Salt 2015.8.0 Release Notes - Codename Beryllium

The 2015.8.0 feature release of Salt contains several major new features. As usual the release notes are not exhaustive and primarily include the most notable additions and improvements. Hundreds of bugs have been fixed and many modules have been substantially updated and added.

New SaltStack Installation Repositories

SaltStack now provides installation repositories for several platforms, with more to come. For instructions, see:

Send Event on State Completion

A fire_event global state keyword argument was added that allows any state to send an event upon completion. Useful for custom progress bars and checking in on long state runs. See fire_event.

ZeroMQ socket monitoring

If zmq_monitor is enabled, log all ZMQ events for socket monitoring purposes. Verbose, but useful.

SPM (Salt Package Manager)

Allows Salt formulas to be packaged for ease of deployment. See spm.


The spm executable was not included in the Debian or Ubuntu packages for the 2015.8.0 or the 2015.8.1 releases. This executable will be included in an upcoming release. As a workaround, copy the SPM script from the salt library installation into /usr/local/bin or your local equivalent.

Specify a Single Environment for Top Files

A new default_top option was added to load the state top file from a single, specific environment, rather than merging top data across all environments. Additionally, new top_file_merge_strategy and env_order options were added for more control over top file merging. See The Top File.

Tornado TCP Transport

Implemented a pure-TCP transport, in addition to ZeroMQ and RAET. The new transport uses Tornado, which allows Salt to use a standardized set of libraries for asynchronous behavior, which should greatly improve reliability and performance.


Tornado is considered expiremental in this release. The following known issues were being investigated at the time of release:

  • TCP tests show performance degredation over time (issue 26051)

  • TCP transport stacktrace on windows minion: Future exception was never retrieved (issue 25718)

  • [freebsd] TCP transport not working in 2015.8.0rc3 (issue 26364)

Proxy Minion Enhancements

Proxy Minions have undergone a significant overhaul in 2015.8, see Proxy Minion Enhancements.


Salt engines are long-running, external processes that leverage Salt. See Salt Engines.

Core Changes

  • Add system version info to versions_report, which appears in both salt --versions-report and salt '*' test.versions_report. Also added is an alias test.versions to test.versions_report. (issue 21906)

  • Add colorized console logging support. This is activated by using %(colorlevel)s, %(colorname)s, %(colorprocess)s, %(colormsg)s in log_fmt_console in the config file for any of salt-master, salt-minion, and salt-cloud.

Git Pillar

The git external pillar has been rewritten to bring it up to feature parity with gitfs. Support for pygit2 has been added, bringing with it the ability to access authenticated repositories.

Using the new features will require updates to the git ext_pillar configuration, further details can be found in the pillar.git_pillar docs.

Salt Cloud Improvements

  • Pricing data from several cloud providers (GCE, DigitalOcean, SoftLayer_HW, EC2)

  • All cloud providers now use standardized bootstrapping code.

  • Modified the Linode Salt Cloud driver to use Linode's native API instead of depending on apache-libcloud or linode-python.

Salt Cloud Changes

  • Changed the default behavior of rename_on_destroy to be set to True in the EC2 and AWS drivers.

  • Changed the default behavior of the EC2 and AWS drivers to always check for duplicate names of VMs before trying to create a new VM. Will now throw an error similarly to other salt-cloud drivers when trying to create a VM of the same name, even if the VM is in the terminated state.

  • When querying for VMs in, the number of VMs to include in a page was changed from 20 (default) to 200 to reduce the number of API calls to Digital Ocean.Ocean.

State and Execution Module Improvements

  • New and improved Docker state and execution modules (state and execution module).

  • OpenStack Glance API V2 execution module

  • Amazon VPC state module

  • RallyDev execution module

  • BambooHR execution module

  • Stormpath execution, state modules

  • Remove unused argument timeout in jboss7.status.

  • Deprecate enabled argument in pkgrepo.managed in favor of disabled.

  • Archive module changes: In the archive.tar and archive.cmd_unzip module functions, remove the arbitrary prefixing of the options string with -. An options string beginning with a --long-option, would have uncharacteristically needed its first - removed under the former scheme. Also, tar will parse its options differently if short options are used with or without a preceding -, so it is better to not confuse the user into thinking they're using the non- - format, when really they are using the with- - format.

  • Added __states__ to state modules, for cross-calling states. This enables using existing states when writing custom states. See cross calling states.

Windows Improvements

  • Enhanced the windows minion silent installation with command line parameters to configure the salt master and minion name.

  • Improved user management with additional capabilities in the user module for Windows.

  • Improved patch management with a new module for managing windows updates (win_wua).

  • Turned on multi-processing by default for windows in minion configuration.

Windows Software Repo Changes

A next-generation (ng) windows software repo is available for 2015.8.0 and later minions. When using this new repository, the repo cache is compiled on the Salt Minion, which enables pillar, grains and other things to be available during compilation time.

