The following sections describe the currently known issues in SaltStack Enterprise version 6.4.0.
- If the PostgreSQL database is not set to use UTF-8, sorting will not be consistent across the application.
- Job return numbers may differ from target numbers based on current key state and grain data.
- When creating compound targets using grains, the Enterprise API will return no minions if the grain name has a space in the name. Change the name of the grain to remove spaces.
- When upgrading SaltStack Enterprise, some users might notice a queue of stale jobs that are stuck in a pending state. Upgrading the Enterprise API (RaaS) node can cause these jobs to run unless they are first cleared out. See the Upgrade the Enterprise API (RaaS) node step in the Upgrade from a previous version guide for more information.
The Enterprise Console¶
- Scheduled jobs display in the Enterprise Console only if scheduled within the next 12 weeks.
- After upgrading SaltStack Enterprise (for example, from 6.3.0 to 6.4.0), you must clear your web browser cache. Failing to clear the cache might result in unpredictable behavior in the Enterprise Console.
- When running jobs against a large number of minions, only 2,000 job returns show in the Enterprise Console by default. To retain job returns for all minions, use the Enterprise API to query the
If you are using multiple masters and have enabled
sseapi_cluster_idon more than one master, the master might not show up in the Reports workspace in the Master version report (Home > Reports > Master Versions). It might also affect masters that have been installed using a single-node installation.
To check whether your system is affected by this issue, SSH into your master and run the following command:
sudo salt-run config.get sseapi_cluster_id
If you find nothing after running this command, then this issue does not apply to you. If you do see a response, it means you have enabled
sseapi_cluster_idand your master does not appear in the report. If this node is not in a cluster, you can safely comment the configuration out and restart your salt-master. However, if your master is operating in a cluster, you must not change this setting.
SaltStack Comply and SaltStack Protect¶
- SaltStack Comply and SaltStack Protect require Salt version 2018.3.3 or later for Linux or Unix minions, and 3000 or higher for Windows minions.
- It is recommended SaltStack Comply and SaltStack Protect assessments and remediations are run weekly or biweekly for target groups greater than 1,000 minions. If run more frequently, the results table will quickly consume all available disk space.
- In the Enterprise Console, SaltStack Protect does not show any minions included in a newly-created policy until you have run the first assessment.
- A SaltStack Protect security policy’s Advisories tab does not show vulnerabilities that have been remediated. To view remediated advisories, go to the policy’s Minions tab, select a remediated minion, and then select the Last Remediation tab to verify the minion was remediated.
- Remediating vulnerabilities on a minion might not result in any changes to the minion if the operating system has not yet provided updated packages required to remediate the vulnerability. In these cases, the remediation job returns successfully, but the vulnerabilities have not been remediated.
- After running a SaltStack Protect scan one day, vulnerabilities are shown in the policy dashboard charts. If those vulnerabilities are not remediated and a new scan is run the following day, the policy chart resets to zero and begins with a fresh count for that day. This behavior is expected as the chart is intended to act as a daily scan summary. The chart does not display results for the days on which no vulnerability scans were run.
- In SaltStack Comply, you might need to repeat the process of remediating and scanning multiple times in order to achieve full compliance. This is because some checks are dependent on the completion of others. For example, one check might require a package that’s deployed by another check before it can be remediated properly.
LDAP and Active Directory¶
- When configuring Active Directory services, the results are limited to 10,000 users or less. Using a filter can help narrow down the directory to the specific users you would like to sync with SaltStack Enterprise.