
IRC log for #salt, 2013-12-07


All times shown according to UTC.

Time Nick Message
00:03 aleszoulek joined #salt
00:06 quanta_ joined #salt
00:14 quanta_ terminalmage: grains.item path
00:14 quanta_ MacBook-Pro.local:
00:14 quanta_ path: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
00:15 quanta_ but when running pkg.list_upgrades: https://gist.github.com/7835049
00:16 terminalmage quanta_: so that's the path when you launch as root?
00:17 quanta_ terminalmage: yes, I am running minion as root
00:18 bemehow_ joined #salt
00:18 aleszoulek joined #salt
00:18 pipps joined #salt
00:20 terminalmage ok, I know there has been some recent development in the brew module
00:20 terminalmage if you could test against an up-to-date git checkout, that'd be best
00:21 zandy joined #salt
00:21 frosty996 have a good weekend #salt folks
00:21 terminalmage and if you still have the error, file an issue
00:21 shadowsun joined #salt
00:21 zooz joined #salt
00:21 frosty996 left #salt
00:22 terminalmage I'm out of here for the evening, have a good weekend folks
00:26 bemehow joined #salt
00:28 jimallman joined #salt
00:29 bemehow__ joined #salt
00:34 rojem joined #salt
00:35 quanta_ joined #salt
00:36 rojem joined #salt
00:37 zandy joined #salt
00:37 rojem joined #salt
00:43 pipps_ joined #salt
00:45 aleszoulek joined #salt
00:47 Katafalkas joined #salt
00:49 salticus joined #salt
00:51 swa_work joined #salt
00:53 cachedout joined #salt
01:06 pavera joined #salt
01:08 pavera Hey everyone, I'm brand new to salt, and really the whole config management/automation game (very brief experience with puppet 2-3 years ago).  I'm attempting to do something I feel is pretty simple but can't make heads or tails of it.. Basically I'm trying to use salt to setup the network config of 2 minions
01:09 pavera but I'm not seeing a good example in the docs of how to create a "custom" config file for different minions
01:10 pavera IE I can push out the same file to multiple minions easily, and have the file be defined by parameters in pillar
01:10 pavera any help would be greatly appreciated
01:14 NV err, what file are you pushing?
01:15 rockey afaik saltstack only supports rh/centos/fedora systems and you can find some information and the api here
01:15 rockey http://docs.saltstack.com/ref/states/all/salt.states.network.html
01:17 pavera I'm attempting to push /etc/network/interfaces
01:17 pavera the minions are ubuntu 12.04
01:18 pavera rockey I know the direct support only works for rh/centos... but I should be able to push the interfaces file to ubuntu and then run the command to restart networking
01:18 redondos joined #salt
01:19 Katafalkas joined #salt
01:19 bhosmer joined #salt
01:20 aleszoulek joined #salt
01:20 pavera I've successfully pushed /apt/sources.list.d/<new repo> files but those files are just static, except in 1 case I setup a pillar because the repo had a version number in it that varies, so I set the version I want in the pillar and then was able to generate the file and push it
01:23 pavera but I don't see how to differentiate the file per minion basically.. to inject different variables into the context based on the minion
01:25 NV pavera: you're talking about file.managed state?
01:25 NV if so, use a jinja templated source file
01:26 pavera yeah, that is what I'm attempting to do
01:26 pavera but I don't see how to say in the context block: interfaces: {look up the interface list for this minion in the pillar}
01:27 rojem joined #salt
01:27 pavera in pillar I have network:
01:27 nocturn joined #salt
01:27 nocturn joined #salt
01:28 pavera host01: eth0: <ip> eth1: <ip> host02: eth0: <ip> eth1: <ip>
01:29 NV use jinja in the state sls
01:29 NV or just look up the pillar directly in the templated file
01:29 NV (and dont use context)
01:30 pavera I mean, I don't know in the template what variable stores the current minion?
01:31 NV is english not your native language?
01:32 pavera I can do something like this {{ pillar.get('network') }}
01:32 pavera but right now I'm making the file for host01
01:33 NV pillar data is per-minion
01:33 pavera so I need to dereference the pillar.get('network')[<name of minion>]
01:33 NV so you should really have network.eth0 network.eth1 etc
01:33 pavera ok, then I'm adding it to the pillar incorrectly
01:33 NV without the name of the minion in between it
01:33 NV because each minion will have a different network dict anyway
01:34 NV alternatively, if you actually do want to get the minion id, it is exposed in a grain, but reorganise your pillar data
01:35 pavera ok so in laying out my pillar data, how would I go about adding data to a specific minion?
