Juju 3.6 (LTS)ยถ

April 2039: expected end of security fix support

1 May 2026: expected end of bug fix support

Note

Juju 3.6 series is LTS

๐Ÿ”ธ Juju 3.6.12ยถ

๐Ÿ—“๏ธ 26 Nov 2025

โš™๏ธ Features:

Support for importing and attaching storage to Kubernetes unitsยถ

A common use case for Kubernetes is to restore a volume from a backup and attach it to a unit. This feature allows that use case to be supported by providing support for:

  • importing a k8s persistent volume into the Juju model as a storage instance

  • attaching the imported storage instance to an existing unit

  • attaching the imported storage instance to a new unit

The Juju commands for importing and attaching storage work as for vm (non-k8s) models. To import a persistent volume: juju import-filesystem kubernetes <pv-name> <storage-name> The imported storage instance can be attached to a unit using the --attach-storage option for deploy or add-unit: juju deploy postgresql-k8s --trust --attach-storage <storage-name>/<N> juju add-unit postgresql-k8s --attach-storage <storage-name>/<N>

where <storage-name> is the name of the storage defined by the charm and <N> is the ordinal of the storage instance created by the juju import-filesystem command.

Vault secrets backend mount pathยถ

Vault secret backends now support a mount path. If specified, the final path to access secrets for a model will be <mount-path>/<mode-name>-<model-shortuuid>. The mount path is specified using the mount-path secret backend config option.

JAAS - service account loginยถ

For JAAS, a service account login method is added using env vars. If the env vars JUJU_CLIENT_ID and JUJU_CLIENT_SECRET are present, they will take precedence over all other login providers.

๐Ÿ› ๏ธ Fixes:

File handle leaksยถ

The default behaviour of the Go HTTP client is to keep all idle connections forever. For Juju controllers involved with cross-model relations where thereโ€™s a degree of network instability (resulting in worker restarts), this can lead to a large number of idle connections which are never closed. The end result is that the controller accumulates an ever-increasing number of open file handles, eventually causing the controller jujud agent to crash. The fixes below address this issue.

Secretsยถ

A few secrets issues are fixed:

  • updating a secret rotation policy would fail.

  • if a k8s secret resource was deleted manually, attempting to delete the secret revision from Juju would fail.

  • reading the content of a secret by label from within the same hook where an update was made would return inconsistent results in --refresh were used.

Openstackยถ

When removing units, the relevant network interfaces on all running instances were removed, instead of interfaces on just the instance on which the unit was running.

๐Ÿ”ธ Juju 3.6.11ยถ

๐Ÿ—“๏ธ 21 Oct 2025

This is a bug fix release primarily to address 2 regressions in the 3.6.10 release. As such, the 3.6.10 release is revoked.

The release notes below document the entire change set from 3.6.9.

As well as the regression fixes, the 3.6.11 release also contains updates to the secrets backend to improve the performance of dealing with 1000s of secret revisions.

For a detailed list of every commit in this release, refer to the Github 3.6.11 Release Notes .

โš™๏ธ Features:

New Google Cloud provider functionalityยถ

The Google Cloud provider gains support for various features already available on other clouds like AWS or Azure. Specifically, the following features are now available:

VPC selection
Use the vpc-id model config value to select the name of the VPC to use for that model. This is supplied when the model is added:
juju add-model mymodel --config vpc-id=myvpc
or at bootstrap for the controller model:
juju bootstrap google mycontroller --config vpc-id=myvpc

For a VPC to be used when bootstrapping, there must be a firewall ruling allowing SSH traffic.

Spaces support and subnet placement
Compute instances can now be provisioned such that space constraints and subnet placement can be used. Subnet placement can use either the subnet name or subnet CIDR.
eg
juju deploy mycharm --constraints="spaces=aspace" juju deploy mycharm --constraints="subnet=asubnet" juju deploy mycharm --constraints="subnet=10.142.0.0/16"

ssh-allow model config
The ssh-allow model config value is now supported. When specified, a firewall rule is created to control ingress to the ssh port.
eg
juju model-config ssh-allow="192.168.0.0/24"

Service account credentials
Similar to using instance roles on AWS or managed identities on Azure, itโ€™s now possible to use service accounts to confer permissions to Juju controllers such that a credential secret is not required. The service account to be used must have the following scopes:

