What's new in Salt 3001 Sodium
This is an unofficial summary of new features in the Salt Sodium release. Due to time constraints, the post is not as detailed as I initially planned. If you want to read about other changes and deprecations, then go read the official release notes and the changelog.
As it often happens with major Salt releases, there are a couple of known issues in 3001. The standard advice is to test the new release as much as you can, but avoid upgrading your infra till the next point release.
- Python 3
- Packaging and dependencies
- Developer-related changes
- Performance
- Cloud
- Grains
- State system enhancements
- SaltSSH
- Saltcheck
- Jinja
- macOS
- Windows
- Vault
- Networking
- Gitfs
- Filesystems and partitions
- Files and directories
- Package managers
- Certificates
- Nifty tricks
- Other notable changes
Python 3
There are a couple of significant changes:
- Python 2 is no longer supported. See SEP-5 and the Python 2 deprecation FAQ for more details.
- The minimum supported Python version is 3.5. It defines the baseline Python features to use (e.g., you can’t use f-strings). Also, some features that depend on Py2-only modules will stop working. The exact Python version used depends on the OS and the packaging method. See SEP-20 for more details.
- Python 3.8 and Ubuntu 20.04 LTS are finally supported!
- To support older systems that do not ship with Python >= 3.5, Tiamat will be used to bundle Python 3 with Salt packages. This is going to be a beta test for all future packaging of Salt (see the daily builds and the resulting artifacts).
- SaltSSH gained a new feature to manage Py2-only systems. See SEP-8 for more details.
If you haven’t switched your Salt install to Python 3, I have a handy guide available.
Packaging and dependencies
- The unmaintained PyCrypto library is no longer used. It was replaced by pycryptodomex in PR #56625 by Pedro Algarvio
- The minimally required boto3 version is 1.13.5. PR #57161 by Pedro Algarvio
- PyZMQ was upgraded to >= 17.0.0. PR #57548 by Bryce Larson
- pygit2 was upgraded to >= 1.2.0 for Py >= 3.8. PR #56905 by Pedro Algarvio
- psutil was upgraded to v5.6.6 because of CVE-2019-18874. PR #56363 by Pedro Algarvio
- enum34 is no longer required. PR #57108 by Pedro Algarvio
Unfortunately, the switch to Tornado >= 5 is still in progress and won’t happen until Salt Magnesium. So far, there is at least one change that prevents starting multiple ioloops in a single thread. You can track the progress here.
A couple of logs are properly rotated now:
- salt-api. PR #56274 by Rino Pascual
- salt-syndic. PR #57132 by David Murphy
- salt-proxy. PR #57354 by David Murphy
FreeBSD platform support became a bit closer to “officially blessed”:
- PR #57527 by Pedro Algarvio
- PR #57587 by Bryce Larson
Developer-related changes
There are a couple of changes that are important to Salt contributors:
Black 🖤
The Salt codebase and docs have been blackened! The intent was to spend less time fixing formatting issues in pull requests and instead focus more on tests and code quality. Also, say hello to double quotes everywhere (or write your own formatter to format the code back to your liking before editing it) 😬
The commit hashes were added to .git-blame-ignore-revs to simplify the git blame workflow.
See SEP-15 for more details. PRs #55765 by Wayne Werner and #57596 by Pedro Algarvio
Documentation
A couple of development-related pages were improved:
- PR Merge Requirements. PR #55862 by Megan Wilhite
- Release Process. PR #56126 by Megan Wilhite
- SSH Wrappers. This is a noteworthy addition to the Salt development docs that describes how to wrap execution modules to make them work over salt-ssh. PR #56790 by Christian McHugh
- Salt’s Test Suite. PR #57581 by Pedro Algarvio
The documentation quality control process became a bit stricter:
- Sphinx was upgraded to 3.0.1. PR #56671 by Bryce Larson
- A template for new PRs has some nudges to document your code and add a changelog entry. PR #56485 by Sage the Rage
- The changelog is now managed by Towncrier. PR #56984 by Megan Wilhite
- A couple of documentation validation hooks have been added. PRs #55914 by Christian McHugh and #56727 by Pedro Algarvio.
The included checks are:
- Check that every module has an associated documentation file
- Check that every doc page has an associated module file
- Check that every module is listed in the index file
- Check whether the module name stomps on a virtual doc page name
- Check that a module index is sorted
- Check for duplicates inside a module index
- Check for stray module docs in the index
Pytest & nox
The transition from the custom runtests.py runner to Pytest/nox started somewhere in 2017 and spanned a few releases. The majority of the work was done after the Salt 2019.2.0 Fluorine release.
As far as I know, the switch to Pytest didn’t happen in Salt Sodium, and both runtests and pytest will be running for some time. However, the number of changes is quite impressive (see these PRs by Pedro Algarvio).
For more info, read the Salt’s Test Suite page that describes the new nox workflow. Also check out the Pytest - a journey of three years blog post.
Pre-commit hooks
A couple of pre-commit hooks were added to automate the manual steps:
Below is a little cheat sheet on how to start using these new tools.
Bootstrap the development environment:
mkvirtualenv -p $(which python3.7) salt
setvirtualenvproject
hash -r
pip install nox
pip install pre-commit
pre-commit install-hooks
A couple of useful nox commands:
nox --list-sessions
nox -e 'pytest-zeromq-3(coverage=False)'
nox -e lint
nox -e lint-salt
nox -e lint-tests
Documentation commands:
nox -e invoke -- docs.check - check the docs
nox -e 'docs-html(compress=False, clean=False)' - build the docs
Run the pre-commit hooks manually (only staged files are checked):
pre-commit run - run all the hooks
pre-commit run isort - sort the imports
pre-commit run black - run black
pre-commit run lint-salt - lint the salt code
pre-commit run lint-tests - lint the tests
pre-commit run check-docs - check the docs
It is also possible to run the pre-commit hook on arbitrary files:
pre-commit run --file <filename>
pre-commit run --files $(git diff --name-only master...yourbranch)
Run a specific test:
nox -r -e 'pytest-zeromq-3(coverage=False)' -- tests/pytests/unit/states/test_test.py
nox -r -e "pytest-3.7(coverage=False)" -- tests/pytests/unit/states/test_ini_manage.py
SKIP_REQUIREMENTS_INSTALL=1 nox -r -e 'pytest-zeromq-3(coverage=False)' -- tests/pytests/unit/states/test_test.py - faster, because it doesn’t try to install the requirements (the assumption is that they are already installed, otherwise the command will fail)
EXTRA_REQUIREMENTS_INSTALL="ipdb ipython" nox -r -e 'pytest-zeromq-3(coverage=False)' -- tests/pytests/unit/states/test_test.py - install debugging tools before running the tests
Faster commits:
git commit --no-verify - skip all hooks
SKIP=pip-tools-compile git commit - skip the pip compile hook that fails on Windows
Performance
salt-call --local speedup
This one-line fix results in an almost 3-fold performance increase (its author reports an even more significant speedup):
# BEFORE:
% time sudo salt-call --local test.ping
local:
True
real 0m2.961s
user 0m2.733s
sys 0m0.201s
# AFTER:
% time sudo salt-call --local test.ping
local:
True
real 0m1.022s
user 0m0.756s
sys 0m0.197s
PR #57062 by Ivan Babrou and PR #57172 by Erik Johnson
esxi grain optimization
According to the PR, this short fix shaves 3/4 off the test.ping duration on Windows by making the vsphere module import conditional.
Async minion ping on key rotation
When the ping_on_rotate master option is set to true, the master will ping all connected minions to trigger a key refresh. This change avoids blocking the master Maintenance process when doing so.
Lazily list available states
This change significantly improves state.apply performance when using GitFS with a lot of branches. It is particularly useful when top_file_merging_strategy=same and there are many environments.
PR #54468 by Mathieu Parent
Salt Master subprocess niceness
A couple of new settings set the niceness of various salt-master processes. They could be useful under high load to ensure that critical parts of Salt aren’t resource-starved. The settings are available only on POSIX platforms and are set to None by default:
req_server_niceness
pub_server_niceness
fileserver_update_niceness
maintenance_niceness
mworker_niceness
mworker_queue_niceness
event_return_niceness
event_publisher_niceness
reactor_niceness
PR #57365 by Matt Phillips
Reactor leader
In multi-master hot-hot environments, all events are streamed to all masters for a given minion. This introduces the problem of a reactor being executed on each hot master, regardless of whether the reaction is idempotent or not. This patch adds a simple is_leader runtime flag (True by default) that can be controlled via the reactor runner (or by emitting the equivalent event) to toggle whether a reactor in hot-standby mode should react to events coming into the bus. This provides a simple integration point for an external leader election tool, such as consul-template.
To query the flag, run the salt-run reactor.is_leader command. To change it, run the salt-run reactor.set_leader True or salt-run reactor.set_leader False command.
Unfortunately, the feature didn’t work for me:
% sudo salt-run reactor.is_leader
event:
----------
_stamp:
2020-06-02T10:22:42.528292
key:
REDACTED
suffix:
salt/reactors/manage/is_leader
Passed invalid arguments: 'NoneType' object is not subscriptable
Usage:
Return whether the running reactor is acting as a leader (responding to events).
CLI Example:
.. code-block:: bash
salt-run reactor.is_leader
PR #56856 by Matt Phillips
Parallel slots
Not exactly a performance improvement, but now slots are actually expanded and parallelized with parallel: true.
PR #56221 by Max Arnold
Faster fqdns grain
Gate the fqdns grain behind the enable_fqdns_grains setting (true by default, except for Windows) and calculate its values in parallel. This helps to reduce or completely avoid blocking other core grains.
As a side effect, the time to run the fast subset of tests on Windows went down from ~4 hours to ~50 minutes!
PRs #55581 by Pablo Suárez Hernández, #57576 by Shane Lee
Faster grains.setval
Add a refresh_pillar kwarg (true by default) to the grains.setval and grains.setvals functions. By setting it to false, you can skip the pillar refresh.
Reactor queue overflow warning
This is a minor change, but it will help you notice that the reactor TaskPool queue is full. The reactor_worker_threads and reactor_worker_hwm settings could be used to remediate that.
PR #56787 by @geekinutah
GPG renderer cache
A master can cache GPG data locally to bypass the expense of having to render it for each minion on every request. This feature should only be enabled in cases where pillar rendering time is known to be unsatisfactory, and any attendant security concerns about storing decrypted GPG data in a master cache have been addressed. The caching process is controlled with the following settings:
- gpg_cache - False by default
- gpg_cache_ttl - 86400
- gpg_cache_backend - disk
PR #55772 by Mathieu Parent
Cloud
Kubeadm module
An initial version of the kubeadm execution module has the following functions:
join_params
version
token_create
token_delete
token_generate
token_list
alpha_certs_renew
alpha_kubeconfig_user
alpha_kubelet_config_download
alpha_kubelet_config_enable_dynamic
alpha_selfhosting_pivot
config_images_list
config_images_pull
config_migrate
config_print_init_defaults
config_print_join_defaults
config_upload_from_file
config_upload_from_flags
config_view
init
join
reset
There are many missing functions; see the various TODOs in the source code if you want to help.
PR #53345 by Alberto Planas
Helm support
A new module and state to manage Helm. Requires Helm-CLI v3.0.
Execution module functions:
completion
create
dependency_build
dependency_list
dependency_update
env
get_all
get_hooks
get_manifest
get_notes
get_values
help
history
install
lint
list
package
plugin_install
plugin_list
plugin_uninstall
plugin_update
pull
repo_add
repo_index
repo_list
repo_remove
repo_update
repo_manage
rollback
search_hub
search_repo
show_all
show_chart
show_readme
show_values
status
template
test
uninstall
upgrade
verify
version
States:
repo_managed
repo_updated
release_present
release_absent
Virt changes
- Allow defining serial devices on virtual machines. PR #57024 by Kenn Leth Hansen
- Enable volume support in the virt module and state. Now virt.running, virt.purge, etc. can also handle volume disk images. This allows RBD, iSCSI, etc. volumes in VMs. PR #56666 by Cedric Bosdonnat
- Allow creating or updating VMs with no network interface (or disk); add a virt.all_capabilities call to get all host and domain capabilities at once. PR #57010 by Cedric Bosdonnat
- Add defined, network_defined, and pool_defined states; add a test flag to the virt.update execution function. PR #55814 by Cedric Bosdonnat
- Add bhyve hypervisor support; add ZFS compatibility for cloning/creating ZFS volumes when using bhyve as a hypervisor. PR #56882 by Jeroen Schutrup
- Allow specifying the efi parameter so that UEFI firmware can be auto-selected. PR #57396 by Guoqing Li
- Allow booting VMs with UEFI. PR #56613 by Guoqing Li
- Various pool build fixes. PR #57374 by Cedric Bosdonnat
- Various disk fixes. PR #57350 by Cedric Bosdonnat
Other cloud changes
- Azure Blob ext_pillar. PR #55493 by @Ajnbro
- Add a returner to send highstate stats to the AppOptics Metrics platform. PR #56662 by Peter N
- Fix the broken scaleway module. PR #56709 by Robert Schmidt and Erik Johnson
- Enable the Salt Cloud Google Compute Engine module to provision accelerator cards (GPUs) when creating an instance on GCE. PR #56704 by @jp-harvey and Erik Johnson
- Allow enabling/disabling termination protection for AWS EC2 instances. PR #56703 by @AmitChotaliya and Erik Johnson
- Add the shutdown_host function to the VMware cloud module. PR #56711 by @HenriWahl and Erik Johnson
- Add the Docker logout function to remove the saved authentication details for one or more configured repositories. PR #56439 by Alexander Graul
- Allow the OpenStack driver to attach multiple networks. PR #56961 by Mark Hyde
- For the saltify cloud provider, use the minion name as ssh_host. PR #56712 by @amendlik and Erik Johnson
Grains
- This is a backward-incompatible change caused by a Py3-related issue (#46595) that affects how the server_id grain is calculated (it is an integer value derived from the FQDN of a machine). PR #57415 by David Hilton. It supersedes the earlier PRs #48812, #49383, and #49585 by Bo Maryniuk. IMO, those were better because the backward-incompatible change was gated behind a feature flag.
- The new kernelparams Linux grain parses /proc/cmdline and returns a list of [key, value] pairs (the format supports duplicate keys, but isn’t very convenient for Jinja lookups). PR #56839 by Krzysztof Pawłowski
- Support AMD GPU vendor detection for the gpus grain. PR #56837 by Michael Kuron
- Add the systempath grain. PR #56370 by Erik Johnson
- Set a default osrelease grain for MS Hyper-V 2019 because a year isn’t provided in the system information. PR #56991 by @xeacott
- Improved Solaris zone detection for the virtual and virtual_subtype grains. PR #55491 by Clint Allen
- Make it possible for the master to be in a different region than the minion and still fetch ec2 pillars. This requires the use_grain: true configuration to be set, and falls back to the master’s region if there is no region grain. PR #56802 by @carsonoid
- Fix grains.delkey and grains.delval for nested keys. PR #57235 by David Guest
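To make the kernelparams format concrete, here is an added example (not the grain's own code, not from the page author): a parser that produces the list of [key, value] pairs from a constructed command line, plus a helper that collapses the pairs into a dict for Jinja lookups without losing duplicate keys. Treating bare flags as value None is an assumption; the page only shows the pair layout.

```python
import shlex

# Constructed /proc/cmdline content (not read from a real host). It carries the
# edge cases a parser has to survive: a duplicated "console" key, an "=" inside
# the root value, a bare "quiet" flag and a quoted value containing a space.
SAMPLE_CMDLINE = (
    'BOOT_IMAGE=/vmlinuz-5.4.0 root=UUID=1234-abcd ro '
    'console=tty0 console=ttyS0,115200 quiet '
    'systemd.setenv="FOO=a b"'
)


def kernelparams(cmdline):
    """Return the grain's format: a list of [key, value] pairs in command-line
    order. Only the first "=" separates key from value, so "root=UUID=..." keeps
    its full value; bare flags get None (assumption, see lead-in). Duplicate keys
    are kept as separate pairs, exactly as they appear on the command line."""
    params = []
    for item in shlex.split(cmdline):  # honours shell-style quoting
        key, sep, value = item.partition("=")
        params.append([key, value if sep else None])
    return params


def kernelparams_lookup(params):
    """Turn the pairs into {key: [value, ...]} so a template can do
    lookup['console'] instead of looping; every occurrence of a duplicated
    key survives as another list element."""
    lookup = {}
    for key, value in params:
        lookup.setdefault(key, []).append(value)
    return lookup
```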
State system enhancements
Unless/onlyif/creates requisite unification
The ability to use execution modules in unless/onlyif requisites (introduced in Salt Neon) has been enhanced. Now it also works within the following states:
- cmd
- docker_container
- git
- macpackage
This change also introduces a global creates requisite (previously it was only available within the cmd state). A contrived creates example:
touch_once:
  file.touch:
    - name: /path/to/file
    - creates: /path/to/file
PRs #55974 and #56381 by Christian McHugh
onfail_all requisite
The onfail_all requisite uses AND logic when multiple states are referenced (unlike onfail_any, which uses OR):
test_site_a:
  cmd.run:
    - name: ping -c1 10.0.0.1
test_site_b:
  cmd.run:
    - name: ping -c1 10.0.0.2
notify_site_down:
  hipchat.send_message:
    - room_id: 123456
    - message: "Both primary and backup sites are down!"
    - onfail_all:
      - cmd: test_site_a
      - cmd: test_site_b
In this contrived example, notify_site_down will run when both 10.0.0.1 and 10.0.0.2 fail to respond to ping.
PR #56831 by Matt Phillips
Ability to disable requisites
This is a new minion config option to disable certain kinds of state requisites:
disabled_requisites:
  - require
  - require_in
It is hard to come up with any use-case for this feature, and the PR is not very verbose (Adding the ability to disable requisites during state runs). If the feature were more granular and it were possible to disable specific state IDs, then it could potentially be used to disable certain parts of upstream formulas.
My only guess is that right now, it may be used to unit-test some complex states in isolation. However, the only unit test in Salt Sodium that uses this option is the one that checks the feature itself…
PR #56815 by Gareth J. Greenaway
state.test function
The state.test function is an alias for state.apply test=True. It is easier to type and less susceptible to typos.
PR #56298 by Ryan Addessi
SaltSSH
- Add a new ssh_pre_flight roster option and a --pre-flight CLI option. This allows a user to run a script before other salt-ssh commands are run. The script will only run if the thin_dir does not exist. A primary use-case is to install Python 3 on hosts that do not have it. PR #56488 by Megan Wilhite
- Add the auto_detect feature to ssh_ext_alternatives. This new auto_detect option needs to be set to True in your ssh_ext_alternatives configuration. Salt-ssh will attempt to auto-detect the file paths required for the default dependencies to include in the thin. You can also set the py_bin option to set the Python binary used to auto-detect the dependencies (otherwise, it will attempt to use the major Python version set in py-version). PR #56894 by Megan Wilhite
- A new salt-ssh roster option set_path allows you to set the PATH environment variable used to run the salt-ssh command on the target minion. PR #56627 by Megan Wilhite
- Support the previously ignored pillar argument of the state.sls_id function. PR #53348 by Kirill Goncharov
Saltcheck
Multiple Saltcheck assertions
Allow Saltcheck tests to specify multiple assertions against the output of a single module_and_function call. The assertion, expected_return, assertion_section, and assertion_section_delimiter keys can be placed in a list under an assertions key.
multiple checks on complicated output:
  module_and_function: network.netstat
  assertions:
    - assertion: assertEqual
      assertion_section: "0:program"
      expected_return: "systemd-resolve"
    - assertion: assertEqual
      assertion_section: "0:proto"
      expected_return: "udp"
  output_details: True
  print_result: True
PR #56101 by Christian McHugh
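As an added example (not Saltcheck's own code and not from the page author), the following evaluates a test of the shape shown above against already-collected module output; the netstat-style output is constructed. It shows how assertion_section walks the nested result, how per-assertion keys override the test-level ones, and why assertion_section_delimiter exists when a key itself contains the default ":".

```python
# Constructed network.netstat-style output (not captured from a real host):
# the real module returns a list of dicts, one per socket.
SAMPLE_NETSTAT = [
    {"proto": "udp", "local-address": "127.0.0.53:53", "program": "systemd-resolve"},
    {"proto": "tcp", "local-address": "0.0.0.0:22", "program": "sshd"},
]

# The test from the section above, as the dict its YAML loads to.
MULTI_ASSERTION_TEST = {
    "module_and_function": "network.netstat",
    "assertions": [
        {"assertion": "assertEqual", "assertion_section": "0:program",
         "expected_return": "systemd-resolve"},
        {"assertion": "assertEqual", "assertion_section": "0:proto",
         "expected_return": "udp"},
    ],
    "output_details": True,
    "print_result": True,
}

# Assertion name -> predicate(actual, expected); a subset of Saltcheck's set.
ASSERTIONS = {
    "assertEqual": lambda got, exp: got == exp,
    "assertNotEqual": lambda got, exp: got != exp,
    "assertTrue": lambda got, exp: bool(got) is True,
    "assertFalse": lambda got, exp: bool(got) is False,
    "assertIn": lambda got, exp: exp in got,
    "assertNotIn": lambda got, exp: exp not in got,
    "assertGreater": lambda got, exp: got > exp,
    "assertLess": lambda got, exp: got < exp,
}


def get_section(value, section, delimiter=":"):
    """Follow an assertion_section path such as "0:program" into nested
    lists/dicts: numeric components index lists, other components key dicts."""
    for part in section.split(delimiter):
        value = value[int(part)] if isinstance(value, list) else value[part]
    return value


def run_test(test, module_output):
    """Evaluate one Saltcheck-style test dict against module output that has
    already been collected. Accepts both the single-assertion form and the
    Sodium "assertions:" list; keys inside an assertion override test-level
    ones. A bad section path or unknown assertion name counts as a failure
    rather than aborting the whole test run."""
    checks = test.get("assertions") or [test]
    details = []
    for check in checks:
        params = {**test, **check}
        section = params.get("assertion_section")
        delimiter = params.get("assertion_section_delimiter", ":")
        name = params.get("assertion", "assertEqual")
        expected = params.get("expected_return")
        try:
            got = get_section(module_output, section, delimiter) if section else module_output
            passed = ASSERTIONS[name](got, expected)
        except (KeyError, IndexError, TypeError, ValueError) as exc:
            got, passed = "error: %r" % exc, False
        details.append({"assertion": name, "assertion_section": section,
                        "expected_return": expected, "actual": got,
                        "status": "Pass" if passed else "Fail"})
    status = "Pass" if all(d["status"] == "Pass" for d in details) else "Fail"
    return {"module_and_function": test["module_and_function"],
            "status": status, "details": details}
```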
Parallel Saltcheck tests
Saltcheck tests will be run in parallel by adding saltcheck_parallel: True to the minion config. Setting this value to an integer sets the maximum number of parallel processes. Otherwise, the number of processes will be the minimum of the number of CPUs and the number of tests.
PR #56097 by Christian McHugh
Jinja
IP filtering by network
The filter_by_networks Jinja filter returns the list of IPs filtered by the network list:
{% set networks = ['192.168.0.0/24', 'fe80::/64'] %}
{{ grains['ip_interfaces'] | filter_by_networks(networks) }}
{{ grains['ipv6'] | filter_by_networks(networks) }}
{{ grains['ipv4'] | filter_by_networks(networks) }}
PR #56394 by Alexander Graul
method_call filter
Another interesting Jinja filter allows you to call object methods. Using it directly is not very practical. However, in combination with the map filter it enables some cool tricks without resorting to Jinja loops:
# method_call.sls
{% set hostnames = [
'web01.example.com',
'db01.example.com'
] %}
{% set names = hostnames |
map('method_call', 'split', '.', 1) |
map('method_call', '__getitem__', 0) |
list
%}
{% do salt.log.warning(names) %}
% sudo salt-call state.apply method_call -l warning
[WARNING ] ['web01', 'db01']
Other Jinja changes
- Respect argline passed into Jinja renderer. This could be used when one GPG-encrypts an SLS file and uses the GPG renderer to decrypt prior to rendering the Jinja. PR #55126 by Erik Johnson
- Work around an upstream bug in Jinja2<2.11 indent filter. PR #56860 by Erik Johnson
macOS
- The new plist serializer allows you to manage plist files using the file.serialized state by specifying formatter: plist. It can work with both XML and binary plists (add serializer_opts: [fmt: FMT_BINARY] for the latter). PR #56954 by Wesley Whetstone
- Make mac_softwareupdate.list_available work on macOS Catalina, and add the ability to filter updates by the new “shut down” action. PR #56191 by Shea Craig
- Add hold and unhold functions to mac_brew_pkg. PR #55978 by Gareth J. Greenaway
Windows
- A couple of MSI improvements. PRs #57068, #56352 and a bunch of other changes by Markus
- Add the win_wua.installed function to the win_wua module. The function will return a list of updates that apply to the current build of Windows. PR #56637 by Shane Lee
- Add the ability to install Chocolatey by specifying a source (offline), and the chocolatey.unbootstrap function to uninstall it. Also, add a couple of salt.utils.win_dotnet functions for working with versions: dotnet.versions, dotnet.versions_list, dotnet.versions_details, dotnet.version_at_least. PR #56818 by Shane Lee
- Add system.set_domain_workgroup to win_system. PR #56792 by @arizvisa
- Add the pending_reboot grain on Windows that indicates that the system is pending a reboot. PR #56489 by Shane Lee
Vault
- Allow generation of longer-lived vault tokens, and cache this information on the minion. Also, cache the vault secret backend version to save a network trip on each secret lookup. The single-use token is still the default, but master or minion configuration options allow generating longer-lived tokens (by uses or ttl). Should anyone desire to clear the minion’s token/metadata cache file, the new vault.clear_token_cache execution function can be used for that. PR #57066 by Christian McHugh and Rocky
- Add a default argument to vault.read_secret and vault.list_secrets. When the path or path/key combination is not found, an exception will be raised unless a default is provided. PR #56311 by Erik Johnson
- Make the vault execution and SDB modules compatible with Key Value Store Version 2.0. Also, add vault.destroy_secret. PR #55842 by Rocky and Christian McHugh
- Fix the broken sdb.get_or_set_hash. PR #54199 by Jason Woods
Networking
Cisco NX-OS
Huge NX-OS patchset:
- Combine the nxos.py and nxos_api.py workflows into the single nxos namespace, and enable all of the functions to work across the NXOS SSH Proxy Minion, the NXOS NX-API HTTP/HTTPS Proxy Minion, and the NXOS Guestshell Hosted Native Minion over Unix Domain Socket (UDS)
- New execution and state modules to upgrade/downgrade the software on Cisco NX-OS devices
- Cisco Nexus Salt Minion Installation and Configuration Guide
PR #54931 by Mike Wiebe, @tstoner, Nicole Thomas, and David Hilton
Junos
Many bugfixes in Junos-related components:
Other networking changes
- Major debian_ip refactoring. PR #56353 by Michael Lustfield
- NAPALM net.py and bgp.py fixes. PR #55421 by aegiacometti
- Add ARPCHECK to the template for RHEL7/8 networking. PRs #57114 by Wayne Werner and #56801 by @scornelissen85
- Add the ability to add hwaddr and macaddr to the network config for Redhat-based systems. PR #56917 by Shane Lee
- Make salt.modules.pf (the OpenBSD packet filter) compatible with FreeBSD. PR #56759 by Brad Ackerman
- Add ip_networks and ip_networks6 functions to get a minion’s networks. Additionally, the interface arg to both new functions supports multiple interfaces and globbing. This additional functionality has also been added to the ip_addrs and ip_addrs6 functions. PR #53100 by Erik Johnson
Gitfs
- Support annotated tags in the pygit2 git provider. PR #56481 by Alexander Fischer
- Add a fallback branch (global or per-remote) to gitfs and git_pillar, used when no matching branch is found. PR #56647 by Mathieu Parent
- Allow using a repo name instead of the full URL when running salt-run git_pillar.update. PR #56605 by Mathieu Parent
Filesystems and partitions
- Add BTRFS and XFS as supported fstypes in the parted module. PR #55209 by Jochen Breuer
- Add fat as a valid filesystem in the parted module (useful for Fedora and RHEL). PR #57193 by @fignew and Erik Johnson
- New btrfs state module: subvolume_created, subvolume_deleted, and properties states. PR #52699 by Alberto Planas
- Add a new DRBD monitor function (drbd.status) that uses drbdadm, and deprecate the old drbd-overview method. PR #56768 by @nick-wang
Files and directories
- Add SELinux support to file.managed. PR #55922 by Christian McHugh
- Suppress the file.directory state’s output by adding a new silent recurse option (useful for large directories). PR #54976 by Christian McHugh
- Support include/exclude patterns in file.recurse. PR #54552 by Christian McHugh
- Add **kwargs to file.rename to fix prereq. PR #56981 by @edusperoni
- Various fixes in the archive.extracted state. PRs #55975 and #56042 by Proskurin Kirill
Package managers
- Properly support test mode in the opkg backend. PR #56769 by @JD-Robertson
- Refresh the __salt__ dunder on pip state changes (i.e., pip states no longer require a reload_modules: True). PR #56867 by Erik Johnson
- Call the pip binary without the -m flag when using bundled Salt installs. PR #56988 by @xeacott
- Add a fromrepo target for FreeBSD pkg.upgrade to be able to use different repositories. PR #57358 by Kirill Ponomarev
- Add fetchonly (aka -F) to the pkg.upgrade module. PR #57371 by Kirill Ponomarev
- Various fixes and improvements across different package backends. PR #54954 by Alberto Planas
- Add a setting for forcing refresh in Zypper (the force flag for pkg.refresh_db or the zypper.refreshdb_force pillar key). PR #56419 by Alexander Graul
- Use dpkg-query for listing packages instead of dpkg -L. PR #52606 by Benjamin Drung
- Documentation for how platform-specific pkg state args are handled. PR #56865 by Erik Johnson
Certificates
- Rewrite x509.certificate_managed to be easier to use (fix test=True, better error handling, append_certs validation, managed_private_key option removal, more informative state output). PR #52935 by Glynn Forrest
- Make it possible to issue certificates with custom validity dates using the Salt x509 support by specifying the not_before and not_after attributes on new certificates. PR #53149 by J. Eduardo
- Add a tls.validate function to validate a certificate against a given CA/CRL; add an optional digest argument to the tls.revoke_cert and tls.create_empty_crl functions. PR #56850 by Wayne Werner
Nifty tricks
API call to fetch the master public key
The goal of this feature is to simplify programmatic minion bootstrapping/pre-seeding without hardcoding a master public key. The new wheel.key.master_key_str
function can return an existing pubkey through the python API or netapi.
file.keyvalue state
The state was announced at SaltConf18 and is intended to work with default configuration files, which have the defaults commented out (not all defaults might be in there, though). It can be used instead of the more low-level file.replace, file.append, file.blockreplace, and file.line states to:
- uncomment default lines
- remove superfluous ones
- match either (or both) the key or value part of a setting case-insensitively
- append or prepend a key/value setting
sshd_config_harden:
  file.keyvalue:
    - name: /etc/ssh/sshd_config
    - key_values:
        permitrootlogin: 'without-password'
        LoginGraceTime: '1m'
        DisableForwarding: 'yes'
    - separator: ' '
    - uncomment: '# '
    - key_ignore_case: True
    - append_if_not_found: True
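The edit the state above performs can be reproduced in a few lines of Python. This is an added example, not Salt's implementation of file.keyvalue and not the page author's code: it uncomments and rewrites a matching default, matches keys case-insensitively, appends keys that are missing, reports the changes it made, and is a no-op on a second run. The sshd_config sample it edits is constructed.

```python
import re

# Constructed sample sshd_config (not from any real host): the defaults are
# present but commented out with "# ", the layout file.keyvalue targets.
SAMPLE_SSHD_CONFIG = """\
# Constructed sample sshd_config
# PermitRootLogin prohibit-password
# LoginGraceTime 2m
# StrictModes yes
"""


def apply_key_values(content, key_values, separator=" ", uncomment="# ",
                     key_ignore_case=True, append_if_not_found=True):
    """Rewrite key/value settings the way the sshd_config_harden state does.

    For every key, the first line that starts with an optional comment prefix
    (the uncomment argument) followed by the key and the separator is rewritten
    in place, dropping the prefix, so the commented-out default becomes live.
    Keys that match no line are appended when append_if_not_found is set.
    Returns (new_content, changes) where changes maps key -> (old_line, new_line)
    and old_line is None for an appended setting.
    """
    flags = re.IGNORECASE if key_ignore_case else 0
    prefix = "(?:%s)?" % re.escape(uncomment) if uncomment else ""
    patterns = {
        key: re.compile(r"^%s(%s)%s.*$" % (prefix, re.escape(key),
                                            re.escape(separator)), flags)
        for key in key_values
    }
    remaining = dict(key_values)
    changes = {}
    out = []
    for line in content.splitlines():
        new_line = line
        for key in list(remaining):
            match = patterns[key].match(line)
            if match:
                # Keep the key's spelling as found in the file, replace the value.
                new_line = match.group(1) + separator + str(remaining.pop(key))
                if new_line != line:
                    changes[key] = (line, new_line)
                break
        out.append(new_line)
    if append_if_not_found:
        for key, value in remaining.items():
            new_line = key + separator + str(value)
            out.append(new_line)
            changes[key] = (None, new_line)
    return "\n".join(out) + "\n", changes
```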
Support extra modules in sys.path
Salt can sync custom utils modules like any other module type (modules, states, etc.). However, salt.utils are often imported directly (instead of using the __utils__ dunder), and this prevents overriding them with custom versions. This improvement makes custom utils importable.
PR #53167 by Alberto Planas
Relative pillar includes
Sometimes it takes seven years to fix an issue. Now it is finally possible to use relative pillar includes (state files supported them since 0.16.0):
# foo/bar/init.sls
# Dot notation will include foo/bar/base.sls instead of base.sls
include:
- .base
Unfortunately, multiple dots aren’t supported in pillars (in state files it is possible to use include: - ..base).
PR #56851 by Wayne Werner
Synchronous pillar refresh
This feature adds an async parameter to the saltutil.refresh_pillar function (on a par with saltutil.refresh_modules). When set to False, it will block the minion until a /salt/minion/minion_pillar_complete event is received:
% sudo salt minion1 saltutil.refresh_modules async=False
minion1:
True
It is not yet possible to specify this argument for the saltutil state functions, so in order to use it in a state file you still have to resort to module.run.
PR #56881 by Alexander Fischer
File banner
Have you ever put the “DO NOT EDIT THIS FILE BY HAND” header into a file managed by Salt? Well, there’s a feature for that:
% sudo salt minion1 slsutil.banner
minion1:
########################################################################
# #
# THIS FILE IS MANAGED BY SALT - DO NOT EDIT #
# #
# The contents of this file are managed by Salt. Any changes to this #
# file may be overwritten automatically and without warning #
########################################################################
% sudo salt minion1 slsutil.banner width=64 commentchar='//'
minion1:
//############################################################//
// //
// THIS FILE IS MANAGED BY SALT - DO NOT EDIT //
// //
// The contents of this file are managed by Salt. Any changes //
// to this file may be overwritten automatically and without //
// warning //
//############################################################//
% sudo salt minion1 slsutil.renderer default_renderer=jinja \
string="{{ salt['slsutil.banner'](width=32) }}"
minion1:
################################
# #
# THIS FILE IS MANAGED BY SALT #
# - DO NOT EDIT #
# #
# The contents of this file #
# are managed by Salt. Any #
# changes to this file may be #
# overwritten automatically #
# and without warning #
################################
% sudo salt minion1 slsutil.renderer default_renderer=jinja \
string="{{ salt['slsutil.banner'](text=salt['http.query']\
('https://salt.tips/whats-new-in-salt-sodium/pirate-flag.txt')['body'], width=47) }}"
minion1:
###############################################
# #
# THIS FILE IS MANAGED BY SALT - DO NOT EDIT #
# #
# ........................................... #
# . . #
# . ___ . #
# . \_/ . #
# . |._ . #
# . |'."-._.-""--.-"-.__.-'/ . #
# . | \ .-. ( . #
# . | | (@.@) ) . #
# . | | '=.|m|.=' / . #
# . jgs | / .='`"``=. / . #
# . |.' ( . #
# . |.-"-.__.-""-.__.-"-.) . #
# . | . #
# . | . #
# . | . #
# . . #
# ........................................... #
###############################################
boolstr helper function
A small helper to simplify converting boolean values to strings (useful in templated configs):
% sudo salt-call slsutil.renderer default_renderer=jinja \
string="{{ salt['slsutil.boolstr'](True, 'yes', 'no') }}"
local:
yes
The last two arguments are optional ('true'
and 'false'
by default).
baredoc module
The existing sys.doc function is unable to return modules and functions that do not have their dependencies installed. The new baredoc module can show all the execution and state module functions that exist. It returns a dictionary keyed by module and function name, where each entry contains a list of arguments that the function can take. The module is also able to show state/module docstrings.
% sudo salt minion1 baredoc.list_states saltutil
minion1:
----------
saltutil:
|_
----------
sync_all:
----------
kwargs:
kwargs
name:
None
|_
----------
sync_beacons:
----------
kwargs:
kwargs
name:
None
...
% sudo salt minion1 baredoc.list_modules test names_only=true
minion1:
----------
test:
- missing_func
- attr_call
- module_report
- echo
- ping
- sleep
- rand_sleep
- version
...
% sudo salt minion1 baredoc.module_docs test.ping
minion1:
----------
test.ping:
Used to make sure the minion is up and responding. Not an ICMP ping.
Returns ``True``.
CLI Example:
salt '*' test.ping
The module is already used by the VSCode SaltStack plugin to provide state autocompletion. So far it looks like the plugin has the most comprehensive state autocompletion feature amongst other editors.
The original PR #52044 was submitted by C. R. Oldham. Later it was significantly refactored and improved by Christian McHugh by utilizing a more robust ast parser in PRs #56685 and #56902.
CAVEAT: the module doesn't show function aliases that use salt.utils.functools.alias_function, for example docker.cp or saltutil.sync_outputters.
Other notable changes
- New toml renderer that leverages the existing toml serializer. Also, the serializer was updated from pytoml to the supported toml library. PR #56615 by Christian McHugh
- devinfo is a new module designed to get hardware information. It provides an API to access the output of hwinfo, and a set of functions to filter udev information. PR #54267 by Alberto Planas
- The new pkg_resources.version_compare function exposes the functionality from salt.utils.versions.compare, allowing it to be used in places like Jinja templates. PR #56678 by Erik Johnson
- Update the various test.succeed_with* and test.fail_with* states to use comment when passed. PR #56626 by Gareth J. Greenaway
- Add a usergroup argument to the user.present state that will create a new primary group of the same name and add the user to it (Linux only). PR #56782 by @boltronics
- Add merge and merge_lists options to match.filter_by. PR #56816 by Oleg Lipovchenko
- PostgreSQL: advanced initdb options support in postgres_cluster.present. PR #56797 by Vincas Dargis
- Add ignore to the sysctl state and module. PR #55719 by Christian McHugh
- Search for and return a single cron line (salt.modules.cron.get_entry). PR #54985 by Christian McHugh
- Add service.firstboot to call systemd-firstboot to configure basic settings of the system (like locale, keymap, timezone, etc.). PR #53443 by Alberto Planas
- Extend the Saltclass external pillar and master_tops to allow globbing when including classes. PR #56758 by Alexander Werner
- New supervisord.status_bool method that could be used via onlyif with slots to only do something with a process if it is available and in the expected state. PR #57049 by Proskurin Kirill
- Fix compound matches with nodegroups. PR #56592 by Ken Crowell
- The ability to use a regex pattern to match processes with ps.pgrep (via the optional pattern_is_regex flag). PR #56690 by Nicholas Hughes
- Allow the minion to read its files from the local filesystem instead of asking for them from the master, but still get commands from the master. To enable this functionality, set file_client=local and use_master_when_local=True in the minion config. PR #56612 by C. R. Oldham
- Update the check_password function for newer RabbitMQ versions. PR #56193 by @11chrisadams11
- Better support for comments in MySQL files. PR #54371 by Christian McHugh
- Update the pdbedit module for the Debian version. PR #57141 by Jorge Schrauwen
- Ensure errors are returned for missing pillars. PR #57208 by @lnattrass
- Support comments in the host module and state. PR #56614 by Gareth J. Greenaway
- In case a minion does not return before a timeout, the job ID is printed on the screen, exactly as after pressing Ctrl+C (but without having to). PR #56793 by @elisaparolo
- Add the cp.cache_dest function that returns the expected cache path for a file. PR #56785 by @terminalmage
- Add the ability to pass a timeout to beacons. PR #56848 by Shane Lee
- Fix several bugs in the slack_webhook returner. PR #55968 by Carlos D. Álvaro
- Rename salt/utils/docker/ to salt/utils/dockermod/. This avoids a nasty module shadowing problem during the loading of the utils modules, where import docker imports salt.utils.docker instead. PR #56857 by Erik Johnson
- A simple means to keep track of jobs executed through the Async and Sync mixin clients (runners). The purpose is to better understand what is running on a master, which in turn opens the possibility of knowing when it is safe to apply new configurations and restart the master service without disrupting current executions. PR #56440 by @austinpapp