Fix __resource__ injection in resource_modules loader and add tests

salt.loader.resource_modules was missing "__resource__" from its pack,
so LazyLoader never created a NamedLoaderContext for it and modules like
sshresource_state raised NameError when accessing __resource__["id"].
Added the sentinel entry so the loader wires __resource__ to
resource_ctxvar — the per-thread contextvar set by _thread_return before
each resource job executes.
Added a regression test (test_resource_modules_packs_resource_dunder)
and a full suite of unit and integration tests covering T@ targeting,
wildcard augmentation, resource_ctxvar thread isolation, and the
_resolve_resource_targets dispatch path. Fixed lint issues across the new
test files (blacklisted unittest.mock imports, f-string without
interpolation, unused import, broad exception catch).

Author: dwoz

docker/ssh-resource/Dockerfile

@@ -227,6 +227,18 @@
     tar --strip-components=1 -xf "$RELENV_TAR" -C "{THIN_DIR}"
 fi
 
+# BUG-WORKAROUND: salt-ssh relenv path never writes the minion config that
+# Single.__init__ builds in self.minion_config.  The non-relenv (salt-thin)
+# path embeds it in SSH_PY_SHIM via OPTIONS.config, which the Python shim
+# writes to thin_dir/minion.  The relenv shim has no equivalent, so salt-call
+# falls back to system defaults (/var/cache/salt, /var/log/salt) and fails for
+# any unprivileged user.  Writing it here replicates the salt-thin behaviour.
+# See: https://github.com/saltstack/salt (file as issue against salt-ssh relenv)
+mkdir -p "{THIN_DIR}/running_data/pki"
+cat > "{THIN_DIR}/minion" << 'SALT_MINION_CONF_EOF'
+__SALT_MINION_CONFIG__
+SALT_MINION_CONF_EOF
+
 # Check if Python binary is executable
 if [ ! -x "$SALT_CALL_BIN" ]; then
     echo "ERROR: salt-call binary not found or not executable at $SALT_CALL_BIN" >&2
@@ -1148,10 +1160,18 @@ def __init__(
             self.arch = arch.strip()
 
         if self.opts.get("relenv"):
-            kernel, os_arch = self.detect_os_arch()
-            self.thin = salt.utils.relenv.gen_relenv(
-                opts["cachedir"], kernel=kernel, os_arch=os_arch
-            )
+            if thin:
+                # Caller pre-resolved the relenv tarball path — skip the SSH
+                # round-trip that detect_os_arch() would otherwise make during
+                # __init__.  This is important when Single is created inside a
+                # minion job worker where every extra SSH connection adds latency
+                # and can cause hangs.
+                self.thin = thin
+            else:
+                kernel, os_arch = self.detect_os_arch()
+                self.thin = salt.utils.relenv.gen_relenv(
+                    opts["cachedir"], kernel=kernel, os_arch=os_arch
+                )
         else:
             self.thin = thin if thin else salt.utils.thin.thin_path(opts["cachedir"])
 
@@ -1597,7 +1617,11 @@ def _cmd_str(self):
             debug = "1"
 
         if self.opts.get("relenv"):
-            return SSH_SH_SHIM_RELENV.format(
+            # Use .replace() for minion_config — it is YAML flow-style and
+            # may contain literal { } which would break .format().  This
+            # mirrors how SSH_PY_SHIM injects OPTIONS.config on the non-relenv
+            # path (via SSH_PY_SHIM.replace("#%%OPTS", arg_str)).
+            shim = SSH_SH_SHIM_RELENV.format(
                 DEBUG=debug,
                 SUDO=sudo,
                 SUDO_USER=sudo_user or "",
@@ -1606,6 +1630,7 @@ def _cmd_str(self):
                 RSTR=RSTR,
                 ARGS=" ".join(self.argv),
             )
+            return shim.replace("__SALT_MINION_CONFIG__", self.minion_config)
 
