IRC log for #salt, 2015-02-08

All times shown according to UTC.

Time Nick Message
00:07 Corey joined #salt
00:07 Corey_ joined #salt
00:07 Barbarossa joined #salt
00:07 Barbarossa Hi there
00:08 Barbarossa I'm using a jinja template and trying to include another one (well, a piece of static text) into that template but Salt is telling me that the file does not exist
00:08 Barbarossa The file name that seems to not exist really does exist in the same file as the template
00:09 Barbarossa http://pastebin.com/0NndqCsy
00:10 scoates joined #salt
00:12 CeBe1 joined #salt
00:18 keeth joined #salt
00:20 Barbarossa ah well, the path has to be prefixed by the directory the file lives in. :)
00:28 Barbarossa left #salt
00:30 nitti joined #salt
00:35 bluenemo joined #salt
00:41 yomilk joined #salt
00:48 Godfath3r hello everybody
00:48 scoates joined #salt
00:49 Godfath3r i'm trying to install salt minion with bootstrap script and i'm getting this: http://pastebin.com/S8a7MhJ8
00:50 Godfath3r any suggestions?
00:51 Godfath3r the command i'm giving is: sh install_salt.sh git develop
00:51 ocdmw joined #salt
00:51 Cottser `type` worked, rather than `which`. not sure why.
00:56 aquinas joined #salt
00:56 msheiny joined #salt
00:59 Cottser spoke too soon.
00:59 Cottser bleh
01:00 hasues joined #salt
01:06 hasues left #salt
01:09 Cottser `test -e $(which foo)` seems to work as expected.
01:10 TyrfingMjolnir joined #salt
01:15 akas joined #salt
01:17 jdowning joined #salt
01:18 jalaziz joined #salt
01:20 otter768 joined #salt
01:21 Rockj joined #salt
01:22 Whissi joined #salt
01:30 Furao joined #salt
01:32 MatthewsFace joined #salt
01:37 GabLeRoux Hey there, I've been trying to get my vagrant config working with pillar, and I can't seem to find a way to use vagrant's hostname in `pillar/top.sls`. I've set `config.vm.hostname = "dev-whaterver.com"` and in `pillar/top.sls`, I have something like `base: "*" - shared.sls "dev*" - vagrant.sls` (on multiple lines), but only shared.sls is being rendered. I tried to put `id: dev-whatever.com` in `salt/minion` but n
01:37 GabLeRoux o chance. Any idea?
01:37 higgs001 joined #salt
01:38 iwishiwerearobot joined #salt
01:38 TTimo joined #salt
01:39 GabLeRoux when I do `$ python` `import socket` `socket.getfqdn()`, it outputs the desired hostname, but still, when I call stage.highstate, I don't see vagrant.sls in the debug output
01:41 GabLeRoux I've added `- vagrant` to "*" atm to make things work, but that's a bit of a deal breaker :(
01:44 yomilk joined #salt
01:54 primechuck joined #salt
02:03 jhauser_ joined #salt
02:06 aparsons joined #salt
02:12 Cottser|away joined #salt
02:20 Cottser|away joined #salt
02:22 malinoff joined #salt
02:25 jalaziz joined #salt
02:28 nitti joined #salt
02:39 rihannon joined #salt
02:47 ilbot3 joined #salt
02:47 Topic for #salt is now Welcome to #salt | SaltConf 2015 is Mar 3-5! http://saltconf.com | 2014.7.1 is the latest | Please be patient when asking questions as we are volunteers and may not have immediate answers | Channel logs are available at http://irclog.perlgeek.de/salt/
02:48 GabLeRoux joined #salt
02:48 jdowning joined #salt
02:55 Cottser joined #salt
03:00 Cottser|away joined #salt
03:07 chris___ joined #salt
03:07 chris___ good evening everyone
03:08 chris___ Recently had a master server crash, and created a new one but I'm having issues getting the existing clients working would anyone know how to revoke and re-add client?
03:10 Cottser|away joined #salt
03:11 Kelsar joined #salt
03:14 Cottser joined #salt
03:18 atree joined #salt
03:20 Cottser|away joined #salt
03:21 otter768 joined #salt
03:22 atree I'm having some trouble with a template, been googling and trying to figure this out for a couple days to no avail, anyone wanna take a stab at it?
03:23 timoguin chris___: salt-key -L to list the keys. salt-key -d keyname to delete a specific one.
03:24 timoguin And then you should be able to see the minion keys show back up in the list when they try to reauth
03:24 timoguin atree: shoot
03:25 atree timoguin:  thank you!  I need to be able to do something like:
03:25 timoguin pastebin or some other such service if it's a big chunk. :)
03:26 iwishiwerearobot joined #salt
03:26 atree - apache, which will hit the apache.sls file, which will reference a jinja template, say httpd.conf, but I need to use the word that was used in the top file in that template
03:26 atree :/ does that make sense?
03:27 net128 joined #salt
03:29 aparsons joined #salt
03:30 atree I *think* "apache" would be the state name?  is that available as a variable in the template
03:30 atree ?
03:30 Cottser|away joined #salt
03:30 monkey66 left #salt
03:31 jalaziz joined #salt
03:31 smcquay joined #salt
03:31 timoguin Is the name of the state itself available in the template?
03:31 timoguin I think it may be, but haven't done that.
