IRC log for #salt, 2015-10-05

All times shown according to UTC.

Time Nick Message
00:04 gladiatr joined #salt
00:05 pm90__ joined #salt
00:11 scoates joined #salt
00:18 pravka joined #salt
00:20 cpowell joined #salt
00:21 John_Kang joined #salt
00:34 falenn joined #salt
00:39 otter768 joined #salt
00:40 tmclaugh[work] joined #salt
00:50 charli Tried 2015.8 2015.5.0 2015.5.5, all fail, I think it's related to mine.get under salt-ssh. The doc says, salt-ssh supports this from 2015.5.0. The hostsfile.hostname under the formula works.
01:04 aidin_ joined #salt
01:05 keimlink joined #salt
01:05 clintberry2 joined #salt
01:15 dthom91 joined #salt
01:19 charli command `salt-ssh web1 mine.get web1 network.ip_addrs` works fine.
01:23 dthom911 joined #salt
01:29 aidin_ joined #salt
01:34 aparsons joined #salt
01:35 larsfronius joined #salt
01:40 aparsons joined #salt
01:45 zwi joined #salt
01:45 pm90_ joined #salt
01:52 catpiggest joined #salt
01:58 pm90__ joined #salt
02:05 tristianc_ joined #salt
02:15 SheetiS joined #salt
02:16 Akhter joined #salt
02:23 sunkist joined #salt
02:24 pm90_ joined #salt
02:29 clintberry2 joined #salt
02:32 MichaelRomig joined #salt
02:37 ageorgop joined #salt
02:54 aparkr joined #salt
02:55 NightMonkey joined #salt
02:56 evle joined #salt
03:03 mohae_ joined #salt
03:04 favadi joined #salt
03:07 msciciel_ joined #salt
03:18 markm joined #salt
03:21 geekatcmu joined #salt
03:40 clintberry2 joined #salt
03:43 tisteegz_ joined #salt
03:44 ramteid joined #salt
04:04 Joeskyyy joined #salt
04:07 Joeskyyy_ joined #salt
04:10 aparsons joined #salt
04:15 ajw0100 joined #salt
04:19 zmalone joined #salt
04:53 ronrib joined #salt
04:59 markm joined #salt
05:08 ramteid joined #salt
05:10 ashirogl joined #salt
05:14 ashirogl1 joined #salt
05:14 UForgotten joined #salt
05:33 rdas joined #salt
05:39 Joeskyyy joined #salt
05:43 pm90__ joined #salt
05:45 aidin_ joined #salt
06:00 ALLmightySPIFF joined #salt
06:00 moogyver joined #salt
06:05 colttt joined #salt
06:09 capricorn_1 left #salt
06:09 dkrae joined #salt
06:10 jvipa5g joined #salt
06:11 hasues joined #salt
06:11 sirex joined #salt
06:12 hasues left #salt
06:12 pm90_ joined #salt
06:15 lb joined #salt
06:24 evle joined #salt
06:29 katyucha joined #salt
06:33 AndreasLutro joined #salt
06:37 hasues joined #salt
06:39 illern_ joined #salt
06:40 amit_k joined #salt
06:40 amit_k Why do i get this error : Salt request timed out
06:40 AndreasLutro joined #salt
06:46 amit_k anyone here for assistance?
06:46 Joeskyyy amit_k: Well that's a general question
06:47 hasues joined #salt
06:48 hasues left #salt
06:49 amit_k where can i paste an error... i got a big screen error ... when i executed salt '*' state.sls httpd
06:50 malinoff joined #salt
06:50 malinoff joined #salt
06:51 amit_k salt.client:     Data failed to compile: ----------     Rendering SLS httpd failed, render error: while parsing a block mapping   in "<unicode string>", line 1, column 1:     httpd:     ^
06:52 Joeskyyy Gonna suggest you use pastebin for error dumps
06:52 Joeskyyy FYI
06:54 malinoff joined #salt
06:54 amit_k http://pastebin.com/bB2p4GTq
06:55 Joeskyyy Looks like your state isn't in proper YML bro
06:55 amit_k i will paste u that sls in dump
06:56 amit_k http://pastebin.com/nuVdMx9b
06:56 Joeskyyy Might wanna review this page: https://docs.saltstack.com/en/latest/ref/states/all/salt.states.pkg.html
06:57 Joeskyyy Because yours is.... way off base.
06:58 amit_k i just pasted the thing from walk-through as this is my day 1
06:58 aidin_ joined #salt
06:59 Joeskyyy Definitely understand. Not trying to be rude, just, if you can't grasp the basic states, you're going to run into bigger issues with salt haha
06:59 amit_k hahaha... but it kinda worked when i tried last week :'(
07:00 Joeskyyy If you're following the review try this one again: https://docs.saltstack.com/en/latest/ref/states/all/salt.states.pkg.html
07:00 amit_k ummmm Okaay i will try thos
07:01 amit_k this
07:01 Joeskyyy Or just use the pre-baked formulas: https://github.com/saltstack-formulas/apache-formula
07:02 viq joined #salt
07:02 malinoff_ joined #salt
07:02 amit_k ohh cool.. thanks a lot :)
07:03 harkx joined #salt
07:06 amit_k Any good links to start learning
07:14 illern_ joined #salt
07:14 amit_k joined #salt
07:15 amit_k anyone here can take my salt basics lecture ? :)
07:19 edulix joined #salt
07:28 Grokzen joined #salt
07:30 amit_k joined #salt
07:32 jvblasco joined #salt
07:34 amit_k any easy source to learn salt
07:37 larsfronius joined #salt
07:38 kbaikov joined #salt
07:40 eseyman joined #salt
07:41 babilen amit_k: https://docs.saltstack.com/en/latest/topics/tutorials/index.html and https://www.packtpub.com/networking-and-servers/learning-saltstack
07:41 amit_k :) thanks :)
07:45 CeBe joined #salt
07:47 larsfronius joined #salt
07:48 amit_k Also is this ebook good ? "saltstack for devops Aymen El Amri "
07:49 Corey How are people handling the permissions aspect of checking out the latest salt state git repository on their salt masters?
07:49 Corey amit_k: Never heard of it.
07:49 amit_k its on saltstack's page :) &corey
07:49 rim-k joined #salt
07:50 dalibro joined #salt
07:50 Corey Hmm. Looks new.
07:51 Corey The intro isn't particularly promising, but if you don't like the official docs it might be a reasonable place to start.
07:51 amit_k how about packtpub.com ebook
07:52 Corey amit_k: What're you trying to solve?
07:53 amit_k I have just started to learn salt.. and looking for a good guaranteed start ...
07:53 larsfronius joined #salt
07:53 amit_k If something seems complicated when reading any source... we start feeling bored
07:54 ultralord left #salt
07:54 Corey Well, reading a book on how to do it seems like a poor option then. Set out to solve a particular problem. When you get stuck, ask, read the source, see what other folks have done, etc.
07:55 babilen amit_k: I recommended two sources of documentation. The official walkthrough will teach you the basics of many things and you can, once you're done with it, just keep on reading. That is how many in here have learned salt. There are, as of now, a number of books available and I'd recommend "Learning SaltStack" and "Mastering SaltStack" (both Packt)
07:55 babilen My recommendation at this point would be to simply read the walkthrough and then *do* something specific. Once you've done that you can read the book(s), but that would mean that you have to invest some money
07:56 amit_k ohhh Great... then ... i guess its better to stick with the documentation ... rather that getting confused by reading many things
07:56 amit_k @babilen -- yes thats true
07:56 babilen fwiw, I've never heard of "Saltstack for Devops" either
07:57 Corey I do think that $15 for an ebook that nobody has ever heard of is... suspect. :-)
07:57 babilen (which doesn't have to mean that it's bad, just that I'm not keeping too close an eye on what is being published)
07:58 amit_k ahh true...
07:58 MadsRC Anyone here using SaltStack repo with CentOS 6? I'm having problems resolving all dependencies, as it wants a version of python-crypto that isn't in the base repo (or epel)?
07:58 amit_k i guess i will start with the tutorial link which you gave me @babilen
07:59 amit_k @MadsRC- yes i am using and i know what problem u r exactly facing
07:59 GreatSnoopy joined #salt
07:59 MadsRC Amit_K: Ah, Got a quick solution :P?
08:00 amit_k just do ... yum update python
08:00 amit_k its a 5.4MB update
08:00 amit_k this will solve your problem
08:00 amit_k on centOS6
08:00 Rumbles joined #salt
08:00 babilen amit_k: And unrelated to salt: On IRC other people are typically referenced by writing their name and suffixing it with a colon or comma as in "babilen:" or "amit_k:" at the beginning of the line. @$NICK is a convention used on twatter and meaningless and weird on IRC.
08:01 MadsRC Amit_K: Ah, you're right, that could be it... Shitty old server with a shitty old python version :P
08:02 Corey Generally "yum update" prior to installing things from third party repositories is... a best practice. :-)
08:02 amit_k "MadsRC:" tell me if that worked
08:02 markm joined #salt
08:02 amit_k babilen: Okay got that :)
08:02 MadsRC Corey: I'm aware, just a bit hesitant to just update this server...
08:03 MadsRC As it's potentially a few hundred calls to me if something goes wrong :D
08:03 Corey MadsRC: If you can replicate the issue on an updated machine (VM or container if necessary) then you've found something interesting. If not... fix your environment. :-)
08:03 Corey This is why we have test environments.
