(release-3008.0)=
Remove community extensions from Salt codebase #65970
Remove deprecated module search path priority (features.enable_deprecated_module_search_path_priority) #66025
Remove the orchestration key from salt.runner and salt.wheel return data. #66151
Removed linode-python package dependency for retired Linode API v3 #68871
Removed legacy salt.transport.ipc module and unused PushChannel / PullChannel factories; local events use ipc_publish_client / ipc_publish_server (TCP transport). #69001
Deprecated the use of egrep in favor of grep -E #65608
Make sure every auth event has the 'act' key set #56200
Ansiblegate discover_playbooks was changed to find playbooks as either *.yml or *.yaml files #66048
Re-work the aptpkg module to remove system libraries that onedir and virtualenvs do not have access to. Streamline testing and code to use only the needed libraries. #66056
Made gpg modules respect user's GNUPGHOME if set in shell environment #66313
Made gpg.present attempt to refresh keys if they are expired #66314
Made x509_v2 the default x509 modules. Until they are removed in the next major release, you can still revert to the old modules by setting features: {x509_v2: false} in the configuration #66384
Included Salt extensions in Salt-SSH thin archive #66559
Add support for additional options in several mac_brew_pkg methods #66611
Make test_pip and test_fileserver tests compatible with venv execution #66703
Do not use ssl.PROTOCOL_TLS, which has been deprecated in Python 3.10 and will be removed in the future. #66767
Remove warning when running slsutil.renderer on non-SLS files #67067
PillarCache: reimplement using salt.cache #68030
fix minion data cache organization/move pillar and grains to dedicated cache banks #68030
salt.cache: allow cache.store() to set expires per key #68030
Provide token storage using the salt.cache interface #68039
Update packaged python from 3.10 to 3.11 #68148
Added ceph to the specialFSes to match on name for set_fstab #68207
Removed networkx module dependency by adding MultiDiGraph implementation to salt.utils.requisite to avoid extra dependencies. #68748
Expanded Thorium documentation with concrete examples and added unit coverage for the documented Thorium workflows. #68857
Add stub 3008.0 release notes (and template) so tools docs man and CI prepare-release can resolve the current-release doc target. Exclude doc/topics/proposals/*.md from Sphinx so stand-alone proposal files do not fail strict man builds. #68964
Fixed recursive prereq requisites to report recursive requisite error. #8210
Fixed erroneous recursive requisite error when a prereq is used in combination with onchanges_any. #47154
Fixed an infinite loop in requisite_any when a requisite state was not found. #50436
Fixed dependency resolution to not be quadratic. #59123
Fix regex cache exception during sort in sweep function #59437
Fixed requisites by parallel states on parallel states being evaluated synchronously (blocking state execution for other parallel states) #59959
Fix bug when specifying template_source using net.load_template #60515
firewalld: normalize new rich rules before comparing to old ones #61235
Fix regression that prevented salt-minion from running interval-based jobs on startup by default. #61964
Fixed performance when state_aggregate is enabled. #62439
Fixed issue with salt-ssh hanging due to non-exposed host key acceptance prompt #62782
Repaired zypper repositories being reconfigured without changes #63402
Fix calculation of SLS context vars when trailing dots on targeted state #63411
Put default optimization_order in LazyLoader to prevent possible failures during testing #65266
Fixed aggregation to correctly honor requisites. #65304
Fixed some instances of deprecated datetime.datetime.utcnow() #65604
Introduce pruning option in file.keyvalue #65631
Fix 65703 by using OrderedDict instead of an index that breaks. #65703
Simplify timezone.compare_zone to rely primarily on get_zone() #65719
Handle regular expressions which do not use grouping #65722
fix consul.acl_create rule creation #65788
Fix salt-cloud get_cloud_config_value for list objects #65789
Prevent exceptions with fileserver.update when called via state #65819
Fix granting of privileges on Postgres functions #65839
Made Salt Cloud Hetzner module detect image architecture from instance type #65888
Optimize async calls by running the async-wrapped method in a thread only if the IO loop is already running #65983
salt.auth.pam: fallback to use running Python in case /usr/bin/python3 is not found #66035
Fix file.is_link hangs on paths that are hung mounts #66096