  • https://www.googleapis.com/auth/compute

  • https://www.googleapis.com/auth/devstorage.full_control

If you are not on a jump host, you must bootstrap using a standard credential and specify the service account like so:
juju bootstrap google mycontroller --bootstrap-constraints="instance-role=mydevname@2@developer.gserviceaccount.com"

If you are on a jump host, you can set up a credential using juju add-credential google. Select credential type service-account and enter the service account email. Then bootstrap as normal:
juju bootstrap google mycontroller

Constrains with image-id
The use of the image-id constraint value is now supported.
eg
juju deploy mycharm --constraints="image-id=someimageid"

Preview: support for --attach-storage on Kubernetes modelsยถ

For this release, a feature flag needs to be used as the feature is in preview. On the client machine used to run the Juju CLI, simply:
export JUJU_DEV_FEATURE_FLAGS=k8s-attach-storage

The primary use case this feature is designed to solve is to provide the ability to re-use volumes that have been restored from a backup and attach them to units when deploying or scaling. The basic steps follow the usual import and attach workflow supported already on other clouds:

  1. Import the PV into the Juju model to create a detached storage instance.

  2. Use the imported storage with the --attach-storage option for deploy or add-unit.
    eg

juju import-filesystem kubernetes <mypvname>
# See the resulting detached storage instance.
juju status --storage
juju deploy postgresql-k8s --trust --attach-storage <storagename>

Note that if the PV to be imported still has a reference to a PVC, the --force option is needed when importing since the existing claim reference will be removed.

Removal of charm metricsยถ

Charm metrics are no longer supported. This means that the collect-metrics and meter-status-changed hooks will no longer fire and the add-metrics hook command becomes a no-op. In addition, the Juju CLI commands metrics, collect=metrics, and set-meter-status are removed.

Documentation improvementsยถ

Many documentation improvements have been done for this release. Highlights include:

  • better support for diagrams in dark mode

  • visual enhancements to tips and notes

  • removal of command aliases from CLI doc to reduce clutter

  • hook and storage reference doc improvements

  • add missing model configuration attributes

๐Ÿ› ๏ธ Fixes:

Juju infrastructureยถ

The commits below fix a regression in 3.6.10 which could in some circumstances cause a deadlock when closing a web socket connection.

Secretsยถ

The commits below contain a fix to ensure obsolete secret revisions are purged from unit state, preventing unbounded growth when individual revisions are purged. Thereโ€™s also a fix to secret deletion to prevent removal of secret revisions partially matching the one asked for. Included as well are various performance improvements to better handle 1000s of secret revisions.

Juju refresh commandยถ

In some cases, the juju refresh command could panic.

Openstackยถ

The 3.6.9 release introduced a regression when running on Openstack clouds where security groups are disabled.

Google cloudยถ

Specifying non-default disk storage using storage pools is fixed. Using images configured for pro support is fixed.

Kubernetesยถ

The mutating web hook created a misnamed label on pods which cause a regression when deploying certain charms.

Destroying a kubernetes controller could sometimes result in an error.

Deletion of applications deployed using sidecar charms now also deletes any Kubernetes resources created directly by the charm and not managed by Juju. These include:

  • custom resource definitions

  • config maps

  • deployments, daemonsets

  • etc

Adding multiple secrets simultaneously could result in an error and this has been fixed. Fixes for issues scaling applications:

  • fix logic to only consider units >= target scale for removal, preventing inappropriate scaling during scale-up scenarios.

  • only initiate scaling when all excess units (>= target) are dead. The credential-get hook command now works on Kubernetes models for trusted applications the same way as for VM models.

LXDยถ

When a model is deleted, any LXD profiles created for the model and its applications are now removed. The profile naming scheme has been updated to include a reference to the model UUID as well as name to ensure profiles are fully disambiguated. Upon upgrade to this Juju version, existing profiles are renamed as needed.

The new profile names are of the form:
juju-<model>-<shortid> or juju-<model>-<shortid>-<app>-<rev>

๐Ÿฅณ New Contributors:

๐Ÿ”ธ Juju 3.6.9ยถ

๐Ÿ—“๏ธ 20 Aug 2025

โš™๏ธ Features:

New cloud regionsยถ

Increased secret content sizeยถ

The secret content size limit has been increased from 8KiB to 1MiB.