03:31 smcquay joined #salt
03:32 timoguin @atree: yes, it's available: http://docs.saltstack.com/en/latest/ref/states/vars.html#sls
03:32 timoguin just {{ sls }}
03:33 timoguin Well, it's available in the SLS template. You may have to pass it to the template explicitly, but I'd try it without first.
03:33 chris___ thanks timoguin yes they are in the list and figure it out just need to replace master certificate
03:33 schlueter joined #salt
03:33 timoguin @chris___: oh you need to revoke the old master cert on all the minions?
03:34 chris___ yes I do
03:34 atree Fantastic!  I tried that yesterday and just ended up with {{ sls }} in the file, I'll RTFM some more :D  Thank you!
03:35 timoguin it's in /etc/salt/pki/minion/minion_master.pub, I think
03:35 timoguin You're left with SSH at this point.
03:35 timoguin atree: yea, try passing the variable via the contexts argument to file.managed
03:35 timoguin docs should show examples
03:38 atree awesome, thanks!
03:40 ocdmw joined #salt
03:43 primechuck joined #salt
03:43 chris___ yes not so bad just used scp and bash script
03:44 chris___ going to test it out right now
03:50 Cottser|away joined #salt
03:52 smcquay joined #salt
03:52 Cottser|away joined #salt
03:54 Ryan_Lane joined #salt
04:04 linjan joined #salt
04:05 dooshtuRabbit joined #salt
04:16 heewa joined #salt
04:17 schlueter joined #salt
04:21 jonatas_oliveira joined #salt
04:34 pdayton joined #salt
04:42 pdayton joined #salt
04:43 ocdmw joined #salt
04:44 schlueter joined #salt
04:49 jdowning joined #salt
04:52 MaliutaLap joined #salt
04:53 smcquay joined #salt
04:55 eyeball01 joined #salt
05:05 michelangelo joined #salt
05:06 Morbus joined #salt
05:06 dave_den joined #salt
05:06 TTimo joined #salt
05:06 ocdmw joined #salt
05:07 knot joined #salt
05:08 ajw0100_ joined #salt
05:10 SheetiS joined #salt
05:13 mr_chris joined #salt
05:15 yomilk joined #salt
05:15 stevednd joined #salt
05:15 iwishiwerearobot joined #salt
05:16 bhosmer joined #salt
05:16 yomilk joined #salt
05:16 tyler-baker joined #salt
05:18 yomilk joined #salt
05:22 otter768 joined #salt
05:27 yomilk joined #salt
05:28 aparsons joined #salt
05:30 timoguin joined #salt
05:32 primechuck joined #salt
05:43 monkey661 joined #salt
05:48 brianfeister joined #salt
05:57 yomilk joined #salt
06:21 pdayton joined #salt
06:24 timoguin joined #salt
06:43 yomilk joined #salt
06:44 Furao joined #salt
06:45 David_ joined #salt
06:45 David_ Hi, all have a quick question, can salt be used to manage Cisco routers/switches?
06:48 Furao David_: no. but maybe, I wanted to add such features
06:48 Furao render templates and copy those config to running router
06:48 timoguin joined #salt
06:49 David_ okay thanks
06:50 jdowning joined #salt
06:55 capricorn_1 joined #salt
07:04 iwishiwerearobot joined #salt
07:05 badon joined #salt
07:16 evle joined #salt
07:16 bash1245_ joined #salt
07:19 Ryan_Lane joined #salt
07:19 jalbretsen joined #salt
07:21 primechuck joined #salt
07:23 otter768 joined #salt
07:30 mikeywaites joined #salt
07:32 bloo joined #salt
07:39 badon joined #salt
07:40 felskrone joined #salt
07:49 timoguin joined #salt
08:00 timoguin joined #salt
08:05 bash124512 joined #salt
08:08 TTimo joined #salt
08:13 EWDurbin joined #salt
08:13 LinuxHorn joined #salt
08:14 akoumjian joined #salt
08:14 jay_d joined #salt
08:14 chiui joined #salt
08:14 basepi joined #salt
08:14 mattl joined #salt
08:14 octarine joined #salt
08:14 JlRd joined #salt
08:14 hillna joined #salt
08:14 mihait joined #salt
08:15 JonGretar joined #salt
08:15 modafinil_ joined #salt
08:15 wavis joined #salt
08:15 manytrees joined #salt
08:15 doriftoshoes joined #salt
08:15 simonmcc joined #salt
08:16 gyre007 joined #salt
08:16 Tritlo_ joined #salt
08:16 joeyparsons joined #salt
08:16 neilf_______ joined #salt
08:16 moderation joined #salt
08:17 ocdmw joined #salt
08:17 goki joined #salt
08:18 abele joined #salt
08:18 pf_moore joined #salt
08:18 zadock joined #salt
08:19 iml joined #salt
08:19 akitada joined #salt
08:43 arret joined #salt
08:43 arret can you use standard jinja macros/functions in salt.sls / jinja renderer?
08:44 phx AFAIK yes
08:44 arret I would like to use http://jinja.pocoo.org/docs/dev/templates/#length but get ` failed: Jinja variable 'length' is undefined` when I do so.
