in lists #68726

• Add support for nix package manager. #68752

• Added a centralized, declarative system for managing Salt's optional dependencies and their version-specific requirements in salt/utils/versions.py. #68894

• Pillar data is now wrapped in SafeDict/SafeList with Pydantic SecretStr/SecretBytes for safer logging and output; optional state no_log and automatic redaction of pillar literals in state returns and minion job logs. #68907

• Added a fast memory-mapped cache backend (salt.cache.mmap_cache): #68936

• an O(1) hash-table store with a segmented heap, durable and multi-process #68936

• safe, usable as a drop-in for localfs via the cache master setting. #68936

• A specialised variant (salt.cache.mmap_key) replaces linear pki_dir #68936

• scans for the master's minion-key store; select it with #68936

• keys.cache_driver: mmap_key. Migrate existing data with #68936

• salt-run cache.migrate and salt-run pki.migrate_to_mmap. #68936

• Batch mode now uses a single JID for the entire batch run instead of generating #68941

• a separate JID per batch iteration. This enables unified job tracking via #68941

• salt-run jobs.lookup_jid and consistent --show-jid output across all #68941

• batch slices. The job cache merges minion lists from each iteration so that #68941

• get_load returns the complete set of targeted minions. #68941

• Added OpenTelemetry distributed-tracing support across all Salt #68999

• inter-process hops (network and IPC). When tracing.enabled is true in the #68999

• master/minion config, salt emits W3C-TraceContext-propagated spans via an #68999

• OTLP exporter, covering the CLI, channel layer, master workers, minion #68999

• command execution, event bus, reactor, syndic forwarding, salt-ssh, and #68999

• salt-api. Trace context travels inside the AES-encrypted Salt envelope so #68999

• it remains opaque on the wire. Tracing is opt-in and a complete no-op when #68999

• disabled. #68999

• Added a per-job start_event opt-in (CLI flag --start-event) that asks #69019

• targeted minions to fire a salt/job/<jid>/start/<minion_id> event the #69019

• moment they accept the published job, before the function runs. The payload #69019

• mirrors the master's salt/job/<jid>/new event minus the function #69019

• arguments, letting orchestrators confirm reachability without waiting for #69019

• the full return. #69019

• Added state.graph and state.graph_highstate execution modules and runners to generate a DOT representation of the state dependency graph. #69091

• Migrate Salt documentation to the PyData Sphinx theme. This update modernizes the documentation UI, improves navigation with a persistent sidebar tree, and fixes issues with embedded video playback. #69185

• Added OpenTelemetry metrics support alongside the existing tracing #69200

• integration. When metrics.enabled is true in the master/minion #69200

• config, salt daemons emit counters (salt.jobs.published, #69200

• salt.jobs.completed, salt.auth.attempts, salt.events.fired, #69200

• salt.returners.calls), histograms (salt.job.duration, #69200

• salt.minion.exec.duration), and observable gauges #69200

• (salt.master.connected_minions.count, #69200

• salt.master.workers.queue.depth, salt.process.open_fds) via #69200

• OTLP push or a Prometheus pull endpoint. Metrics are opt-in and a #69200

• complete no-op when disabled. See doc/topics/metrics/index.rst #69200

• for the full configuration surface and instrument inventory. #69200

• Restore the pillarstack ext_pillar module (salt.pillar.stack) that was #69201

• removed when community extensions were purged. The module is reinstated as a #69201

• core ext_pillar so existing PillarStack-based pillar trees continue to work on #69201

• 3008.x. #69201

• Added lgpo_reg.get_rsop_value to query the Resultant Set of Policy (RSoP) for a registry key/value and detect whether it is managed by a Domain Group Policy Object. The lgpo_reg module functions set_value, disable_value, and delete_value now log a warning when a Domain GPO is detected for the target value. The lgpo_reg state functions value_present, value_disabled, and value_absent append the same warning to the state comment so it is visible in state output. #69205