08:03 amit_k yum update can touch many packages which we might not want to update
08:04 MadsRC Corey: Already did this in a test environment :D
08:04 Corey If you don't have a decent copy of the production environment to test these things with, you're going to have a bad time.
08:04 MadsRC Corey: And it works fine on a up-to-date machine
08:05 MadsRC Corey: But having a 1:1 copy of these few machines isn't possible (or very laborious) as there's a bug in the kernel that won't allow me to snapshot or clone it with the hypervisor... SO I have to restore the machine from a backup and place it in a test environment :P
08:07 Corey Okay, but you're unlikely to find a Salt bug that's dependent upon a particular kernel version in EL6. :-)
08:09 arif-ali joined #salt
08:09 MadsRC Oh yes, I wasn't thinking it was a bug in Salt, but something about my environment :P Which it seems like it was... I'll try to update python in a sec
08:10 amit_k it will work :madsrc
08:11 Corey Realize that if you break Python on CentOS, a lot of other things will break, such as yum.
08:15 MadsRC Meh, there's no updates for python :P
08:16 thefish joined #salt
08:16 Corey MadsRC: Paste the dep errors you get to a pastebin?
08:16 anmolb joined #salt
08:17 s_kunk joined #salt
08:17 MadsRC Corey: https://www.refheap.com/499058719428e67825fff7c82
08:18 Corey That's... not CentOS.
08:19 amit_k it worked for me perfectly.... have u installed epel repo?
08:19 Corey The cloudlinux repo has started eating your Python installation.
08:19 arif-ali joined #salt
08:19 Corey No, he's got cloudlinux contaminating it. :-)
08:19 MadsRC Meh, fail @cloudlinux :P Works fine when installed from source, but that's prolly because of PIP :P
08:19 Corey Particularly without yum-protectbase installed / enabled.
08:20 Corey Yes. Pip bypasses system packages for a lot of things.
08:20 elsmo joined #salt
08:20 Corey It's... kinda terrible.
08:20 MadsRC :D
08:20 Corey The problem with pip in this context is that it's not sustainable at scale.
08:20 Corey "Here's 2000 servers, just pip install saltstack on them..."
08:20 MadsRC Indeed. yum is preferable
08:21 AndreasLutro as long as you set up a virtualenv I don't see the issue
08:24 traph joined #salt
08:26 amit_k MadsRC : install epel repo.. update python....
08:26 amit_k this should do the trick
08:26 amit_k as it did for me
08:26 MadsRC Amit_K: Won't work - Already got epel
08:26 amit_k ohhh my my
08:26 amit_k :p
08:27 MadsRC I'm just installing it from source, it's on a few servers - The rest are proper CentOS and will work fine
08:28 amit_k :) great...
08:28 nihe joined #salt
08:28 amit_k srry that didnt work for u
08:31 markm_ joined #salt
08:31 malinoff joined #salt
08:34 thalleralexander joined #salt
08:35 mike25de joined #salt
08:36 chiui joined #salt
08:36 keimlink joined #salt
08:39 arif-ali joined #salt
08:41 denys joined #salt
08:50 Rumbles joined #salt
08:51 arif-ali joined #salt
08:57 illern_ joined #salt
09:04 malinoff joined #salt
09:05 anmol joined #salt
09:05 Jimlad joined #salt
09:06 KermitTheFragger joined #salt
09:07 ThomasJ joined #salt
09:07 kidneb joined #salt
09:09 malinoff joined #salt
09:09 malinoff joined #salt
09:30 subsignal joined #salt
09:40 Dev0n joined #salt
09:44 KermitTheFragger joined #salt
09:45 Dev0n Hey, just getting started with salt, I'm just wondering if the master needs to be online at all times.
09:45 Dev0n Since I'm currently developing and only pushing to staging, would it be ok to run the master locally and control minions from there?
09:51 losh joined #salt
09:53 babilen Dev0n: You could use salt-ssh to begin with.
09:54 Dev0n babilen: gotcha, does that mean I won't be able to use any modules like the docker unless I run the master remotely?
09:54 babilen I typically develop locally on a number of vagrant boxes, before I push it into the "testing" production environment (i.e. when it leaves my laptop).
09:55 bluenemo joined #salt
09:55 mehakkahlon joined #salt
09:55 Dev0n so you have a master running on your local machine?
09:55 Dev0n I have a similar setup currently babilen
09:55 babilen It would mean that you can't use a number of salt features such as the mine, but it would allow you to control minions directly from your laptop.
09:56 Dev0n ahh not heard of mine, just looked it up, prob not something I need at this stage
09:56 babilen No, I don't have a master running on my box. I bootstrap a number of virtual machines and one of them acts as the master for the others. The setup reflects the setup I have in "The Cloud"™ and allows me to test new code without having to show it to anyone ;)
09:57 babilen Well, in a way that would be running on my box, but what I meant is: "My laptop does not act as master for minions that are not running locally"
09:58 Dev0n ooh ok, so you've replicated your cloud setup locally. That's fine, however, what do you do when you push up to staging where others are likely to test, guess you have a remote master setup for those situations?
09:58 alfborge joined #salt
09:59 babilen Exactly, I have a master that controls minions in two environments (qa and prod). I push to QA and roll that out to the QA minions which allows us to check if things are working as expected in the "real world", before we merge the changes into prod.
10:00 babilen The entire development process is done locally within virtual machines that reflect boxes I have in the cloud (I would, naturally, only have one box per type of box in the cloud and do not bootstrap 50 identically provisioned webserver for example)
10:01 aqua^c joined #salt
10:01 Dev0n babilen: that's the setup I currently have minus salt. Managing has become a bit time consuming so I'm planning to put salt in front. Makes sense to have two remote salt masters for qa and prod, especially with security.
10:02 Dev0n So I take it you would ssh into qa and prod master then run your salt commands from there?
10:02 hoonetorg joined #salt
10:03 babilen I have only a single master, but two environments (aka git branches), but yes: I do mosh into the salt master and run commands from there
10:03 Dev0n oh, your single master controls both qa and prod?
10:03 babilen It does, yeah
10:04 Dev0n I think my confusion was to why masters weren't run locally but if you have a big team and/or needed to run the extra module then a remote master would be ideal.
10:04 malinoff joined #salt
10:05 malinoff joined #salt
10:05 Nazca__ joined #salt
10:07 Dev0n Great, babilen, thanks for clearing that up for me. Now to get started :)
10:08 aidin_ joined #salt
10:16 elsmo joined #salt
10:24 giantlock joined #salt
10:26 SunPowered joined #salt
10:31 Dev0n Humm, so it seems that the minions do require master location to be specified. That's a bit of an issue when you run the master locally since the local IP is dynamic. Is there a way to setup the master and minions to work push only?
10:32 Dev0n Without setting up a masterless minion
10:34 wm-bot4 joined #salt
10:38 markm_ joined #salt
10:39 babilen Dev0n: No
10:39 Dev0n ahh, snap
10:40 Dev0n I could go down the dyndns route but that's not ideal
10:40 wordstoliveby joined #salt
10:40 babilen I use landrush with vagrant and use "saltmaster.test" as domain name
10:42 babilen It really wouldn't work to have a master for remote minions running on your laptop
10:42 Dev0n Yea, for local it should be simple. Bridging that gap between local master and remote minions is proving to be difficult.
10:43 babilen Well, I'm sure that you can make it work, but I wouldn't recommend to pursue that path
10:43 Dev0n You're right babilen, back to the drawing board.
10:43 babilen Why can't you use a remote master?
10:44 Dev0n babilen: I will eventually have to run a remote master when everything is up and running at production level. Was hoping to mimic that setup on development/staging though.
10:44 Dev0n I could just get another VPS to run as master I guess.
10:44 babilen So, use vagrant and mimic it locally?
10:44 Dev0n Wouldn't make much sense to run the master and minion on the same server, even for testing since that's not a true setup.
10:45 Dev0n babilen: I use vagrant and have development setup but I'm moving stuff up to staging which is remote
10:45 babilen I always run a minion on the master (so that I can salt salt itself among other things, but yeah ...)
10:45 Dev0n oh so, it's not an issue to run a master on server that has a minion... ahh ok
10:46 babilen Dev0n: I use https://github.com/saltstack-formulas/salt-formula to configure the master and minions
10:47 Dev0n ha cool
10:54 pravka joined #salt
10:56 Dev0n ok so I can use salt-ssh, which isn't really using salt to its full potential or get another vps to run a salt master to control staging then production at a later stage
10:58 Dev0n What I ideally want to do is local (master) -> local(minions) // remote(master) -> staging(minions)/production(minions)
10:58 masterkorp1 left #salt
10:58 Dev0n maybe have a local(master) that will salt-ssh to remote(master)
11:01 penguinp1wernz joined #salt
11:02 slav0nic joined #salt
11:09 fredvd joined #salt
11:09 John_Kang hi there
11:10 John_Kang I am trying to make the state for installing minion via salt-ssh
11:10 John_Kang May I get some advice for accepting the key automatically after installing minion ?