08:45 arret in my .sls, I use: `{{ length(dict['key']) }}`
08:48 BigBear joined #salt
08:48 arret "Saltstack extends builtin filters with these custom filters" is noted in the docs
08:48 arret with a link to the jinja docs
08:48 babilen arret: You'd use: dict['key']|length
08:49 hvn joined #salt
08:49 hvn joined #salt
08:49 babilen Ah, no
08:49 arret babilen: oh? interesting. I will try that
08:49 arret no?
08:49 babilen Sorry, misread that
08:49 arret :(
08:49 babilen But try it, who knows?
08:49 timoguin joined #salt
08:49 bash124512 :D
08:50 bash124512 arret : from the documentation I see that length takes an object as a parameter
08:50 arret bash124512: I am giving it a list
08:50 arret or I think I am
08:51 jdowning joined #salt
08:52 bash124512 well I imagine you are giving it a key from a dict which is not an object or something list can iterate.
08:52 arret bash124512: the problem is that the macro isn't found
08:52 arret jinja is thinking this is a variable
08:52 bash124512 try using only dict as a parameter
08:53 arret bash124512: no go
08:53 iwishiwerearobot joined #salt
08:53 jalaziz joined #salt
08:55 bash124512 {% set list = ['one', 'two'] %}
08:56 bash124512 {{ length(list) }}
08:56 bash124512 not tested but the above should work
08:57 CeBe joined #salt
08:57 arret bash124512:  Rendering SLS 'base:foo' failed: Jinja variable 'length' is undefined
08:57 arret not here
09:00 bash124512 {{ list|length }}
09:02 berserk_ joined #salt
09:03 moderation joined #salt
09:04 joeyparsons joined #salt
09:04 manytrees joined #salt
09:04 wavis joined #salt
09:04 SheetiS1 joined #salt
09:04 goki joined #salt
09:04 abele joined #salt
09:05 cmek joined #salt
09:05 iml joined #salt
09:09 TTimo joined #salt
09:10 primechuck joined #salt
09:16 babilen Might also be different jinja versions
09:17 Auroch joined #salt
09:24 otter768 joined #salt
09:25 cberndt joined #salt
09:28 wavis joined #salt
09:30 arret bash124512: almost.. ` TypeError encountered executing state.sls: argument of type 'int' is not iterable. See debug log for more info.`
09:30 arret changing to 'red', 'blue' in the list didn't help
09:30 iml joined #salt
09:33 bash1245_ joined #salt
09:33 warp joined #salt
09:34 WarP|work hello
09:34 WarP|work may someone help me to understand - why when i run salt in background as service - it doesn't work, all clients fail to authenticate. and when i run it in foreground with -l debug - everything works fine?
09:37 bluenemo joined #salt
09:41 arret WarP|work: that sounds funny. when you run as a service, can you see the logs? how are you running the service?
09:41 WarP|work arret: service salt-master start =)
09:42 arret so upstart?
09:42 arret WarP|work: what do you have in /var/log/salt/minion?
09:42 WarP|work i'm unsure if its possible to see logs when you run as service - its running with default verbosity
09:42 WarP|work i'll check one moment
09:42 arret do not paste here
09:42 * arret must head out, sorry
09:42 arret time to sleep.
09:42 WarP|work i mean service salt-master start of course. not minion
09:43 arret WarP|work: check both salt minion/master logs
09:43 arret sometimes you need to see both before you solve your problem
09:43 WarP|work nothing
09:43 WarP|work no updates
09:43 arret good luck
09:43 arret WarP|work: more clearly describe the symptoms, with details pasted of what you see in the console, and someone here will surely help
09:43 WarP|work thanks
09:44 WarP|work in /var/log/salt/minion - no logs
09:44 WarP|work arret:  - i dont see anything in console, its in background
09:44 WarP|work and nothing in /var/log/salt/master
09:44 WarP|work only logs from previous manual run
09:44 WarP|work where everything works
09:48 egil then check /var/log/syslog for traces of the service
09:48 WarP|work egil: cat: /var/log/syslog: No such file or directory - i'm in fedora
09:48 WarP|work but i changed service file to run salt with debug
09:49 timoguin joined #salt
09:49 WarP|work and it works
09:49 WarP|work wtf
09:50 WarP|work with -l debug it works
09:50 WarP|work without - it just stalls and when i try to run any state i get Failed to authenticate!  This is most likely because this user is not permitted to execute commands, but there is a small possibility that a disk error occurred (check disk/inode usage).
09:52 egil WarP|work: start the service using sudo?
09:52 WarP|work i'm root , so as sudo, yea
09:53 WarP|work hmmm
09:53 WarP|work might be that salt-master looking for different folder configuration without -c ?
09:57 g3cko joined #salt
10:00 ocdmw joined #salt
10:01 egil WarP|work: I dunno, but really seems like an issue with user rights
10:01 egil how did you install salt? and which version?
