salt produces verbose python warnings since upgrading to 2014.1.10-4 #15548

Closed
deuscapturus opened this Issue Sep 5, 2014 · 6 comments

Contributor

deuscapturus commented Sep 5, 2014

How to fix or quiet these messages?

Platform: Amazon Linux AMI release 2014.03
Salt: 2014.1.10
Python: 2.6.9 (unknown, Mar 28 2014, 00:06:37)
Jinja2: 2.7.2
M2Crypto: 0.20.2
msgpack-python: 0.1.13
msgpack-pure: Not Installed
pycrypto: 2.6.1
PyYAML: 3.10
PyZMQ: 2.2.0.1
ZMQ: 3.2.4
gmp-4.3.2-1.11.amzn1.x86_64

@terminalmage - thanks for the help.

[root@ip-10-1-0-116 ec2-user]# service salt-master start
Starting salt-master daemon: /usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
/usr/lib64/python2.6/site-packages/Crypto/Util/randpool.py:40: RandomPool_DeprecationWarning: This application uses RandomPool, which is BROKEN in older releases.  See http://www.pycrypto.org/randpool-broken
  RandomPool_DeprecationWarning)
[root@ip-10-1-0-116 ec2-user]# salt -G 'roles:sdk' test.ping
/usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
/usr/lib64/python2.6/site-packages/Crypto/Util/randpool.py:40: RandomPool_DeprecationWarning: This application uses RandomPool, which is BROKEN in older releases.  See http://www.pycrypto.org/randpool-broken
  RandomPool_DeprecationWarning)

Member

terminalmage commented Sep 5, 2014

This doesn't look like it has anything to do with Salt.

The warning states that pycrypto should be built against libgmp >= 5. I'm not sure what repos your AMI is using. python-crypto is in RHEL/CentOS base, so this might be something for which a bug report needs to be submitted to Amazon to handle the packaging.

What is the output of yum info python-crypto on the minion?

@basepi basepi added Bug and removed Bug labels Sep 5, 2014

@basepi basepi added this to the Blocked milestone Sep 5, 2014

Member

basepi commented Sep 5, 2014

Yep, this does appear to be an upstream bug.

Member

UtahDave commented Sep 5, 2014

Yeah, this is an Amazon Linux packaging issue.

This state suppresses the warning, but doesn't fix the underlying issue:

https://gist.github.com/UtahDave/eb64e806328e5ebab5b7

Member

basepi commented Sep 5, 2014

Thanks for the workaround, @UtahDave! I'm going to close this one as an upstream bug since we have a workaround for now.

@basepi basepi closed this Sep 5, 2014

mrh666 commented Oct 2, 2014

First warning I easily suppressed on AWS Elastic Beanstalk (Amazon Linux):

yum -y install python-devel && \
wget https://ftp.gnu.org/gnu/gmp/gmp-6.0.0a.tar.bz2 && \
tar -xvjpf gmp-6.0.0a.tar.bz2 && \
cd gmp-6.0.0 && \
sudo ./configure && \
sudo make && \
sudo make check

And if all tests passed:

sudo make install && \
sudo yum install -y python-pip && \
sudo pip install --ignore-installed PyCrypto

Contributor

rfairburn commented Nov 20, 2014

Just in case this will help anyone, I went a step further and built rpms to push to all of my systems:

http://devop.ninja/configuration%20management/2014/11/20/saltstack-gmp-and-pycrypto-on-amazon-linux/

I can share out the packages themselves as well if needed once I get a little bit more testing done, but so far this seems sane.
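
An added check, not part of the thread and not Salt's or PyCrypto's own code: because a warning filter only hides the message, this script classifies the two PyCrypto warnings quoted in the issue from captured output and re-imports Crypto.Util.number in a fresh interpreter with warnings forced on, to confirm whether a rebuild actually removed PowmInsecureWarning. The names FINDINGS, classify and probe are this example's own.

```python
import re
import subprocess
import sys

# Categories seen in the output quoted in this issue, mapped to what they indicate.
FINDINGS = {
    "PowmInsecureWarning": "PyCrypto built without mpz_powm_sec (needs libgmp >= 5)",
    "RandomPool_DeprecationWarning": "something imports Crypto.Util.randpool",
}
# Default Python warning format: <file>.py:<line>: <Category>: <message>
WARNING = re.compile(r"(?P<path>\S+\.py):\d+: (?P<category>\w+): ")

# Sample input: lines copied from the salt-master output quoted in the issue.
SAMPLE = """\
Starting salt-master daemon: /usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
  _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
/usr/lib64/python2.6/site-packages/Crypto/Util/randpool.py:40: RandomPool_DeprecationWarning: This application uses RandomPool, which is BROKEN in older releases.  See http://www.pycrypto.org/randpool-broken
  RandomPool_DeprecationWarning)
"""


def classify(stderr_text):
    """Return {category: sorted source paths} for the known PyCrypto warnings."""
    found = {}
    for line in stderr_text.splitlines():
        m = WARNING.search(line)  # search, not match: init scripts prefix the line
        if m and m.group("category") in FINDINGS:
            found.setdefault(m.group("category"), set()).add(m.group("path"))
    return {cat: sorted(paths) for cat, paths in found.items()}


def probe(python=sys.executable):
    """Import Crypto.Util.number in a fresh interpreter with warnings forced on.

    Returns None if that interpreter cannot import Crypto at all.
    """
    proc = subprocess.run(
        [python, "-W", "always", "-c", "import Crypto.Util.number"],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True,
    )
    return classify(proc.stderr) if proc.returncode == 0 else None


if __name__ == "__main__":
    # Optional argument: path to the interpreter the service runs under.
    result = probe(sys.argv[1] if len(sys.argv) > 1 else sys.executable)
    if result is None:
        print("PyCrypto is not importable by that interpreter")
    for category in result or {}:
        print("STILL PRESENT: %s -> %s" % (category, FINDINGS[category]))
    sys.exit(1 if result else 0)
```

The probe only covers the build-time PowmInsecureWarning; the RandomPool warning depends on what the application imports, so it is detected from captured service output via classify.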
