I recently upgraded a control server to ansible 1.5.x and started getting these messages. The server where we have to run ansible is RHEL 6.x but it seems that the newest version of gmp available from RH is still only 4.3. (I suspect that python is using libgmp dynamically rather than statically linking it...)
The warning shows up on every single ansible run and spams us with email from some ansible jobs that launch from cron. I think I'm going to comment out the atfork block on our system just because this is so annoying - is there a better approach for RHEL6? Any way to suppress the warning or fix the issue without installing packages outside the standard repos?

-Jeremy

On Wednesday, August 21, 2013 10:54:51 PM UTC-5, Michael DeHaan wrote:
> Unless it's EL 5/6 where there is no ControlPersist, it's almost always
> better to use "-c ssh".
>
> On Wed, Aug 21, 2013 at 10:49 AM, Bruce Pennypacker <[email protected]> wrote:
>
>> Ever since a recent patch to our Amazon instances we've been getting this
>> warning when running Ansible:
>>
>> > PowmInsecureWarning: Not using mpz_powm_sec. You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
>>
>> In researching this I came across
>> https://github.com/ansible/ansible/issues/276 where a number of people
>> have reportedly just commented the warning out
>> of /usr/lib64/python2.6/site-packages/Crypto/Util/number.py and gone on
>> their merry way. Personally I don't like this approach since you're just
>> hiding the issue and not actually addressing it in any way.
>>
>> In doing a little more research and testing I found that if I comment out
>> the following block from ansible/lib/ansible/runner/__init__.py:
>>
>> HAS_ATFORK=True
>> try:
>>     from Crypto.Random import atfork
>> except ImportError:
>>     HAS_ATFORK=False
>>
>> And just replace this block with "HAS_ATFORK=False", then the warning
>> also goes away. What other side effects will this cause in Ansible if we
>> patch it this way? We'd much rather patch the application and deal with
>> side effects rather than patch system libraries in a way that just hides
>> the warning. Obviously upgrading libgmp would be the best solution, but we
>> don't have the cycles to start building & deploying our own system
>> libraries right now...
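
Added example, not part of the thread and not Ansible or PyCrypto code: the general problem that a post-fork reseed hook such as the `atfork` import quoted above exists to address. A forked child inherits a copy of any userspace random pool, so parent and child produce identical output until one of them reseeds. `ToyPool`, `fork_and_read` and `demo` are hypothetical names, and the pool is a constructed stand-in, not PyCrypto's generator.

```python
import hashlib
import os


class ToyPool:
    """Constructed stand-in for a userspace random pool (not PyCrypto's code)."""

    def __init__(self, seed):
        self._state = hashlib.sha256(seed).digest()

    def read(self, n=16):
        # Advance the internal state, then derive output bytes from it.
        self._state = hashlib.sha256(b"next" + self._state).digest()
        return hashlib.sha256(b"out" + self._state).digest()[:n]

    def atfork(self):
        # Mix in fresh kernel entropy and the pid, as a post-fork reseed would.
        fresh = os.urandom(32) + str(os.getpid()).encode()
        self._state = hashlib.sha256(self._state + fresh).digest()


def fork_and_read(pool, reseed_in_child):
    """Fork once; return (parent_bytes, child_bytes) drawn after the fork."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: holds a byte-for-byte copy of the parent's pool
        os.close(rfd)
        if reseed_in_child:
            pool.atfork()
        os.write(wfd, pool.read())
        os._exit(0)
    os.close(wfd)
    child_bytes = os.read(rfd, 16)
    os.close(rfd)
    os.waitpid(pid, 0)
    return pool.read(), child_bytes


def demo():
    """Return (collision without reseed, collision with reseed in the child)."""
    plain = fork_and_read(ToyPool(b"constructed seed"), reseed_in_child=False)
    hooked = fork_and_read(ToyPool(b"constructed seed"), reseed_in_child=True)
    return plain[0] == plain[1], hooked[0] == hooked[1]


if __name__ == "__main__":
    no_hook, with_hook = demo()
    print("no reseed, parent == child:", no_hook)
    print("reseed in child, parent == child:", with_hook)
```
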
