IRC log for #salt, 2015-11-07

All times shown according to UTC.

Time Nick Message
00:01 mapu joined #salt
00:14 baweaver joined #salt
00:22 zmalone joined #salt
00:27 colmm99 joined #salt
00:27 Rumbles joined #salt
00:41 dthom91 joined #salt
00:42 _JZ_ joined #salt
00:44 _ikke_ joined #salt
00:53 zmalone joined #salt
00:56 Sokel left #salt
00:57 robinsmidsrod joined #salt
01:02 Ryan_Lane is order: last supposed to be the last execution in a module, or in the entire state run?
01:02 Ryan_Lane it seems this behavior may have changed in 2015.8?
01:03 Gareth I thought of it as last in a state run.
01:03 Ryan_Lane it looks like it may be last in a module in 2015.8
01:03 Gareth like order: first is the first in a state run.
01:03 Gareth interesting.
01:09 Ryan_Lane nevermind
01:09 Ryan_Lane packer is confusing us :)
01:11 _ikke_ joined #salt
01:15 baweaver joined #salt
01:16 woodtablet left #salt
01:31 otter768 joined #salt
01:32 _ikke_ joined #salt
01:42 fsteinel_ joined #salt
01:49 zzzirk joined #salt
01:51 zmalone joined #salt
01:59 GreatSnoopy joined #salt
02:06 zmalone joined #salt
02:12 otter768 joined #salt
02:17 andrew_v joined #salt
02:32 zzzirk joined #salt
02:40 zmalone joined #salt
02:47 ilbot3 joined #salt
02:47 Topic for #salt is now Welcome to #salt | 2015.8.1 is the latest | Please use https://gist.github.com for code, don't paste directly into the channel | Please be patient when asking questions as we are volunteers and may not have immediate answers | Channel logs are available at http://irclog.perlgeek.de/salt/
02:47 shadowbeast joined #salt
02:52 catpiggest joined #salt
02:58 tzero joined #salt
03:01 larsfronius joined #salt
03:02 quasiben joined #salt
03:10 sunkist joined #salt
03:17 pdayton joined #salt
03:17 zzzirk joined #salt
03:48 JDiPierro joined #salt
03:54 hightekvagabond joined #salt
03:57 pdayton joined #salt
04:01 workthrick https://docs.saltstack.com/en/2015.5/ref/modules/all/salt.modules.runit.html <-- this mentions provider: argument, which is never mentioned in the docs for service module itself: https://docs.saltstack.com/en/2015.5/ref/states/all/salt.states.service.html#module-salt.states.service
04:01 workthrick how would I learn about the existence of this argument, and is there a way to make runit the default provider?
04:08 murkey workthrick: sounds like it's pretty new, there's this as well: https://docs.saltstack.com/en/latest/ref/states/providers.html
04:08 * murkey is no expert though. i have 2 salt setups and can't get either of them running atm :/
04:08 workthrick murkey: yup, just found that
04:08 workthrick I'm discovering the joys of Salt inside docker
04:08 workthrick they're not the best of friends so far
04:09 workthrick small wonder though, because my container looks a lot like ubuntu, but functions nothing like actual ubuntu OS
04:10 timoguin joined #salt
04:10 murkey oh wow
04:10 murkey that sounds kinda hard
04:10 murkey salt is pretty broken on ubuntu 14.04 right now
04:11 workthrick yup, ran into that as well. It doesn't install at all
04:11 workthrick and yeah, I'm discovering the pitfalls of docker the hard way, by running into them
04:11 murkey so i'm just kinda waiting to hear from devs and downloading a precise box at 637k/s
04:11 murkey oh... wait that's actually pretty good
04:11 murkey a minute ago it was like 100th of that
04:11 murkey i haven't messed with docker at all
04:11 murkey definitely want to
04:12 murkey i'm realizing the only thing left in tech that interests me is devops
04:12 workthrick heh, I spent like an hour waiting for packer to download a few days back, because its installer is ~120MB/s and I was getting around 10K/s
04:13 workthrick and when provisioning my docker images, sometimes downloads will randomly drop down to 20-60K/s for no discernible reason
04:13 murkey neat
04:13 murkey i didn't know about packer until now
04:13 murkey ugh yeah
04:13 bastion1704 joined #salt
04:14 workthrick we might actually end up using its multiple builders functionality if it turns out we can't make docker work for our purposes
04:14 otter768 joined #salt
04:15 murkey interesting
04:15 * murkey reads
04:18 murkey sigh. salt install is broken on precise as well. anyone know how to install a slightly older version of salt?