See the Windows Software Repository documentation for more information.

Changes to legacy Windows repository

If you have pre 2015.8 Windows minions connecting to your 2015.8 Salt master, you can continue to use the legacy Windows repository for these Salt minions.

If you were previously using this repository and have customized settings, be aware that several config options have been renamed to make their naming more consistent.

See the Windows Software Repository documentation for more information.

Win System Module

The unit of the timeout parameter in the system.halt, system.poweroff, system.reboot, and system.shutdown functions has been changed from seconds to minutes in order to be consistent with the linux timeout setting. (issue 24411) Optionally, the unit can be reverted to seconds by specifying in_seconds=True.

Other Improvements

  • Sanitize sensitive fields in http.query

  • Allow authorization to be read from Django and eauth

  • Add templating to SMTP returner

  • New REST module for SDB

  • Added rest_timeout config option and timeout argument to jobs api call

  • Provide config options for Raet lane and road buffer count. (Useful for BSD kernels)

  • Implemented ZeroMQ socket monitor for master and minion

  • Add end time to master job cache for jobs (optional, off by default)

  • Tornado is now the default backend for http.request

  • Support pillarenv selection as it's done for saltenv

  • salt was updated to use python-crypto version 2.6.1, which removes the dependency on python-m2crypto.


  • The Salt Cloud driver was removed in favor of the driver as DigitalOcean has removed support for APIv1. The was renamed to and supports DigitalOcean's APIv2.

  • The Salt Cloud driver has been deprecated in favor of the driver.

  • The Salt Cloud driver has been deprecated in favor of the driver.

  • The use of provider in Salt Cloud provider files to define cloud drivers has been deprecated in favor of using driver. Both terms will work until the 2017.7.0 release of Salt. Example provider file:

  key: 'kdjgfsgm;woormgl/aserigjksjdhasdfgn'
  private_key: /etc/salt/my_test_key.pem
  keyname: my_test_key
  securitygroup: default
  driver: ec2
  • The use of lock has been deprecated and from salt.utils.fopen. salt.utils.flopen should be used instead.

  • The following args have been deprecated from the rabbitmq_vhost.present state: user, owner, conf, write, read, and runas.

  • The use of runas has been deprecated from the rabbitmq_vhost.absent state.

  • Support for output in mine.get was removed. --out should be used instead.

  • The use of delim was removed from the following functions in the match execution module: pillar_pcre, pillar, grain_pcre,

Security Fixes

CVE-2015-6918 - Git modules leaking HTTPS auth credentials to debug log

Updated the Git state and execution modules to no longer display HTTPS basic authentication credentials in loglevel debug output on the Salt master. These credentials are now replaced with REDACTED in the debug output. Thanks to Andreas Stieger <> for bringing this to our attention.

Major Bug Fixes

  • Fixed minion failover to next master on DNS errors (issue 21082)

  • Fixed memory consumption in SaltEvents (issue 25557)

  • Don't lookup outside system path in which() util (issue 24085)

  • Fixed broken jobs rest api call (issue 23408)

  • Fixed stale grains data using in modules (issue 24073)

  • Added ssh_identities_only config flag for ssh-agent configured environments (issue 24096)

  • Fixed "object has no attribute" errors for Raet transport (issue 21640)

  • Flush event returners before master exit (issue 22814)

  • Fix CommandExecutionError in grains generation with lspci missing (issue 23342)

  • Fix salt-ssh against CentOS 7 when python-zmq not installed (issue 23503)

  • Fix salt-ssh issues related to out-of-date six module (issue 20949)

  • Fix salt-ssh thin generation after previous run was interrupted (issue 24376)

  • Use proper line endings on Windows with "file.managed" w/contents (issue 25675)

  • Fixed broken comment/uncomment functions in (issue 24620)

  • Fixed problem with unicode when changing computer description (issue 12255)

  • Fixed problem with chocolatey module not loading (issue 25717)

  • Fixed problem adding users to groups with spaces in the name (issue 25144)

  • Fixed problem adding full name to user account (issue 25206)

  • Fixed gem module stack trace (issue 21041)

  • Fixed problem with file.managed when test=True (issue 20441)

  • Fixed problem with powershell hanging while waiting for user input (issue 13943)

  • Fixed problem where the salt-minion service would not consistently start (issue 25272)

  • Fixed problem where pkg.refresh_db would return True even when winrepo.p was not found (issue 18919)

  • Could someone please provide end to end example for Proxy Minion with REST (issue 25500)

  • Proxy minions stopped working between 2014.7 and 2015.5 (issue 25053)

  • Proxy minion documentation includes outdated code sample (issue 24018)

  • Proxy Minion documentation missing grains example (issue 18273)

  • Improve process management in proxy minion (issue 12024)

  • Proxy minion never comes up with message ' I am XXX and I am not supposed to start any proxies.' (issue 25908)

  • Fixed an issue that caused an exception when using Salt mine from pillar. (issue 11509)