IRC log for #salt, 2015-04-04

All times shown according to UTC.

Time Nick Message
00:01 scbunn joined #salt
00:03 SheetiS1 joined #salt
00:03 JDiPierro joined #salt
00:04 crane joined #salt
00:14 timoguin joined #salt
00:19 markm joined #salt
00:21 JDiPierro joined #salt
00:33 markm joined #salt
00:34 sunkist1 joined #salt
00:39 jerematic joined #salt
00:51 dopesong_ joined #salt
00:56 kermit joined #salt
00:58 _1_alexcaro joined #salt
00:58 _1_alexcaro hey
00:58 zwi joined #salt
01:00 kermit joined #salt
01:02 pdayton joined #salt
01:08 otter768 joined #salt
01:20 kermit joined #salt
01:26 druonysuse joined #salt
01:26 druonysuse joined #salt
01:28 kermit joined #salt
01:30 seev I just perfected my state which retrieves private ssh keys and public ssh key fingerprints from pillar
01:36 jonlangemak joined #salt
01:37 jerematic joined #salt
01:49 favadi joined #salt
01:49 druonysus joined #salt
01:49 druonysus joined #salt
01:59 zwi joined #salt
02:13 scbunn joined #salt
02:20 timoguin joined #salt
02:23 ajw0100 joined #salt
02:29 echo joined #salt
02:31 MatthewsFace joined #salt
02:31 subsigna_ joined #salt
02:33 donmichelangelo joined #salt
02:34 hasues joined #salt
02:37 pdayton joined #salt
02:38 pdayton joined #salt
02:40 iromli joined #salt
02:42 hasues left #salt
03:08 pdayton joined #salt
03:09 otter768 joined #salt
03:14 zircote joined #salt
03:15 zircote joined #salt
03:23 scbunn joined #salt
03:24 pdayton joined #salt
03:28 viq joined #salt
03:28 hasues joined #salt
03:28 hasues left #salt
03:33 teskew joined #salt
03:34 pdayton joined #salt
03:37 hasues joined #salt
03:37 hasues left #salt
03:39 nickg left #salt
03:40 pdayton joined #salt
03:54 echo joined #salt
04:01 vbudv joined #salt
04:02 vbudv Hello Salted People :).
04:02 vbudv I have an issue with 2014.7.2 on Debian.
04:02 mzbotr joined #salt
04:03 vbudv I am using pygit2 0.22.0 with a couple tens of state repositories.
04:03 vbudv I see the following error in the logs - OSError: [Errno 2] No such file or directory: '/var/cache/salt/master/gitfs/7f3550e1fb5f794472c54c6603aafe59/update.lk'.
04:03 vbudv But only when I target multiple minions...
04:04 p0rkbelly joined #salt
04:05 seev joined #salt
04:05 vbudv Here is the traceback - http://hastebin.com/raw/opayadenab
04:30 echo_ joined #salt
04:31 spicyWith joined #salt
04:32 jasonrm joined #salt
04:32 tkharju joined #salt
04:51 jonlangemak joined #salt
04:56 kaictl joined #salt
04:57 vbudv 2014.7.1 didn't have the above problem.
04:59 vbudv Targeting a couple of machines via grains and running a state.sls gives me the following errors - TypeError encountered executing state.sls: string indices must be integers, not str. See debug log for more info. stefan.db.###.com:
05:03 SpX joined #salt
05:10 echo joined #salt
05:10 otter768 joined #salt
05:36 chandankumar joined #salt
05:40 evle1 joined #salt
05:49 echo joined #salt
05:55 catpigger joined #salt
06:06 mdln joined #salt
06:15 Furao joined #salt
06:16 subsignal joined #salt
07:01 beneggett joined #salt
07:02 thehaven joined #salt
07:03 Auroch joined #salt
07:03 dopesong joined #salt
07:07 glyf joined #salt
07:11 otter768 joined #salt
07:20 baoboa joined #salt
07:20 capricorn_1 joined #salt
07:22 malinoff joined #salt
07:23 beneggett joined #salt
07:33 TyrfingMjolnir joined #salt
07:53 Joeto joined #salt
07:56 Joeto Hi all, I'm stuck with the master_id variable in a multi-syndic deployment: do I need to put this on the central master or on the syndics?