         thin_code_digest, thin_sum = salt.utils.thin.thin_sum(cachedir, "sha1")
         arg_str = '''

salt/client/ssh/__init__.py

@@ -570,6 +570,11 @@ def resource_modules(
             "__utils__": utils,
             "__resource_funcs__": resource_funcs,
             "__opts__": resource_opts,
+            # Empty sentinel so LazyLoader creates a NamedLoaderContext for
+            # __resource__ on every loaded module.  The NamedLoaderContext
+            # reads from resource_ctxvar, which _thread_return sets per-call
+            # before dispatching — giving each resource job its own identity.
+            "__resource__": {},
         },
         extra_module_dirs=utils.module_dirs if utils else None,
         loaded_base_name=loaded_base_name,

salt/loader/__init__.py

@@ -19,6 +19,14 @@
 
 loader_ctxvar = contextvars.ContextVar(DEFAULT_CTX_VAR)
 
+# Per-call resource context.  Set via resource_ctxvar.set() in
+# _thread_return before executing the job.  contextvars are per-thread: each
+# new thread inherits a copy of the parent's context, and set() only mutates
+# the current thread's copy.  LazyLoader.run() calls copy_context() fresh on
+# every invocation, so the snapshot it passes to _last_context.run() already
+# contains the value we set here — completely isolated from other threads.
+resource_ctxvar = contextvars.ContextVar("__resource__", default={})
+
 
 @contextlib.contextmanager
 def loader_context(loader):
@@ -68,6 +76,13 @@ def value(self):
         """
         The value of the current for this context
         """
+        # __resource__ is served from resource_ctxvar, which is set
+        # per-thread in _thread_return before the job function executes.
+        # LazyLoader.run() snapshots the thread context via copy_context()
+        # on every call, so each _run_as invocation sees the value that was
+        # current when the function was invoked — no pack mutation needed.
+        if self.name == "__resource__":
+            return resource_ctxvar.get()
         loader = self.loader()
         if loader is None:
             return self.default

salt/loader/context.py

@@ -32,3 +32,10 @@ def match(tgt, opts=None, minion_id=None):
     :param str minion_id: The minion ID to evaluate; defaults to ``opts["id"]``.
     :rtype: bool
     """
+    if opts is None:
+        opts = __opts__  # pylint: disable=undefined-variable
+    if minion_id is None:
+        minion_id = opts.get("id", "")
+    result = minion_id == tgt
+    log.debug("managing_minion_match: M@%s => %s (id=%s)", tgt, result, minion_id)
+    return result

salt/matchers/managing_minion_match.py

@@ -483,20 +483,32 @@ def gen_modules(self, initial_load=False, context=None):
             context=context,
         )
         self.resource_funcs.pack["__salt__"] = self.functions
-        self.resource_loaders = {}
+        # Build resource_loaders into a local dict before assigning to
+        # self.resource_loaders.  Without this, the previous pattern:
+        #
+        #   self.resource_loaders = {}          ← exposes empty dict
+        #   for ...: self.resource_loaders[t] = …
+        #
+        # creates a window where a concurrent thread (multiprocessing: False)
+        # calling gen_modules() can read resource_loaders.get(type) == None
+        # and fail with "No resource loader available".  A single dict
+        # assignment is atomic in CPython, so the old loaders remain visible
+        # until the new complete set is ready.
+        _new_resource_loaders = {}
         for resource_type in self.opts.get("resources", {}):
             rtype_base = (
                 f"{self.opts.get('loaded_base_name', 'salt.loaded.int')}"
                 f".resource.{resource_type}"
             )
-            self.resource_loaders[resource_type] = salt.loader.resource_modules(
+            _new_resource_loaders[resource_type] = salt.loader.resource_modules(
                 self.opts,
                 resource_type,
                 resource_funcs=self.resource_funcs,
                 utils=self.utils,
                 context=context,
                 loaded_base_name=rtype_base,
             )
+        self.resource_loaders = _new_resource_loaders
 
         # Call init() on each resource type so that __context__ is populated
         # before any per-resource operations (grains, ping, etc.) are dispatched.
@@ -544,12 +556,19 @@ def _discover_resources(self):
         ``discover(opts)``; the return value is a dict of
         ``{resource_type: [resource_id, ...]}``.
 