11:16 sgargan joined #salt
11:16 janne__ joined #salt
11:18 schneider joined #salt
11:18 schneider left #salt
11:19 briner joined #salt
11:24 evle1 joined #salt
11:27 illern_ joined #salt
11:34 pravka joined #salt
11:40 Mate joined #salt
11:40 Mate joined #salt
11:44 Joeskyyy_ joined #salt
11:46 John_Kang anybody there ?
11:48 Zytox joined #salt
11:49 Norrland John_Kang: hang around, someone will probably read it.
11:50 John_Kang Norrland: thank you T.T
11:50 AndreasLutro just because someone reads it doesn't mean they will know an answer
11:51 John_Kang :) i see
11:54 jdesilet joined #salt
11:56 impi joined #salt
12:01 PI-Lloyd John_Kang: take a look at reactors
12:01 John_Kang PI-Lloyd: OKAY!!! :D
12:02 tmclaugh[work] joined #salt
12:03 PI-Lloyd there is actually an example reactor doing this exact thing - https://docs.saltstack.com/en/latest/topics/reactor/index.html#a-complete-example
12:10 JDiPierro joined #salt
12:11 babilen There's also https://docs.saltstack.com/en/latest/ref/configuration/master.html#auto-accept
12:12 babilen The best way really depends on your particular situation. auto_accept wouldn't be appropriate at all if that poses a security problem for example
12:13 babilen It might, otoh, simplify your setup tremendously if you know a priori that all incoming requests are legitimate
12:15 edulix joined #salt
12:16 John_Kang babilen: thank you sir, actually, i am considering this configuration as workaround :D
12:17 John_Kang but as you know this is what I wanted to configure exactly ^^
12:17 babilen Combine that with startup_states and you are done
12:17 John_Kang this is not*
12:17 babilen Why isn't it exactly what you wanted? Sounds like the perfect solution to "accepting the key automatically after installing minion", doesn't it?
12:18 John_Kang I just want to accept the salt-minion that is installed by state, via salt-ssh
12:19 John_Kang if unauthorized minion tries to connect to Master, it should not be trusted
12:20 babilen And the problem is that auto_accept overgenerates in that it would also accept keys from minions that have been installed by another method?
12:20 babilen How do you differentiate between "unauthorised" and "authorised" ?
12:20 shantanoo joined #salt
12:22 John_Kang i added the target to roster and ran a command like "salt-ssh 'test_machine' state.sls salt-minion"
12:22 John_Kang I meant i just wanted to accept the key came from 'test_machine'
12:22 breakingmatter joined #salt
12:22 John_Kang not the all of keys which are pending
12:23 babilen So you only want to accept keys from minions you install manually with salt-ssh ?
12:23 John_Kang exactly
12:25 TooLmaN joined #salt
12:25 babilen And no other installation method should be supported and you have no way to determine if a request is legitimate apart from remembering a list of minions that have been installed by that way?
12:27 babilen https://docs.saltstack.com/en/latest/ref/wheel/all/salt.wheel.key.html#salt.wheel.key.accept is the execution module you are looking for, run that on the master minion, once you installed a new minion
12:27 John_Kang btw
12:27 John_Kang this is what I've done so far
12:27 John_Kang https://gist.github.com/upgradeksh/282e8072502f20efba3f
12:27 John_Kang this works as I expected but not accept the key
12:28 John_Kang babilen: i saw this doc but I had no idea what I should :(
12:28 babilen I'd use https://github.com/saltstack-formulas/salt-formula for installing the minion
12:28 edrocks joined #salt
12:30 John_Kang for isntalling minion ?
12:30 John_Kang installing*
12:30 babilen yes
12:31 babilen Well, installing and configuring minions and the master
12:31 John_Kang how to accept the key with your method ?
12:31 babilen Which method are you referring to exactly?
12:32 John_Kang salt-ssh ?
12:32 John_Kang I don't think I get it what you meant
12:34 dyasny joined #salt
12:36 thalleralexander joined #salt
12:40 markm_ joined #salt
12:40 babilen John_Kang: You'd expose wheel.key.accept via netapi and call that.
12:40 babilen (or you simply log into the master and do it)
12:42 babilen I see two sensible ways of dealing with this: 1. Ensuring that all incoming requests are legitimate (proper network setup) 2. Rolling out a pre-shared key that you send along with an event and test that in a reactor that calls wheel.key.accept on the master
12:43 babilen I mean test for anything that you deem appropriate. If you can't determine legitimacy based on something in your infrastructure (e.g. ip, mac, ...) then you have to include a PSK.
12:44 sunkist joined #salt
12:44 babilen The other way is to "manually" call salt-key accept, either via the netapi or simply by logging into the master and running that command
12:44 aqua^c joined #salt
12:44 John_Kang babilen: thank you so much for your advice (bow)
12:44 babilen Most people either use auto_accept: True and ensure that their infrastructure is secure to begin with or implement tests in a reactor.
12:45 John_Kang i got it
12:46 babilen I wouldn't go the netapi way, but if you really want to ensure that only a single person can install minions with a single method then roll out a PSK with your "install minion" state(s) and raise an event with that key by calling https://docs.saltstack.com/en/latest/ref/states/all/salt.states.event.html#salt.states.event.send
12:46 babilen You'd then have a reactor on the master that checks the key in some way and then calls wheel.key.accept with the minion id
12:49 subsignal joined #salt
12:49 John_Kang babilen: okay sir, i will check that all you mentioned
12:49 John_Kang babilen: thanks again
12:51 babilen I mean you can make this as complex as you want to ... you could, for example, automatically generate client certificates that you send to the master with your event to allow it to check the legitimacy of the incoming request. That would mean that clients that don't have a suitable cert won't be accepted
12:53 John_Kang okay
12:58 Steven- left #salt
12:59 hojgaard joined #salt
12:59 Dev0n joined #salt
13:00 Dev0n hey John_Kang, I was following your question but got disconnected, did you figure out a solution?
13:00 Dev0n oh dang, too late
13:01 ferbla joined #salt
13:02 babilen In summary: 1. auto_accept: True, ensure infrastructure is secure (e.g. run salt on a private network) 2. Expose wheel.key.accept via the netapi 3. Roll out a pre-shared key, raise an event with that and check for proper authentication in the reactor
13:02 babilen Ah .. the easy: 0. Simply log into your master and run "salt-key -a $ID"
13:03 Dev0n 1) sounds terribly insecure but I guess depends on infrastructure, easy 0 sounds simple enough
13:05 babilen I have other problems if I were to get rogue requests in some of my private networks
13:05 toastedpenguin joined #salt
13:05 shantano1 joined #salt
13:05 Dev0n true
13:07 TranquilityBase joined #salt
13:10 toastedpenguin joined #salt
13:12 murrdoc joined #salt
13:13 Dev0n when you want to get a minion installed on a remote machine, is the normal method to install it through salt-ssh by running the salt-formula salt.minion?
13:13 Dev0n would it be wise to disable ssh access to the machine after the minion has been installed?
13:14 Dev0n (re 1: apart from logging into the new machine and installing the minion yourself manually, I'm hoping to do this all through master)
13:15 pravka joined #salt
13:15 illern_ joined #salt
13:19 babilen Dev0n: You have three options: 1. Include the minion when you bootstrap the box 2. Install via salt-ssh (and yes, the formula is a decent choice) 3. Use any other provisioning system to do that or just do it manually over SSH
13:20 bhosmer joined #salt
13:20 tkharju joined #salt
13:20 babilen Please keep in mind that the master can't do anything with a minion that has neither been installed nor accepted. If you are using a well-known cloud provider you might be able to do this all via salt-cloud
13:22 Kurisutian joined #salt
13:22 Dev0n gotcha, thanks, I can see there is an article on DO for auto provisioning which should come in handy later
13:22 Dev0n I'll go with the manual install over SSH for now, thanks babilen
13:22 babilen https://docs.saltstack.com/en/latest/topics/cloud/digitalocean.html
13:23 pravka joined #salt
13:23 Dev0n great, thanks
13:23 murrdoc joined #salt
13:23 Kurisutian Hi! Does anyone here have salt-minion running as a non-root user? I need to get it going with limited permissions due to security reasons... I'm looking for the best way to do this and what has to be set up to make this work...
13:24 numkem joined #salt
13:24 babilen Kurisutian: https://docs.saltstack.com/en/latest/ref/configuration/nonroot.html
13:24 msx joined #salt
13:25 babilen I wonder where the sudo part was documented again ...
13:25 Kurisutian The goal is to run salt-minion as a tooluser who has limited rights so salt itself can only execute non-OS critical tasks (eg. Deployments on Tomcat, run supervisorctl for certain services, etc)
13:26 Kurisutian babilen: thanks for the link... so this is still the way to go? I was reading about the ACL and was wondering if that is a better way to limit functionality?
13:27 babilen I'm not using that functionality, so I'm not keeping too close an eye on it
13:28 Kurisutian OK, thanks :-)
13:28 babilen Ah, but I guess that you would have to go that route if you want to limit specific actions
13:28 babilen The "run as different user" way simply calls salt-call through sudo (which doesn't buy you much)
13:29 babilen But this is an entire area in salt that I have no need for, so you better wait for someone in here who is more familiar with the topic, before you start implementing something
13:30 racooper joined #salt
13:31 thefish joined #salt
13:31 teryx510 joined #salt
13:32 Kurisutian Here's the scenario: At our company we have separate departments for setting up servers up to the OS level (they use puppet) and the ones starting at the application level (setting up application servers, deploying artifacts, restarting the services, etc.). The "Application Admins" want to use Salt and to prevent problems I need to have salt not run OS tasks like installing/removing packages, etc.