07:57 Joeto Because whatever I put, salt loops jobs and starts to execute the same thing indefinitely
08:04 chandankumar joined #salt
08:20 ckao joined #salt
08:21 beneggett joined #salt
08:24 wicope joined #salt
08:25 wicope joined #salt
08:38 JlRd joined #salt
08:43 Joeto Hi again, can anyone help me with master_id?
08:45 babilen apparently not
08:49 Joeto Yeeaaa :)  looks like.
08:52 beneggett joined #salt
09:02 JlRd joined #salt
09:07 bhosmer joined #salt
09:08 jngd joined #salt
09:12 otter768 joined #salt
09:16 beneggett joined #salt
09:18 bhosmer_ joined #salt
09:33 linjan joined #salt
09:40 viq joined #salt
09:41 chandankumar joined #salt
10:32 bluenemo joined #salt
10:45 ekkelett left #salt
10:47 aquassaut joined #salt
11:11 glyf joined #salt
11:11 jngd I'm getting an error when I point the minion to the master. I edited /etc/hosts to make 'salt' resolvable with the IP of the salt-master in the local net. Yet when I start salt-minion, I get Master hostname: salt not found. Any idea what is going on?
11:13 otter768 joined #salt
11:21 peters-tx joined #salt
11:23 hax404 joined #salt
11:29 ryys jngd: `getent hosts salt` return as expected?
11:35 jngd ryys, it is solved, the issue was a bad configuration in the /etc/salt/minion file. Thanks for your help
11:40 Auroch joined #salt
11:44 echo joined #salt
11:53 Norbell_ joined #salt
11:58 denys joined #salt
12:05 SpX joined #salt
12:08 dalexander joined #salt
12:28 pdayton joined #salt
12:34 bhosmer joined #salt
12:45 Phyks joined #salt
12:45 Phyks hi, I was wondering, is there any way to use salt with an already existing install, or should salt be used from the beginning ?
12:47 Auroch joined #salt
12:48 eliasp Phyks: sure, you can use it with an existing OS installation as well
12:49 Setsuna666 joined #salt
12:50 jerematic joined #salt
12:52 o5k_ joined #salt
12:54 vstoniest joined #salt
13:02 jerematic joined #salt
13:09 Dev0n Hey, I've got a few instances of a backend running and currently using a remote logging service to log any errors. I'm thinking of using the salt event system and have the backend send the error payload up to a central point in master, would this be an appropriate use for SaltStack?
13:10 babilen Dev0n: I'd just log in an appropriate fashion and use something else for handling the logging. rsyslog with a different server or ELK stack comes to mind
13:12 Phyks eliasp: so I can just write a Salt State corresponding to my current state and start using salt without any reinstallation and it will be fine ?
13:12 Dev0n babilen:  Ahh, I see. I liked the slack state salt comes with and was thinking of nicely integrating log events to send straight to a slack channel.
13:12 eliasp Phyks: exactly… and you can always use "test=True" to check what kind of changes _would_ happen to your system before actually applying those changes
13:12 Dev0n not heard of ELK stack, I'll check it out
13:13 Phyks eliasp: ok, thanks a lot! I'll give it a try then :)
13:13 eliasp Dev0n: ELK = ElasticSearch, LogStash, Kibana
13:13 Dev0n oh :( LogStash
13:13 Dev0n not really fan of it tbh
13:13 otter768 joined #salt
13:15 Dev0n is that a recommended setup for log handling and analysis?
13:15 Dev0n just trying to see if it's worth setting up my own or sticking with logentries
13:17 I3olle joined #salt
13:31 jonlangemak joined #salt
13:35 amcorreia joined #salt
13:37 bhosmer joined #salt
13:45 m000p joined #salt
13:47 wicope joined #salt
13:48 jonlangemak joined #salt
13:49 m000p Hi guys, I'm trying to use a macro in my sls file but it fails when inside a for loop. http://pastebin.com/LDDv2NtQ
13:50 m000p There's some problem with line #13, shouldn't that work?