+        If pillar does not specify any resources, any resources already
+        present in ``opts["resources"]`` (e.g. set directly in the minion
+        config file) are preserved as-is.  This supports testing and simple
+        deployments where pillar-driven discovery is not needed.
+
         Called from :meth:`gen_modules` after pillar is compiled and before
         the per-type execution-module loaders are created.
         """
         pillar_resources = self.opts.get("pillar", {}).get("resources", {})
         if not pillar_resources:
-            return {}
+            # No pillar resources — preserve whatever is already in opts
+            # (set directly in the minion config or from a previous discovery).
+            return {k: list(v) for k, v in self.opts.get("resources", {}).items()}
 
         # A minimal resource loader is sufficient here — discover() only reads
         # from the opts dict passed to it and does not need other dunders.
@@ -2656,13 +2675,15 @@ def _thread_return(cls, minion_instance, opts, data):
                     )
                     ret["retcode"] = salt.defaults.exitcodes.EX_GENERIC
                 else:
-                    # Inject per-call resource context into the type loader
-                    # AND into resource_funcs so that resource module
-                    # functions like dummy.ping() can read __resource__.
-                    functions_to_use.pack["__resource__"] = resource_target
-                    minion_instance.resource_funcs.pack["__resource__"] = (
-                        resource_target
-                    )
+                    # Set the per-call resource context via resource_ctxvar.
+                    # contextvars are per-thread, so this value is invisible
+                    # to other threads.  LazyLoader.run() calls copy_context()
+                    # fresh on every invocation, capturing this value in the
+                    # snapshot before _run_as executes — fully isolated from
+                    # concurrent resource jobs sharing the same loader object.
+                    import salt.loader.context as _loader_ctx
+
+                    _loader_ctx.resource_ctxvar.set(resource_target)
                     grains_fn = f"{resource_type}.grains"
                     if grains_fn in minion_instance.resource_funcs:
                         functions_to_use.pack["__grains__"] = (

salt/minion.py

@@ -402,23 +402,52 @@ def refresh_grains(**kwargs):
 
 def refresh_resources():
     """
-    Trigger resource discovery on this minion and report the current set of
-    managed resources back to the Master, which updates the Resource Registry.
+    Re-register this minion's managed resources with the master.
 
-    Each resource type module's ``discover()`` function is called to enumerate
-    the resources the minion manages.  The results are sent to the Master,
-    which updates the ``resources`` cache bank for each resource.  Resources
-    no longer present in the discovery result are removed from the Registry.
-
-    This is the resource analogue of ``saltutil.refresh_grains`` — it should
-    be called whenever the set of resources a minion manages may have changed.
+    Sends the current ``opts["resources"]`` to the master so that the master's
+    ``minion_resources`` cache bank is up-to-date.  This is the resource
+    analogue of ``saltutil.refresh_grains`` — call it whenever the set of
+    resources a minion manages may have changed, or after a minion restart to
+    ensure the master's targeting cache reflects the current state.
 
     CLI Example:
 