13:33 babilen What do you want salt to do if it can't install a package it should configure?
13:33 babilen This will get hairy, I can tell you that
13:34 pravka I can say that running salt is probably not your best bet, if that is your use-case.
13:34 Rkp joined #salt
13:34 mike25de Kurisutian: for your scenario it's easier to use Ansible
13:34 pravka You could always create your own package using saltstack's upstream repo, but remove the pkg execution & state modules
13:34 pravka ^ what mike25de said
13:35 babilen I'd sort out the political situation ("os people" vs "application people" first) and ensure that they work together and accept that in order to work with $application you have to have the ability to install it ;)
13:35 pravka what's more, 'restarting the services' will require root-level privs
13:35 mike25de true babilen :)
13:35 pravka unless you use something like supervisor running under a non-priv account
13:36 Kurisutian well, I intend to automate things with Rundeck running on top of salt... and it has a salt-plugin to run against the API directly...
13:36 mike25de pravka: thanks for reminding me of supervisor :) i need that for one project
13:36 babilen This isn't a technical issue .. this is a political one in that certain people don't want to grant other people certain permissions
13:37 babilen mike25de: How would ansible help in this situation? I'm not too familiar with it ever since I evaluated it about two years ago
13:38 mike25de babilen:  I think that Ansible is easier to manage... not sure if in the end it will fit... his scenario.  Ansible might be used just to run the commands remotely, like a cli-framework.
13:38 Kurisutian pravka: this is exactly how it is implemented... I know it's political but as somebody from the application ops team, I need to play along... unless they start trusting that we only run the functions we have to and have zero interest to mess with the system itself ;)
13:38 mike25de Kurisutian:  get a new job :) with less paranoid people.
13:39 babilen mike25de: That doesn't buy you anything over salt (or salt-ssh), does it?
13:40 Kurisutian babilen: Does salt-ssh need anything as a dependency on the client side? I already thought about using this rather than doing the Unprivileged User "hack"
13:41 babilen Kurisutian: The problem is that you would, normally, implement salt states in such a way that it can handle all dependencies of a state. For some services you simply have to ensure that some packages are installed. If you want salt to fail and call an "ops admin" for help whenever it runs into "pkg not installed" function your system will be hard to use as you'll end up with broken runs here and there
13:41 mike25de babilen: i forgot about salt-ssh ... i never used it :) you are right as always :P
13:41 babilen Kurisutian: You have to allow it to run "salt-call" as root through sudo with NOPASSWD
13:42 Kurisutian I wanted to run the artifactory.get_release function with username and password, but it won't work....
13:42 babilen mike25de: I was simply curious what it was about ansible that allows it to work around this problem ... to me this sounds like a problem that has to be solved on a completely different level than "tool a" vs "tool b"
13:42 babilen Kurisutian: artsywhat?
13:42 * babilen googles
13:42 Kurisutian babilen: I don't intend to use the states on those systems rather than the modules due to the rundeck automation ;)
13:43 Kurisutian babilen: https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.artifactory.html
13:43 Kurisutian it's a binary repository we use to manage deployment artifact inhouse...
13:44 babilen Ah, ... enterprise. The closest I come to Maven normally is Clojars and Maven Central when I develop Clojure
13:44 babilen Yes, your entire problem is very enterprisey™
13:45 perfectsine joined #salt
13:45 protoz joined #salt
13:45 cpowell joined #salt
13:46 Kurisutian I want to check out something using salt-ssh and when doing so, all I get is this error: http://pastebin.com/HPLkpXVf
13:46 Kurisutian babilen: Yeah I know.... LOL
13:46 babilen Kurisutian: But to be helpful: You can define a fine-grained permission scheme for salt modules per user. This should allow you to restrict actions that can be run by certain identities to a sufficiently specific degree to fit your use case.
13:46 cpowell joined #salt
13:46 subsignal joined #salt
13:47 babilen Kurisutian: That being said: I would *strongly* recommend to think about the global setup and tear down the distinction between OS and Application as it simply doesn't exist if you see "Install $pkg_needed_for_service" as an "OS team" task.
13:47 cpowell joined #salt
13:48 babilen But then you are probably the last person that has to be convinced in that debate ...
13:48 mike25de :)
13:51 babilen As if all this wasn't hard enough to begin with when you don't also have to fight against idiosyncratic and, often, well meant, but not well designed rules
13:51 Kurisutian babilen: I'd love to do so, but this is politics I cannot change here.... we mainly work with scripts, application-server (tomcat, jboss), springboot applications, mysql and postgresql. So everything else is basically being taken care of by others. We would also not have the capacity to do the OS part as well... we're talking about a couple of hundred different application server with multiple deployments a day. And these should
13:51 Kurisutian be automated with salt and rundeck... that's my Use-Case right now... so it's imperative only at this point
13:52 babilen yeah, that's all fine
13:52 Kurisutian later on we probably do a mixture and set up the whole environment (Jboss install, Tomcat, etc.) when we use the states as well... ;-)
13:52 babilen So, what do you do when you *have* to install a package?
13:52 Deevolution joined #salt
13:53 babilen You open a ticket with the OS people and they sort it out $in_due_course ?
13:53 patchedmonkey joined #salt
13:53 Kurisutian But again, ideally all limited to the given tooluser with its rights... ;-)
13:54 Kurisutian Nope, they only know puppet and don't care to use salt... so no support from that end ;-)
13:54 babilen Sure, but what do you actually do right now?
13:55 cpowell joined #salt
13:55 giantlock joined #salt
13:55 cpowell_ joined #salt
13:56 Kurisutian Application Server operation.... we run, maintain and deploy applications on Application Servers.... and all tasks that go along with that when it comes to deployments, root cause analysis when things don't work on the application level, etc.
13:56 babilen Sorry, I meant: What do you do if you require a package to be installed on a box?
13:57 Kurisutian Open a ticket so they will change their puppet config and roll out the package...
13:57 babilen Okay
13:57 timoguin joined #salt
13:58 masterkorp joined #salt
13:58 masterkorp hello
13:58 kevinquinnyo1 joined #salt
13:59 murrdoc my name is elder price
14:00 Kurisutian babilen: so everything is configured in a way that we can change configs e.g. on Apache etc. but only as a (tool)user. Restarting is done with supervisor where we have the rights, etc. So basically I want to run salt the same way... just to keep them quiet and give us some efficient toolset ;)
14:00 huddy joined #salt
14:00 masterkorp this is salt's most annoying error https://ptpb.pw/B_OU
14:00 masterkorp how can I actively parse for this
14:00 babilen Kurisutian: Sounds as if client_acls are indeed the way to go
14:02 jettero joined #salt
14:02 anotherZero joined #salt
14:03 jettero I'm a novice at Salt, but I'm getting there.  I'd like to add this bunch of shellscripts a friend wrote to a state for install.  Problem is, the scripts use Dialog and it seems there's no way to disable the TUI elements and assume defaults.
14:03 jettero What's the usual workaround for TUI installers?
14:04 jettero I started stripping out the Dialog bits, but stopped and figured this was a question for #salt
14:04 Kurisutian babilen: OK, that sounds great. Do they run well with LDAP? I have not looked into that direction at all... ;)
14:05 Kurisutian babilen: something else: Do you know what I am missing because of this error: http://pastebin.com/HPLkpXVf ?
14:06 Kurisutian Is there something missing on the client side? Does the client need to have something specific installed when running salt-ssh?
14:06 moski joined #salt
14:07 AndreasLutro Kurisutian: what python version do your servers run?
14:07 babilen Make the web a better place and boycott pastebin.com, use one of http://refheap.com, http://paste.debian.net, https://gist.github.com, http://sprunge.us, http://dpaste.de, … !
14:08 Kurisutian AndreasLutro: python2.7 and python3.4 are installed
14:08 andrew_v joined #salt
14:08 babilen Kurisutian: https://docs.saltstack.com/en/develop/topics/eauth/index.html#openldap-and-similar-systems
14:08 AndreasLutro odd that it's missing as it's part of the stdlib
14:09 AndreasLutro but google "pstats missing" with your distro name
14:09 AndreasLutro maybe you'll find something
14:09 babilen Kurisutian: Could you log into the server and run "python -c 'import pstats'" ?
14:10 babilen It was probably removed by the OS people just to annoy the application guys ;)
14:10 zmalone joined #salt
14:10 Kurisutian babilen: I am running this from my local machine (I'm root on that one...)
14:10 ageorgop joined #salt
14:11 babilen Kurisutian: Sure, but that error is on the remote box
14:11 Kurisutian Oh, OK....
14:11 babilen salt-ssh essentially copies its "installation" to /tmp and runs it from there ...
14:12 babilen (as if it were properly installed)
14:12 Kurisutian Ah, I see... well on the target Server there's python 2.6 installed (only)
14:13 babilen Still, that command should run. You do get the same ImportError, don't you?
14:13 zmalone joined #salt
14:13 Kurisutian ImportError: No module named pstats
14:13 Kurisutian Yes, I do
14:13 babilen Could you install python-profiler and ....
