Juju 4.0.1

🗓️ 22 Jan 2026

🎯 Highlights

• Migration/import reliability work continues: more of the end-to-end plumbing lands (activation, rollback safety, and import ordering fixes).

• Controller destruction is safer and clearer: better behavior when the controller still hosts models.

• Vault secrets are easier to integrate: mount-path support reduces “works only with my Vault layout” friction.

• More helpful operational visibility: richer status/cluster visibility and more resilient debug tooling.

⚠️ Breaking changes

• Kubernetes attach-storage feature flag removed: --attach-storage works on Kubernetes models without needing a feature flag. feat: remove k8s attach storage feature flag

🚀 Features (key changes)

This is a patch release focused on reliability and usability improvements. There is no new major functionality. Key changes include:

• Model import becomes “transactional” at the end: importing a model now activates it only at the final step, treating activation as the commit point across multiple import transactions. This reduces “half-imported model” states. feat: activate model on import step finale

• Import/migration gains stronger rollback tooling: adds tooling to inspect database tables inside a transaction before rollback, making foreign-key failures debuggable (SQLite errors can be extremely vague otherwise). feat: add tooling to view tables within transaction before rollback

• Controller destruction: hosted-model handling is explicit: Juju now prompts/handles controller destruction workflows more safely when hosted models exist (instead of treating “controller model only” and “hosted models present” the same way). feat: destroy controller hosted models

• Secrets + Vault: mount-path support: Vault-backed secrets can be configured with an explicit Vault mount path, so Juju can fit into pre-existing Vault mount layouts cleanly. feat(secrets): add support for vault mount path

• Operational visibility: cluster details in status: juju status can surface cluster-level details, improving “at a glance” understanding of controller health/topology. feat: output cluster details in status

Full ist list of changes: https://github.com/juju/juju/releases/tag/v4.0.1

🛠️ Fixes

🔐 Secrets and secret backends

Secrets had correctness gaps that operators hit quickly. Delete operations failed if the external secret was already gone. Rotate policy updates didn’t always stick. Label + refresh paths could return the wrong value.

Listing also needed to help humans. If output lacks backend name or revision context, operators can’t audit or debug. And when Kubernetes tunnelling and Vault mount paths interact, Juju must keep behavior consistent instead of “works here, fails there.”

• fix: handle case where external secret not found on delete

• fix(secretbackend): support complex config values

• fix: ensure secret rotate policy can be updated

• fix: ensure secret-get with label and refresh returns the right value

• fix: k8s tunneller context and vault mount path compatibility

• fix(secretbackend): immutability for built-in backends

• fix(secrets): rotate policy handling

• fix(secret): support filtering secrets by label

• fix(secret): allows several units having the same label for owned secret

• fix(secret): updates a secret while passing the label

• fix: k8s missing secret backend value for k8s and external vault

🧭 Migration/import correctness

Import breaks hard when steps run in the wrong order. CMR models exposed this immediately: relations tried to load before remote applications existed, and the database rejected the write.

Legacy data also tripped migrations. Juju 4 drops fan networking, but Juju 3 can still export fan addresses. We need import to handle those leftovers instead of blocking migrations on old artifacts.

• fix: issue prevening model migration to 3.x, bump dependencies

• fix: handle loopback addresses without subnet UUID in import

• fix(import): generate and include NetNodeUUID when creating machines

• fix(operation): finalize migration

• fix: relations must be imported after CMRs

• fix: import machine with left over fan addr

🧱 Controller, API, and lifecycle safety

Operators hit controller flows that should never feel fragile: login, kill-controller, destroy-controller. In 4.0.0, some of these failed in edge cases like empty credentials or live hosted models, and the errors didn’t always help. HA made this worse. Connections break; Juju should reconnect cleanly and keep going, not restart workers in a way that loses the address it needs to recover.

• fix: login to controllers

• fix: api remote caller reconnect on broken

• fix: show a helpful error message when destroying a controller with live models

• fix: persist controller node agent version

• fix: handle empty credential for kill-controller

🔎 Status/history/logging

Juju leaked or held idle connections too long and could run out of file descriptors. It also logged only RPC-upgraded requests, which left gaps for other endpoints that operators care about.

Status history also needed to stay accurate. CAAS status entries missed timestamps, some “newest entry” behavior didn’t behave as expected, and application status history sometimes recorded under the wrong key—which breaks tools like status-log.

• fix: timeout idle fds

• fix: log all API requests not just RPC ones

• fix(status): return the newest entry in GetStatusHistory

• fix: application status history record

• fix: show-status-log for applications

• fix: set Since field on statuses on caas provisioning

🌐 Networking, ports, firewalling, MAAS

Provider integrations can cause damage when they misbehave. On OpenStack, Juju risked deleting the wrong ports because it filtered too broadly. On MAAS, Juju treated volumes as MAAS-provisioned even when they weren’t, and tag validation didn’t always run depending on input shape.

Kubernetes firewaller logic also had sharp edges. It hid “not found” errors and didn’t shut down cleanly when apps disappeared, which led to unstable worker behavior and harder debugging.

• fix: filter ports by server

• fix: caasfirewaller implementation issues in 4.0

• fix: tighten permissions on netplan config files

• fix: overriding managed-by label

• fix: MAAS storage provisioning

📦 Resources, constraints, Charmhub interactions

Some failures came from “looks fine until deploy fails.” Space constraints broke because prepared statement caching collided on struct names, and expensive prepare calls inside transactions hurt both performance and stability.

Resource handling also needed to match real use. Juju should accept legitimate empty resources, record resource IDs correctly, and block uploads when the model isn’t in the right importing state. Mount path fixes belong here too: Juju must consult the right container mount definitions and mount workloads in the right place.

• fix: use sqlair Preparer for space constraints

• fix: consume offer should take the offer name from offer url

• fix(resources): allows empty resources

• fix(resources): prevent resource upload when model is not importing

• fix: relation incompatible bases issue

• fix: charmhub request not using latest base track on error

• fix: consult charm container volume mounts for the correct mount path

• fix(modelconfig): coerce provider-specific config attributes from DB

🧰 Build/test/tooling correctness

CI and safety checks should fail loudly and clearly when something breaks—and stay quiet when things are fine. Some integration tests failed without useful output, which slowed triage. Some watcher tests flaked under load due to timing assumptions.

• fix: target specific build tags

• fix: task logs watcher test flakyness

• fix(charmrevisionner): refresh timer incorrectly reset on model-config change

• fix: obsolete rev watcher and consumed secrets watcher

• fix: transaction rollback handling

• fix: get correct controller uuid for image metadata cli

• fix: ddlgen script for versions with tags

• fix(ci): metrics tests didn’t check the right logger

• fix(ci): update ubuntu charm in run_secret_drain

• fix(operation): improve error handling for undefined charm actions

• fix: check agent binary version and architecture

🔒 Security / hardening

Provisioning needs modern config. Cloud-init’s older apt mirror settings no longer work the way users expect, so Juju must use the supported spec. Agent binary fetching needed stricter validation too—version alone isn’t enough.

• fix: reduce the scope of the resources the mutating webhook matches on

• fix: use new apt mirror spec with cloud init

📚 Documentation updates

Secret backend package documentation: introduces internal documentation for secretbackend, making backend behavior and extension points easier to reason about. docs(secretbackend): introduce package documentation

📘 Summary

Overall, 4.0.1 focuses on making the Juju 4.0 more dependable for real migrations, safer controller lifecycle operations, and smoother day-2 debugging and secrets usage.