10:02 WarP|work egil - to be honest - i installed this like 10 months ago =)))
10:02 WarP|work via PIP i think
10:02 WarP|work then i updated it couple of times via yum from updates repo
10:03 WarP|work now i have salt 2014.7.1 (Helium)
10:03 WarP|work only master on server
10:04 tzero joined #salt
10:04 WarP|work all agents are 2014.7.0 as far as i remember
10:07 egil WarP|work: not sure what default syslog in fedora is, but there really should be a trace from the service when trying to start up
10:08 egil which should give you a clue to what's going on as long as there is no entry in /var/log/salt/master
10:11 TTimo joined #salt
10:12 WarP|work hmm... ok i will  get back and check
10:12 WarP|work i think its somewhere in messages or so
10:14 felskrone joined #salt
10:17 ocdmw joined #salt
10:25 bash1245_ joined #salt
10:39 aboe joined #salt
10:41 iwishiwerearobot joined #salt
10:49 timoguin joined #salt
10:52 jdowning joined #salt
10:59 primechuck joined #salt
11:02 Samos123 left #salt
11:10 yomilk joined #salt
11:11 TTimo joined #salt
11:13 bhosmer joined #salt
11:21 hvn joined #salt
11:22 ocdmw joined #salt
11:25 otter768 joined #salt
11:35 johtso joined #salt
11:39 Grokzen joined #salt
11:40 yomilk joined #salt
11:41 viq_ joined #salt
11:49 timoguin joined #salt
11:50 jansauer joined #salt
11:52 Hell_Fire joined #salt
11:53 fxhp joined #salt
11:57 Tritlo_ joined #salt
11:59 bash1245_ joined #salt
12:00 Tritlo joined #salt
12:05 Furao joined #salt
12:09 bash1245_ joined #salt
12:12 TTimo joined #salt
12:13 yomilk joined #salt
12:21 calvinh joined #salt
12:30 iwishiwerearobot joined #salt
12:31 hvn joined #salt
12:35 Godfath3r joined #salt
12:35 yomilk joined #salt
12:39 mapu joined #salt
12:40 hebz0rl joined #salt
12:41 JlRd joined #salt
12:45 [LF] joined #salt
12:46 arnoldB hmm major problem here. when firing state.highstate the states can't get pillar data using salt['pillar.get'](), with state.sls saltenv=<env> <SLS file> everything works fine
12:47 arnoldB this happens on several/ all minions
12:47 primechuck joined #salt
12:49 timoguin joined #salt
12:52 jdowning joined #salt
13:10 Cottser|away joined #salt
13:20 Cottserz joined #salt
13:20 jalaziz joined #salt
13:23 ocdmw joined #salt
13:25 scottasdfasdf joined #salt
13:26 otter768 joined #salt
13:30 Cottserz joined #salt
13:36 arret arnoldB: check pillar's top.sls ?
13:37 arnoldB arret: pillar's top.sls should be fine.
13:38 arnoldB on state.highstate no single pillar is available, in fact salt['pillar.items']() returns {}
13:42 TTimo joined #salt
13:43 arret arnoldB: what is the problem exactly?
13:44 arnoldB arret: when firing "state.highstate saltenv=<env>" the states can't get pillar data using salt['pillar.get']() in jinja template, with "state.sls saltenv=<env> <SLS>" everything works fine
13:46 arnoldB salt['grains.items']() works in both cases
13:49 timoguin joined #salt
13:50 Cottserz joined #salt
13:51 yomilk joined #salt
13:53 monkey661 left #salt
13:55 hvn joined #salt
13:55 hvn joined #salt
14:04 arnoldB alright __pillar__ is {} in salt.renderes.jinja.render()
14:04 arnoldB so far so bad
14:09 blkwlf joined #salt
14:11 blkwlf hi. I'm using git.latest in salt to keep a website up to date. I have all "force*" set to True. however, if I delete a file for example, salt will not get it from git again. can I do that somehow? make sure that the local repository is kept up to date, no matter what changes?
14:13 markm joined #salt
14:19 iwishiwerearobot joined #salt
14:21 BigBear joined #salt
14:22 Godfath3r i'm trying to send: salt '*' state.highstate but it returns nothing
14:23 ocdmw joined #salt
14:24 jalaziz joined #salt
14:29 arret arnoldB: what version?
14:30 arret can you paste minion log with -l debug?
14:36 primechuck joined #salt
14:37 arnoldB arret: 2014.7.0-2-g956b89a (based on git develop). the logs don't contain helpful information for this issue. the dunder dictionaries seem to become after salt.modules.state.highstate() triggers the highstate using salt.state.Highstate.render_highstate() run. I'm on it..
14:40 rudi_s Hi. What is a good way to classify hosts in "groups"? Should I use nodegroups and then set variables in a pillar? I'd like to use something like {% if server %} .. {% endif %} in my templates. Thanks.
14:40 rudi_s (And assign specific hosts/ids to this server "group".)
14:40 hasues joined #salt
14:48 blkwlf I'm using git.latest state to get a repository from gitlab. Then I change a file in the local repository, add something, whatever. running 'git status' shows the file as modified. in the sls file, "force_checkout" (Force a checkout even if there might be overwritten changes) is set to True. is it supposed to overwrite my changes for the file and download it from gitlab again?
14:48 blkwlf because reading the doc, it sounds to me like it
14:48 blkwlf it's supposed to, but it doesn't
14:48 blkwlf so is it a bug?
14:50 s8weber_ sounds like it.... you could issue a 'git clean -fd' IIRC
14:51 blkwlf I can work around it, not use the state, use cmd.run, but is it something that should be reported as a bug? kinda surprised that it isn't
14:53 pdayton joined #salt
14:53 jdowning joined #salt
14:57 clintberry joined #salt
14:57 hasues left #salt
14:57 s8weber_ ya you should do a search to see if you need to create an issue
15:02 s8weber_ did you try force
15:03 s8weber_ i think you're using the wrong arg
15:03 blkwlf I did, couldn't find anything, which is why I'm here
15:04 s8weber_ the state does not take arg force_checkout it takes force
15:04 ocdmw joined #salt
15:04 s8weber_ err nm
15:04 s8weber_ too early for me...