Other featuresยถ

๐Ÿ› ๏ธ Fixes:

Openstackยถ

The Openstack Neutron API endpoint was incurring excessive calls due to an inefficient query strategy.
SEV flavors are deprioritised when using constraints to choose a flavor as they are not yet modelled.

Azureยถ

LXDยถ

The LXD provider now supports zone constraints.
There are also storage fixes for deploying a charm with multiple storage requirements.

Kubernetesยถ

The memory request and limit has been reduced for the charm container and no longer uses the same (possibly large) value that may have been required for the workload.
The default image repository is now ghcr rather than docker.

Storageยถ

A long occurring intermittent storage bug was fixed where sometimes storage would not be registred as attached and charms would hang and not run the storage attached hook.

FAN networkingยถ

If the container networking method is set to โ€œlocalโ€ or โ€œproviderโ€, do not set up FAN networking.

Mitigate possible connection leakยถ

The worker to monitor and update external controller API addreses for cross model relations could needlessly and constantly bounce due to incorrect detection of address changes. This would cause HTTP connections to churn, possibly contributing to observed connection / file handle leaks.

Other fixesยถ

๐Ÿฅณ New Contributors:

๐Ÿ”ธ Juju 3.6.8ยถ

๐Ÿ—“๏ธ 7 Jul 2025

๐Ÿ› ๏ธ Fixes:

โš™๏ธ Features:

๐Ÿ—’๏ธ Docs:

๐Ÿ”ธ Juju 3.6.7ยถ

๐Ÿ—“๏ธ 9 Jun 2025

๐Ÿ› ๏ธ Fixes:

๐Ÿฅณ New Contributors:

๐Ÿ”ธ Juju 3.6.6ยถ

๐Ÿ—“๏ธ 29 May 2025 โš™๏ธ Features:

  • feat(secrets): handle NotFound errors in secret backend during RemoveUserSecrets by @ca-scribner in #19169

  • feat: open firewall ports for SSH server proxy by @kian99 in #19180

  • feat(ssh): public key authentication for ssh server by @SimoneDutto in #18974

  • feat: sshtunneler package by @kian99 in #19285

  • feat: transaction op logging by @manadart in #19762

๐Ÿ› ๏ธ Fixes:

  • fix: always create K8s unit virtual host key by @kian99 in #19503

  • fix: model defaults validation by @manadart in #19462

  • fix: detailed health errors for probe by @jameinel in #19670

  • fix: broken enable-ha on azure due to a panic caused by a nil pointer by @wallyworld in #19695

  • fix: ssh-tunneler worker failure on k8s provider by @kian99 in #19729

  • fix: warn on dropped error by @MggMuggins in #19532

๐Ÿฅณ New Contributors:

  • @matthew-hagemann made their first contribution in #19436

  • @abbiesims made their first contribution in #19575

  • @MggMuggins made their first contribution in #19532

๐Ÿ”ธ Juju 3.6.5ยถ

๐Ÿ—“๏ธ 14 Apr 2025 โš™๏ธ Features:

  • feat(ssh-server-worker): add feature flag for ssh jump server by @SimoneDutto in #19364

  • feat: add facade to resolve virtual hostname by @SimoneDutto in #18995

  • feat: retrieve unit host keys by @ale8k in #18973

  • feat(state): add state method for ssh connection requests by @SimoneDutto in #19212

  • feat(state): add cleanup for expired ssh connection requests by @SimoneDutto in #19239

  • feat(sshworker): add max concurrent connections to ssh server by @SimoneDutto in #19236

  • feat(ssh-conn-req-facades): add controller and client facade to interact with ssh conn requests by @SimoneDutto in #19301

  • feat(ssh-server-worker): set unit hostkey for target host by @SimoneDutto in #19299

๐Ÿ› ๏ธ Fixes:

  • fix(apiserver): avoid splitting untrusted data by @jub0bs in #18971

  • fix(charmhub): resolve misleading output for info by @leyao-daily in #19084

  • fix: login to jaas controller by @kian99 in #19136

  • fix: avoid restart loop of ssh server worker by @kian99 in #19152

  • fix(bootstrap): support instance-role when bootstrapping by @xtrusia in #19204

  • fix: facade restriction for โ€œsshserverโ€ facade by @ale8k in #19220

  • fix(applicationoffer): fix authorization check for list/show offers by @alesstimec in #19287