04:19 murkey er, not precise. vivid
04:19 clintberry joined #salt
04:27 workthrick murkey: install_salt.sh stable 2015.5
04:27 workthrick that one installs with no problem
04:27 workthrick murkey: see also https://github.com/saltstack/salt/issues/27820
04:28 murkey ahh, nice. thank you workthrick
04:29 workthrick np
04:36 anmolb joined #salt
04:37 s0undt3ch joined #salt
04:46 workthrick murkey: what issues are you running into when installing latest? I tried rerunning it, and it's been mostly fixed by the new release of the bootstrap script
04:46 workthrick the only kink being that you now need to install both curl and wget for it to work
04:47 malinoff joined #salt
04:52 workthrick actually, just wget will also do, but it fails if you have curl and no wget
04:54 racooper joined #salt
04:54 murkey workthrick: it's mostly here https://github.com/saltstack/salt/issues/28371#issuecomment-154520751
04:55 moogyver joined #salt
04:55 murkey salt-common deps won't install
04:55 workthrick oh
04:55 workthrick LXC bootstrap seems to have its own issues
04:56 murkey lxc... linux containers? does that mean vagrant or...?
04:56 * murkey nub
04:57 murkey i'm just using vagrant with a super-basic vagrant file
04:57 murkey had a 40+ state system working a few days ago... now i can't get salt installed lol
04:58 moogyver vagrant isn't an lxc.  lxc is something like docker.
04:59 murkey oh, so my comment on that issue was out of place
04:59 murkey oops
04:59 murkey oh well
04:59 moogyver and docker is really just a frontend around the linux lxc stuff
04:59 workthrick it's not
04:59 workthrick docker and LXC have parted ways a long time ago
04:59 workthrick they both use cgroups
04:59 workthrick and docker used LXC prior to 0.9
05:00 workthrick but nowadays they're different things with apparently differing views on what they try to provide
05:00 moogyver ah well there you go.
05:00 moogyver learn something new
05:01 workthrick aight, that's enough work for today, have a nice weekend y'all
05:09 murkey take it easy :)
05:11 moogyver hrm.  how do you specify a specific provider with salt-cloud when you're trying to perform an action and you have multiple providers defined?
05:13 quix joined #salt
05:16 hightekvagabond joined #salt
05:17 hightekvagabond joined #salt
05:34 furrowedbrow joined #salt
05:50 josue_ joined #salt
05:58 boargod2 moogyver, My guess is it just throws all those providers into a dict, so if you key the profile by provider...
05:58 moogyver boargod2 - yeah, I was hoping I'd be able to use some of the functions like 'start' and 'stop' without having to do profile stuff though.
05:59 boargod2 yeah I could see that being useful
06:25 otter768 joined #salt
06:43 asco1aro joined #salt
06:45 asco1aro Salt newbie here.  Would someone have time to teach me how to deploy apache to a new server?  I've connected a salt minion to my salt master, cloned the apache formula from github and installed apache on the minion with state.apply apache.debian_full.
06:47 asco1aro I'm stuck on creating the vhost file... I'm not sure what to name the pillar file for the vhost or where exactly it should be placed within the pillar directory.
06:47 bhosmer_ joined #salt
06:48 learning joined #salt
07:28 Lionel_Debroux joined #salt
07:37 evle1 joined #salt
07:44 ignasr joined #salt
08:11 jaybocc2 joined #salt
08:20 cliluw joined #salt
08:20 geekatcmu joined #salt
08:26 otter768 joined #salt
08:29 eigart joined #salt
08:30 eigart hi !