Fix file.managed and file.serialize default tmp_dir to relative path #66098
Make win_timezone recognize Qyzylorda timezone #66176
Remove firing useless events with JID as a tag #66279
Made gpg modules create GNUPGHOME if it does not exist #66312
Fixed an issue where conflicting top level keys in the static grains file (usually /etc/salt/grains) would break all grains states, and prevent static grains from being loaded. #66445
Fixed beacon delete not calling the beacon's close function, causing resource leaks (e.g. inotify file descriptors) and CPU spin after deleting beacons at runtime via beacons.delete. Also fixed inotify file descriptor leak during beacon refresh when the Beacon instance is replaced. #66449
Make "status.diskusage" more robust and prevent crashes when stats cannot be obtained #66646
Use --cachedir parameter for setting extension_modules with salt-call. #66742
Don't schedule __master_alive jobs if master_alive_interval is not specified #66757
Make x509 module compatible with cryptography module newer than 43.0.0 #66818
Fixed Python 3.13 compatibility regarding urllib.parse module #66898
make salt.channel.server.handle_message codepath more defensive #66909
Fix the installation of pip modules with special characters in the module name #66988
Repaired mount.fstab_present always returning pending changes #67065
dictupdate.update: throw a TypeError when trying to merge a list with a mapping when merge_lists=True. #67092
Remove usage of spwd #67119
Fixed order chunks not handling a state with both require and order first or last #67120
Fixed pkg.install in test mode would not detect FreeBSD packages installed by their origin name #67126
Fix virtual grains for VMs running on Nutanix AHV #67180
Fixed creating relative directory symlinks on Windows, ensured listing targets of symlinks in file_roots always produces POSIX-style paths #67766
Avoid loading salt.utils.crypt module instead of crypt if it's missing in Python as it was deprecated and removed in Python 3.13. #67797
Fixed docstring error in salt/modules/file.py that misnamed an option "user" when it should have been "owner". #67911
salt.key: check_minion_cache performance optimization #68030
When a file is managed and the same file is cleaned, an incorrect message was displayed saying "removed: Removed due to clean" even though the file wasn't actually removed. Now the correct message is returned. #68052
log_beacon - remove verbose minion log output #68055
Fix saltmod.state so that it can be used on a masterless minion with salt-ssh, as saltmod.function already can. #68116
Fixed ssh_known_hosts.present failure when ssh host keys changed #68132
grains.disks: fix exception with incompatible output of Get-PhysicalDisk #68184
Made osfinger report major and minor version for NixOS #68230
Fix tests failing on AlmaLinux 10 and other clones #68246
Speedup wheel key.finger call by removing redundant processing calls. #68251
Fixed cp.cache_file when using Tornado > 6.4 #68328
Fixed multiline powershell -Command { } blocks failing with "Missing closing '}'" when used in a cmd.run state on Windows. Salt now collapses embedded newlines and re-encodes the script block as -EncodedCommand, ensuring correct execution and suppressing CLIXML noise from stderr. #68397
Stop mutating locals, which is unsupported in Py >=3.13 #68445
Add blockdev state module back in to core #68465
Adds the blockdev state module back into the core Salt repo as it is critical functionality that shouldn't have been pulled out in the module migration #68465
Adds mdadm and lvm grains modules back in to core. #68470
Restores the modules that had been removed as part of the community module migration. They are core bits of functionality and the associated execution and states modules had not been removed. #68470
Fixed grains.list_present state to correctly handle multiple calls within the same state run. #68520
Fixed salt.utils.platform to properly handle __salt_system_encoding__ when synced as an extension module. #68520
Improved network.traceroute parsing to be more robust across different traceroute versions. #68520
Added retry logic to saltutil.wheel integration test to improve reliability in CI. #68520
Improved architecture detection in salt-ssh to better support ARM64 platforms. #68520
Fixed salt-ssh extension module syncing to avoid accidentally bundling core Salt modules and to correctly load wrapper modules. #68520
Ensured salt-ssh relenv tests skip gracefully if the relenv tarball is unavailable in the test environment. #68520
Fixed mine.get runner to correctly handle master's ID when ACLs are enabled. #68520