     .. code-block:: bash
 
         salt '*' saltutil.refresh_resources
     """
+    resources = __opts__.get("resources", {})
+    if not resources:
+        return True
+
+    masters = []
+    if "master_uri_list" in __opts__:
+        masters.extend(__opts__["master_uri_list"])
+    else:
+        masters.append(__opts__["master_uri"])
+
+    from salt.exceptions import SaltReqTimeoutError
+
+    for master in masters:
+        with salt.channel.client.ReqChannel.factory(
+            __opts__, master_uri=master
+        ) as channel:
+            load = {
+                "cmd": "_register_resources",
+                "id": __opts__["id"],
+                "resources": resources,
+                "tok": channel.auth.gen_token(b"salt"),
+            }
+            try:
+                channel.send(load, timeout=60)
+                log.debug(
+                    "refresh_resources: registered %s with master %s",
+                    list(resources),
+                    master,
+                )
+            except SaltReqTimeoutError:
+                log.warning("refresh_resources: timed out contacting master %s", master)
+    return True
 
 
 def sync_grains(

salt/modules/saltutil.py

@@ -24,6 +24,7 @@
 
 import logging
 import os
+import uuid
 
 import salt.client.ssh
 import salt.client.ssh.shell
@@ -32,6 +33,7 @@
 import salt.defaults.exitcodes
 import salt.fileclient
 import salt.utils.hashutils
+import salt.utils.network
 import salt.utils.state
 from salt.client.ssh.wrapper.state import (
     _cleanup_slsmod_low_data,
@@ -72,6 +74,12 @@ def _host_cfg():
     )  # pylint: disable=undefined-variable
 
 
+def _relenv_path():
+    """Return the local path of our pre-built custom relenv tarball."""
+    cachedir = __opts__.get("cachedir", "")  # pylint: disable=undefined-variable
+    return os.path.join(cachedir, "relenv", "linux", "x86_64", "salt-relenv.tar.xz")
+
+
 def _target_opts():
     """
     Build a copy of ``__opts__`` suitable for ``SSHHighState`` and ``Single``.
@@ -97,6 +105,7 @@ def _target_opts():
     )
     if "known_hosts_file" in cfg:
         opts["known_hosts_file"] = cfg["known_hosts_file"]
+    opts["relenv"] = True
     return opts
 
 
@@ -121,23 +130,31 @@ def _connection_kwargs():
     }
 
 
-def _seed_thin_dir(opts):
+def _thin_dir():
     """
-    Create a throw-away ``Single`` to force ``opts["thin_dir"]`` to be set.
+    Return the remote working directory for the salt-thin bundle.
 
-    ``Single.__init__`` computes ``thin_dir`` from the remote user and the
-    local FQDN and writes it back into opts in-place.  We need that value
-    before building the ``state.pkg`` command string.
+    Mirrors the logic in ``salt.resource.ssh._thin_dir``: uses the per-host
+    ``thin_dir`` config key when set, otherwise builds a path under ``/tmp/``
+    (always world-writable) to avoid ``/var/tmp/`` which may be root-only.
     """
-    resource_id = _resource_id()
-    dummy = salt.client.ssh.Single(
-        opts,
-        ["test.ping"],
-        resource_id,
-        **_connection_kwargs(),
-    )
-    # thin_dir is now written to opts["thin_dir"] as a side-effect
-    return dummy.thin_dir
+    cfg = _host_cfg()
+    if "thin_dir" in cfg:
+        return cfg["thin_dir"]
+    fqdn_uuid = uuid.uuid3(uuid.NAMESPACE_DNS, salt.utils.network.get_fqhostname()).hex[
+        :6
+    ]
+    return "/tmp/.{}_{}_salt".format(cfg.get("user", "root"), fqdn_uuid)
+
+
+def _seed_thin_dir(opts):
+    """
+    Compute ``thin_dir`` and write it into *opts* so that ``SSHHighState``
+    and ``prep_trans_tar`` use a consistent, writable path.
+    """
+    thin = _thin_dir()
+    opts["thin_dir"] = thin
+    return thin
 
 
 def _get_initial_pillar(opts):
@@ -407,6 +424,8 @@ def _exec_state_pkg(opts, trans_tar, test):
             opts,
             cmd,
             _resource_id(),
+            thin=_relenv_path(),
+            thin_dir=opts["thin_dir"],
             **_connection_kwargs(),
         )
         single.shell.send(trans_tar, "{}/salt_state.tgz".format(opts["thin_dir"]))