01:35 NV have /srv/pillar/network/minionname.sls
01:35 pavera in my pillar top file would I just put in a section specific to each minion?
01:36 NV where each minionname.sls has the network dict for that minion
01:36 NV then in top.sls include network.minionid when minionid is matched
01:36 NV etc
01:36 pavera ok
01:36 pavera thanks!
01:37 pavera is my general approach ok?  I'm really new to this, but is there any other way to do network config for ubuntu?
01:38 AdamSewell joined #salt
01:38 NV tbh im not sure why you're doing network config with salt at all
01:38 NV for salt to work, your network must already work
01:39 NV network config seems to make more sense being done when your vm is provisioned
01:39 pavera well, these are physical machines
01:40 pavera they boot up and 1 interface comes up via static DHCP, but I have 2-4 other networks that the machines are connected to
01:40 pavera I suppose I could put a DHCP server everywhere
01:42 Gareth pavera: I just added some code to manage networking on Debian/Ubuntu machines, it got added into the develop branch this morning.
01:43 rockey using the correct network infrastructure, you can have very few DHCP servers in your entire environment
01:43 pavera yeah, I meant I could trunk all the VLANs onto my DHCP server and setup scopes for all the networks
01:44 pavera not that I would have more physical DHCP servers...
01:45 NV pavera: better would be using dhcp relaying :P
01:45 pavera well... then I'd have to get a better switch :)
01:46 NV is there not a router on each vlan?
01:46 pavera no, most of them are internal only/private networks
01:48 rockey so how are they communicating with salt-master with no routing? :)
01:48 pavera because each host has a NIC in the management network
01:49 pavera which is where the salt master lives (and also that VLAN does have a router and can talk to the internet)
02:02 jalbretsen joined #salt
02:03 lyska joined #salt
02:08 bemehow joined #salt
02:10 ckao joined #salt
02:21 favadi joined #salt
02:24 pavera Ok! thanks NV and rockey, that is working now
02:24 quanta_ joined #salt
02:29 lyska joined #salt
02:32 thelorax123 joined #salt
02:35 quanta_ joined #salt
02:36 ckao joined #salt
02:41 redondos joined #salt
02:41 lyska joined #salt
02:43 ertac joined #salt
03:03 quanta_ joined #salt
03:12 jimallman joined #salt
03:18 flebel joined #salt
03:24 junedm joined #salt
03:30 junedm joined #salt
03:30 junedm left #salt
03:32 mgw joined #salt
03:32 MZAWeb joined #salt
03:50 altj joined #salt
03:57 quanta_ joined #salt
04:00 Gifflen joined #salt
04:06 vipul joined #salt
04:16 xmltok joined #salt
04:34 logix812 joined #salt
04:45 ckao joined #salt
04:46 quanta_ joined #salt
05:08 ckao joined #salt
05:09 nocturn joined #salt
05:25 cowyn joined #salt
05:38 quanta_ joined #salt
05:39 quanta_ joined #salt
05:40 ckao joined #salt
05:43 prooty joined #salt
05:44 MZAWeb joined #salt
05:45 higgs001 joined #salt
06:01 thelorax123 joined #salt
06:07 cachedout joined #salt
06:12 thelorax123 joined #salt
06:19 nkuttler joined #salt
06:24 qx__ joined #salt
06:26 sandGorgon joined #salt
06:47 kermit joined #salt
07:29 thelorax123 joined #salt
07:34 quanta_ joined #salt
07:39 quanta_ joined #salt
07:51 thelorax123 joined #salt
08:11 Katafalkas joined #salt
08:20 pdayton joined #salt
08:28 rope_ joined #salt
08:32 quanta_ joined #salt
08:39 juso joined #salt
08:46 cowyn joined #salt
08:59 dennyamd joined #salt
09:02 dennyamd joined #salt
09:03 dennyamd joined #salt
09:06 fllr joined #salt
09:34 Katafalkas joined #salt
09:46 sgviking joined #salt
09:58 aleszoulek joined #salt
10:07 fllr joined #salt
10:10 bhosmer joined #salt
10:16 sandGorgon joined #salt
10:38 pengunix joined #salt
10:45 sandGorgon joined #salt
10:57 jakub joined #salt
11:07 fllr joined #salt
11:30 bhosmer joined #salt
11:33 netzmonster joined #salt
11:44 quanta_ joined #salt
11:48 aleszoulek joined #salt
11:52 sandGorgon joined #salt
11:58 anuvrat joined #salt
12:05 quanta_ joined #salt
12:06 bruniolos joined #salt
12:07 fllr joined #salt
12:17 logix812 joined #salt
12:36 redondos joined #salt
12:36 redondos joined #salt
13:00 Sheco joined #salt
13:03 quanta_ joined #salt
13:07 fllr joined #salt
13:22 patrek Is there a tutorial on how to use the mine_functions (setting values from minions and fetching them in a state file)?