15:06 TTimo joined #salt
15:10 brianfeister joined #salt
15:10 brianfeister joined #salt
15:11 jonatas_oliveira joined #salt
15:14 _mel_ joined #salt
15:14 hvn joined #salt
15:16 wincus joined #salt
15:18 Grokzen joined #salt
15:22 TTimo joined #salt
15:24 bhosmer joined #salt
15:26 otter768 joined #salt
15:27 calvinh joined #salt
15:27 wincus joined #salt
15:28 jonatas_oliveira joined #salt
15:28 bash1245_ joined #salt
15:31 jalaziz joined #salt
15:31 jonatas_oliveira joined #salt
15:31 malinoff joined #salt
15:34 blkwlf joined #salt
15:35 CeBe1 joined #salt
15:41 Grokzen joined #salt
15:45 amcorreia joined #salt
15:46 Laogeodritt joined #salt
15:47 GabLeRoux joined #salt
15:49 timoguin joined #salt
15:55 Laogeodritt Hi! I'm trying to set up a new salt minion and for some reason, it's auto-detecting 'debian' as the minion ID rather than the hostname in /etc/hostname. -l debug or -l trace doesn't exactly help clarify the generate_minion_id logic. I know I can manually specify it in the config, but I'd really like to figure out where it's getting 'debian' rather than the hostname (stubbornness about understanding problems!)... any ideas or suggestions for inves
15:56 Laogeodritt I'm using salt 2014.7.1 on Debian 7.7 (stable)
15:57 GabLeRoux Laogeodritt: to make sure hostname is right on your machine, run python: >>> import socket >>> socket.getfqdn()
15:58 Laogeodritt GabLeRoux: thanks for the reply. I checked that, it is correct hostname
15:59 TTimo joined #salt
16:03 GabLeRoux Maybe you can find something in your grains, sudo salt-call -g, in my case, my id is the same as fqdn
16:04 GabLeRoux looks like it's setting lsb_distrib_id as your id
16:06 ocdmw joined #salt
16:07 ocdmw joined #salt
16:07 GabLeRoux or maybe osfullname
16:08 iwishiwerearobot joined #salt
16:08 the_lalelu hmm, when i start a minion as non-root and using verify_master_pubkey_sign and always_verify_signature, i got a permission denied on "/etc/salt/pki/minion/minion_master.pub". looks like the verify_signing_master method is somehow running before forking and changing euid etc. pp. and salt.utils.fopen writes the file as root. after the fork the minion gets a permission denied on that file and dies.
16:10 the_lalelu when i patch something like "os.chown(m_pub_fn, pwd.getpwnam(self.opts['user']).pw_uid, grp.getgrnam(self.opts['user']).gr_gid)" into that verify_signing_master method everything works as expected.
16:10 the_lalelu someone else having those kind of problems on 2014.7.1?
16:13 wincus left #salt
16:25 linjan joined #salt
16:25 primechuck joined #salt
16:32 bgdnlp joined #salt
16:35 jalaziz joined #salt
16:41 rudi_s Hi. I'm looking for a way to distribute private data (like passwords) for specific hosts. According to the documentation I should use pillars for this. But how can I create host-specific pillars? Thanks.
16:43 rudi_s (I know I could match each host in /srv/pillar/top.sls but that feels overly complicated, especially when I have many files/data and hosts. I'd prefer something like foo.host-a, foo.host-b, foo.host-c and then include the file or dict value.)
16:46 TheoSLC joined #salt
16:49 timoguin joined #salt
16:53 rihannon joined #salt
16:54 bgdnlp look into "grains"
16:54 jdowning joined #salt
16:54 bgdnlp and how a minion can define custom grains
16:58 rihannon joined #salt
17:01 [LF] joined #salt
17:01 arnoldB arghhh. something is horribly broken in the 2014.7 branch
17:06 Grokzen joined #salt
17:20 aquinas joined #salt
17:21 verzie joined #salt
17:25 peters-tx joined #salt
17:27 rudi_s bgdnlp: "distribute _private_ data" - as the grains are provided by the minions, they could be faked and thus receive data which is not intended for them.
17:27 otter768 joined #salt
17:29 harukomoto joined #salt
17:30 dave_den joined #salt
17:31 bgdnlp aren't you supposed to manually approve minions?
17:31 rudi_s bgdnlp: So?
17:31 rudi_s If a minion is compromised, I still don't want it to be able to receive all data from my master.
17:31 rudi_s Like root passwords for important servers.
17:31 BigBear joined #salt
17:33 bgdnlp not sure how it works, don't use that yet
17:33 rudi_s Ok. If anybody else has an idea, please tell me.
17:33 bgdnlp but that is assuming whoever compromised it knows what the other servers are asking for
17:34 rudi_s bgdnlp: Not really, they just have to look into /var/cache/salt/
17:34 harukomoto left #salt
17:34 jY if someone compromises your minion they have root anyway
17:34 jY what are you worried about root password for?
17:35 bgdnlp they have root on that particular minion, but only that
17:35 zadock joined #salt
17:35 jY why are you setting a root pw in a pillar anyway?
