Minion-master version mismatch false positive

Discussion:

David Ward

2014-06-16 01:47:21 UTC

Hi,

I just setup a new SOE based on our last SOE (with with ubuntu updates etc)
and in testing it out I am getting this in the logs:

2014-06-16 11:39:48,044 [py.warnings ][WARNING ]
/usr/lib/pymodules/python2.7/salt/minion.py:594: DeprecationWarning: Master
pub message signing is disabled but we received a signature for this
message. Most likely this means that your masters and minions are not the
same version. After Salt 0.17.6 this situation will throw an exception.
salt.utils.warn_until((0, 17, 6), 'Master pub message signing is disabled
but we '

Master:
ii salt-common 0.17.5-1precise1
Shared libraries that salt requires for all
packages
ii salt-master 0.17.5-1precise1
This package provides a remote manager to
administer servers via salt
ii salt-minion 0.17.5-1precise1
This package represents the client package for salt

Minion:
ii salt-common 0.17.5-1precise1
Shared libraries that salt requires for all
packages
ii salt-minion 0.17.5-1precise1
This package represents the client package for salt

I am not sure what pub signing is exactly in relation to salt.

Any thoughts appreciated.

Thanks.

--
You received this message because you are subscribed to the Google Groups "Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/***@public.gmane.org
For more options, visit https://groups.google.com/d/optout.

C. R. Oldham

2014-06-16 04:51:31 UTC

Permalink

/usr/lib/pymodules/python2.7/salt/minion.py:594: DeprecationWarning: Master pub message signing is disabled but we received a signature for this message.

Hi Dave,

We started cryptographically signing messages published from the master late in the 0.17 series as an additional security measure. Originally that defaulted to off to avoid incompatibilities and was supposed to default to on as of the 2014 series. It looks like we didn't change that default. I'll check when I get in the office tomorrow to see where that is at. If you turn on sign_pub_messages in the master config file does that help? See here for more information:

https://github.com/saltstack/salt/blob/0.17/conf/master#L191-205

ii salt-common 0.17.5-1precise1 Shared libraries that salt requires for all packages
ii salt-master 0.17.5-1precise1 This package provides a remote manager to administer servers via salt
ii salt-minion 0.17.5-1precise1

Thanks for that, it was very helpful to have your versions.

--cro

David Ward

2014-06-16 05:21:46 UTC

Permalink

Thanks CR.

I just wanted to add, I am seeing a bit of this in the minion logs too:

2014-06-16 13:20:27,226 [salt.minion ][WARNING ] The minion function
caused an exception: Traceback (most recent call last):
File "/usr/lib/pymodules/python2.7/salt/minion.py", line 722, in
_thread_return
return_data = func(*args, **kwargs)
File "/usr/lib/pymodules/python2.7/salt/modules/state.py", line 254, in
highstate
st_ = salt.state.HighState(opts, pillar)
File "/usr/lib/pymodules/python2.7/salt/state.py", line 2465, in __init__
self.state = State(self.opts, pillar)
File "/usr/lib/pymodules/python2.7/salt/state.py", line 518, in __init__
self.opts['pillar'] = self._gather_pillar()
File "/usr/lib/pymodules/python2.7/salt/state.py", line 535, in
_gather_pillar
ret = pillar.compile_pillar()
File "/usr/lib/pymodules/python2.7/salt/pillar/__init__.py", line 62, in
compile_pillar
aes = key.private_decrypt(ret['key'], 4)
File "/usr/lib/python2.7/dist-packages/M2Crypto/RSA.py", line 63, in
private_decrypt
return m2.rsa_private_decrypt(self.rsa, data, padding)
RSAError: data greater than mod len

2014-06-16 13:40:32,388 [salt.minion ][WARNING ] The minion function
caused an exception: Traceback (most recent call last):
File "/usr/lib/pymodules/python2.7/salt/minion.py", line 722, in
_thread_return
return_data = func(*args, **kwargs)
File "/usr/lib/pymodules/python2.7/salt/modules/state.py", line 254, in
highstate
st_ = salt.state.HighState(opts, pillar)
File "/usr/lib/pymodules/python2.7/salt/state.py", line 2465, in __init__
self.state = State(self.opts, pillar)
File "/usr/lib/pymodules/python2.7/salt/state.py", line 518, in __init__
self.opts['pillar'] = self._gather_pillar()
File "/usr/lib/pymodules/python2.7/salt/state.py", line 535, in
_gather_pillar
ret = pillar.compile_pillar()
File "/usr/lib/pymodules/python2.7/salt/pillar/__init__.py", line 62, in
compile_pillar
aes = key.private_decrypt(ret['key'], 4)
File "/usr/lib/python2.7/dist-packages/M2Crypto/RSA.py", line 63, in
private_decrypt
return m2.rsa_private_decrypt(self.rsa, data, padding)
RSAError: data greater than mod len

I'll look into this sign_pub_messages config option and post back.

Thanks.

Master pub message signing is disabled but we received a signature for this
message.
Hi Dave,
We started cryptographically signing messages published from the master
late in the 0.17 series as an additional security measure. Originally that
defaulted to off to avoid incompatibilities and was supposed to default to
on as of the 2014 series. It looks like we didn't change that default.
I'll check when I get in the office tomorrow to see where that is at. If
you turn on sign_pub_messages in the master config file does that help?
https://github.com/saltstack/salt/blob/0.17/conf/master#L191-205

Post by David Ward
ii salt-common 0.17.5-1precise1

Shared libraries that salt requires for all
packages

Post by David Ward
ii salt-master 0.17.5-1precise1

This package provides a remote manager to
administer servers via salt

Post by David Ward
ii salt-minion 0.17.5-1precise1

Thanks for that, it was very helpful to have your versions.
--cro

David Ward

2014-06-16 05:32:38 UTC

Permalink

Also, I am in open_mode if that matters.