08:32 eigart I have an issue with salt-ssh, and I just wanted to know if the host is supposed to have all required python imports installed, or if salt-ssh was taking care of sending all the code to the host?
08:39 eigart ok, it's an issue in salt-ssh
08:49 denys joined #salt
08:49 fxhp joined #salt
08:53 catpig joined #salt
09:05 larsfronius joined #salt
09:26 ashutoshn joined #salt
09:28 cyborg-one joined #salt
09:30 ashutoshn Is it possible to test a salt recipe on a VM running on remote host inside VirtualBox using vagrant ?
09:43 elsmo joined #salt
09:45 ygok joined #salt
09:48 ygok hi all.. I have a question about positioning saltstack ... I am reading about tanium ( https://www.tanium.com/ ); it is an endpoint security tool. What I see is tanium makes realtime queries on thousands of nodes on the network.. Do you know this tool and have any comment comparing it to saltstack?
09:53 ygok joined #salt
09:54 ashutoshn left #salt
09:58 Fiber^ joined #salt
10:02 viq joined #salt
10:22 GreatSnoopy joined #salt
10:22 jaybocc2 joined #salt
10:27 otter768 joined #salt
10:32 josue_ joined #salt
10:38 CeBe joined #salt
10:38 jaybocc2 joined #salt
10:39 elsmo joined #salt
10:39 slav0nic joined #salt
10:41 rmnuvg joined #salt
10:44 quasiben joined #salt
10:50 elsmo joined #salt
11:06 larsfronius joined #salt
11:13 sfxandy ygok, they are two very different products
11:31 ygok joined #salt
11:32 elsmo joined #salt
11:33 * ygok slaps sfxandy around a bit with a large fishbot
11:34 sfxandy what was that for ygok?
11:35 ygok sfxandy: it was a mistake.. sorry
11:35 sfxandy really!
11:42 mbrgm joined #salt
11:55 amcorreia joined #salt
12:15 avs joined #salt
12:20 asco1aro How can I map a domain name inside of a pillar file?   Pillar render error: Rendering SLS 'monit' failed, render error: mapping values are not allowed here; line 6  server: 'smtp.mandrillapp.com'    <======================
12:23 quasiben joined #salt
12:24 asco1aro This example does the same thing... where he uses smtp.example.com in the pillar.example https://github.com/miguelpalma/saltstack-monit-formula/blob/master/pillar.example
12:28 otter768 joined #salt
12:31 quasiben joined #salt
12:35 asco1aro nm, I figured it out :)
12:38 quasiben joined #salt
12:50 jaybocc2 joined #salt
12:53 quasiben joined #salt
13:03 mehakkahlon joined #salt
13:05 jaybocc2 joined #salt
13:07 quasiben joined #salt
13:29 quasiben joined #salt
13:58 itisme joined #salt
14:29 otter768 joined #salt
14:39 JDiPierro joined #salt
14:45 zer0def joined #salt
14:58 mehakkahlon joined #salt
14:59 clintberry joined #salt
15:02 Guest55101 joined #salt
15:03 mehakkahlon joined #salt
15:06 hightekvagabond joined #salt
15:06 hightekvagabond joined #salt
15:06 hightekvagabond joined #salt
15:07 hightekvagabond joined #salt
15:07 hightekvagabond joined #salt
15:07 hightekvagabond joined #salt
15:08 mehakkahlon joined #salt
15:13 mehakkahlon joined #salt
15:18 mehakkahlon joined #salt
15:19 ldelossa_ joined #salt
15:23 quix joined #salt
15:23 mehakkahlon joined #salt
15:28 zzzirk joined #salt
15:28 mehakkahlon joined #salt
15:28 MeltedLux joined #salt
15:33 mehakkah_ joined #salt
15:34 Gi0 joined #salt
15:38 dthom91 joined #salt
15:38 mehakkahlon joined #salt
15:39 ericof joined #salt
15:39 ageorgop joined #salt
15:39 dthom91 joined #salt
15:41 scarcry_ joined #salt
15:42 scarcry joined #salt
15:43 mehakkahlon joined #salt
15:45 malinoff joined #salt
15:45 josue_ joined #salt
15:48 mehakkahlon joined #salt
15:53 mehakkahlon joined #salt
15:58 mehakkahlon joined #salt
16:00 boargod joined #salt
16:01 denys_ joined #salt
16:03 mehakkahlon joined #salt
16:04 Lionel_Debroux joined #salt
16:05 UtahDave joined #salt
16:08 mehakkahlon joined #salt
16:10 nicksloan can a pillar store which environment it is in?