17:35 rudi_s jY: Exactly. - Let's say I manage multiple servers and client machines. If a client gets compromised, I don't want the servers to be compromised.
17:36 rudi_s jY: How would you set the root password?
17:36 rudi_s (Anyway, it's not specific to root passwords. It could be any private data, like private keys, etc.)
17:36 jY salt '*' shadow.set_password root '$1$UYCIxa628.9qXjpQCjM4a..'
17:36 jY from the master if needed
17:37 jY but if they compromised your machine they have the keys or anything salt is setting
17:37 rudi_s jY: So? I still want to manage other private data in a stateful way for my minions.
17:37 rudi_s jY: So?
17:37 StDiluted joined #salt
17:37 bgdnlp I thought that the minion would say something like "hello, I am George, my ID is 12345" and the master would say "Hello George, here's your data". are you saying that the ID for all minions is in /var/cache/salt on all minions?
17:37 jY you can send the info encrypted
17:37 rudi_s jY: Stop talking nonsense please.
17:37 jY then use like gpg on the minion to decrypt it with a module on the minion
17:37 jY hah ok
17:38 rudi_s bgdnlp: The state is shared on all minions, pillars are not.
17:38 rudi_s jY: pillars are the concept in salt for this (see http://docs.saltstack.com/en/latest/topics/best_practices.html 4./5. entry) - so I look for a way to use that.
17:38 ocdmw joined #salt
17:39 bgdnlp so, an important  minion can ask for a certain pillars, but another minion can't unless they know exactly what they ask for. did I get that wrong?
17:40 bgdnlp what I'm saying is, you can use a custom grain as a password
17:40 bgdnlp that would only be present on minions that you specifically set to have it
17:41 bgdnlp or, I might be totally wrong and talking bullshit
17:41 rudi_s bgdnlp: Minions get all state data, but they don't get any pillar data. - However a client can also set arbitrary grains. So if you match your pillars based on grains, then the client can still receive all the pillar data by faking its grains.
17:41 jalaziz joined #salt
17:41 bgdnlp yes, exactly, if they know what to fake
17:41 bgdnlp it's not much, I realize that
17:42 bgdnlp there really should be something better, maybe there is, as I said, I don't actually know
17:42 rudi_s Ok.
17:48 rudi_s Another question, can I match the "current" minion id in pillar files? i.e. nothing provided by grains, but by the salt directly. So it can't be faked by the client?
17:49 s8weber_ yes
17:49 timoguin joined #salt
17:49 s8weber_ thats how i do it
17:49 rudi_s How?
17:50 s8weber_ perhaps i misunderstand you.... i just use my minion id in the top file...
17:51 s8weber_ I dont use grains for anything but detecting os type because grains cant be trusted
17:51 rudi_s s8weber_: Yeah, that works. But then I have to "know" all minion ids. I'd like something like: match current minion id and include host/{{ current_min_id }} if it exists.
17:51 chiui joined #salt
17:52 s8weber_ so match '*'
17:52 s8weber_ ?
17:52 rudi_s s8weber_: And then do what? - Won't that distribute the pillar on all minions?
17:52 s8weber_ so top file:  would have '*'
17:52 s8weber_ then in the sls file that gets applied for *
17:53 s8weber_ for can have https://{{ grains['id']//...
17:53 rudi_s s8weber_: But that will distribute the sensitive data to all hosts.
17:54 rudi_s What I'll do is this: {% set hosts = 'host-a', 'host-b', 'host-c', .. %} {% for host in hosts %} '{{ host }}': - host/{{ host }} {% endfor %} in my pillar/top.sls
17:55 rudi_s And I'd like to either get a list of all hosts from salt or the "current" minion id so I can replace the for loop.
17:55 s8weber_ well you could but perhaps put it in the sls file applied for the * match
17:55 s8weber_ then use something like {% load_yaml as vars %}
17:55 LinuxHorn joined #salt
17:55 s8weber_ and in that block define the list...
17:56 rudi_s s8weber_: Still, how would I get the current minion id?
17:56 s8weber_ after that block you can do something like {% if grains["id"] in vars %} .... your passwords stuff {% endif %}
17:56 s8weber_ grains['id']
17:56 s8weber_ you can trust that one grain
17:57 iwishiwerearobot joined #salt
17:57 s8weber_ it cant be changed without breaking security/communication
17:58 intellix joined #salt
17:59 rihannon joined #salt
18:00 rudi_s s8weber_: Thanks, that seems to work. Still makes me feel a little uneasy to trust grains data.
18:00 s8weber_ the grains[id] is enforced to = the pubkey name
18:01 s8weber_ i made damn sure of that ... it was an issue a year ago however.
18:01 s8weber_ I should take another look tho
18:01 s8weber_ perhaps you can find the id in the opts['id']
18:01 rudi_s s8weber_: ;-) sounds like a good idea. I think I'll live with a list of minions for now, feels safer to me.
18:02 s8weber_ also
18:02 s8weber_ i have a small module...