14:14 babilen *sigh*
14:14 babilen .. open a ticket for OS people to install python-profiler and try it again
14:14 Kurisutian OK, I see.... well, that helps.... :-D
14:14 Kurisutian I expected this... LOL
14:14 babilen This is Ubuntu isn't it?
14:14 Kurisutian Debian Wheezy
14:15 mpanetta joined #salt
14:15 babilen Hmmm
14:16 babilen Do you have /usr/lib/python2.6/pstats.py on the box?
14:17 Kurisutian No, it's not there
14:17 edulix joined #salt
14:17 babilen But "dpkg -l python2.6|tail -n1" shows the package as installed? (ii ....)
14:18 Kurisutian Yes: 2.6.6-8+deb6u3
14:19 babilen That's not up-to-date .. are you sure this is wheezy and not squeeze?
14:19 Kurisutian yes
14:20 babilen Kurisutian: Could you paste the output of "apt-cache policy python2.6" ? Do you have debsums installed on that box?
14:20 Kurisutian eventually they used a different version or did not update
14:20 Kurisutian I'm not allowed to run apt-cache there
14:20 babilen The version you have installed is currently only in squeeze-security-lts, wheezy has 2.6.8-1.1
14:21 babilen Because gathering information is so dangerous
14:21 babilen Okay, lets assume that the box hasn't been updated in a while and contains lots of outdated packages. I take it that debsums isn't installed either or that you have no right to run it?
14:22 Kurisutian It's installed and I can run it
14:22 babilen \o/
14:23 babilen What does "debsums -s python2.6" give you?
14:24 Kurisutian btw., is there anything known when the new version 2015.8 will hit the external wheezy repo? Some of the changes (especially with the artifactory module)....
14:24 Kurisutian it doesn't give me anything
14:25 babilen Does it show pstats.py as OK when you run it without "-s" ?
14:25 babilen It might be a difference in the version you have installed ...
14:25 berserk joined #salt
14:26 Kurisutian no pstats listed
14:26 zmalone joined #salt
14:26 babilen Okay, one second please
14:27 msx joined #salt
14:29 zwi joined #salt
14:29 pm90_ joined #salt
14:29 babilen Ah, profile/pstats was added to python2.6 in 2.6.7-2, which is newer than the version you have installed
14:30 babilen It was kept separate due to licensing issues before (hence the python-profiler) .. You essentially have to ask OS people to keep their boxes (or this particular one) up-to-date
14:30 pm90__ joined #salt
14:30 babilen http://bazaar.launchpad.net/~doko/python/pkg2.6-debian/view/head:/changelog#L77
14:30 Kurisutian OK, well, then I know where the problem is... thanks a lot for that... can I ask you one more thing in regards to the ACL?
14:31 babilen I shall permit it ;)
14:31 Kurisutian Is this defined on the master or the minion? I need to have different rights on different machines... is that possible to set up?
14:31 mapu joined #salt
14:32 berserk joined #salt
14:32 Kurisutian Nevermind, I found it in the docs... LOL ;-)
14:32 babilen You do that by using different globs/target expressions
14:33 babilen The ".*" and "web*" in the documentation
14:33 tkharju joined #salt
14:33 Kurisutian awesome.... this is being put into the master config file, correct?
14:34 babilen https://github.com/saltstack-formulas/salt-formula/blob/master/salt/files/master.d/f_defaults.conf#L280 is the part in salt-formula, you could configure this entirely pillar-driven. You might even be able to utilise external pillars for that.
14:34 Kurisutian Nice... :-)
14:35 Kurisutian Thanks for the hint... I will definitely go that way and have them set the rights in puppet when rolling out the initial server(s).... ;-)
14:35 babilen Key here is "salt:master:client_acl:$USER" and you'd define a list there
14:35 zmalone joined #salt
14:37 Kurisutian Thanks a lot for your help.... now I have to attend at the next meeting in a couple of minutes... thanks for the support! :-)
14:37 babilen You are welcome
14:39 Brew joined #salt
14:39 Brew joined #salt
14:40 zmalone joined #salt
14:42 debian112 joined #salt
14:42 thalleralexander hi is it possible to write something to the log from jinja? like {{ debug('test') }}?
14:42 Akhter joined #salt
14:44 Akhter joined #salt
14:44 pravka thalleralexander: not out of the box, no.
14:45 thalleralexander pravka, hmh ok thx :/
14:46 pravka thalleralexander: does it have to be logged, or do you just want to catch certain actions?
14:47 shantanoo joined #salt
14:47 thalleralexander pravka, just be logged like '[DEBUG   ] Reading configuration from /usr/local/etc/salt/master'
14:47 thalleralexander from the command line
14:48 pravka yeah, to my knowledge there's no `log` module that's available for use from within a state
14:48 thalleralexander hmh
14:48 pravka would writing to a custom grain work for your use-case?
14:48 thalleralexander nah would just be nice to quickly debug stuff
14:48 hasues joined #salt
14:49 thalleralexander maybe i will try to write a module then
14:49 hasues left #salt
14:49 thalleralexander if thats easy enough :D
14:49 pravka it is, it's not a bad idea tbh
14:49 thalleralexander yeah sometimes it would help
14:50 pravka actually
14:50 pravka I just found this: https://groups.google.com/forum/#!topic/salt-users/_wMNHmVkYwM
14:50 pravka didn't know about that
14:51 pravka I've never tried that
14:52 pravka `In almost any salt state or execution module, the logger has already been instantiated as `log`, so you can just use `log.info('string')` or `log.debug('string')`.  Not exactly sure what you're asking, but I hope that helps.`
14:53 moski pravka: do you know if the logic is the same for runners? I was trying to add some logging to a runner last week and it seemed to ignore any logging I instantiated.
14:54 pravka it would appear so: https://github.com/saltstack/salt/blob/develop/salt/runner.py#L20
14:56 moski I was specifically trying to add logging to this. as you can see, no logger instantiated, and even if I did so it ignored any logging messages. https://github.com/saltstack/salt/blob/develop/salt/runners/manage.py#L33
14:58 moski Just curious if those runners are snowflakes. It's ok if you don't know.
14:58 pravka moski: I don't know :)
14:59 sirex joined #salt
15:00 Akhter joined #salt
15:00 tzero joined #salt
15:01 clintberry2 joined #salt
15:01 lumtnman joined #salt
15:01 _JZ_ joined #salt
15:01 windoverwater joined #salt
15:04 keimlink joined #salt
15:04 dthom91 joined #salt
15:05 sunkist joined #salt
15:09 dthom911 joined #salt
15:09 kaptk2 joined #salt
15:09 kawa2014 joined #salt
15:10 bhosmer joined #salt
15:11 berserk joined #salt
15:13 John_Kang joined #salt
15:13 berserk joined #salt
15:14 tanta_g joined #salt
15:15 berserk joined #salt
15:23 sirex joined #salt
15:24 stupidnic joined #salt
15:26 rhodgin joined #salt
15:26 aqua^c joined #salt
15:27 tristianc joined #salt
15:29 Fiber^ joined #salt
15:31 pm90_ joined #salt
15:32 adendrag joined #salt
15:32 techdragon joined #salt
15:34 Zachary_DuBois joined #salt
15:34 mr_const joined #salt
15:35 RedundancyD joined #salt
15:36 mr_const Hi all, I have several minions with different domain names and static IP addresses, what is the correct way to 'script' this data?
15:36 mr_const pillar, sh script which passes pillar data, something else?
15:37 larsfronius joined #salt
15:38 zmalone joined #salt
15:41 moski mr_const: what do you mean by 'script'? What are you trying to do?
15:42 mr_const I mean, I have pillar with custom data for minion
15:43 mr_const and when I want to run states against another minion, I have to edit this pillar data
15:43 DammitJim joined #salt
15:45 mr_const pillar contains: admin_fqdn: admin.ptest2.domain.tld, this is valid for minion 'proxy1', but for 'proxy2' I need to change value to: admin.pdev.domain.tld
15:47 bastiandg joined #salt
15:48 moski you could template out your pillar data with jinja
15:50 philpep joined #salt
15:51 moski mr_const: something like this https://gist.github.com/anonymous/9c78616635aa51f913cf
15:52 mr_const moski, hm... It might help, thanks
15:53 markm joined #salt
15:58 patchedmonkey joined #salt
16:00 berserk joined #salt
16:00 moogyver joined #salt
16:00 ALLmightySPIFF joined #salt
16:04 shantanoo joined #salt
16:04 alemeno22 joined #salt
16:05 bhosmer joined #salt
16:08 berserk joined #salt
16:12 Akhter joined #salt
16:17 dthom91 joined #salt
16:18 BogdanR Hello
16:18 NV joined #salt
16:18 dthom911 joined #salt
16:18 BogdanR I would like to use the data provided by "salt 'node1' network.ip_addrs" in jinja templates.
16:18 BogdanR Is this possible?
16:19 jonher joined #salt
16:20 mr_const BogdanR, you could probably use something like: grains['ip_interfaces']['eth0'][0]
16:21 whytewolf BogdanR: yes, all execution modules are available for jinja templates. but they can be kind of tricky sometimes. {% set ips = salt['network.ip_addrs'](interface='eth0') %}
16:22 whytewolf things to keep in mind. execution modules are run from the host the render is done on. so for states and file jinja that is the minion, but for pillar that is the master.