16:10 nicksloan that is, an sls in a pillar
16:12 mik__R joined #salt
16:13 mehakkahlon joined #salt
16:15 mik__R joined #salt
16:18 mehakkahlon joined #salt
16:18 nicksloan here's the challenge: I have a formula that gets the salt:// path of a config file from the pillar. the formula is in the base environment, but the file is available in the dev environment. perhaps the best approach is to have a set of environment pillars like dev.sls, stage.sls and prod.sls, where I specify the environment overrides. I almost wish there was a pillar for my pillars
16:18 teryx510 joined #salt
16:21 shadowbeast joined #salt
16:21 dthom91 joined #salt
16:23 mehakkahlon joined #salt
16:23 UtahDave left #salt
16:28 mehakkahlon joined #salt
16:28 itisme joined #salt
16:29 otter768 joined #salt
16:33 mehakkahlon joined #salt
16:36 dthom91 joined #salt
16:38 larsfronius joined #salt
16:39 onovy joined #salt
16:45 otter768 joined #salt
16:47 writtenoff joined #salt
16:48 mehakkahlon joined #salt
16:53 mehakkahlon joined #salt
16:58 mehakkahlon joined #salt
16:59 clintberry joined #salt
17:03 mehakkahlon joined #salt
17:06 malinoff joined #salt
17:08 mehakkahlon joined #salt
17:13 mehakkahlon joined #salt
17:15 tongpu joined #salt
17:17 malinoff joined #salt
17:18 mehakkah_ joined #salt
17:18 armguy joined #salt
17:23 mehakkahlon joined #salt
17:28 mehakkahlon joined #salt
17:29 subsignal joined #salt
17:33 mehakkahlon joined #salt
17:34 sunkist joined #salt
17:38 mehakkahlon joined #salt
17:39 JDiPierro joined #salt
17:41 moogyver joined #salt
17:43 mehakkahlon joined #salt
17:48 mehakkahlon joined #salt
17:52 _Cyclone_ joined #salt
17:53 mehakkahlon joined #salt
17:58 mehakkahlon joined #salt
18:03 rdslw joined #salt
18:03 mehakkahlon joined #salt
18:04 rdslw I'm learning salt. What dictates order of pkginstall, fileinstall, servicestart in https://docs.saltstack.com/en/latest/topics/tutorials/states_pt2.html#require-other-states ?
18:04 elsmo joined #salt
18:05 rdslw I understand require working etc. (I'm a seasoned admin) but I'm curious what specifically says that service shut be started BEFORE or AFTER file index.html is copied by salt into directories.
18:05 rdslw s/shut/should/
18:06 rdslw anyone?
18:06 pdayton joined #salt
18:08 mehakkahlon joined #salt
18:12 dthom91 joined #salt
18:14 mehakkahlon joined #salt
18:19 mehakkahlon joined #salt
18:19 kermit left #salt
18:20 kermit joined #salt
18:24 mehakkahlon joined #salt
18:27 stupidnic rdslw: typically your states are going to be ordered in the order they are defined
18:28 stupidnic rdslw: you can modify that with your own order, or with the require, watch, etc directives
18:28 stupidnic there are also finite orderings like "last"
18:28 rdslw stupidnic: yeah, but often you want to avoid some race condition, e.g. running empty IPTABLES without any rules
18:29 mehakkah_ joined #salt
18:29 stupidnic rdslw: yes, in those instances you want to use orchestration
18:29 stupidnic which allows you to specifically dictate what order states are run
18:30 rdslw after reading the tutorials, maybe because of my English, I didn't understand that the examples are not on par with the wording; on pt2 I understood from the description that the order will be managed, while it will not be without specifically adding another require: clause for file existence.