18:02 s8weber_ def decrypt(value, dfile='/root/.pass'):
18:02 s8weber_ '''
18:02 s8weber_ salt-call openssl.decrypt U2FsdGVkX1+uNDhmDwGjiVk3wpt3uQ=
18:02 s8weber_ '''
18:02 s8weber_ r = __salt__['cmd.run']('sh -c \'echo -e "{0}" | openssl enc -aes-256-cbc -a -d -pass file:{1}\''.format(value, dfile))
18:03 s8weber_ def encrypt(value, dfile='/root/.pass'):
18:03 s8weber_ '''
18:03 s8weber_ echo 'decrypt_password' > /root/.pass
18:03 s8weber_ salt-call openssl.encrypt passwordToHide
18:03 s8weber_ '''
18:03 s8weber_ r = __salt__['cmd.run']('sh -c \'echo -e "{0}" | openssl enc -aes-256-cbc -a -pass file:{1}\''.format(value, dfile))
18:03 s8weber_ return r
18:03 TyrfingMjolnir joined #salt
18:03 arnoldB s8weber_: use a nopaste service
18:03 s8weber_ sorry about pasting that in here but ya... it's nice if you want to encrypt some fields in your pillar and have the master resolve the password when it compiles the pillars
18:06 rihannon joined #salt
18:08 the_lalelu s8weber_: i use the gpg renderer for something like this.
18:09 s8weber_ i should give the pgp a second look... i just hacked this up because it seemed to work well with sourcecontrol
18:09 s8weber_ thanks
18:09 the_lalelu s8weber_: so you can have secrets in the pillar, only readable for a specific minion - or only readable by the master (or for both ... all ... $whoever)
18:10 s8weber_ the master can only read it... but the master renders the file then passes it to the minion
18:10 the_lalelu s8weber_: no
18:10 bhosmer joined #salt
18:10 s8weber_ ...
18:11 the_lalelu s8weber_: try it on your own. if the master does not have the key, he cant decipher ... (how should he?)
18:11 s8weber_ the master has the key....
18:11 rudi_s s8weber_: Thank you for your help.
18:11 s8weber_ np
18:12 s8weber_ the master renders the pillar that has something like ...         bind_password: {{ salt['openssl.decrypt']('U2FsdGVkX19Z2x6ADpQPLiJtHQdt/ruo9qqALUBlV3WxK+wecWPJ4U6gNITllWvH') }}
18:13 s8weber_ if the module call was in a base/sls file then the minion would need the password in /root/.pass
18:14 primechuck joined #salt
18:15 s8weber_ also note you need the module in ... _extmods
18:15 BigBear joined #salt
18:16 s8weber_ anyways I'll likely rebuild it to use python only
18:17 the_lalelu if you want to do this on your own, then i would suggest to maybe implement this also as a renderer
18:19 s8weber_ rather do it as a module because want both pillars and sls files to be able to use it
18:19 s8weber_ that is without users having to think too much
18:19 TyrfingMjolnir joined #salt
18:22 s8weber_ o i misread.. perhaps a render after the fact.
18:22 lnxnut joined #salt
18:24 scoates joined #salt
18:30 otter768 joined #salt
18:34 pdayton joined #salt
18:41 scoates joined #salt
18:42 bash1245_ joined #salt
18:43 wincus joined #salt
18:46 jalaziz joined #salt
18:46 jonatas_oliveira joined #salt
18:52 [LF] joined #salt
18:52 Laogeodritt I'm trying to use archive.extracted to extract a tar file which is in my salt states, but it keeps failing: tar is returning "Cannot open: No such file or directory" (retcode 2) for a file in /var/cache/salt/minion/files, which is in fact there and which I can extract manually. Any thoughts what's going on/how to debug this?
18:52 Laogeodritt *in my salt directory, rather. Also, debian 7.7, salt 2014.7.1
18:55 jdowning joined #salt
18:56 timoguin joined #salt
18:56 jonatas_oliveira joined #salt
18:57 arnoldB could someone please review + reproduce that simple problem in https://github.com/saltstack/salt/issues/20506 ? if not I'm becoming insane
18:58 arnoldB Laogeodritt: can you please nopaste the exact code of the state
18:58 arnoldB ?
19:02 ocdmw joined #salt
19:02 s8weber_ i dont know if i trues the contents: part
19:02 s8weber_ trust
19:02 ckao joined #salt
19:04 s8weber_ try - contents: {{ pillar|json }}
19:05 s8weber_ or a template file.
19:05 arnoldB s8weber_: well I can test it, but you know state.highstate and state.sls are rendering the same SLS file?
19:06 ocdmw joined #salt
19:06 s8weber_ ill give it one more readover
19:08 s8weber_ it should be good...
19:10 the_lalelu yeah, refresh_pillar sounds good
19:11 Auroch joined #salt
19:11 arnoldB s8weber_: contents, contents_pillar, source or any other don't make any difference
19:12 Laogeodritt arnoldB: http://pastebin.com/tULEkivc this is the relevant state. I've double checked that the pillars are up-to-date, and both the source tar and the target directory exist on the minion.
19:18 arnoldB s8weber_: see https://github.com/saltstack/salt/issues/20506 . as I said: both state.sls and state.highstate are rendering the same SLS file. the problem shouldn't be related with salt.states.file
19:19 arnoldB Laogeodritt: could you try something like the following? http://pastebin.com/czgzNj4S
19:20 bfoxwell joined #salt
19:20 arnoldB Laogeodritt: additionally there are some open bug reports: https://github.com/saltstack/salt/issues?q=is%3Aissue+is%3Aopen+archive
19:26 TTimo joined #salt
19:28 s8weber_ joined #salt
19:29 jdowning joined #salt
19:32 JDiPierro joined #salt
19:36 s8weber_ arnoldB: yap something is wrong here.
