Sorry for the confusion.

I mixed the patch with an old one which tried to patch this file... My
fault.

On 06 Mar 10:26, Robert Nagy wrote:
> On 06/03/24 10:44 +0100, Uwe Werler wrote:
> > Salü Robert,
> > 
> > it seems that patches/patch-salt_utils_network_py is already in the attic...
> > 
> > Best regards
> > 
> > Uwe
> 
> Why would we need that patch? I am confused.
>  
> > On 06 Mar 08:56, Robert Nagy wrote:
> > > On 06/03/24 08:43 +0100, Robert Nagy wrote:
> > > > I think we can backport this until there is a new release out.
> > > 
> > > Please try the following diff:
> > > 
> > > Index: Makefile
> > > ===================================================================
> > > RCS file: /cvs/ports/sysutils/salt/Makefile,v
> > > diff -u -p -u -r1.183 Makefile
> > > --- Makefile      1 Mar 2024 12:02:55 -0000       1.183
> > > +++ Makefile      6 Mar 2024 07:56:07 -0000
> > > @@ -18,6 +18,8 @@ COMMENT =               remote execution and configur
> > >  MODPY_EGG_VERSION =      3006.7
> > >  DISTNAME =               salt-${MODPY_EGG_VERSION}
> > >  
> > > +REVISION =               0
> > > +
> > >  CATEGORIES =             sysutils net devel
> > >  
> > >  HOMEPAGE =               https://saltproject.io/
> > > Index: patches/patch-salt_channel_server_py
> > > ===================================================================
> > > RCS file: patches/patch-salt_channel_server_py
> > > diff -N patches/patch-salt_channel_server_py
> > > --- /dev/null     1 Jan 1970 00:00:00 -0000
> > > +++ patches/patch-salt_channel_server_py  6 Mar 2024 07:56:07 -0000
> > > @@ -0,0 +1,52 @@
> > > +52d98866200384dbaf3dbdecf66de00ff6d2195c fix: Older keys end with a 
> > > newline, this breaks minion auth.
> > > +4e72e2f0a57b594c3f7e14cc385a066097a268b2 fix: typo's
> > > +0f4c022fdaabb41962e7fde1baca7bf73122f534 Simply check against cleaned 
> > > key from disk.
> > > +ecc39aa994c55b22c10320380abf6bd24529496d Refactor and add some tests
> > > +
> > > +Index: salt/channel/server.py
> > > +--- salt/channel/server.py.orig
> > > ++++ salt/channel/server.py
> > > +@@ -52,6 +52,16 @@ class ReqServerChannel:
> > > +         transport = salt.transport.request_server(opts, **kwargs)
> > > +         return cls(opts, transport)
> > > + 
> > > ++    @classmethod
> > > ++    def compare_keys(cls, key1, key2):
> > > ++        """
> > > ++        Normalize and compare two keys
> > > ++
> > > ++        Returns:
> > > ++            bool: ``True`` if the keys match, otherwise ``False``
> > > ++        """
> > > ++        return salt.crypt.clean_key(key1) == salt.crypt.clean_key(key2)
> > > ++
> > > +     def __init__(self, opts, transport):
> > > +         self.opts = opts
> > > +         self.transport = transport
> > > +@@ -371,7 +381,7 @@ class ReqServerChannel:
> > > +         elif os.path.isfile(pubfn):
> > > +             # The key has been accepted, check it
> > > +             with salt.utils.files.fopen(pubfn, "r") as pubfn_handle:
> > > +-                if salt.crypt.clean_key(pubfn_handle.read()) != 
> > > load["pub"]:
> > > ++                if not self.compare_keys(pubfn_handle.read(), 
> > > load["pub"]):
> > > +                     log.error(
> > > +                         "Authentication attempt from %s failed, the 
> > > public "
> > > +                         "keys did not match. This may be an attempt to 
> > > compromise "
> > > +@@ -480,7 +490,7 @@ class ReqServerChannel:
> > > +                 # case. Otherwise log the fact that the minion is still
> > > +                 # pending.
> > > +                 with salt.utils.files.fopen(pubfn_pend, "r") as 
> > > pubfn_handle:
> > > +-                    if salt.crypt.clean_key(pubfn_handle.read()) != 
> > > load["pub"]:
> > > ++                    if not self.compare_keys(pubfn_handle.read(), 
> > > load["pub"]):
> > > +                         log.error(
> > > +                             "Authentication attempt from %s failed, the 
> > > public "
> > > +                             "key in pending did not match. This may be 
> > > an "
> > > +@@ -536,7 +546,7 @@ class ReqServerChannel:
> > > +                 # so, pass on doing anything here, and let it get 
> > > automatically
> > > +                 # accepted below.
> > > +                 with salt.utils.files.fopen(pubfn_pend, "r") as 
> > > pubfn_handle:
> > > +-                    if salt.crypt.clean_key(pubfn_handle.read()) != 
> > > load["pub"]:
> > > ++                    if not self.compare_keys(pubfn_handle.read(), 
> > > load["pub"]):
> > > +                         log.error(
> > > +                             "Authentication attempt from %s failed, the 
> > > public "
> > > +                             "keys in pending did not match. This may be 
> > > an "
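Review bot: A non-string or malformed `load["pub"]` may now raise inside the auth handler instead of being rejected and logged, because `compare_keys` passes the minion-supplied value through `salt.crypt.clean_key` at all three call sites (the accepted-key check and both pending-key checks). The old code cleaned only the key read from disk and compared it to the raw payload, so a bad value simply failed the `!=` test; `clean_key` itself is not visible here, so whether it tolerates such input needs confirming. Assuming both keys are always `str` on the valid path, a guard at the top of `compare_keys` such as `if not isinstance(key1, str) or not isinstance(key2, str): return False` keeps the failure on the logged rejection path. The docstring should also say exactly which differences the normalization ignores (the commit subjects mention only a trailing newline), since that now defines which submitted keys count as equal to the accepted one. The enclosing auth method bodies continue outside the quoted hunks.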
> > > Index: patches/patch-salt_grains_core_py
> > > ===================================================================
> > > RCS file: /cvs/ports/sysutils/salt/patches/patch-salt_grains_core_py,v
> > > diff -u -p -u -r1.12 patch-salt_grains_core_py
> > > --- patches/patch-salt_grains_core_py     28 Apr 2023 18:30:40 -0000      
> > > 1.12
> > > +++ patches/patch-salt_grains_core_py     6 Mar 2024 07:56:07 -0000
> > > @@ -24,7 +24,7 @@ Index: salt/grains/core.py
> > >       return grains
> > >   
> > >   
> > > -@@ -2652,10 +2654,12 @@ def os_data():
> > > +@@ -2744,10 +2746,12 @@ def os_data():
> > >               # derive osrelease from kernelversion prior to that
> > >               grains["osrelease"] = grains["kernelrelease"].split("-")[0]
> > >           grains.update(_bsd_cpudata(grains))
> > 
> > -- 
> > wq: ~uw
> 
> -- 
> Regards,
> Robert Nagy

-- 
wq: ~uw