18:30 stupidnic the require is sort of like a dependency
18:30 kofi_ray joined #salt
18:31 kofi_ray Evening
18:31 stupidnic if that makes more sense
18:31 rdslw yeah yeah, I got.
18:31 kofi_ray does anyone have any examples of using salt for ec2 route tables ?
18:31 rdslw I had a problem with the #require-other-states example on the page I quoted. It has only one require for the apache: id while it would be better to have two requires, the second for file present.
18:32 kofi_ray ----------
18:32 kofi_ray ID: Ensure public route table exists
18:32 kofi_ray Function: boto_vpc.route_table_present
18:32 kofi_ray Name: Public Subnet
18:32 kofi_ray Result: False
18:32 kofi_ray Comment: Failed to create route table: VPC VPC does not exist..
18:32 kofi_ray Started: 18:30:24.567218
18:32 kofi_ray Duration: 547.094 ms
18:32 stupidnic kofi_ray: don't paste in the channel
18:32 stupidnic read the topic
18:32 kofi_ray sorry
18:33 kofi_ray seems like it doesn't recognize the vpc_name or id
18:33 kofi_ray sorry about pasting
18:33 stupidnic rdslw: yes you are correct a second require to ensure the file is there would be better, it just wasn't included in the example
18:34 mehakkahlon joined #salt
18:34 kofi_ray ----------
18:34 kofi_ray ID: Ensure public route table exists
18:34 kofi_ray Function: boto_vpc.route_table_present
18:34 kofi_ray Name: Public Subnet
18:34 kofi_ray Result: False
18:34 kofi_ray Comment: Failed to create route table: VPC Salt-VPC does not exist..
18:34 kofi_ray Started: 18:30:24.567218
18:34 kofi_ray Duration: 547.094 ms
18:34 kofi_ray Changes:
18:34 rdslw stupidnic: yep, especially that it's described above "It isn't exactly useful to have a website without a webserver so we don't want Salt to install our HTML file until Apache is installed and running." which is not the case until you add second require.
18:34 kofi_ray ouch sorry
18:34 kofi_ray https://paste.fedoraproject.org/287960/46921255/
18:34 stupidnic it's important to understand that the example also is using a compact definition state where it is defining two states in one item
18:34 kofi_ray so guys
18:34 kofi_ray didn't mean to
18:34 kofi_ray sorry
18:35 stupidnic rdslw: pkg.installed and service.running
18:35 rdslw stupidnic: yeah. BTW, why in require clauses it's called just "pkg" and not "pkg.installed" ?
18:36 kofi_ray Any of the boto guys around to help with this please ?
18:36 stupidnic rdslw: that's just an identifier to identify the state itself
18:36 stupidnic so you don't have to worry about matching the specific state call, just the state module
18:36 stupidnic I struggled with that initially too
18:36 fbettag joined #salt
18:37 rdslw hmmm, let me grok it for a second.
18:37 sunkist joined #salt
18:37 stupidnic It comes with using it... that's about the only way you get comfortable with it
18:37 rdslw but this pkg (within require) is in effect 'pkg.installed' ?
18:38 stupidnic yes
18:38 rdslw what if I want to use different function/call on pkg module?
18:38 rdslw while still within require ofc.
18:38 stupidnic you mean like making the require require another package?
18:39 mehakkahlon joined #salt
18:39 rdslw nah
18:39 rdslw imagine I can have pkg.installed but also just pkg.fetched (different state)
18:39 kofi_ray module.run also fails with the same error message
18:39 rdslw while both installed and fetched being functions within the same pkg package/module
18:40 rdslw and sometimes I want require: pkg.installed
18:40 Hazelesque Hey
18:40 stupidnic rdslw: true, but can you have a fetched and an installed on the same package?
18:40 rdslw and sometimes just require: pkg.fetched
18:40 Hazelesque I saw this thread from last year, about using a "salt reactor" to join new minions to a FreeIPA realm...