13:24 junedm joined #salt
13:29 junedm1 joined #salt
13:30 junedm1 left #salt
13:36 zooz joined #salt
13:42 quanta_ joined #salt
13:48 sandGorgon joined #salt
13:50 che-arne joined #salt
13:54 anuvrat joined #salt
13:59 quickdry21 joined #salt
14:05 anitak joined #salt
14:07 fllr joined #salt
14:12 Psi-Jack_ joined #salt
14:12 AdamSewell joined #salt
14:19 junedm joined #salt
14:19 junedm left #salt
14:22 ertac joined #salt
14:25 junedm joined #salt
14:25 junedm left #salt
14:40 jimallman joined #salt
14:41 Tekni joined #salt
14:56 anuvrat joined #salt
14:56 ertac joined #salt
15:03 a1j joined #salt
15:07 fllr joined #salt
15:17 rojem joined #salt
15:25 altj joined #salt
15:28 mgw joined #salt
15:29 rojem joined #salt
15:29 xinkeT joined #salt
15:33 dvogt joined #salt
15:37 isomorphic joined #salt
15:42 andersb joined #salt
15:45 jslatts joined #salt
15:48 darrend joined #salt
15:58 pdayton joined #salt
16:01 MZAWeb joined #salt
16:03 favadi joined #salt
16:07 fllr joined #salt
16:08 anuvrat joined #salt
16:08 logix812 joined #salt
16:08 swa_work joined #salt
16:08 JordanRinke joined #salt
16:08 jkyle joined #salt
16:08 indymike joined #salt
16:08 Nazzy joined #salt
16:08 crazysim joined #salt
16:08 terminalmage joined #salt
16:08 opapo joined #salt
16:08 abele joined #salt
16:08 copelco joined #salt
16:08 jean-philippe joined #salt
16:08 giantlock joined #salt
16:08 shennyg joined #salt
16:08 carnedepassaro joined #salt
16:08 drogoh joined #salt
16:08 godber joined #salt
16:08 jpaetzel joined #salt
16:08 codysoyland joined #salt
16:08 brutasse joined #salt
16:08 _FL1SK joined #salt
16:08 NV joined #salt
16:08 cyrusdavid joined #salt
16:08 londo_ joined #salt
16:08 chitown joined #salt
16:08 \ask joined #salt
16:08 mirko joined #salt
16:08 jcockhren anyone got external_auth via pam with 0.17.2?
16:08 jcockhren working?
16:12 modafinil joined #salt
16:12 scristian joined #salt
16:16 jcockhren yep... totally a blocker.
16:16 jcockhren hanging on commands being run even after auth
16:24 jimallman joined #salt
16:37 bhosmer joined #salt
16:41 elfixit joined #salt
16:52 Katafalkas joined #salt
16:54 smccarthy joined #salt
17:07 fllr joined #salt
17:08 rojem joined #salt
17:08 thelorax123 joined #salt
17:16 MZAWeb joined #salt
17:17 zandy joined #salt
17:19 rojem joined #salt
17:26 freelock_ joined #salt
17:27 freelock_ Hi,
17:28 freelock_ Curious about the best approach for distributing an SSL certificate...
17:28 freelock_ We manage a mix of customer servers and internal production servers
17:28 freelock_ have a wild card certificate that needs to be updated on our internal production servers only
17:28 freelock_ I'd like to push out via salt
17:29 freelock_ but if I make it available through salt:// , seems like a customer might potentially be able to retrieve it
17:29 alunduil joined #salt
17:29 freelock_ If I put it in Pillar, I can keep it away from customer boxes, but then its contents would be sent with every salt update...