Fixed win_useradd.get_user_sid to correctly handle non-string input. #68520
Improved reliability of state.running integration test for salt-ssh. #68520
Fixed high CPU usage in minion asynchronous authentication loop when masters are unreachable. #68520
Added support for running Salt tools using python -m tools. #68520
Adds alias state module back in to core. #68574
Restores the module that had been removed as part of the community module migration. The associated execution module had not been migrated. #68574
Fixed mongodb tops module authentication to be compatible with pymongo v4+ by passing credentials directly to MongoClient instead of using the deprecated authenticate() method #68659
Improved the rejected authentication warning message to include the minion ID, making it easier for administrators to identify which minions need upgrading. #68671
This PR fixes a bug where corrupted grains cache files cause unhandled SaltDeserializationError exceptions, resulting in CRITICAL errors. The fix adds proper exception handling to gracefully recover from corrupted cache by regenerating grains. #68678
Fix ansible.playbooks extra_vars quoting to prevent passing broken variables to ansible-playbook. #68787
Make the salt.modules.yumpkg module handle x86_64_v2 properly as a possible package architecture. #68789
Make salt-ssh work without issues using domain\user notation for remote user with SSH. #68790
Fixed source package builds (DEB/RPM) failing with LookupError: hatchling is already being built by adding hatchling to the --only-binary allow-list so pip uses its universal wheel instead of attempting a circular source build. #68858
Use a 30 second salt CLI timeout in the reauth scenario tests so Windows CI does not time out on test.ping after master/minion restart (default was often 5s). #68924
Fix logging in potentially dead process in reap_stray_processes fixture #68927
Fixed a regression in win_pkg where msiexec install flags containing Windows-style quoting (e.g. MYPROPERTY="C:\some file.txt") were mangled into "MYPROPERTY=C:\some file.txt" causing msiexec to hang. Restored the pre-regression behaviour where shlex_split is not applied to command strings on Windows, preserving Windows-style argument quoting when the command is passed directly to CreateProcess. #68950
Fix dynamic version discovery on a new release branch before the first v<major>* tag exists: git describe still anchored on the previous line (e.g. v3007.13) is lifted to the unreleased codename baseline (e.g. 3008.0) while keeping the commit offset and SHA. #68964
Remove deprecations. #68985
salt/auth/pki.py (removed) #68985
salt/features.py (removed) #68985
salt/modules/nxos.py (modified) #68985
Fixed on the 3008.x release line: Salt NetAPI rest_tornado header parsing without cgi.parse_header (removed in Python 3.13). Integration salt_minion / salt_sub_minion fixtures now call saltutil.sync_all with saltenv=base to avoid long master round-trips from top-file environment discovery during Windows CI. Salt factories use a 120 second daemon start timeout when ONEDIR_TESTRUN is set so Windows onedir runs match CI and avoid flaky minion start event waits. #69014
Added proxy option to gitfs, git_pillar and winrepo for specifying a proxy server used to connect to git repositories #30990
Added support for limiting the number of parallel states executing at the same time via state_max_parallel #49301
Added metalink to mod_repo in yumpkg and documented in pkgrepo state #58931
Added ssl and verify_ssl arguments to mongodb module and states. #59927
Added two new options, win_delay_start and win_install_dir, to pass to the Windows installer in salt-cloud #61318
Add context aware change handling for file state module #63328
Added the ability to access already compiled pillar data during the pillar rendering process via the __pillar__ global in templates and matchers. #64043
Allow salt-call arguments --file-root, --pillar-root and --states-dir to be specified multiple times #64486
Adds documentation notes to clarify that Salt's file module only supports numeric mode specifications and does not support symbolic modes. #64624
Added management of SSH keys and certificates #65197
Add option (auth_events_autosign_grains) to add autosign_grains to auth events #65426
Enable "KeepAlive" probes for Salt SSH executions #65488
Add ability to show diff for new files in file.managed #65546
Added Virtuozzo Linux to Redhat os_family #65600
Pillar dunder is now available in extension modules during pillar render. #65724