18:40 rdslw depends on distro. on gentoo for sure :)
18:40 Hazelesque https://www.redhat.com/archives/freeipa-users/2014-August/msg00191.html
18:40 titilambert joined #salt
18:41 rdslw anyway, it's just an example of my general thought, HOW salt chooses the specific function/call on the pkg module in a require clause
18:41 rdslw or is it a mistake in my thinking?
18:41 stupidnic rdslw: I think you can do something like
18:41 Hazelesque is there anything like that code that's open source, or should I write my own? it sounds a pretty cool way to solve the issue...
18:41 PeterO joined #salt
18:41 stupidnic foobar: pkg.fetched: - name: apache
18:42 stupidnic and foobar2: pkg.installed: - name: apache
18:42 stupidnic and then reference them differently
18:42 stupidnic so require: - pkg: foobar
18:43 stupidnic I am guessing there, I haven't really tried that specific use case before, but require refers to the state's globally unique name
18:43 stupidnic not the package itself
18:43 stupidnic I think that is where your confusion comes from perhaps
18:43 rdslw yeah, that's a solution, yet I'm still trying to understand salt to have a kind of 'mental picture' of how it works, and this "shortcut" on require definitions makes me think about HOW it works.
18:44 mehakkahlon joined #salt
18:44 rdslw I thought about it, but it's not just reference to the global state because here it checks INSTALLED stated, and global state can be anything.
18:44 stupidnic rdslw: you have to play with it to really understand it. I recommend setting up some vagrant instances and then just hammering on them
18:44 rdslw and there is NO installed word there.
18:44 rdslw yep, that's my step for Sunday :)
18:45 rdslw anyway, before I entrust it with more data I need to understand HOW it works, to foresee eventual errors/disasters in cfg
18:45 stupidnic rdslw: a test lab is important to test on
18:46 Hazelesque you might be able to get away with Vagrant though?
18:46 Hazelesque I find that the vagrant plugin "landrush" is really helpful for multi-machine vagrant files
18:46 stupidnic sure if it mirrors your production environment
18:46 Hazelesque you set a fake domain/tld, like ".dev" or "vagrant-sandbox.mycompany.com"
18:47 Hazelesque and it auto-generates DNS records inside its little DNS server
18:47 stupidnic if you have access to something that supports cloud-init like Openstack or AWS then all the better because you don't have to stand up salt-minions and you can do it through the cloud-config yaml
18:47 Hazelesque you need to fiddle with dnsmasq on linux to point that domain at your local fake dns server
18:47 stupidnic but openstack and the like might be overkill for some people
18:47 Hazelesque but on mac, it sets it up automatically through Netinfo
18:48 kofi_ray left #salt
18:48 Hazelesque stupidnic: oh, I <3 openstack, but my laptop isn't quite powerful enough to run a full openstack stack on there *and* do real work ;)
18:49 mehakkahlon joined #salt
18:49 terratoma joined #salt
18:50 cberndt joined #salt
18:54 mehakkahlon joined #salt
18:56 zzzirk joined #salt
18:59 mehakkahlon joined #salt
19:01 Hazelesque rdslw: stupidnic: so I've butchered this a bit to censor $workstuff out of it, but this is roughly what I use for infra testing at work... https://gist.github.com/hazelesque/b154829a1297d7eeb73f
19:03 Hazelesque in case that's of any interest
19:04 mehakkahlon joined #salt
19:06 dthom91 joined #salt
19:07 stanchan joined #salt
19:09 mehakkahlon joined #salt
19:10 ggoZ joined #salt
19:14 mehakkahlon joined #salt
19:15 Todesengelchen joined #salt
19:19 mehakkahlon joined #salt
19:20 pdayton joined #salt
19:23 nidr0x joined #salt
19:24 mehakkah_ joined #salt
19:28 josue_ joined #salt
19:28 mehakkahlon joined #salt
19:31 whytewolf ahh fun, nothing like updating a NAS device during the weekend. why exactly do i put myself through work style things at home again?