  • fix: split model migration status message by @SimonRichardson in #19255

  • fix: update to use ctrl state & return public key in ssh wire format base64 std encoded by @ale8k in #19324

  • fix: prevent retry of a successful phase by @SimonRichardson in #19257

  • fix: close possible leak in ext controller worker by @wallyworld in #19311

  • fix: revert pull request #19287 by @SimoneDutto in #19395

  • fix: k8s cloud reuse across controllers by @hpidcock in #19298

๐Ÿฅณ New Contributors:

  • @sinanawad made their first contribution in #19179

  • @ahmad-can made their first contribution in #18784

  • @pamudithaA made their first contribution in #19155

  • @vlad-apostol made their first contribution in #19261

  • @alexdlukens made their first contribution in #19390

๐Ÿ”ธ Juju 3.6.4ยถ

๐Ÿ—“๏ธ 11 Mar 2025 โš™๏ธ Features:

  • feat(security): add SECURITY.md for reporting security issues by @anvial in #18245

  • feat(charmhub): add revision support for info command by @leyao-daily in #18676

  • feat: add virtual host keys to state by @kian99 in #18829

  • feat: add support for trust token based authentication on remote LXD by @nvinuesa in #18626

  • feat: virtual host keys upgrade step by @kian99 in #18941

  • feat: ssh server facade and plug in by @ale8k in #19019

๐Ÿ› ๏ธ Fixes:

  • fix: replicaset update after removing a primary controller in HA by @nvinuesa in #18965

  • fix: container resource export by @Aflynn50 in #18898

  • fix(state/charm.go): fix for AddCharmMetadata buildTxn by @alesstimec in #18990

  • fix(apiserver): avoid splitting untrusted data by @jub0bs in #18970

  • fix(shallow-copy-addrs): fix shallow copy before shuffle by @SimoneDutto in #19017

  • fix: avoid error when change for a Pebble notice has been pruned by @benhoyt in #18981

  • fix: get model info authorization by @alesstimec in #18959

  • fix: change jaas snap mount path by @kian99 in #19062

  • fix: install aws cli and creds for tests needing aws ec2 cli by @wallyworld in #19072

  • fix: login after logout with OIDC by @kian99 in #19079

  • fix: worker leaking in TestManfioldStart of the SSH server worker by @ale8k in #19102

๐Ÿฅณ New Contributors:

  • @network-charles made their first contribution in #19063

  • @andogq made their first contribution in #19023

๐Ÿ”ธ Juju 3.6.3ยถ

๐Ÿ—“๏ธ 27 Feb 2025 โš™๏ธ Features:

  • feat(secrets): add support for using besoke k8s secret backends by @wallyworld in #18599

  • feat(secrets): add token refresh support to k8s secret backend by @wallyworld in #18639

  • chore: bump Pebble version to v1.18.0 by @james-garner-canonical in #18752

  • feat: log MAAS device removals by @manadart in #18705

  • feat: debug log when we can not find an image by @SimonRichardson in #18666

  • feat(config): ssh server configuration options by @ale8k in #18701

  • feat: add hostname parsing by @kian99 in #18821

  • feat(sshserver worker): adds a base skeleton ssh server worker by @ale8k in #18627

๐Ÿ› ๏ธ Fixes:

  • fix: juju debug-log โ€“replay and โ€“no-tail by @CodingCookieRookie in #18601

  • fix: dangling state trackers by @SimonRichardson in #18611

  • fix: close state pool item on release by @SimonRichardson in #18614

  • fix(bootstrap): fix bootstrap mirror bug on noble by @jack-w-shaw in #18659

  • fix: remove server side constraints by @CodingCookieRookie in #18674

  • fix: support older agents with new k8s secet backend config by @wallyworld in #18623

  • fix: google model destruction when missing model firewall by @hpidcock in #18536

  • fix: change String method of intValue to display value not pointer by @CodingCookieRookie in #18683

  • fix: panic in debug-log by @jack-w-shaw in #18688

  • fix(jaasbakery): fix RefreshDischargeURL by @ale8k in #18563

  • fix(ci): fix relation departing unit test on aws by @nvinuesa in #18715

  • fix(tests): add workaround for checking output of discourse-k8s charm action by @anvial in #18718