13:52 Joeto joined #salt
13:53 m000p Just says '[CRITICAL] Rendering SLS 'base:vhosts' failed: Unknown yaml render error; line 23'
13:53 m000p vhost('default', true)
13:54 scbunn joined #salt
13:54 chandankumar joined #salt
13:59 Dev0n Are there any security features built into SaltStack that would prevent disastrous run commands (e.g. rm -rf) from being pushed to the minions? Some sort of password prompt? I guess if an attacker gets into master then there is nothing really you could do to secure it, they could always write salt states and push them through...
14:00 Dev0n Any recommendations to make sure master can do the least amount of damage should someone break into one?
14:05 zwi joined #salt
14:06 glyf joined #salt
14:07 ryys you can allow certain users to only use certain functionality, but personally i don't bother worrying about it. if someone is doing dangerous things on the server that manages the fleet config, you're kind of screwed in the general case
14:09 Dev0n True, so I guess it's really down to how secure you keep your master server.
14:11 Dev0n I'd assume something that powerful is usually locked down for internal access only but the cases where a master would be on AWS for example would need to really be locked down in a lot of ways?
14:12 ryys so what's your intention, that the salt master processes still retain all their power over the fleet, but access to that functionality is restricted a bit more than the default? [ie: can't just switch to root and do *?]
14:14 amcorreia joined #salt
14:15 Dev0n ryys, yea, that sounds about right
14:16 Dev0n You can secure your SSHD using two-factor for example using PAM module, something similar to that for SaltStack would be ideal.
14:17 ryys well, it's very difficult to protect a process from a root user
14:18 CeBe joined #salt
14:18 Dev0n But again, you're securing SaltStack, if someone has already gained access to master and worked their way into root, would salt really be a barrier for the intruder to cause destruction of the minions?
14:18 Dev0n yea ryys, it is indeed :(
14:20 Dev0n There would always be a way, it's just from a security point of view, if this single point of failure didn't exist, your n servers _might_ still be ok, or at least the damage could be less than someone running rm -rf in parallel on n servers
14:20 scbunn joined #salt
14:23 Joeto Hi guys, I have a question about master_id and syndic configs. Anyone available?
14:28 deares joined #salt
14:34 bhosmer_ joined #salt
14:37 glyf joined #salt
14:40 sunkist joined #salt
14:51 jerematic joined #salt
15:08 donmichelangelo joined #salt
15:09 subsignal joined #salt
15:13 beneggett joined #salt
15:14 aphor joined #salt
15:14 otter768 joined #salt
15:16 JDiPierro joined #salt
15:17 tomh- joined #salt
15:18 JDiPierro Hey all. I've got a gitfs root configured with a formula but when I highstate it says no matching SLS found. Here's my master config: http://pastebin.com/KyjbnkQq Am I missing anything?
15:24 Fiber^ joined #salt
15:25 \ask joined #salt
15:27 echo joined #salt
15:33 eliasp JDiPierro: how are you using the formula SLS in your highstate?
15:33 bluenemo_ joined #salt
15:35 stoogenmeyer__ joined #salt
15:38 eliasp JDiPierro: you might want to specify the formula's root per formula repo. usually, the root of a formula is in the corresponding subdirectory, for the "official" ntp-formula the actual formula content is in ntp-formula/ntp, so you'd have to set the root for this formula to "- root: ntp-formula", see also:
15:38 eliasp http://docs.saltstack.com/en/latest/topics/tutorials/gitfs.html#gitfs-per-remote-config
15:39 eliasp JDiPierro: another (still broken) approach to handle formulas: https://github.com/saltstack/salt/issues/21413
15:49 JDiPierro joined #salt
15:50 iggy and your indentation is off
15:50 yuhl_work_ joined #salt
15:53 iggy Dev0n: securing your infrastructure is your job, not salt's... that said, if you have suggestions that don't impact others, I'm sure the devs would love to hear them
15:58 jonlangemak joined #salt
16:02 jilele joined #salt
16:02 TyrfingMjolnir joined #salt
16:03 stoogenmeyer__ joined #salt
16:04 quintinadam joined #salt
16:07 Dev0n iggy, oh I totally agree. However, given the nature of salt and how destructive it can be, I was just wondering what safety measures there are (if any) that would prevent someone that has broken through the initial line of defence.
16:08 jilele left #salt
16:08 Dev0n I would assume an op would have notify services put in place for intrusion detection and if an anomaly was detected then they could command from another master (if the main master is compromised) to cut off all ties from the minions to the main master.
16:08 jilele joined #salt
16:09 jilele left #salt
16:09 Dev0n But again, salt is fast and even a second could be too late to stop and salvage anything.
16:10 scbunn joined #salt
16:14 Dev0n iggy: As for suggestions, at least a layer of authentication and authorisation on top of salt would do wonders to mitigate such risks.
16:20 sandah joined #salt
16:22 stanchan joined #salt
16:25 echo joined #salt
16:31 I3olle joined #salt
16:31 markm joined #salt
16:33 jilele joined #salt
16:34 iggy you mean like eauth?
16:38 Dev0n iggy, eauth could be a way but simply something like: salt -p ... to prompt the op for a password before anything is executed would be a good start. Similar to mysql -p, psql etc.
16:39 jilele left #salt
16:41 scbunn joined #salt
16:42 dork left #salt
16:43 captine joined #salt
16:44 arnoldB could it be the case that custom exec modules are not accessible from within (custom) returners using the __salt__ dunder dict?
16:45 JDiPierro joined #salt
16:48 JDiPierro joined #salt
16:51 linjan joined #salt
16:59 iggy Dev0n: that doesn't sound any more secure... if someone gets into the system, they can just change that password
17:00 iggy arnoldB: custom grains aren't, so it wouldn't surprise me
17:02 captine joined #salt
17:13 Dev0n iggy, I'm sure we could get really deep into security and go straight to someone having physical access to the server who could do all kinds of wonderful things but still there are things we could put in place to _slow_ these guys down (BIOS pass, full-disk encryption etc.)
17:13 Dev0n iggy, regarding someone changing the password, there are obviously ways we could implement this security.
17:14 Dev0n For example, the hash could be read into memory on first run so direct changes to the hash file would have no effect to an intruder.
17:15 Dev0n Unless the intruder decided to shutdown and restart the salt master or even uninstall and reinstall, in which case all minion connections could be invalidated since the new password hash would be different from an alternative hash based on the password hash that will be passed down to the minions...
17:15 otter768 joined #salt
17:15 Dev0n if you can get an idea of what I mean :o
17:18 Dev0n The idea here is to slow down the effect of the attack by going against salt's goal of being really fast to improve security.
17:18 quintinadam joined #salt
17:21 arnoldB iggy: weird, I added #22361
17:21 iggy Dev0n: feel free to submit pull requests
17:21 smcquay joined #salt
17:22 iggy I don't actually care about such a feature (and I'm not a dev), so arguing it with me is a waste of your time
17:22 quintinadam joined #salt
17:23 Dev0n Hehe, hopefulyl that was a discussion and not an argument, but yea, I'll make an issue and see what others think.
17:23 Dev0n hopefully*
17:23 intellix joined #salt
17:24 o5k__ joined #salt
17:27 bhosmer joined #salt
17:31 bfoxwell joined #salt
17:32 glyf joined #salt
17:51 TheOtherDude joined #salt
17:58 SeeDickCode joined #salt
18:01 linkedinyou joined #salt
18:01 Dev0n iggy, when you mentioned eauth earlier, I wasn't sure if you meant that as an idea or that it does already exist. I didn't know it did, http://docs.saltstack.com/en/latest/topics/eauth/index.html
18:01 Dev0n was that what you meant?
18:12 iggy si
18:13 Dev0n it still doesn't protect you from root thought right? from what I can read, the eauth doesn't work with root anyway?
18:13 Dev0n though*
18:13 jonlangemak joined #salt
18:15 SeeDickCode joined #salt
18:16 eliasp joined #salt
18:21 mapu joined #salt
18:22 intellix joined #salt
18:24 dopesong joined #salt
18:26 otter768 joined #salt
18:28 SeeDickCode joined #salt
18:31 jonlangemak joined #salt
18:41 irctc847 joined #salt
18:42 swa_work joined #salt
18:43 irctc847 Are there any open source salt states/pillars repos to look at for best practice use cases?
18:55 swa_work joined #salt
19:01 vieira joined #salt
19:06 iggy irctc649: there are some on github
19:06 iggy none "blessed"
19:20 TyrfingMjolnir joined #salt
19:21 antani joined #salt
19:25 \ask joined #salt
19:25 dopesong joined #salt
19:36 LotR don't formulas count as state/pillar repos?
19:36 Joeto joined #salt
19:49 MatthewsFace joined #salt
19:51 JDiPierro joined #salt
20:10 dfelix joined #salt
20:11 dfelix I'm currently using puppet masterless as a means for our developers to self-provision their own machines. I already use salt a bit for master/minion provisioning and I'd prefer it if my toolkit only used salt. Could anyone offer advice or talk me through how I might replace puppet masterless?
20:16 dfelix I was thinking about using salt with a gitfs backend as my module storage. I think this would be a lighter and more efficient way to work with modules than the current puppet forge way I'm working on. I'm just not sure what bootstrapping steps I need to take for developers to go from ground 0 to installed.
20:16 beneggett joined #salt
20:17 TyrfingMjolnir_ joined #salt
20:26 echo joined #salt
20:26 dopesong joined #salt
20:37 bhosmer joined #salt
20:51 chandankumar joined #salt
20:52 diegows joined #salt
20:56 cheus joined #salt
21:05 curiousdude97 joined #salt
21:06 curiousdude97 Hi there, how do I install salt-bootstrap minion with CoreOS?
21:08 kashyap_ joined #salt
21:09 kashyap_ hi
21:13 dfelix curiousdude97: I think the salt-bootstrap script in "ubuntu" mode would work for coreos, but it's not technically supported
21:14 dfelix I'm not sure if you can force a mode, I think it autodetects when you run it
21:28 scbunn joined #salt
21:28 intellix joined #salt
21:31 otter768 joined #salt
21:34 deares joined #salt
21:36 pdayton joined #salt
21:38 dude051 joined #salt
21:39 glyf joined #salt
21:43 Dev0n is it safe to use salt.modules.postgres to push schema to production, anyone in here currently using it for that or recommend anything else I should be doing to update schema changes?
21:54 dude051 joined #salt
21:57 TyrfingMjolnir joined #salt
22:02 HexOffender joined #salt
22:05 pdayton joined #salt
22:15 dopesong joined #salt
22:35 TyrfingMjolnir joined #salt
22:38 scbunn joined #salt
22:43 SpX joined #salt
22:48 aquassaut joined #salt
23:00 CeBe joined #salt
23:01 TyrfingMjolnir joined #salt
23:08 Corey joined #salt
23:10 alynpost joined #salt
23:13 quintinadam joined #salt
23:14 Corey joined #salt
23:15 alynpost I have a /srv/pillar/top.sls file with a single environment, base.  In that environment, I'm trying to associate a variable with specific minion ids.  I have no '*' entry, but instead single entries for each minion id.
23:16 fusionx86 joined #salt
23:16 alynpost I cannot seem to get that data pushed to my minions.  saltutil.refresh_pillar and saltutil.sync_all seem to run, but pillar.items isn't showing anything.
23:17 alynpost I'm wondering if I'm using my pillar/top.sls file incorrectly, and that my problem is I don't understand how entries are matched in an environment.
23:17 alynpost though even a simple base: '*': data entry isn't working.
23:17 alynpost I'm on a combination of ubuntu 12/14 machines, with my master running ubuntu 14.
23:17 alynpost Did I miss anything obvious?
23:17 alynpost (very new to salt.)
23:18 alynpost Oh, I should note it's working on my salt master, which also has a salt minion installed.  But not working on any other machine.
23:20 bhosmer joined #salt
23:29 dopesong joined #salt
23:32 otter768 joined #salt
23:34 TyrfingMjolnir joined #salt
23:39 overyander joined #salt
23:41 elfixit joined #salt
23:52 Corey joined #salt
23:54 alynpost All right, another clue.  My /srv/salt/top.sls has entries for the operating system, but highstate is returning "No Top file or external nodes data matches found"  I must be doing something wrong in that file.
23:54 Corey joined #salt
23:55 jessie_ joined #salt
23:56 Corey joined #salt