16:27 Gareth o/
16:28 whytewolf \o
16:30 Thiggy joined #salt
16:31 writtenoff joined #salt
16:31 BogdanR Thanks guys. Very enlightening answers.
16:32 Thiggy I feel like I'm missing something super basic. On an ubuntu/deb based system, how do I tell my minions, "do an apt-get update and install the latest version of this one specific package"?
16:33 whytewolf Thiggy: pkg.latest?
16:33 Thiggy That's a state right?
16:33 Thiggy I didn't see an equivalent module function.
16:34 whytewolf oh, you want the module.
16:35 hal58th joined #salt
16:35 Thiggy Yeah, I probably should have specified that. Sorry. https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.aptpkg.html#module-salt.modules.aptpkg <-- I've read this and just don't see it.
16:35 whytewolf pkg.install with only_upgrade
16:36 Thiggy Ahhhhhh ok. Do I also need refresh=True?
16:36 whytewolf it doesn't hurt
16:36 teebes joined #salt
16:36 whytewolf [it defaults to true already iirc]
16:37 Thiggy Awesome. Thank you!
16:37 tesaf_ left #salt
16:37 keimlink joined #salt
16:39 deus_ex joined #salt
16:40 whytewolf honestly just pkg.install will do it on its own. the only_upgrade will fail if the package isn't already installed
16:40 fxhp joined #salt
16:41 bhosmer joined #salt
16:42 aboe joined #salt
16:42 hal58th_ joined #salt
16:42 aboe basepi, something interesting for saltstack business: https://susecon2015.smarteventscloud.com/connect/search.ww#loadSearch-searchPhrase=saltstack&searchType=session&tc=0&sortBy=&p=
16:45 bhosmer joined #salt
16:45 berserk joined #salt
16:48 aparsons joined #salt
16:51 berserk joined #salt
16:52 Bryson joined #salt
16:52 troyready joined #salt
16:56 dthom911 joined #salt
17:02 wee321 joined #salt
17:03 BitBandit joined #salt
17:03 BogdanR Can I define a grain from a state?
17:04 BogdanR For example can the mysql state also be instructed to set that minion as part of the database grain?
17:07 Akhter joined #salt
17:09 mehakkahlon joined #salt
17:10 nate_c joined #salt
17:11 pm90_ joined #salt
17:11 X67r joined #salt
17:12 ajw0100 joined #salt
17:12 bhosmer joined #salt
17:15 tanta_g joined #salt
17:19 Dev0n joined #salt
17:21 ashirogl joined #salt
17:21 jalbretsen joined #salt
17:21 conan_the_destro joined #salt
17:23 ajw0100 joined #salt
17:24 zma joined #salt
17:26 X67r joined #salt
17:27 berserk joined #salt
17:28 zma If I have all files copied to /srv/salt and use top file for deployment, how can I choose between "roles" for minions if the minion does not know its role? Use case, I want to give a parameter in my salt command to say that btw we are going to do "netconfig". I've been reading a lot of Salt Roles and Environments but just can't get my head around it..
17:28 dthom91 joined #salt
17:29 shantanoo joined #salt
17:29 zma I keep getting stuck with "Role" assuming Minion being pre-setup and "Environment" requiring there are no duplicates ids which there would be between (but I'd structure it so that same Id would never be deployed twice)
17:30 impi joined #salt
17:31 dthom911 joined #salt
17:32 andrew_v_ joined #salt
17:33 whytewolf zma, roles are arbitrary in salt. just a pillar or grain you add to the minion to track it through other means. environments are a pain. but can be separated through the minion. however ALL minions have access to the base environment. which is why ID's absolutely need to be different throughout all minions
17:36 zma whytewolf: I see. In that case I think I could just have an extra step then to set custom grain with salt <minion> grain.append <my role definition> and then match it in my top.sls
17:38 pravka joined #salt
17:40 bhosmer__ joined #salt
17:40 traph joined #salt
17:41 whytewolf zma: that is an option yes. keep in mind however. if you are using pillars for secure data then be careful of targeting by grains. as grains can be created on the minion and are stored on the minion vs on your trusted master server.
17:44 thefish joined #salt
17:45 bhosmer joined #salt
17:46 Sketch whytewolf: speaking of that, do you know how to target based on a subkey with multiple values?
17:47 whytewolf Sketch: you mean like roles:mysql:server
17:50 Sketch well, i only want to match one value.  i tried 'key:value' and it didn't match, so i wondered if there's something else you have to do to match a list item
17:50 whytewolf huh, I use things like roles:<servers roll> all the time.
17:50 Sketch because i had to use different syntax to match one in a salt grain, so i assume i need some different syntax in pillar too since the obvious didn't work
17:51 Sketch i'll have to test again, maybe i did something silly, i was just starting out with pillar at the time
17:52 Sketch though i'm not sure that will actually be any more secure anyway, since i'm still matching based on grain
17:52 whytewolf humm it should work. unless you are trying to access pillars from within pillars. iirc that isn't supported
17:52 Sketch just in a different way
17:52 Sketch nah, grains
17:52 whytewolf humm
17:52 whytewolf https://gist.github.com/whytewolf/58282bc6b2f35dc21907
17:52 whytewolf thats in my pillar top file
17:53 whytewolf and roles has multiple values
17:53 Sketch so...how would you target trusted data outside of grains? defining the same thing in pillar?
17:53 whytewolf Sketch: yeap.
17:53 Sketch hmm, looks just like what i tried :) since then, however, i have changed the way it's laid out anyway, so i'm only doing targeting in the sub pillar files
17:54 Sketch (using jinja)
17:54 Sketch i guess i could probably still do it that way, but i have some cases where i'm doing ors so i would still need the jinja in some cases anyway
17:57 ajw0100 joined #salt
17:57 baweaver joined #salt
17:58 solidsnack joined #salt
18:01 baweaver joined #salt
18:02 fivehole joined #salt
18:03 perfectsine joined #salt
18:04 Akhter joined #salt
18:04 alemeno22 joined #salt
18:05 stanchan joined #salt
18:05 trph joined #salt
18:05 solidsnack joined #salt
18:06 SunPowered hey there.  Does a top.sls file need to be present in all branches of a git_pillar repo?
18:07 SunPowered From the docs, it sounds like it just needs to be present in the master branch, and have definitions for all environments
18:08 s_kunk joined #salt
18:09 aqua^c joined #salt
18:09 quasiben1 joined #salt
18:11 alemeno22 joined #salt
18:13 pcn Is there somewhere to track how 2015.8.1 is doing in QA?
18:13 Akhter joined #salt
18:13 tanta_ge joined #salt
18:16 big_area joined #salt
18:17 denys joined #salt
18:17 baweaver joined #salt
18:21 dthom911 left #salt
18:21 DammitJim joined #salt
18:22 breakingmatter joined #salt
18:22 babilen SunPowered: I would even keep it in its own repository (so that you can merge easily between different git branches that are being interpreted as environments). See https://docs.saltstack.com/en/latest/ref/pillar/all/salt.pillar.git_pillar.html#git-pillar-2015-8-0-and-later for detailed documentation
18:23 GreatSnoopy joined #salt
18:24 trph joined #salt
18:24 SunPowered thanks, I've read that.  I'll try it and see if it helps.
18:25 SunPowered I'm still puzzled why my top file was not recognized when it was defined in my base env (master branch)
18:26 SunPowered all defined env/branch pairs merge on top of the base data, no?
18:27 fyb3r joined #salt
18:28 v0rtex joined #salt
18:30 dthom911 joined #salt
18:31 babilen SunPowered: Not sure what you mean exactly but: Yeah, sure ... why not? ;)
18:33 katyucha joined #salt
18:33 SunPowered babilen: :)  I expected that all data in my environment branch (say, 'dev'), is merged with the base env branch ('master').  This would result in a compiled set of pillar data, including a top file
18:34 SunPowered or do I need to merge my base data upstream to the following env branches?
18:34 babilen It is really really simple. You have a single top file that defines which minions are in which environment and which pillars (from the respective environment) they have access to. base isn't really special in that scheme.
18:34 babilen (same for states)
18:35 babilen No magic apart from the braindead decision to equate branches with environments
18:35 SunPowered ok, so I need to be merging my base pillar code to the other environment branches
18:35 SunPowered there is no merging
18:36 babilen The top file is being merged across branches (which is why you keep a single one in its own repo)
18:36 SunPowered I mean, there is no merging the pillar data
18:36 SunPowered ok, got it
18:37 babilen Well, data is merged if multiple pillars define the same key-value pair. The merging strategy is defined by https://docs.saltstack.com/en/latest/ref/configuration/master.html#pillar-source-merging-strategy but I think you meant the environments
18:38 babilen Extra fun: Figure out what happens if you assign a pillar that differs in values to a minion in two environments
18:39 babilen I'd say: Just play with it and see how it behaves. We can talk all day and simply trying it will make things a lot clearer. Just keep the top files in their own repo so that you can merge easily between branches (if you want that)
18:41 bVector joined #salt
18:42 bVector is it possible to have standalone minion with s3fs backend?
18:43 dthom911 joined #salt
18:45 babilen bVector: Try it?
18:45 afics joined #salt
18:45 babilen Don't necessarily see a reason why it shouldn't work
18:48 diegows joined #salt
18:49 SunPowered babilen:  thanks, I'm splitting the pillar-repo up right now.