17:30 freelock_ is there another approach I could use to only make it available to certain servers?
17:30 freelock_ I'm thinking possibly environments, but don't really understand how to get started with those
17:32 higgs001 joined #salt
17:36 mapu joined #salt
17:38 Katafalkas joined #salt
17:55 jcockhren freelock_:
17:55 jcockhren freelock_: there's a couple approaches you can use
17:56 jcockhren I suggest using pillar to contain the s3 location
17:56 jcockhren secure the s3 bucket and have the certificates accessed via the s3 salt module
17:57 jcockhren with pillar, you can target the pillar data
17:57 jcockhren in its top file
17:57 jcockhren http://docs.saltstack.com/topics/pillar/index.html
17:58 jcockhren freelock_: ^
17:58 freelock_ s3 as in aws?
17:58 jcockhren yeah. OR what ever store you choose
17:59 jcockhren doesn't have to be s3... s/s3/youfavoritestore/
18:00 zandy joined #salt
18:01 freelock_ Hmm. In general that seems like a workable approach -- just not sure I want to have the private key in more places than necessary -- is there a secure way to set this up in the salt:// store? e.g. in an environment only accessible from certain matching hosts?
18:02 jcockhren firstly: access s3 with api creds.
18:02 jcockhren secondly: yes
18:02 jcockhren of course this requires you to define "secure"
18:03 jcockhren you can limit states and data to certain minions
18:03 freelock_ :-)
18:06 fllr joined #salt
18:07 freelock_ I'm still having a hard time getting my head around how to actually use environments.
18:07 freelock_ Where/how does a minion get associated with an environment?
18:07 jcockhren where? the states top file and in the minion's config
18:09 jcockhren http://docs.saltstack.com/ref/configuration/minion.html?highlight=environment#environment
18:09 jcockhren freelock_: ^
18:10 freelock_ what has me confused is that the top file is in the environment ?!?
18:10 jcockhren only in the base env
18:10 jcockhren one gotcha
18:10 jcockhren the top files from all the environments are merged
18:11 jcockhren it's best to only define the top file in the base environment
18:11 jcockhren and in that top file you can place states under those environments
18:11 jcockhren soo... gotcha!
18:12 jcockhren ;)
18:12 freelock_ ok. So if I use the gitfs back end, and specify a different branch per environment,
18:12 jcockhren only have a top file in the master branch
18:12 freelock_ then the top file in the master branch should contain the matching rules to specify the environment for a minion?
18:13 jcockhren 1. you set the environment of a minion in its config
18:13 jcockhren see the docs
18:13 jcockhren 2. the job of the top file is to associate minions within that environment to states
18:14 Sheco joined #salt
18:14 freelock_ ok. The main thing I'm thinking about is that I don't trust (all) my minions
18:14 jcockhren so if a minion has a 'environment: dev' in its config
18:15 jcockhren and you have a git branch of states associated with 'dev'
18:15 freelock_ so if a minion can declare its environment, it can conceivably reach a private key file wherever I put it in the salt:// fs
18:15 jcockhren then the top file will allow you to target minions within the dev environment
18:15 jcockhren doesn't matter that states backend
18:16 jcockhren keyword here is: within
18:16 jcockhren ;)
18:16 jcockhren so trust isn't assumed
18:17 jcockhren you have to be explicit with the truth within an environment
18:17 jcockhren for example... look at the example top.sls
18:18 jcockhren it says the following states and their target apply to the 'base' environment
18:18 jcockhren it doesn't apply to all minions in the base environment unless you do a glob like: '*'
18:19 freelock_ bbl, thanks for your help... I'm still trying to see how this prevents a minion from using a direct request on a salt:// resource. I mean you can use state.sls to grab a state regardless of whether you're matching in the top file, right?
18:20 jcockhren http://docs.saltstack.com/topics/targeting/index.html
18:20 jcockhren the targeting prevents direct access
18:20 jcockhren (or enables)
18:20 jcockhren for example...