19:32 Todesengelchen because you love it (:
19:33 whytewolf sigh, I do
19:34 itisme joined #salt
19:47 ziro` joined #salt
19:48 okfine joined #salt
19:54 clintberry joined #salt
19:55 dthom91 joined #salt
20:05 dthom91 left #salt
20:12 ziro` joined #salt
20:24 quix joined #salt
20:26 cyborg-one joined #salt
20:29 otter768 joined #salt
20:33 hightekvagabond joined #salt
20:39 JDiPierro joined #salt
20:50 rdslw Hazelesque: thank you.
20:51 bodgix joined #salt
20:52 bhosmer joined #salt
21:00 dthom91 joined #salt
21:01 Guest55101 joined #salt
21:14 ajw0100 joined #salt
21:15 itisme joined #salt
21:15 Destreyf joined #salt
21:18 ageorgop joined #salt
21:18 geomyidae_ joined #salt
21:30 simonmcc joined #salt
21:32 Phil-Work joined #salt
21:36 intr1nsic joined #salt
21:37 shadowbeast joined #salt
21:41 Sketch joined #salt
21:42 bfoxwell joined #salt
21:48 ziro` joined #salt
21:53 Knuta Does pillar only contain sls files? Is there any way of storing other kinds of files in there? I am thinking SSH host keys and the like.
21:58 riftman joined #salt
21:59 elsmo joined #salt
22:00 otter768 joined #salt
22:08 clintberry joined #salt
22:08 Hazelesque Knuta: as in, distributing the *private* keys to the hosts? or a central list of the known public keys?
22:18 whytewolf Knuta: pillar is a data structure. not a file system. the minions don't see the sls files but the data structure that they contain. that being said you might want to explore ext_pillars something like https://docs.saltstack.com/en/latest/ref/pillar/all/salt.pillar.file_tree.html
22:21 MK_FG joined #salt
22:29 stanchan joined #salt
22:32 nicksloan can anyone think of a workaround for this: https://github.com/saltstack/salt/issues/28257
22:36 Knuta Hazelesque: The private keys. I want the hosts to have the same private keys after a reinstall.
22:37 Hazelesque Knuta: ahh, I see... well, I suspect that -- if you have a good reason to be doing this -- pillar is not a terrible place to keep that information, as iirc you can restrict which clients can access which bits of data in pillar... but you would (afaik) have to store it as a big string...
22:37 Knuta whytewolf: this looks like something I can work with, thanks!
22:38 Hazelesque Knuta: I'd be tempted to manage the trust relationship, rather than keeping the private keys in "escrow" for rebuilds...
22:39 Hazelesque e.g. either by distributing a known_hosts file, or using the SSH CA stuff to *sign* a minion's SSH host keys
22:39 Knuta Hazelesque: these are login servers, who people can reach from any host. I can't control people's home computers.
22:40 larsfronius joined #salt
22:41 Hazelesque Knuta: fair point... unless you can convince your users to put a line like "@cert-authority *.bar.com ssh-rsa AAAAB3[...]== Comment" into their ~/.ssh/known_hosts file (per https://blog.habets.se/2011/07/OpenSSH-certificates) then that probably is the best you can do
22:42 Hazelesque in which case, using something like pillar is probably a reasonable approach :)
22:42 Knuta I'd rather have it just work :-)
22:43 * Hazelesque looks forward to the day that DNSSEC is standard, and we can actually use SSHFP records...
22:44 Hazelesque Knuta: in all honesty, we have an internet-facing SFTP service at work, and we do pretty much exactly the same thing for the keys for that...
22:44 itisme joined #salt
22:44 Hazelesque (although it's actually ProFTPD with mod_sftp, all running under a single uid...)
22:45 Hazelesque (not real UNIX accounts, heh~
22:46 josue_ joined #salt
22:46 Hazelesque will be interested to hear how you get on with using pillars for this :)
22:49 Knuta Hazelesque: looks like I can basically just slap it into salt.pillar.file_tree, like whytewolf suggested
22:50 Hazelesque Knuta: nice :)
22:50 Hazelesque I have to admit, our SFTP service at work is actually managed by CFEngine...