19:36 the_lalelu hmm, running minion as non-root is somewhat broken. stumbled again over the situation where the minion creates files as root user and then double fork/set euid and can't read/write data. could it be that this is a more general problem?
19:37 Laogeodritt arnoldB: #20201 seems to be my issue
19:37 arnoldB s8weber_: that crap took my whole Sunday
19:38 s8weber_ humm i think i see the issue
19:38 s8weber_ what if you go saltenv=base
19:39 rudi_s Can I get the current state module (e.g. /srv/salt/state/foo/init.sls would return foo) in the jinja template while I'm in foo/init.sls?
19:39 s8weber_ nm
19:40 Laogeodritt arnoldB: seems to have been introduced in 2014.7.1, had no problem with this on 2014.7.0
19:40 [LF] joined #salt
19:45 iwishiwerearobot joined #salt
19:48 schlueter joined #salt
19:48 arnoldB s8weber_: there's no pillar env for prod. it's simply base
19:50 timoguin_ joined #salt
19:51 jalaziz joined #salt
19:54 linjan joined #salt
19:55 \ask joined #salt
19:56 rudi_s And I'm trying to use jinja's include. Can I get the path to the current template file? I want to include a file relative to the template file itself.
20:01 nethershaw joined #salt
20:03 g3cko joined #salt
20:03 primechuck joined #salt
20:04 s8weber_ perhaps {{ slspath }} might be helpful but that's the base path to the sls file
20:05 bash1245_ is there any way to autodelete minions that are not responsive? ideas? :)
20:08 s8weber_ salt-run manage -d
20:09 quickdry21_ joined #salt
20:10 s8weber_ salt-run manage.down -d
20:10 MatthewsFace joined #salt
20:11 s8weber_ \nick steverweber
20:11 jdowning joined #salt
20:11 quickdry21_ joined #salt
20:11 arnoldB steverweber: => /nick
20:11 arnoldB ah, nvm
20:11 steverweber yaya
20:11 steverweber :)
20:14 steverweber arnoldB: i'll have to give up on your issue for now... best of luck
20:18 g3cko joined #salt
20:18 schlueter joined #salt
20:19 bhosmer joined #salt
20:22 felskrone joined #salt
20:28 bash1245_ joined #salt
20:29 ocdmw joined #salt
20:32 Madhurranjan joined #salt
20:32 TTimo joined #salt
20:33 Madhurranjan hi, I'm having some trouble writing unit tests for custom states that I've written. I've installed salt testing module but in the bin, it asks me to use salt-runtests but that binary isn't there. How can I go about? Is there an example that I can refer?
20:34 steverweber i think there is a doc page on installing salt-runtests
20:34 Madhurranjan I'm using salt 2014.7.1
20:36 bash1245_ joined #salt
20:37 mikeywaites joined #salt
20:42 bhosmer joined #salt
20:42 timoguin joined #salt
20:44 arif-ali joined #salt
20:54 williamthekid joined #salt
20:57 jalaziz joined #salt
21:11 lnxnut joined #salt
21:15 elfixit joined #salt
21:17 Grokzen joined #salt
21:18 ocdmw joined #salt
21:21 ajw0100 joined #salt
21:22 g3cko joined #salt
21:22 viq joined #salt
21:23 ShadowHntr joined #salt
21:25 monkey66 joined #salt
21:29 armguy joined #salt
21:31 monkey66 joined #salt
21:34 iwishiwerearobot joined #salt
21:36 TTimo joined #salt
21:49 donmichelangelo joined #salt
21:52 primechuck joined #salt
21:52 InAnimaTe joined #salt
22:02 ralalala joined #salt
22:03 CeBe1 joined #salt
22:03 linjan joined #salt
22:04 mschiff joined #salt
22:05 jalaziz joined #salt
22:11 jdowning joined #salt
22:11 singularo joined #salt
22:11 singularo joined #salt
22:12 ralalala joined #salt
22:13 mosen joined #salt
22:15 lnxnut joined #salt
22:21 ralalalala joined #salt
22:23 GabLeRoux joined #salt
22:26 Grokzen joined #salt
22:37 ralalala joined #salt
22:41 ralalalala joined #salt
22:42 InAnimaTe joined #salt
22:46 Guest21863 joined #salt
22:53 faust_ joined #salt
22:56 ralalalala joined #salt
23:00 yomilk joined #salt
23:04 ralalala joined #salt
23:10 jalaziz joined #salt
23:12 ralalala joined #salt
23:15 alexhayes joined #salt
23:16 ralalalala joined #salt
23:21 bhosmer joined #salt
23:22 ralalalala joined #salt
23:23 iwishiwerearobot joined #salt
23:28 GabLeRoux joined #salt
23:29 jonwincus joined #salt
23:33 [LF]1 joined #salt
23:33 MatthewsFace joined #salt
23:33 net128 joined #salt
23:38 ralala joined #salt
23:40 scoates joined #salt
23:41 primechuck joined #salt
23:41 badon joined #salt
23:43 ralalala joined #salt
23:43 kellnola joined #salt
23:46 jstorey_ joined #salt
23:47 jstorey joined #salt
23:49 wincus joined #salt
23:55 s8weber_ joined #salt