18:20 jcockhren if you have salt:// stuff
18:20 rojem joined #salt
18:20 jcockhren it will only go the minions you tell it to go
18:21 jcockhren meaning... the minions will NOT any data/states that isn't meant for them
18:21 zandy joined #salt
18:22 jcockhren maybe I misunderstood, but I'm thinking if your data is in a pillar, then with properly targeted pillars, the same thing applies like it does in states
18:22 jcockhren b/c pillars have top files as well
18:23 rojem joined #salt
18:33 zooz joined #salt
18:44 mapu Good afternoon. With salt-cloud, I can create a volume from an existing snapshot on the command line. Can this be done in my cloud profile config file as well? Something like - { size: 100, device: /dev/sdf1 snapshot: snap-XXXX } ?
18:46 MZAWeb joined #salt
18:48 prooty joined #salt
18:51 prooty hi. is there a way to pass context variables to the source of a cmd.script, similar to the defaults argument in file.managed?
19:15 BrendanGilmore joined #salt
19:16 nmistry joined #salt
19:21 zandy joined #salt
19:22 jimallman joined #salt
19:25 jslatts joined #salt
19:41 aleszoulek joined #salt
19:47 nebuchadnezzar joined #salt
19:56 sandGorgon joined #salt
20:01 tsantero joined #salt
20:03 Se[V]eN joined #salt
20:08 Gifflen joined #salt
20:16 Se[V]eN left #salt
20:21 zandy joined #salt
20:50 higgs001 joined #salt
20:51 xmltok joined #salt
20:57 Nazzy joined #salt
21:05 mgw joined #salt
21:09 Gifflen_ joined #salt
21:11 darrend_ joined #salt
21:12 zach_ joined #salt
21:12 eculver joined #salt
21:12 eculver joined #salt
21:14 jslatts joined #salt
21:14 blast_hardcheese joined #salt
21:16 ajw0100 joined #salt
21:21 zach_ What does the saltstack guys charge hourly for consulting?
21:22 zach_ s/does/do/
21:23 sroegner joined #salt
21:23 zooz joined #salt
21:25 dvogt joined #salt
21:25 Shenril joined #salt
21:31 AdamSewell joined #salt
21:38 altj joined #salt
21:52 AdamSewell joined #salt
22:01 bhosmer joined #salt
22:04 redondos joined #salt
22:14 JordanRinke joined #salt
22:14 Chrisje joined #salt
22:16 toastedpenguin joined #salt
22:21 zandy joined #salt
22:25 JordanRinke joined #salt
22:30 rojem joined #salt
22:31 harobed_ joined #salt
22:41 terminalmage joined #salt
22:45 dvogt joined #salt
22:46 jslatts joined #salt
22:47 freelock_ jcockhren: the way I'm thinking about it:
22:48 freelock_ - can put path to the correct key file in a pillar, but I would prefer not to have the actual key in the pillar because it will get sent across so much, appear regularly when doing pillar.data, etc.
22:49 freelock_ - can perhaps put the key file in salt:// somewhere if I can put it in an environment a minion cannot access
22:49 freelock_ the problem is, if a minion can state which environments it's in, I'm assuming it can load anything via salt://
22:50 aleszoulek joined #salt
22:50 freelock_ As I'm understanding it, the top file in salt mainly specifies what states are included in the highstate, but doesn't actually control any access
22:50 freelock_ In pillar it does control data available to the minions, so pillar is a much better place for sensitive data
22:51 freelock_ do I understand that correctly?
22:52 freelock_ I am using nodegroups to specify which minions are in our internal production group, if I could leverage that somehow to ensure that only minions in a particular nodegroup have access to a particular environment, seems like that would work
22:52 freelock_ as long as a minion couldn't just specify its environment anyway
22:52 freelock_ Otherwise I'm still unclear about how to lock this down properly
22:53 AdamSewell joined #salt
22:53 kula if a minion knows the environment name, it can access every file in that environment. i don't remember off hand if the minions can enumerate all environments from the fileserver, but i do know that if they know an environment name it can access every file in that environment.
22:54 kula pillars are the only thing that is explicitly locked down to a particular minion --- well, it's the only thing that can be.
22:57 kula i've thought of a couple of ways around this, i think there's a need for something like wallet: a fileserver that makes decisions before it gives a file to a particular minion. i haven't had time to write it, though.
23:01 dvogt joined #salt
23:05 quanta_ joined #salt
23:13 nmistry joined #salt
23:18 mgw joined #salt
23:18 gadams999 joined #salt
23:21 zandy joined #salt
23:39 forresta joined #salt
23:42 AdamSewell joined #salt
23:44 snuffeluffegus joined #salt
23:48 dgo joined #salt
23:58 jusoo joined #salt