18:51 cberndt joined #salt
18:52 diegows hi
18:52 diegows OT, but anyone tried to use IAM authentication with any service?
18:52 diegows I'm trying with aws elasticsearch, but experience with something like RDS should be valid to understand how it works
18:53 quantum-x joined #salt
18:55 quantum-x hey all. hopefully what should be a simple question, but I'm tripping up over myself and my google searches. I've got a few load balancers in my group prod-lb. Now, they obviously share many config files - but in one config file, i need it to have a different IP configured depending on which node it is. What would the best method be to achieve this ?
18:56 moski quantum-x: use a pillar to do the host: ip assignment, then use jinja to do a pillar lookup in the config file. Then use file.managed to render/put the config file in place
18:57 quantum-x moski, thank you kindly for the pointers
18:58 BogdanR moski: But how would you go about configuring the IP address of a database node to a webserver node?
18:59 BogdanR And of course, the IP address should not be hardcoded but somehow retrieved with a scalable solution
18:59 babilen (i.e. the mine)
18:59 moski BogdanR: for data lookup from one minion to another minion you would have to set up salt mine: https://docs.saltstack.com/en/develop/topics/mine/index.html
19:00 quantum-x Correct, I mean I'd like my config file to be sent out, and then on all of the load balancers, the local IP sub'd in
19:01 moski quantum-x: since file.managed is rendered on the minion you can just do a grain lookup in your jinja
19:01 chiui joined #salt
19:01 babilen Which is, STILL, not available in pillars: https://github.com/saltstack/salt/issues/21403
19:03 quantum-x I always get the worst headache from salt docs :D
19:03 BogdanR moski: I am already trying to use salt-mine and I added something like this to pillar: http://hastebin.com/bisanobudi.py
19:03 whytewolf babilen: check out this thread towards the middle. https://github.com/saltstack/salt/issues/11509 they talk about a work around for mine in pillar.
19:03 BogdanR But it doesn't render
19:04 hacks Anyone have any thoughts as to why in my minion log I get "Returning information for job:" but on the master, I keep getting an error that the minion did not return?
19:05 whytewolf since 2015.8 and 2015.5.6 using the mine runner may work
19:08 babilen whytewolf: I really don't want to tinker with my templates to accommodate for this as this renders *all* formulas useless in their current state.
19:09 whytewolf babilen: understandable.
19:09 FNDA joined #salt
19:11 babilen whytewolf: I mean it works. Which is something, but I am a proponent of using generic formulas that take all their data from the pillar. You just don't want to force users to maintain multiple forks just because some values in the pillar should be filled with data from the mine (well, *other* minions to put it more generic)
19:11 dthom911 joined #salt
19:11 babilen the main problem in all this is that we don't have static pillars (or pre-pillars or something that allows users to differentiate between dynamic (e.g. filled by the mine) and static pillar data).
19:12 berserk joined #salt
19:12 TheoSLC joined #salt
19:13 moski quantum-x: it could be related to the bug BogdanR posted. You could try the work-around posted in that Issue. https://github.com/saltstack/salt/issues/11509#issuecomment-138980156
19:13 quantum-x Let me check it out, thanks
19:13 moski unfortunately I have not used salt mine myself, so my guidance is limited
19:13 gthank joined #salt
19:14 markm_ joined #salt
19:15 gthank Roughly speaking, how much horsepower would a salt master need if it were in charge of < 50 machines?
19:15 babilen whytewolf: But this seems to be a case of "Either I set aside a week and implement it myself, or it won't happen" sadly
19:15 babilen gthank: one horse
19:15 babilen gthank: You should easily get along with two/three cores and 2G of RAM.
19:16 gthank But is that a t2.mini-horse-instance or a m4.draft-horse instance?
19:16 babilen Well, even one core, but salt loves cores (as it uses multiprocessing)
19:16 chiui joined #salt
19:18 babilen My setups: 1. ~100 minions, master has 12 cores 4G, 1200 minions, 24 cores 6G, 10 minions, 4 cores 4G RAM. These are all overpowered though as I don't pay for cores ...
19:18 tmclaugh[work] joined #salt
19:19 babilen (just to name three)
19:19 SunPowered babilen: heavy on the CPU power
19:20 babilen SunPowered: We run it on our own hardware and salt is very spikey in that if it runs it needs all the cores it can get, but you rarely run highstates on all minions (in the grand scheme of things)
19:21 babilen So I would have given it one core per minion for even the tiniest of setups, but realised that that would be a bit too much ;)
19:22 babilen But I hate waiting and Python's multiprocessing loves cores ... so: Why not?
19:22 berserk joined #salt
19:23 cyborg-one joined #salt
19:23 SunPowered If you're equipped with Rambo firepower, why not bring it along into the jungle
19:25 babilen Well, that is the difference if you run on your own hardware or buy it from a cloud provider I guess
19:25 babilen Once the hardware is sitting there you can just as well use it
19:26 SunPowered right, CPUS need to be justified on VPS
19:29 baweaver joined #salt
19:31 SunPowered urgh, one of my git pillar repos is not being read properly.  Is there a useful command to debug the pillar configuration from a running master?
19:32 Dev0n hey, just trying to figure out a good workflow after reading the salt FAQ, would you split salts according to environment (staging/prod) or platform/service where you would use pillars to determine the environmental specifics?
19:32 Dev0n I assume the former would lead to salt duplication?
19:33 babilen SunPowered: Run the master in debug mode (salt-master -ldebug) and see what happens if you run "salt-run fileserver.update" ?
19:33 babilen Dev0n: What do you mean by "salts" exactly?
19:33 Dev0n sorry, salt states*
19:34 Akhter joined #salt
19:34 Dev0n so my staging and prod will be almost identical apart from a few secrets and configurational options such as API keys
19:34 SunPowered babilen:  It just returns 'True'
19:34 jmreicha joined #salt
19:34 Dev0n so would it not make sense to have the salt states to cover the "service" rather than the "environment"?
19:34 babilen Dev0n: I would split salt states based on semantics (like formulas), that means: One each per service. Then a repo for top files and a repo for pillars with as many branches as you have environments (if you want to merge from one to the other) or one repo each (if you don't want to merge)
19:34 Dev0n not sure if this is making sense
19:35 babilen SunPowered: Well ... pesky bugger!
19:35 Dev0n babilen, that kinda makes sense, is there an example of such a setup?
19:35 Dev0n so pillars basically become your envs as I assumed
19:36 babilen Dev0n: You are aware of https://github.com/saltstack-formulas and https://github.com/SS-archive/salt-states aren't you?
19:36 SunPowered Dev0n: The salt-formulas are great tools to learn about state/pillar relationships
19:36 * babilen still thinks that "SS-archive" is a *very* unfortunate name
19:36 SunPowered jawohl
19:37 babilen Zu Befehl, Herr Obersalzbandführer!
19:37 murrdoc herpaderp
19:38 sunkist joined #salt
19:38 larsfronius joined #salt
19:39 impi joined #salt
19:39 Dev0n babilen, I am aware of them but I don't think I've fully grasped the use of formulas yet
19:40 jmreicha_ joined #salt
19:40 Dev0n but the SS repo should be good to have an idea of how they get tied in
19:41 Dev0n there are so many components that seem to make up the saltstack you just end up getting lost in it :D
19:42 SunPowered Dev0n: yes, the rabbit hole goes deep, and lots of new names and concepts to keep track of
19:42 SunPowered babilen: so there is no equivalent to the 'fileserver.file_list' for pillar data, is there?
19:43 jmreich__ joined #salt
19:43 babilen SunPowered: There might be ... but it is hidden somewhere in the rabbit hole. What is the exact issue you are facing?
19:43 SunPowered well, I need to see what pillar files are being picked up.
19:43 babilen So far I was able to figure out all my pillar problems by looking at the master debug log
19:45 babilen Well, that is one thing you like to do to debug a problem. What happens if you run the master in debug mode and execute "salt-run fileserver.update" followed by "salt 'the_minion_in_question' saltutil.refresh_pillar" ?
19:46 babilen But no, I'm not aware of such a function
19:48 DanyC joined #salt
19:48 SunPowered both return a simple 'True' to the caller
19:48 SunPowered The salt master is complaining it can't find the file: 'Specified SLS 'database' in environment 'base' is not available on the salt master'
19:49 SunPowered Which 'database' is the pillar file defined in the top file for that node
19:49 SunPowered I might scrap the ext_pillar for now and just manage the repo myself
19:49 SunPowered using roots
19:51 toastedpenguin joined #salt
19:52 rim-k joined #salt
19:52 baweaver joined #salt
19:57 coval3nce joined #salt
19:58 herlo joined #salt
19:58 coval3nce Anyone know if there is a way to get git external pillars to act the same as gitfs_remotes for files where environments are automatically mapped to branch names?
19:58 protoz joined #salt
19:59 SunPowered coval3nce: There are some rules to the naming that you can configure.  By default 'master' branch maps to the 'base' environment, and other branch names map to similarly named environments
20:00 armguy joined #salt
20:00 SunPowered you can also map specific branches to environments if they are not named the same.  This is all done in ext_pillar configuration
20:01 coval3nce I know that works for git file roots, but does not appear to work for external git pillars
20:01 whytewolf coval3nce: pre or post 2015.8?