22:51 Knuta hmm, would be even better if I could use the IP address as key, though. Then I could pre-generate keys for the whole subnet.
22:51 whytewolf Knuta: you will still need a state that turns the pillar data into a file again.
22:51 Hazelesque we have a mixture of, uh, CFEngine (being phased out), SaltStack (hopefully sticking around at least for remote management) and Chef (being phased in)...
22:51 Knuta whytewolf: that's fine.
22:52 Hazelesque (Chef because that's what our outsourced provider uses)
22:52 Knuta Hazelesque: I just replaced a ten year old setup based on rdist and RCS :-P
22:52 Hazelesque nice :D
22:53 Hazelesque did you use m4 for config file templating? ;P
22:53 Hazelesque </horrors_of_sendmail>
22:54 Knuta Hazelesque: there was no templating per se, but some stuff was generated with perl based on disted config files.
22:54 Hazelesque ahh :)
22:55 Knuta Hazelesque: there's some M4 in the old DNS configuration, though. I think it's unnecessary with current bind, but haven't removed it.
22:55 Hazelesque ahhh, heheh
22:57 Knuta Hazelesque: the primary DNS server is a 5 MHz µVAX II with 4 MB of RAM, so we'll probably stick with languages designed a while ago :-P
22:58 Hazelesque I... can't tell if you're joking or not...
22:58 Knuta Hazelesque: There are faster caching DNS servers in front of it, we keep it around for fun
22:58 Hazelesque that makes my old SparcStation 20 look positively spritely
22:58 * Hazelesque still has the Solaris 7 install media on my shelf... the box is a bit dusty though...
22:59 Hazelesque heh
22:59 Knuta Hazelesque: NetBSD runs pretty well on it, we don't use VMS on it.
22:59 Hazelesque ahh, okay
22:59 Hazelesque last time I actually had the ss20 powered up, it was running Debian
22:59 Hazelesque but then they dropped the sparc32 support
23:00 Hazelesque iirc
23:00 Hazelesque so now the oldest currently-powered-and-running box I have here is a PowerPC G4 mac mini, running Debian
23:00 Knuta NetBSD is the only *NIX crazy enough to support µVAX II :-P
23:00 Hazelesque heheh
23:01 Hazelesque the ppc g4 is my DHCP server, hence why it's not been shut down... I've yet to have time to migrate it off... I keep planning to just set up a zone on one of the solaris boxes to do DHCP... heh
23:02 Knuta Hazelesque: they just dropped IA64 as well, so we'll have to replace the web server. We also have a POS terminal for candy running on an old lampshade iMac, but as you say they still support PowerPC. Everything else is running boring old x86.
23:03 Hazelesque this sounds like it's either a hackspace or a compsci department? ;P
23:03 Knuta Hazelesque: this is a university computer club, btw. I'm not crazy enough to use infrastructure like this at work :-P
23:03 * Hazelesque was close enough ;P
23:04 Knuta migrating the IA64 web server is going to be a pain, Certain People write their CGI "scripts" in C :-P
23:04 Hazelesque Oh goodie...
23:04 Knuta "please recompile your CGI scripts!"
23:04 Hazelesque does Bochs support IA64? >:3
23:04 Hazelesque as a guest arch
23:06 Hazelesque Knuta: http://wiki.qemu.org/Google_Summer_of_Code_2012#IA64_emulation ? ;)
23:07 Hazelesque make it slow enough and they'll /choose/ to migrate their CGI to the new arch... ;)
23:07 Knuta Hazelesque: most of those people won't notice for a few months if it breaks ;-)
23:07 Hazelesque heh, aw
23:09 Hazelesque Knuta: looks like http://ski.sourceforge.net/ might be able to use binfmt_* magic to transparently run ia64 binaries? ;)
23:09 Hazelesque if you need a good yak to shave
23:09 Hazelesque heh
23:16 Knuta haha
23:17 Hazelesque :D
23:20 cberndt joined #salt
23:48 stanchan joined #salt
23:51 otter768 joined #salt