Added x509_v2 SSH wrapper module. In addition to the regular calls, it provides a function for statefully managing remote certificates, even when access to the event bus is required #65728
Introduce fibre_channel_host grain #65750
Make salt-run jobs.master return runner jobs that are currently running on a master. #66007
Added file and plaintext sources to gpg.present, allowed to skip keyserver queries #66173
added pkg.which to aptpkg, for finding which package installed a file. #66201
Allow pre-connection scripts to be run on host before any ssh commands #66210
Added port, tls, username and password to the smtp configuration of the highstate returner. #66251
Improve macOS defaults support #66466
Added support for specifying different signature verification backends in file.managed/archive.extracted #66527
Added an asymmetric execution module for signing/verifying data using raw asymmetric algorithms #66528
Added support in the service beacon to fire only when matching the configured running state #66809
Add --relenv Option to salt-ssh for Using a Onedir Bundled Salt+Python #66877
Add support for state.sls_exists when using salt-ssh #66894
Add detection for OS grains when running in AlmaLinux Kitten #66991
Added a merge option to file.recurse, which merges subpaths from all existing sources before managing the directory. Handy when using different saltenvs or the TOFS pattern. #67072
Add _auth calls to the master stats #67746
Added possibility to load data from multiple inventories with ansible.targets. #67776
Detect openEuler as RedHat family OS. #67796
refactored server-side PKI to support cache interface #67799
optimization: check_compound_minions: defer _pki_minions fetch #67799
refactor: push salt.utils.minions bits into salt.key / optimize matching #67799
Add deb822 apt source format support to aptpkg module #67956
Add subsystem filter to "udev.exportdb" execution module function #68047
Implement SL Micro 6.2 detection to fill the grains with proper values. #68247
Added booleans argument to selinux.booleans #68323
Added mod_aggregate to selinux to combine boolean #68323
Added some type hints to selinux module and made some minor changes to improve readability and performance slightly #68323
Add support for minion_id in log formats #68410
Adds support for including %(minion_id)s in log formats. Where id is available log messages on the master will have that data added to allow easier correlation of messages to minions. #68410
Added feature parity for relenv and thin dir with salt-ssh. All salt-ssh tests pass with both thin dir and relenv. #68531
Added tunable worker pools: partition the master's MWorkers into named pools and route specific commands (for example _auth) to dedicated pools so a slow workload cannot starve time-critical traffic. Controlled by the new worker_pools and worker_pools_enabled master settings; see the "Tunable Worker Pools" topic guide for details. Existing worker_threads configurations remain fully backward compatible. #68532
Added TLS encryption optimization via disable_aes_with_tls config option that eliminates redundant AES encryption when TLS with mutual authentication is active, improving performance while maintaining security through certificate identity verification. #68536
utils.dictdiffer: support diffing of dicts in lists #68726
Add support for nix package manager. #68752
Added a centralized, declarative system for managing Salt's optional dependencies and their version-specific requirements in salt/utils/versions.py. #68894
Added a fast memory-mapped cache backend (salt.cache.mmap_cache): an O(1) hash-table store with a segmented heap, durable and multi-process safe, usable as a drop-in for localfs via the cache master setting. The minion public-key index (salt.cache.mmap_key / salt.utils.pki.PkiIndex) is built on it; it replaces linear pki_dir scans for large fleets and is opt-in via pki_index_enabled. Migrate existing keys with salt-run pki.migrate_to_mmap. #68936
Batch mode now uses a single JID for the entire batch run instead of generating a separate JID per batch iteration. This enables unified job tracking via salt-run jobs.lookup_jid and consistent --show-jid output across all batch slices. The job cache merges minion lists from each iteration so that get_load returns the complete set of targeted minions. #68941
Added a per-job start_event opt-in (CLI flag --start-event) that asks targeted minions to fire a salt/job/<jid>/start/<minion_id> event the moment they accept the published job, before the function runs. The payload mirrors the master's salt/job/<jid>/new event minus the function arguments, letting orchestrators confirm reachability without waiting for the full return. #69019