20:01 oznah joined #salt
20:01 coval3nce I upgraded to 2015.8 in hopes to get it to work whytewolf
20:02 coval3nce just got that running now to prove out the functionality - unless i understood the docs wrong, i thought you could use “__env__” as a special branch name
20:02 coval3nce and it would map environments to branches
20:02 whytewolf doesn't look like it that was pre 2015.8
20:03 illern_ joined #salt
20:03 whytewolf post looks like you have to pass - env: <environment> as an option to each external pillar
20:03 whytewolf https://docs.saltstack.com/en/latest/ref/pillar/all/salt.pillar.git_pillar.html#configuring-git-pillar-for-salt-releases-2015-8-0-and-later
20:03 herlo left #salt
20:03 coval3nce That means there is no way to “auto map” correct?
20:03 coval3nce Yup, been using those docs for last 20 mins ;)
20:04 whytewolf humm actually it says it uses the branch name if you don't use an - env:
20:05 coval3nce Hmm, not seeing that behavior either.  Essentially i'd like to “match branch name to environment name, if branch name does not exist, use base”
20:05 coval3nce Or something to that effect.
20:06 whytewolf https://docs.saltstack.com/en/latest/ref/pillar/all/salt.pillar.git_pillar.html#configuring-git-pillar-for-salt-releases-2015-8-0-and-later
20:06 whytewolf ack wrong  paste
20:06 whytewolf # No per-remote config parameters (and no trailing colon), 'qa' will # be used as the environment - qa https://gitserver/git-pillar.git
20:06 Grokzen joined #salt
20:08 whytewolf never used ext_pillar git so I'm only going off the docs here
20:08 coval3nce So what i’m trying to do isn’t supported then it seems.  I want to define a repo, and never define the environment or branch.
20:08 coval3nce similar to gitfs_remotes
20:08 whytewolf yeah that doesn't look to be supported
20:09 coval3nce That would be super nifty, so you can do test/envs without ever touching your master config
20:09 whytewolf you have to tell it the branches to pay attention to
20:09 coval3nce Yeah, bummer.  I love how you don’t have to do that with gitfs_remotes for the files.
20:10 DanyC all, what is the diff between {% endfor -%}  and {% endfor %} ? what does - do in this context ?
20:10 coval3nce its for stripping spaces in the final rendered output in jinja @DanyC
20:10 coval3nce depending where you put it, strips spaces before/after etc
20:11 DanyC coval3nce: thanks !
20:11 toastedpenguin joined #salt
20:11 timoguin joined #salt
20:11 whytewolf DanyC: more explanation and other things to use can be found here http://jinja.pocoo.org/docs/dev/templates/#whitespace-control
20:11 coval3nce +1
20:12 chiui joined #salt
20:18 conan_the_destro joined #salt
20:19 tanta_ge joined #salt
20:22 DanyC whytewolf: much thanks!
20:23 thefish joined #salt
20:25 andrew_v_ joined #salt
20:25 kawa2014 joined #salt
20:26 Akhter_ joined #salt
20:28 dthom912 joined #salt
20:30 CheKoLyN joined #salt
20:31 jeffspeff joined #salt
20:31 Akhter joined #salt
20:33 markm_ joined #salt
20:38 baweaver joined #salt
20:39 timoguin joined #salt
20:45 Akhter joined #salt
20:47 tzero joined #salt
20:47 rim-k joined #salt
20:48 cliluw How come there are no packages or downloads for Salt 2015.8.1? I can only find packages for 2015.8.0.
20:49 whytewolf because 2015.8.1 hasn't been released yet?
20:50 cliluw whytewolf: It's not released yet? I see release notes for it here. https://docs.saltstack.com/en/latest/topics/releases/2015.8.1.html
20:50 whytewolf read the topic of this channel. "Welcome to #salt | 2015.8.0 is the latest"
20:51 babilen It has not been released (not even for packagers)
20:52 twork i'm doing it wrong with some directory perms: https://gist.github.com/mjinks/09286fe05d6ddc5f0a64
20:52 dthom911 joined #salt
20:53 berserk joined #salt
20:56 hasues joined #salt
20:57 hasues left #salt
20:59 baweaver joined #salt
21:02 edrocks joined #salt
21:05 Akhter joined #salt
21:09 keimlink_ joined #salt
21:09 stanchan joined #salt
21:17 Rumbles joined #salt
21:18 coval3nce There a cool nifty way to use salt-ssh without having to create a roster file?  E.g. use salt-ssh for minions showing down as with “manage.down”?
21:18 pm90_ joined #salt
21:19 teebes joined #salt
21:19 pm90__ joined #salt
21:22 babilen coval3nce: You can use the scan roster, you might have to raise the timeout: 'salt-ssh -c ~/salt/ --scan-timeout=0.1 --user=$USER -i --roster scan $CIDR test.ping'
21:22 babilen Throw in ssh identity configuration as you deem sensible
21:23 coval3nce sweet will rtfm on “scan roster”
21:23 dcs__ joined #salt
21:23 babilen There isn't really much configuration, but it essentially allows you to run salt-ssh on network ranges identified by CIDR mask
21:24 babilen (it'll simply try to connect to every box in that range and do its thing)
21:24 coval3nce Thats cool, but doesn’t really satisfy what i’m looking for.
21:24 coval3nce Damn good to know about tho.
21:25 babilen Not sure if what you are looking for exists, to be honest (if you find something, *please* let me know), but the scan roster is quite useful for those "don't have a roster file" situations
21:25 coval3nce https://docs.saltstack.com/en/latest/ref/roster/all/salt.roster.cache.html#module-salt.roster.cache
21:25 coval3nce bam…i think this would do it
21:26 babilen Ah, sorry, should have mentioned that
21:26 babilen You *did* connect to them before, didn't you?
21:26 ajw0100 joined #salt
21:26 coval3nce Yeah, they used to be connected to master, but not anymore for some reason.
21:26 coval3nce So was fishing for an easy way to restart minion service on the ones showing down, without having to go back to ansible
21:27 babilen right, yeah, the cache roster is exactly what you want in that case (and if only to run a couple of "service.restart salt-minion")
21:27 babilen yeah, exactly ... perfect for that
21:27 coval3nce yeah, will how to invoke this thing ;)
21:28 babilen Roster documentation really isn't up to standards is it?! ;)
21:29 babilen I think you just do "--roster cache"
21:30 giantlock joined #salt
21:31 coval3nce I bet that doesn’t work with grains tho
21:34 breakingmatter joined #salt
21:36 nofxrok joined #salt
21:37 ALLmightySPIFF joined #salt
21:39 dagir joined #salt
21:45 aqua^c joined #salt
21:49 schristensen joined #salt
21:50 baweaver joined #salt
21:51 jmreicha joined #salt
21:54 ajw0100 joined #salt
22:00 murrdoc iggy:  where u at
22:00 sinh joined #salt
22:00 murrdoc anyone see iggy
22:00 murrdoc or know how to check last activity
22:01 moogyver ./whois iggy
22:01 moogyver iggy signed on at September 28, 2015 at 5:48:44 PM PDT and has been idle for 1 day, 19 hours, 56 minutes, 29 seconds
22:02 DanyC moogyver: nice one :)
22:04 murrdoc k thats not good
22:04 murrdoc thanks moogyver
22:05 moogyver sure
22:10 DanyC_ joined #salt
22:16 twork if anybody followed up on my latest cry for help: i see the bug now. oops. carrying on.
22:18 hahuang61 joined #salt
22:18 hahuang61 if I want to set a group on an existing file, how might I do that?
22:19 solidsnack joined #salt
22:21 markm_ joined #salt
22:29 keimlink joined #salt
22:31 protoz joined #salt
22:37 markm_ joined #salt
22:41 mosen joined #salt
22:41 coval3nce Hmm, if you reference a pillar such as “a.b” does init.sls automatically get included from “a” ?
22:43 armguy joined #salt
22:43 coval3nce Assuming “a” and “b” are folders in the pillar tree.
22:51 fyb3r left #salt
22:58 zwi joined #salt
22:59 bhosmer_ joined #salt
23:01 trph joined #salt
23:02 kevinquinnyo1 joined #salt
23:02 tmclaugh[work] joined #salt
23:03 falenn joined #salt
23:06 GrueMaster joined #salt
23:09 ajw0100 joined #salt
23:10 ageorgop joined #salt
23:10 armguy joined #salt
23:17 markm_ joined #salt
23:19 otter768 joined #salt
23:20 nnedi3 joined #salt
23:23 trph joined #salt
23:23 nnedi3 left #salt
23:24 hasues joined #salt
23:24 hasues left #salt
23:29 baweaver joined #salt
23:31 kawa2014 joined #salt
23:37 falenn joined #salt
23:40 larsfronius joined #salt
23:40 ageorgop joined #salt
23:47 Joeskyyy_ joined #salt
23:48 otter768 joined #salt
23:48 Joeskyyy joined #salt
23:51 bfoxwell_ joined #salt
23:51 rhodgin joined #salt
23:53 blueyed Is there some FAQ answer to the question of how to ignore "undefined name '__salt__' [E303]" errors with pyflakes etc?
23:54 pm90_ joined #salt
23:55 aqua^c joined #salt
23:59 otter768 joined #salt