  • fix(simpleconnector): fix connect() method of simple connector to handle DialOptions by @ale8k in #18358

  • fix: allow setting provisioning info for dying machine by @manadart in #18500

  • fix: disambiguate k8s artefacts used for juju secrets by @wallyworld in #18675

  • fix: backport azure image lookup fix by @anvial in #18745

  • fix: cleanup k8s secret artefacts on model deletion by @wallyworld in #18673

  • fix: find azure address prefix from new api result; by @ycliuhw in #18776

  • fix: add recent introduced aws regions to update public clouds by @CodingCookieRookie in #18774

  • fix: reflecting watcher in error handling by @hpidcock in #18791

  • fix: upgrade go version to 1.23.6 to address GO-2025-3447 vuln by @nvinuesa in #18832

  • fix: correctly handle path segments in controller URL by @kian99 in #18703

  • fix: allow authorized external users to add clouds by @alesstimec in #18858

  • fix: use after release by @SimonRichardson in #18868

  • fix: parse corrected spelling of gratuitous-arp in Netplan by @manadart in #18918

  • fix: correct case of JSON/YAML field name for FilesystemInfo.Attachments by @benhoyt in #18931

  • fix(applicationoffers): handle permission validation correctly by @gfouillet in #18928

  • fix: ensure โ€˜app.kubernetes.io/name โ€™ label is set for user secrets by @wallyworld in #18950

  • fix: GetModelInfo method by @alesstimec in #18922

  • fix: copy mgo session when bulk deleting secrets by @wallyworld in #18953

๐Ÿฅณ New Contributors:

  • @lengau made their first contribution in #18670

  • @rthill91 made their first contribution in #18656

  • @samuelallan72 made their first contribution in #18365

  • @YanisaHS made their first contribution in #18903

๐Ÿ”ธ Juju 3.6.2ยถ

๐Ÿ—“๏ธ 21 Jan 2025 โš™๏ธ Features:

  • feat: add relation-model-get hook command by @wallyworld in #18444

๐Ÿ› ๏ธ Fixes:

  • fix: poor error message validating constraints by @CodingCookieRookie in #18447

  • fix: do not set provider addresses for manually provisioned machines by @manadart in #18535

  • fix: juju ssh enforcing port 22 by @CodingCookieRookie in #18520

  • fix: improve error messages for register โ€“replace by @wallyworld in #18513

  • fix: cater for leadership change during secret drain by @wallyworld in #18556

๐Ÿ”ธ Juju 3.6.1ยถ

๐Ÿ—“๏ธ 11 Dec 2024 โš™๏ธ Features:

  • feat: bump pebble version to v1.17.0 by @benhoyt in #18462

  • feat(cmd-register): prevent replacing existing controller if logged in by @ca-scribner in #18079

  • feat: remove upgradesteps API client by @manadart in #18374

  • feat: do not require upgradesteps API for migrations by @manadart in #18387

๐Ÿ› ๏ธ Fixes:

  • fix: do not fail probes during controller outage by @hpidcock in #18468

  • fix: allow refresh --base to pivot a charm by @jameinel in #18215

  • fix: fix bootstrap issue on k8s snap by @wallyworld in #18366

  • fix: azure panic by @jack-w-shaw in #18345 #18346 #18371

  • fix: qualify azure role definition with subscription by @wallyworld in #18438

  • fix(ha): ignore virtual IP CIDR/32 by @gfouillet in #18297

  • fix(logforwarder): add Close method to LogStream interface by @gfouillet in #18278

  • fix(state): add assertion on the number of relations when adding relations by @alesstimec in #18288

  • fix: fallback to env config when no base set by @SimonRichardson in #18355

  • fix(login): use nil instead of empty user tag for NewLegacyLoginProvider by @gfouillet in #18290

  • fix(ec2): remove auto assigned public IP when constraint is false by @nvinuesa in #18432

๐Ÿ”ธ Juju 3.6.0ยถ

๐Ÿ—“๏ธ 26 Nov 2024 โš™๏ธ Features:

  • Rootless charms on k8s

  • Azure managed identities

  • Idempotent Secrets

  • The default base was bumped up to noble 24.04

๐Ÿ› ๏ธ Fixes: See the full list in these milestone pages: