IRC log for #salt, 2015-11-11

All times shown according to UTC.

Time Nick Message
00:01 breakingmatter joined #salt
00:01 tmkerr joined #salt
00:12 masterkorp left #salt
00:13 ggoZ joined #salt
00:19 RandyT Ryan_Lane: you run a pretty tight ship from security standpoint it sounds, how are you dealing with the fact that salt does not support KMS keys for S3 access?
00:20 RandyT Just discovered that today...
00:20 RandyT Unless of course you are running develop branch which you may be.
00:28 7YUAAANHD joined #salt
00:31 hasues joined #salt
00:31 hasues left #salt
00:33 sunkist joined #salt
00:34 jaybocc2 joined #salt
00:43 Ryan_Lane RandyT: we don't use the S3 stuff in salt
00:43 Ryan_Lane it's poorly implemented and we hit a lot of bugs with it
00:43 Ryan_Lane I really don't understand why they're so opposed to using boto or boto3
00:47 iggy not consistent with other cloud providers
00:49 mackattack joined #salt
00:49 mackattack hi all
00:50 mackattack Wanted to see if there was anyone on the chan that might be able to help me out with a salt + svn issue I'm having?
00:50 Ryan_Lane iggy: that's not a good reason
00:50 Ryan_Lane iggy: boto and boto3 are massive. reimplementing all of it is a great way to always have shitty bugs
00:51 morissette2 joined #salt
00:52 cberndt joined #salt
00:58 Ryan_Lane (and also to just be missing a lot of features)
01:02 breakingmatter joined #salt
01:03 bhosmer joined #salt
01:05 larsfronius joined #salt
01:08 iggy some people rank consistent user experience higher than ZOMG 100000000000000 features
01:14 Ryan_Lane even it's a consistently bad experience?
01:15 Ryan_Lane the S3 support in salt is frequently broken in ways that wouldn't be broken in boto
01:15 Ryan_Lane also, just because you use boto doesn't mean the user experience would be different for the end-user
01:16 Ryan_Lane except they'd need to install boto
01:16 iggy I've never used AWS, but I do greatly appreciate that I currently run servers in 3 cloud providers and salt makes that consistent between them
01:16 RandyT regarding boto, it has just been suggested to me that I "drop the boto module into _modules" to get around some of the shortcomings.
01:16 Ryan_Lane I don't think that's going to help. it won't use boto. the S3 support in salt makes calls through urllib
01:16 RandyT How do I go about dropping the boto module into local _modules.
01:17 Ryan_Lane they have their own custom implementation
01:17 RandyT doing that with some standalone single files.
01:17 Ryan_Lane there's the boto_* state and execution modules, but that's for other stuff
01:17 Ryan_Lane there's no boto_s3 module at this point
01:20 opensource_ninja joined #salt
01:28 otter768 joined #salt
01:30 nickermire joined #salt
01:35 mackattack joined #salt
01:37 fsteinel joined #salt
01:38 subsignal joined #salt
01:51 big_area joined #salt
01:53 fyb3r joined #salt
01:53 edrocks joined #salt
01:57 StolenToast joined #salt
02:00 sunkist joined #salt
02:00 borgstrom joined #salt
02:09 stooj joined #salt
02:09 felskrone joined #salt
02:16 StolenToast joined #salt
02:18 kickerdog joined #salt
02:18 kickerdog Does anyone know what rpm the system module depends on?
02:18 kickerdog I'm getting "    Module 'service' is not available."
02:18 kickerdog on some of my minions
02:30 mapu joined #salt
02:30 wbill joined #salt
02:32 malinoff joined #salt
02:33 malinoff joined #salt
02:37 writtenoff joined #salt
02:45 opensource_ninja joined #salt
02:46 evle joined #salt
02:47 catpigger joined #salt
02:52 jaybocc2 joined #salt
02:54 cberndt joined #salt
02:56 ajw0100 joined #salt
03:00 kickerdog left #salt
03:03 breakingmatter joined #salt
03:04 bhosmer__ joined #salt
03:05 anmolb joined #salt
03:05 ageorgop joined #salt
03:09 dthom91 joined #salt
03:16 favadi joined #salt
03:21 PeterO joined #salt
03:23 _JZ_ joined #salt
03:29 otter768 joined #salt
03:30 Vynce what does it mean to "enable" or "disable" a state?
03:31 hemebond Vynce: Just guessing but I would say "enable" means it gets applied on a highstate, and "disable" means it doesn't.
03:31 hemebond But that's just a guess.
03:32 Vynce sadly, that (a) sounds perfectly likely and (b) doesn't actually tell me what it means and (c) is more information than the docs seem to give.
03:32 hemebond LOL, oh dear.
03:33 Vynce i mean, i have all these files on disk that (theoretically) define what it means to highstate a machine.  if i "disable" a state, does that change files on disk, or just a cache somewhere?  if the latter, (*panic*) how do i know what the cache has? i've been reading the files on disk and assuming they were Truth.
03:34 Vynce if the former… wut?
03:34 hemebond I have a feeling, based on something I heard a long time ago, that it keeps the state of the state in memory and it is lost on restart/reboot.
03:37 favadi joined #salt
03:38 Vynce oh, salt. i wish you had a "light" mode that only did things that made sense.
03:38 hemebond lol
03:38 hemebond I've never thought to "disable" a state so I've never looked into this.
03:38 Vynce mostly because then maybe the docs would be a manageable size and i could grok the effing system instead of constantly wandering down rabbit holes of dear gods why
03:38 Sketch joined #salt
03:39 Vynce i wouldn't have ever thought of it either.  sadly, the docs don't hide the "why would you ever want this" features.
03:39 Vynce and i learn by reading docs
03:39 Vynce well, i try to
03:40 Vynce sadly, usually tech docs are written in such a way as to make me contemplate the joys of a life of salvage and piracy on the open sea.
03:40 hemebond Someone has been lucky enough to have not used Puppet :-)
03:41 hemebond Still, if you look at the code for state.disable you might find your answer about how it does it.
03:41 Vynce or chef or ansible.  which is maybe half the problem; any time i can find anything that's not written as if i already understand salt, it's trying to explain it in terms of one of those.
03:42 Vynce only if i spend 6 months reading salt code on git.  trust me, i've tried this approach for other questions.
03:42 Vynce i really just want to know "what does it mean" and i think i've decided that "it doesn't matter, cthulhu will eat you before you need it"
03:42 hemebond Well, I suppose the answer to your original question is, "it stops that state from being run"
03:43 hemebond or "stops that function from being run"
03:43 hemebond Like it shows in the docs.
03:43 Vynce are you sure of that?  because i couldn't find that in the docs. also, what does it mean by "that state"? but really, i'm pretty sure whatever it means, i no longer care.
03:44 hemebond https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.state.html#salt.modules.state.disable
03:44 Vynce uh.. which docs?  the ones i have show a call syntax and say *NOTHING* about what that syntax accomplishes
03:44 Vynce yeah that
03:44 Vynce that's a syntax, with no explanation of what it does.
03:44 hemebond It disables it. Won't run it. Or apply it.
03:44 hemebond If you try to apply a disabled state, it won't do anything.
03:45 hemebond If you run a highstate, that state will not be applied.
03:45 hemebond If you try to run a disabled module function, it won't do anything.
03:46 hemebond lol it did nothing.
03:46 hemebond I just disabled test.ping on several Windows minions. It said it was disabled but I could still call it.
03:47 hemebond Maybe it's just states.
03:47 hemebond Oh, just states. My bad.
03:47 hemebond I mistook the doc example for a module.function
03:47 Vynce "won't run it" — on future highstates?  on any future thing at all until i explicitly re-enable? just for that command?  i mean, i guess that's the most intuitive reading of that doc, but it doesn't *say* that, and i cannot fathom why that would be useful, which in the absence of explication makes me hesitant to assume.  but sure.  as i said, i am now sure that *whatever* it does, it's not what i came here looking for, so i no longer
03:48 hemebond I'll test it for you now.
03:48 Vynce it's really OK
03:49 Vynce i don't know if you missed it, but i'm sure i don't care any more. i mean, test it for yourself, if you're curious, but i'm still trying to understand enough to do what i actually am trying to do.
03:50 hemebond Well if it's something you want to know, and you wish the document would state it explicitly, then we can raise an issue to have the documentation amended.
03:50 hemebond I've never wondered about it so I would not have cared what the docs say.
03:50 Vynce i have raised that about every page of the documentation i have ever read.  my understanding is they hired someone earlier this year to work on the docs full-time.
03:51 Vynce it's only something i wanted to know because i was reading the docs and wondered what it meant. i'm actually looking for something else.
03:51 hemebond Possibly. The docs are also updated by the community through issues and pull requests.
03:51 Vynce also, fwiw, "enable" says "function or sls run" so i dunno why disable wouldn't work for a function.
03:55 xDamox joined #salt
03:56 racooper joined #salt
03:56 hemebond Okay, the disabling of the state survives a reboot.
03:56 hemebond So it's there until I re-enable it.
03:56 hemebond It has disabled the state and refuses to apply it.
03:58 djstorm joined #salt
04:00 hemebond Unfortunately it does seem to apply it via highstate.
04:00 hemebond So I'm not even sure what the goal of disabling a state is.
04:00 hemebond I wonder if it's purely to disable a command.
04:00 Vynce so it's disabled for explicit CLI use only? yeah, salt, i don't get you.
04:01 hemebond As in, explicit calls to that state.
04:01 Ryan_Lane_ joined #salt
04:01 Vynce i don't even know how to explicitly set a particular state.
04:01 hemebond What do you mean?
04:01 hemebond Oh, state.apply_state
04:02 hemebond salt '*' state.apply_state mystate
04:02 hemebond Wait...
04:03 mapu I am setting a PTR record using rt53 state. I need to split off the last octet of the IP address to assign- was wondering what the best method to do that might be?
04:04 hemebond Okay I disable the entire state directory and it behaves the same; can't apply directly but can highstate to apply it.
04:07 ekristen joined #salt
04:12 viq joined #salt
04:12 yuhlw joined #salt
04:16 dthom91 joined #salt
04:18 ^C mapu: octets = string.split('.') then maybe {{ octets[3] }} ?
04:18 mapu I tried this so far: {% set rev = {{ grains['fqdn_ip4'] }}.split('.') %}
04:19 mapu thinking I have a syntax error- getting “Rendering SLS 'base:rt53' failed: Jinja syntax error: expected token ':', got '}'; line 13"
04:19 ^C mapu: dont think you need the second set off {{
04:19 ^C of
04:19 hightekvagabond joined #salt
04:20 hightekvagabond joined #salt
04:21 mapu When I try {% set rev = grains['fqdn_ip4'].split('.') %} I get an error - Rendering SLS 'base:rt53' failed: Jinja variable 'list object' has no attribute 'split'
04:21 mapu i know I am missing something simple
04:22 ^C its a list
04:23 ^C i'd try grains['fqdn_ip4'][0]
04:24 chamunks How angry will salt minions get if I want to move my salt-master.  (Basically what can I expect to see have issues.)
04:27 clintberry joined #salt
04:30 Vynce I don't know.  I think i recall seeing that the minions will refuse to acknowledge the new master if the secrets change.
04:31 hemebond chamunks: The minions bind to the IP. If the IP changes then you will need to restart minions.
04:31 Vynce but you might be able to use the old master to add the new master to all the minions (by changing /etc/salt/minion or whatever) and then get the new master to accept all the new minions, then remove the old master
04:31 ramteid joined #salt
04:32 jaybocc2 joined #salt
04:32 chamunks hemebond could I make them bind to a domain name instead of an IP?
04:32 hemebond chamunks: They will resolve the domain name and bind to that IP.
04:32 hemebond They will not re-resolve the DNS name to an IP until they are restarted.
04:32 quasiben joined #salt
04:33 chamunks I think I tried that before Vynce salt minions do not like being restarted by a salt master.  From my last experience.
04:33 Vynce i'm pretty sure i've done it without issue.
04:34 hemebond You could, as Vynce suggests, adding a new master to the minion config. If the minion loses connectivity to one it should reconnect to the other.
04:34 colegatron joined #salt
04:34 chamunks I suppose that could work.
04:34 hemebond Would still require starting the minions to pick up the new config.
04:35 ^C i've moved minions between masters before, from memory i just had to copy minion keys from master to master, and change the master.pub  (and master: xx.xx.xx.xx in the config) on the minion
04:35 ^C it was relatively pain free
04:35 hemebond Yes, all keys will need to be transferred.
04:36 chamunks I was thinking of moving the salt-master to a docker container.
04:37 chamunks Of course on another machine I just like keeping things encapsulated in containers these days.  As I do contract work everything I do has to be fairly tolerant of things changing.
04:38 ^C depends how complex your master is i guess
04:39 ^C if you end up requiring a crapload of functionality, a container might not cut it?
04:43 Vaelatern joined #salt
04:43 chamunks Basically I greatly underutilize salt personally.
04:43 chamunks Just using salt 'glob' cmd.run 'blah.sh' and things like that.
04:44 chamunks basically flamin_scotsman who is usually in here deploys stuff for me using salt templates he wrote.
04:44 chamunks I'm not nearly that swift so I'm kind of muddling along in his wake trying to sort out how to do 10% of what he's doing.
04:53 solidsnack joined #salt
04:58 hightekvagabond joined #salt
05:05 bhosmer_ joined #salt
05:08 wych I am reading salt-doc's best practice section, I don't actually understand  “Don't use grains for matching in your pillar top file for any sensitive pillars” means. The doc link is here: https://docs.saltstack.com/en/latest/topics/best_practices.html
05:11 ^C i'm guessing because grains can be changed on the minion itself, it's a security risk
05:12 ^C say someone hacks one of your servers, and changes a grain called 'role' to 'master'
05:12 wych Yeah, I see. But if not using grains, what should be used to matching?
05:12 ^C if your pillar matching is grain based, you may start serving sensitive 'master' data to the minion
05:13 wych Like different vpn configs for different minions, seems grains['id'] is the only way to do this.
05:14 iggy name is pretty much your only option (assuming you care to follow that recommendation)
05:15 ^C besides... you can use grain, as long as its a) not sensitive b) mixed with other things (ie compound)
05:16 iggy or if you really trust your other security config
05:16 iggy (or like my case used to be... if someone got root on any box, we were pretty much screwed anyway)
05:17 wych iggy sounds like my case right now...
05:22 malinoff joined #salt
05:23 ageorgop1 joined #salt
05:29 wych grains['id'] is not bound to minion_id, I can change grains['id'] in minion config file, shouldn't some key values be verified?
05:29 iggy no?
05:29 otter768 joined #salt
05:30 iggy I mean if you want to match on the name, just do a name match
05:30 iggy the master verifies that against the key data it has for each minion in /etc/salt/pki/
05:30 wych no, I can change id, fqdn, ip address...
05:31 wych iggy  How to match a name?
05:31 iggy in the states top file, you can also match on pillar (but not in the pillar top file as you won't have any pillar data when it's processed)
05:31 iggy that's the default type of matching
05:31 wych iggy  I can set a different id in /etc/salt/minion without affecting /etc/salt/minion_id
05:31 anmolb joined #salt
05:32 iggy yes, but salt's default matching doesn't use the id grain
05:32 iggy it uses the name associated with that key
05:33 wych Ah, I see. But could I use that name in state file or pillar file not just top.sls ?
05:33 chamunks Whoever started doing the tutorial videos is my hero.
05:46 favadi joined #salt
05:54 Vynce joined #salt
05:55 hightekvagabond joined #salt
05:57 wych iggy  seems we can use opts['id'] instead, see this https://gist.github.com/MarloweW/5b0d3a4cccb62c49cf53
06:00 iggy you should do your mapping in the top file
06:04 wych Hmm, Yes. Just in case If I have to do mapping in states.
06:07 OliverMT_ joined #salt
06:08 iggy then you could use pillar data
06:08 analogbyte joined #salt
06:08 _ikke_ joined #salt
06:09 hemebond joined #salt
06:14 favadi joined #salt
06:14 xDamox joined #salt
06:43 jaybocc2 joined #salt
06:44 ashmckenzie joined #salt
06:44 terratoma joined #salt
06:51 Emantor joined #salt
06:51 hojgaard Hello. I have a problem. When i am targeting minions using grains eg: salt -C 'G@friendlyname:test1' test.ping it is like its sending the request to all minions even though only one has that grain value
06:52 hojgaard but for the minion that has the grain value it responds correctly but for all the rest it seems to respond with "minion did not return, not connected"
06:56 hemebond hojgaard: Does the same thing happen if you just use -G 'friendlyname:test1'
06:56 hemebond ?
06:59 colttt joined #salt
07:00 malinoff_ joined #salt
07:05 breakingmatter joined #salt
07:05 bhosmer_ joined #salt
07:08 larsfronius joined #salt
07:13 mehakkahlon joined #salt
07:14 hojgaard hemebond, sorry, but yes it does still
07:14 hemebond I've seen something similar when trying to use the subnet targeting.
07:14 hemebond I either get none or I get lots where only a few come back successfully.
07:15 zionsofer joined #salt
07:15 hojgaard hemebond, yeah i tried that also..
07:15 golodhrim|work joined #salt
07:16 impi joined #salt
07:22 hemebond Subnet targeting seems terribly unreliable. I wonder if it's the same for grains.
07:25 solidsnack joined #salt
07:29 KermitTheFragger joined #salt
07:30 hemebond All my targeting seems unreliable.
07:30 otter768 joined #salt
07:32 AndreasLutro joined #salt
07:34 hemebond No wait, I'm a slug-brain.
07:34 hemebond Grains work fine for me.
07:35 hemebond hojgaard: Are you sure those other minions don't have the grain you're targeting?
07:35 hemebond Have you done a grains.items to check?
07:35 hojgaard yes i am completely sure
07:36 hemebond Are they online?
07:36 hojgaard they are online and a salt '*' test.ping all of them respond
07:36 hojgaard it's so weird
07:36 hemebond Yeah.
07:36 hemebond I don't know what it's trying to do.
07:38 hojgaard hemebond, but thanks for taking your time
07:42 msciciel_ joined #salt
07:42 hojgaard hemebond, i now think i know why. I cleared the grains cache
07:43 hojgaard but now i restarted all the minions and now only a few are targeted besides the one with the correct grain value
07:44 sinh joined #salt
07:44 armyriad joined #salt
07:44 tawm04 joined #salt
07:44 jb_ joined #salt
07:45 sk_0 joined #salt
07:45 dthorman joined #salt
07:45 hemebond Did you do a saltutil.sync_grains afterwards?
07:47 alvinstarr joined #salt
07:49 CryptoMer joined #salt
07:50 honestly in a python renderer, is there an easy way to get 'the paths to all files in salt://foo/bar/'?
07:50 MeltedLux joined #salt
07:51 mehakkah_ joined #salt
07:51 Vynce joined #salt
07:53 tawm04 joined #salt
07:53 honestly __env__ is supposed to give me the "file server environment" but I don't see any docs about how to use it
07:53 AndreasLutro honestly: you could use the cp.list_master module function
07:53 sk_0 joined #salt
07:59 cberndt joined #salt
08:00 Vaelatern joined #salt
08:07 fdgfdg joined #salt
08:08 honestly I'll have to use list_master, yeah
08:11 schinken joined #salt
08:11 schinken If I have a salt file for nginx, but I only want to provide my ssl certificate to specific hosts, how would I do that?
08:11 mattiasr joined #salt
08:12 schinken I know I can use pillar, but I'm not sure how to restrict access / manage restrictions
08:12 schinken Is there a good example somewhere?
08:12 hemebond schinken: Restrict to whom/what?
08:12 babilen schinken: You would simply target the pillar SLS that contains the cert to only the minion(s) you want it to have
08:13 schinken If I have a host with users which have sudo rights, I want to prevent that they can require the nginx state and retrieve the ssl certificates
08:13 nafg joined #salt
08:13 schinken I want to restrict it to "trusted clients"
08:13 babilen schinken: You mean on a *different* minion?
08:13 schinken jep
08:13 favadi joined #salt
08:13 babilen Well, simply don't target the pillar to that minion.
08:14 babilen Pillars are specific to each minion
08:14 schinken Okay... but what if i want to allow them to install a nginx, but don't retrieve the ssl?
08:14 schinken Should I have 2 nginx states? One with ssl, one without?
08:15 wych you can put a variable there
08:15 dRiN joined #salt
08:15 babilen schinken: States and pillars are independent and you would, normally, write your states in such a way that they do the right thing depending on the availability of certain data.
08:16 babilen You could, naturally, write two states too (say, nginx.ssl and nginx)
08:16 babilen https://github.com/saltstack-formulas/nginx-formula might give you an idea
08:16 wych I noticed that as minions grows, the top.sls will increase and may get unmaintainable, what's the best way to manage top.sls ?
08:16 Eric___ joined #salt
08:17 hemebond wych: Some people have used grains and a templated top.sls to do that.
08:17 babilen Or pillars
08:17 schinken babilen: The goal is to "do the right thing depending on the availability of certain data" ;)
08:18 hemebond babilen: That's what I'm thinking of doing.
08:18 babilen But you can render your top.sls based on data. This would, for example, allow you to keep host <-> state mappings in a database, access that as external pillar and render your top.sls from that
08:18 wych hemebond  won't that be more difficult to understand top.sls? I am wondering if I can split top.sls and use include just like puppet's sites.pp and manifests/*.pp
08:19 wych but it seems salt doesn't allow that.
08:19 babilen schinken: Well, I meant you could define a "nginx:site:ssl" pillar and include a state that manages the certificate if the data is available (or something along those lines)
08:19 hemebond wych: You could split into environments.
08:19 hemebond wych: But you can also include Pillar files into others.
08:19 babilen Environments are rather for modelling workflows/testing though
08:20 schinken babilen: I guess the trick is, to require the pillar, restricted to hosts and catch the case, where a minion is restricted to get ssl certs.
08:20 schinken Or doesn't the pillar fail, if a restriction doesn't match?
08:20 hemebond babilen: I'm just assuming his top.sls is large because he has multiple environment-type groups all in the one file.
08:20 schinken (Sorry, I'm kind of new to salt and pillar)
08:20 wych Agree with babilen. If split into environments, there would be 10+ environments...
08:20 hemebond I use environments for workflow and for projects.
08:21 hemebond wych: Why is your top.sls so large?
08:21 hemebond Are all minions in the same project/environment?
08:22 babilen schinken: Pillars are working under a closed world assumption, which means that you have to explicitly target data to minions and that data that hasn't been targeted to a minion will not be available to it.
08:22 wych hemebond All minions are in the production environments. but there's many roles, webserver, proxyserver, logserver, cacheserver, dataserver, and so on ...... nearly 20.
08:22 hemebond wych: Ah okay. I thought it was large because they were for different projects or environments.
08:23 hemebond Can't you include files into top.sls?
08:23 babilen No
08:23 wych hemebond  I didn't get it to work.
08:23 wych top.sls doesn't support include.
08:24 babilen How many lines do you have in your top.sls, wych ?
08:24 hemebond Then a template that uses grains or pillars would possibly work for you.
08:24 babilen I don't see the point of using grains for that mapping (why save it distributed on the minions?)
08:25 wych babilen 100+  for now, and it's growing.
08:25 babilen wych: And you can't group/abstract it more?
08:25 Eric___ .HELP
08:25 hemebond babilen: Dunno, but that's what people have done, so I'm mentioning it for completion-sake :-)
08:25 babilen sure
08:26 * babilen solves Eric___'s problems.
08:26 babilen You are welcome
08:26 wych babilen I have tried my best, if abstract more, states will be too complicated to maintain for others.
08:27 Eric___ :-) i need help with salt-cloud on ec2 with windows
08:28 babilen No, I meant things like "tagging" minions and targeting states by that or using specific grains (e.g. target pkgrepo.managed states based on the oscodename grain, rather than by id, ...)
08:29 babilen I guess we can't really help without seeing your top.sls though :(
08:29 TOoSmOotH joined #salt
08:29 mehakkahlon joined #salt
08:30 wych babilen  Yeah, that could work. I got many servers should apply unique states, that's why top.sls grows so big.
08:30 wych babilen I will post an example.
08:32 babilen wych: It really sounds as if you want to use more generic states and then tailor their behaviour by providing different data in pillars. Take a look at some of the formulas on https://github.com/saltstack-formulas for examples of that. salt-formula is quite good and you might also want to take a look at collectd, nagios, ...
08:33 Guest55101 joined #salt
08:34 babilen So rather than writing a "webserver.foo_minion" state you write a "webserver.sites" state that reads data about the configuration of that site from pillars and uses that to generate a suitable configuration file.
08:34 mehakkahlon joined #salt
08:34 wych babilen won't this make pillar top.sls big?
08:36 wych I would lots of mapping in pillar top.sls.
08:36 babilen Well, if you have ten thousand exceptions then you have to model them *somewhere*
08:37 babilen A good example is the users-formula. You can target it to every single node and it doesn't do anything without data in the pillar.
08:37 calvinh joined #salt
08:40 babilen Normally you find levels of abstractions though (e.g. groups of users). Say you want an "admin" group to have access to all boxes, but grant them sudo on only a subset. For that you'd target a "default" SLS to all boxes and then let salt merge in the sudo stuff from another SLS...
08:40 mehakkah_ joined #salt
08:42 wych babilen  thanks, I see how users-formulas made this.
08:42 Eric___ i have a q how to make salt-cloud use pywinrm and not winexe
08:43 wych In users-formula's case, I put all info in database,and write an api to query users can login to a host. then let pillar query that api.
08:46 Norrland joined #salt
08:47 babilen wych: You could even interface with the db directly: https://docs.saltstack.com/en/latest/ref/pillar/all/
08:50 slav0nic joined #salt
08:50 kawa2014 joined #salt
08:50 Norrland When running states with service.running, I'd like to have a 'onlyif' that will halt the operation if the script returns anything else than 0. Is that possible?
08:52 jrklein joined #salt
08:54 wych babilen great!
08:55 wych Norrland you can use unless https://docs.saltstack.com/en/latest/ref/states/requisites.html
08:56 Norrland "The unless requisite specifies that a state should only run when any of the specified commands return False."
08:57 babilen Norrland: "halt the operation" ?
08:58 Norrland babilen: like in, do not continue with next operation that would be to reload the service specified.
08:59 babilen Norrland: States that require a failed state also fail (as their requisites aren't met)
08:59 babilen It is also not clear to me what "the script" refers to in this context
09:00 Norrland babilen: I want to run a syntax check "service icinga2 checkconfig". And if that is OK, reload the service. Otherwise, fail the state.
09:01 babilen Norrland: Then require the "cmd.run" state in the service.running state
09:01 Norrland babilen: ah, will try.
09:01 babilen (and you wouldn't reload based on the outcome of the cmd.run check, but based on changes to a configuration file)
09:02 babilen So: Don't watch the cmd.run state, but a file.managed state
09:03 Norrland yes, watch: - file: myconfig<CR>- require: - cmd: config-check
09:03 Norrland or?
09:03 wych Norrland  there's onlyif in that page.
09:03 babilen Yeah, something like that
09:04 rotbeard joined #salt
09:04 Guest55101 joined #salt
09:04 babilen Sure, onlyif would work too
09:06 shiriru joined #salt
09:06 breakingmatter joined #salt
09:06 bhosmer_ joined #salt
09:07 Rumbles joined #salt
09:10 crashmag_ joined #salt
09:13 wych how to list states for a minion only? is something like liststates ?
09:18 zerthimon joined #salt
09:23 AndreasLutro wych: state.show_top
09:26 Erik____ joined #salt
09:26 GreatSnoopy joined #salt
09:27 wych ah, great! thanks!
09:31 otter768 joined #salt
09:31 charli joined #salt
09:34 jaybocc2 joined #salt
09:35 Erik____ hi all i need help with salt-cloud. How can i make it work with winrm and not winexe
09:35 Erik____ i see in debug mode Executing command(PID 29810): 'winexe -U
09:37 MadHatter42 joined #salt
09:38 charli joined #salt
09:41 larsfronius joined #salt
09:45 larsfron_ joined #salt
09:48 17SAD1FMG joined #salt
09:50 solidsnack joined #salt
09:50 jaybocc2 joined #salt
09:52 ziro` joined #salt
09:56 tuxx hey guys how do i add a repo to apt-get using salt
09:56 hemebond tuxx: pkgrepo
09:56 raqua joined #salt
09:57 tuxx hemebond: ok ill take a look
10:01 raqua Hi all, I have problem getting multi environment working. I am doing orchestration, not sure if that has something to do with it or I just do not understand it properly. Let me describe the situation:
10:02 raqua my master settings: https://gist.github.com/raqua/9c33e8dd7f3d001f873c
10:03 raqua on every minion I have set environment: cf_stag
10:06 ggoZ joined #salt
10:08 raqua I am not sure if it is ok to actually have only pillars per env and shared states for all env
10:11 raqua my pillars structure and contents: https://gist.github.com/raqua/325d30c2d5942dc61451
10:12 raqua I have the same variable in all three default*.sls and it stores value of environment (just for testing this)
10:14 raqua_ joined #salt
10:14 raqua_ what am I doing wrong?
10:21 _JZ_ joined #salt
10:21 _mel_ joined #salt
10:24 16WAAQOAM joined #salt
10:27 CeBe joined #salt
10:37 cyborg-one joined #salt
10:39 tuxx how can i make a salt minion pull changes?
10:39 fredvd joined #salt
10:40 tuxx so far i can provision by making the master push changes
10:40 tuxx salt '*' state.highstate
10:40 babilen salt-call state.highstate on the minion
10:40 babilen But then: What's wrong with pushing?
10:44 Twiglet Is an extend overwriting something expected behaviour?
10:44 Twiglet http://hastebin.com/saqodehede.vhdl
10:44 HiHi joined #salt
10:45 HiHi 'ZMQIOLoop' object has no attribute 'call_later'. What's this mean?
10:45 ziro` joined #salt
10:47 felskrone joined #salt
10:48 HiHi The log of master always tells: This salt-master instance has accepted 0 minion keys. But I can see there are connections between master and minion by netstat
10:48 felskrone joined #salt
10:49 felskrone joined #salt
10:50 HiHi So nobody here can help. I quit :(
10:50 giantlock joined #salt
10:51 favadi joined #salt
10:56 Norrland babilen: awesome. requiring the 'cmd.run: service foo check' works
10:59 ziro` joined #salt
11:07 bhosmer joined #salt
11:08 breakingmatter joined #salt
11:20 chiui joined #salt
11:22 traph joined #salt
11:24 traph would a compound match a list grain?
11:25 sjorge joined #salt
11:25 sjorge joined #salt
11:26 traph e.g.: salt 'some-*' mine.get 'test-*' 'P@roles:webserver' compound
11:26 traph "roles" grain has a list of roles assigned to it
11:27 AndreasLutro you could test it
11:28 DanyC joined #salt
11:29 traph I did and actually it doesn't get the nodes with that role
11:31 AndreasLutro guess that answers your question
11:31 babilen Norrland: You might want to try defining  "- onlyif: service ...." in the service.running state too. It might make your intent clearer
11:32 babilen traph: You might also want to consider defining this in pillars rather than grains
11:32 traph babilen, why is that?
11:32 otter768 joined #salt
11:33 amcorreia joined #salt
11:34 traph AndreasLutro, I guess my actual question is how to match an entry in a list?
11:34 babilen traph: I don't necessarily see any merit in storing this information in a distributed fashion (on the minions), rather than on the master
11:35 babilen (or in a database/external pillar)
11:36 AndreasLutro traph: doesn't look like it's possible
11:37 giantlock joined #salt
11:37 JeffChen joined #salt
11:37 AlberTUX1 joined #salt
11:38 wolog joined #salt
11:39 solidsnack joined #salt
11:39 s_kunk joined #salt
11:40 babilen traph: It should match. Could you paste the output of "salt 'some-*' grains.get roles" and "salt -C 'P@roles:webserver' test.ping"  to one of http://refheap.com, http://paste.debian.net, https://gist.github.com, http://sprunge.us, http://dpaste.de, … please?
11:43 babilen traph: Oh, if you use mine.get you'd have to set expr_form if you want to use a compound matcher
11:43 babilen (it uses glob by default)
11:43 * babilen will just wait for the paste
11:47 amy_ joined #salt
11:47 ziro` joined #salt
11:47 amy_ hello
11:47 amy_ Anyone know how to install salt on ubuntu 14.04.3 with RAET?
11:47 DanyC all, could someone tell me what does schedule.conf file in /etc/salt/minion.d/ dir? i'm trying to understand what someone else where they are copy 2 files onto salt master minion.d dir - see http://hastebin.com/lohopufose.sm
11:48 amy_ no clue...
11:48 amy_ what about installing Salt with RAET on Ubuntu 14.04?
11:48 babilen amy_: From what I've heard: RAET won't ever make it into production (has essentially been obsoleted already)
11:48 DanyC reading the doc it says the schedule.conf is generated but the person is uploading it - very confused
11:49 amy_ where did you read that?
11:49 wolog left #salt
11:49 babilen amy_: In here
11:49 DanyC babilen: that is news, will that be replaced by something else?
11:49 babilen It has been superseded by another approach
11:49 amy_ There is an inherent problem with Salt. Sometimes not all the minions respond to the master and I have to restart the salt-minion.
11:50 traph babilen, https://www.refheap.com/111567
11:50 DanyC babilen: thanks
11:50 babilen Let me try to find some details .. last time it was very much based on information from a salt dev
11:51 amy_ This is a well-known problem. The salt-minion sometimes doesn't respond.
11:51 amy_ so I thought the new transport (RAET) would fix this.
11:52 traph babilen, isn't "compound" in the salt command the expression form?
11:52 babilen ""P@client:test P@environment:(uat|prod) and roles:(webserver|test)"" is missing an "and" in between "test" and "P@environment"
11:52 babilen traph: It is, but you didn't mention that earlier. And as you can see: You can match on "webserver" just fine
11:52 traph corrected it, but same output
11:53 babilen What does "salt -C 'P@client:test and P@environment:(uat|prod) and roles:(webserver|test)' test.ping" give you?
11:54 babilen And are you sure that they have information in the mine? I mean we are conflating several issues here (targeting, list element matching, mine setup, mine retrieval, ....)
11:54 traph babilen, no output
11:54 amy_ joined #salt
11:54 babilen Oh, and that shouldn't be "roles:(webserver|test)" but "P@roles:(webserver|test)" naturally
11:54 DanyC amy_: fyi what babilen said - http://irclog.perlgeek.de/salt/2015-09-11 - search for RAET and you can see the response
11:55 babilen DanyC: Thanks
11:55 traph babilen, yeah it matched
11:55 Erik____ hi all anyone understand use_winrm in salt-cloud
11:55 Erik____ ?
11:55 babilen traph: I'd recommend to tweak your targeting expression with test.ping before trying to use it in mine.get
11:56 Erik____ i try to use it but its not working
11:56 traph babilen, probably have to do saltutil.refresh_pillar
11:56 chiui joined #salt
11:56 babilen How do pillars factor into this? You seem to still be using grains for "roles".
11:56 amy_ Sometimes the salt-minion does not respond.. any idea how to fix this issue with Salt?
11:56 babilen amy_: Which version of salt?
11:57 babilen And what are the exact symptoms of "does not respond" ?
11:57 traph babilen, right
11:57 amy_ for example: salt "*" test.ping
11:57 amy_ we have about 300 hosts...
11:57 babilen traph: Can you mine.get if you target a particular minion explicitly?
11:58 amy_ what is mine.get?
11:58 babilen amy_: Did you set "ping_on_rotate: True" in your master config?
11:58 traph babilen, it seems to be working now
11:58 babilen traph: \o/
11:58 traph salt 'test-*' mine.get "P@client:test and P@environment:(uat|prod) and P@roles:(webserver|test)" network.ip_addrs compound
11:58 traph this returns the right output
11:58 amy_ no, I didn't set that.
11:58 babilen traph: Please consider using pillars in lieu of grains though (in particular if you don't want the minions to be able to decide which states they get)
11:59 amy_ It's not just test.ping... we could be running other salt commands and the minion does not respond.
11:59 traph amy_, it's a way to collect information from the minions to the master and use it in states, for example
11:59 DanyC so who knows what these files on salt master node do? http://hastebin.com/lohopufose.sm i get the mine.conf but not sure about the _schedule.conf (isn't that auto generated?)
11:59 babilen amy_: You might want to try that. It might not necessarily be the source of your problem, but it did make a massive difference for us with larger setups. Essentially what happens is that the master is rotating its keys every 24h and the minions have to pick up on that.
12:00 traph babilen, how can minions decide to change their grains?
12:00 tuxx ive not quite understood the concept of pillars, when do i need pillars?
12:01 swisstone joined #salt
12:01 traph babilen, and how to define each minion's role with pillars?
12:01 babilen amy_: Setting "ping_on_rotate: True" gets the master to ping all minions whenever that happens so that the "cycle key" event can get through. Doing this would make sense if your symptoms are: 1. Ping all minions → not all reply 2. Wait a little, ping again → all minions reply
12:01 Norrland babilen: http://a6ec420c8f819fe1.paste.se/
12:01 Norrland babilen: with the onlyif.
12:01 jaybocc2 joined #salt
12:03 amy_ babilen: thank you. I'll try that.
12:03 babilen traph: You write a pillar in which you assign roles to minions (essentially return a list of assigned roles) and then target them with "J@roles:$FOO". Depending on your input data it might make sense to maintain a mapping from roles to minions, then invert that mapping and return a suitable list. I'd probably write that in Python. You could also wait for deep merging of pillars and just target whatever roles
12:03 babilen you want to target to the minion.
12:04 babilen You could also maintain multiple files (one per minion in the extreme case) in which you list all applicable roles, but I'd consider that unmaintainable.
12:05 traph definitely will do some research on that.
12:05 babilen My preferred variant would probably be that you maintain this mapping in a database (your management software could even write to that directly) and then return it from an external pillar.
12:05 swisstone Hey, when creating an instance using salt-cloud the IP for the instance is returned along with other data, is this then stored somewhere on the master? How do I then run a script / state using this value? I guess it doesn't necessarily need to be specific to salt-cloud.
12:06 babilen traph: Essentially the *only* trustworthy information about minions is its id. You should ground other things on it and build abstractions on top of it. If you can't exploit certain patterns in the id (say foo-dev-web1) then you need a mapping between role and id *somewhere*.
12:07 babilen I mean: How do you manage/target your grains?
12:07 traph babilen, so the pillars would respond to minion ids. I get why ids are reliable - because of the key exchange.
12:07 traph I use the ids again, so that makes sense
12:08 traph decided to implement that approach because of flexibility
12:12 traph but you attach the pillars to target minion ids always. If you want a certain additional role to be added to the minion, you'd have to override it by explicit definition in the pillar hierarchy
12:16 babilen I don't quite follow .. I had something in mind like: https://www.refheap.com/111569 (very basic example)
12:16 babilen (or invert the role to minion mapping, invert the dictionary and then return that)
12:17 jaybocc2 joined #salt
12:17 babilen You could even read that information from a YAML file and write the "role" pillar that does the data munging in Python (or mako or ...)
12:18 babilen You could even write a program that returns the right information as YAML or JSON and use the cmd_json ext pillar ...
12:18 babilen So many options ;)
12:19 amy_ joined #salt
12:19 ingslovak joined #salt
12:30 catpig joined #salt
12:30 ekristen joined #salt
12:31 dthom91 joined #salt
12:32 felskrone joined #salt
12:32 swisstone As an example https://gist.github.com/anonymous/d70d7a018b0f3db58343 I want to take the IP address returned and add a DNS entry using a salt module / state
12:33 swisstone I am very new to salt, just finding my feet
12:34 shiriru joined #salt
12:40 solidsnack joined #salt
12:43 hightekvagabond joined #salt
12:44 babilen swisstone: I'd use network.ip_addr with a suitable cidr mask in a state or even send that information to the mine if you need information about other minions (e.g. information about all minions on the one running the server)
12:46 jhauser joined #salt
12:46 swisstone as the IP is nat'd the minion does not know this IP address. Can I send it to the mine once it is returned from the initial command?
12:49 babilen no idea
12:49 Erik____ anyone can help with salt-cloud?
12:55 seatan joined #salt
12:55 dthom91 joined #salt
12:57 seatan hello :)
12:58 toanju joined #salt
12:59 seatan i'm getting this "[ERROR   ] You should upgrade pyOpenSSL to at least 0.14.1 to enable the use of X509 extensions" when running salt-ssh 2015.8.0, and i can't figure out why
12:59 seatan does anybody have any idea?
13:00 Norrland seatan: maybe because the pyOpenSSL package in your system is older than 0.14.1?
13:00 seatan 1. i pip installed 0.15
13:01 seatan 2. shouldn't salt manage that dependency on its own?
13:03 AndreasLutro seatan: did you pip install on the minion or the master? it looks like it's an optional dependency, which salt arguably shouldn't manage
13:04 seatan i pip installed it on the master, and i'm running commands through salt-ssh
13:05 breakingmatter joined #salt
13:05 AndreasLutro right - you need to install it on the minion
13:05 AndreasLutro you can do it in a state
13:06 ziro` joined #salt
13:08 bhosmer joined #salt
13:08 DammitJim joined #salt
13:08 ziro` joined #salt
13:09 seatan i don't understand why is this error thrown tho', i've changed nothing in my states or servers since a few months ago
13:10 mortis_ any points as to where i should look to find out how to import an sls pillarfile in a python-script? its full of jinja, so a yaml.load won't work :)
13:10 mortis_ pointers*
13:11 tuxx hey guys.. right now i have a salt dir hierarchy like /srv/salt/packages/vim.sls /srv/salt/hosts/host1.sls and /srv/salt/top.sls which includes hosts.host1, which in return includes packages.vim etc... i'm not sure if that is a good file hierarchy however... does that seem ok?
13:13 kavakava joined #salt
13:13 ThomasJ joined #salt
13:14 TooLmaN joined #salt
13:16 bmcorser joined #salt
13:17 bmcorser trying to run the unittests
13:17 bmcorser https://www.irccloud.com/pastebin/1vTuXKfl/salt-test-err
13:17 bmcorser its locked my terminal up :(
13:17 ziro` joined #salt
13:18 babilen bmcorser: Congratulations!
13:19 bmcorser @babilen do i need to do something other than follow instructions on https://docs.saltstack.com/en/latest/topics/development/tests/index.html#running-the-tests ?
13:19 babilen I don't think so
13:20 bmcorser any known issues with running the suite in a virtualenv?
13:20 seatan does salt automatically read .py files from the file_roots _modules dir, or does the path need to be explicitly defined?
13:21 quasiben1 joined #salt
13:21 babilen seatan: The former
13:22 bmcorser and when i use `python setup.py test`:
13:22 bmcorser https://www.irccloud.com/pastebin/UIJslGuk/
13:24 seatan babilen: and if for some reason it doesn't, why would that be?
13:24 babilen seatan: Why do you think that it didn't?
13:27 seatan babilen: because i'm getting this error http://pastebin.com/raw.php?i=VZQJQ4ju (where salt/_modules/helpers.py contains the timestamp function)
13:28 babilen Ah, salt-ssh
13:29 seatan :) the black sheep of the salt family?
13:29 babilen Well, every "I know" turned into "I hope that .." ;)
13:30 seatan isn't it the same implementation, only instead of using zeromq to communicate it uses ssh?
13:30 babilen Also my next question "Did you sync modules prior to running a state?" is unimportant. I'd check if the module is actually synced
13:30 AndreasLutro custom modules work fine with salt-ssh, you don't need to sync anything
13:30 AndreasLutro are you sure you put it in the right path?
13:30 babilen Yeah, which is why I'm not asking that question as it doesn't make sense in the context of salt-ssh
13:31 jvz joined #salt
13:31 babilen seatan: Mind showing your configuration (particularly file_roots) ?
13:31 seatan yes, the same code worked two months ago, i just moved now on a new computer and reinstalled salt
13:32 jvz Running salt-ssh command returns "ValueError: unknown locale: UTF-8". Cannot run any salt-ssh commands because of this. Any ideas?
13:32 AndreasLutro jvz: maybe you need to install a utf-8 system locale?
13:33 babilen jvz: Show us the output of "locale" on one of http://refheap.com, http://paste.debian.net, https://gist.github.com, http://sprunge.us, http://dpaste.de, … please
13:33 seatan babilen: http://pastebin.com/raw.php?i=abqgVmjj
13:33 otter768 joined #salt
13:33 bmcorser omg none of the test suite runs
13:34 AndreasLutro seatan: do you have root_dir set in the master config?
13:34 seatan AndreasLutro: no
13:34 bmcorser even with docker `tests/runtests.py --docked=salttest/ubuntu-12.04 -v` invocation, it bombs
13:34 babilen seatan: That is everything or a subset? Where did you set that? Does /Users/seatan/Projects/salt/saltyCloud/salt/_modules/ exist and is that directory containing the module in question? Could you show us that module?
13:35 bmcorser can anyone advise on how i can write a few unit tests?
13:35 jvz babilen: https://www.refheap.com/111573
13:36 AndreasLutro bmcorser: copy an existing test that does something similar is the easiest way
13:36 babilen jvz: Run "locale" and check what you set there
13:36 bmcorser AndreasLutro: i need to be able to run the suite first
13:36 mik__R joined #salt
13:36 bmcorser that's what i was asking about
13:37 AndreasLutro aha
13:37 AndreasLutro I run tests out of a virtualenv, it works fine - just extremely slow
13:37 jvz babilen: All looks ok https://www.refheap.com/111574
13:38 babilen jvz: What does "locale -a" give you?
13:39 jvz babilen: https://www.refheap.com/111575
13:39 babilen jvz: My guess is that your locale is missing on the other side and that the SSH server accepts your locale.
13:39 mpanetta joined #salt
13:39 Grokzen joined #salt
13:39 jvz babilen: I'll see if i can add it. Thanks
13:39 babilen Might want to look into AcceptEnv on the other side
13:40 babilen (or generate your locale on the target host)
13:40 jvz babilen: Ok
13:40 seatan babilen: contents and location of helpers http://pastebin.com/raw.php?i=baStXdr9 & full config: http://pastebin.com/raw.php?i=Kzs4TESJ
13:40 babilen It might be something different also :)
13:41 bmcorser AndreasLutro: yes i am in a virtualenv
13:41 babilen seatan: That module looks fine
13:42 bmcorser AndreasLutro: my issue is that i hit a recursion error
13:42 AndreasLutro no idea about that
13:42 zerthimon joined #salt
13:42 seatan babilen: might the module failure be related to the fact that it spits out this error as well: "[ERROR   ] You should upgrade pyOpenSSL to at least 0.14.1 to enable the use of X509 extensions"
13:43 seatan i'm on v2015.8.0
13:45 Illusioneer joined #salt
13:46 malinoff joined #salt
13:49 jvz babilen: Thank you! I generated my locale and reconfigured, and it worked.
13:49 babilen great
13:50 babilen seatan: Doesn't necessarily strike me as related
13:50 morissette joined #salt
13:50 seatan babilen: just to clarify, that error says something about the master, not about the minion, right?
13:53 JDiPierro joined #salt
13:53 babilen seatan: I don't even know in which context you get that error, but salt-ssh essentially copies salt into a temporary location on the remote host and runs from there.
13:55 fe92 joined #salt
13:57 JDiPierro joined #salt
13:58 JDiPierro joined #salt
13:58 zsoftich2 joined #salt
14:01 subsignal joined #salt
14:03 nafg_ joined #salt
14:07 kawa2014 joined #salt
14:08 seatan babilen: path to pillar data was incorrect it seems. def my fault, but damn, those errors were confusing.
14:08 ziro` joined #salt
14:09 jvz joined #salt
14:09 hightekvagabond joined #salt
14:10 jvz babilen: Just to let you know. It was on the salt master where the issue was, not the minion. Did a package upgrade just before
14:10 babilen aye
14:12 pdayton joined #salt
14:12 Grokzen joined #salt
14:12 MadHatter42 joined #salt
14:13 catpig joined #salt
14:15 numkem joined #salt
14:16 bmcorser joined #salt
14:16 ThomasJ joined #salt
14:16 traph joined #salt
14:16 crashmag joined #salt
14:16 rotbeard joined #salt
14:16 MeltedLux joined #salt
14:16 Emantor joined #salt
14:16 brianvdawson joined #salt
14:16 s0undt3ch joined #salt
14:16 lorengordon joined #salt
14:16 arif-ali joined #salt
14:16 GothAck joined #salt
14:16 skrobul joined #salt
14:17 morissette joined #salt
14:17 bmcorser wtf
14:18 quix joined #salt
14:20 oguz joined #salt
14:21 zer0def joined #salt
14:21 oguz what happened to the low-hanging fruit github label?
14:21 babilen All picked?
14:22 RandyT Erik____: you seem to be in a slightly different timezone than I. Let me know if you are on as you appear to be running into some things with salt-cloud that I can help with.
14:22 quasiben joined #salt
14:23 bastion1704 joined #salt
14:23 sunkist joined #salt
14:23 RandyT lorengordon: you mentioned in a github issue I created that it is simple to drop boto module into local _modules directory.
14:23 RandyT I've done this for simple single file modules. Can you give me pointer as to how to do this with something like boto?
14:25 lorengordon lorengordon: i saw Ryan_Lane mentioned that it was unlikely to work, as there is no boto_s3 module
14:26 lorengordon he wrote salt's boto modules, so i'd defer to him
14:27 lorengordon another option would be to shell out to boto, awscli, or the powershell aws commandlets
14:28 lorengordon RandyT: lol, didn't mean to reference myself there
14:28 solidsnack joined #salt
14:28 jaybocc2 joined #salt
14:28 Erik____ hi Randy
14:29 RandyT lorengordon: :-) thanks for the feedback.
14:29 RandyT seems like shell is our friend. :-)
14:29 RandyT Greetings Erik____
14:29 RandyT Have seen you asking a few windows cloud questions that are familiar. Where are you stuck?
14:30 Erik____ i try to use salt-cloud to provision windows in ec2
14:30 lorengordon if you're comfortable in python, you could write your own module to support your specific use case and import boto that way
14:31 Erik____ i am trying to make salt-cloud to use winrm to install the minion with use-winrm: True
14:31 anmolb joined #salt
14:31 Erik____ but its using winexe
14:31 RandyT lorengordon: not as comfy as I need to be, but that might be the best approach...
14:31 RandyT Erik____: I've not used winrm
14:31 RandyT Erik____: why are you not using winexe?
14:32 RandyT Erik____: because it doesn't work? :-)
14:32 Erik____ cant make it working :-)
14:32 perfectsine joined #salt
14:32 RandyT Yeah, if you search github issues (where I find a lot of my answers) I've logged a ticket for this.
14:32 RandyT winexe will work with Windows 2008 images.
14:33 RandyT When going to 2012, it does not work. You need to build your own binary for winexe.
14:33 Erik____ i am using 2012 r2
14:33 RandyT Erik____: https://github.com/juliogonzalez/winexe-rpm
14:33 RandyT using that repo, you can build a winexe that will work
14:34 RandyT now, I am making an assumption there that you are on a RHEL/Centos master...
14:34 Erik____ checking
14:34 Ahlee RandyT: that uses > smbv1?
14:34 RandyT if not, there are some versions of winexe floating around that are labeled 1.1
14:34 RandyT Ahlee: yes
14:34 Ahlee I gave up trying to get them working on rhel6, waf was annoying to step through
14:35 Ahlee curious, what are you using this for?
14:35 RandyT https://github.com/saltstack/salt/issues/21256
14:35 Ahlee as I was using it (before we started rolling out r2 hosts) to restart minions on windows hosts
14:36 RandyT winexe is required to transfer minion code for one example.
14:36 Ahlee wait, salt itself uses/ships winexe?
14:37 RandyT Ahlee: no, salt does not ship winexe
14:37 Ahlee ok, this is long. I need to read through this
14:39 Ahlee oh snap RandyT, thank you!
14:39 Ahlee You just saved me rewriting our minion health monitoring for windows.
14:39 sn00py joined #salt
14:40 RandyT Ahlee: np
14:40 racooper joined #salt
14:44 Tyrm joined #salt
14:44 jaybocc2 joined #salt
14:44 zzzirk joined #salt
14:45 colttt joined #salt
14:46 numkem joined #salt
14:47 Erik____ mingw64-gcc is needed by winexe-1.1-1b787d2.amzn1.x86_64         mingw32-gcc is needed by winexe-1.1-1b787d2.amzn1.x86_64
14:47 JDiPierro joined #salt
14:47 Erik____ cant find rpms for centos
14:47 amcorreia joined #salt
14:54 RandyT Erik____: use yum to install and it will get dependencies for you.
14:54 quix joined #salt
14:54 Erik____ do you have the repo for it?
14:54 colttt joined #salt
14:55 domel joined #salt
14:55 Erik____ Loaded plugins: priorities, update-motd, upgrade-helper 37 packages excluded due to repository priority protections No package mingw32-gcc available. Error: Nothing to do
14:56 jvv joined #salt
14:57 colttt joined #salt
14:58 andrew_v joined #salt
14:58 domel hey guys can anyone hep out with syntax of pillar merge? https://gist.github.com/anonymous/2d3282cb4e08a0e4cd58
14:59 domel im trying to evaluate grains['id'] then do a lookup
15:00 mik__R joined #salt
15:00 andrew_v domel: You probably want (grains['id'] + ":lookup") rather than what you have there.
15:02 domel ty very much looks to be working
15:03 bodgix left #salt
15:03 RandyT Erik____: are you following process in that repo link I sent you?
15:03 RandyT Erik____: you will probably need to also install epel-release first
15:03 Erik____ trying
15:04 mik__R_ joined #salt
15:05 johtso joined #salt
15:05 fyb3r joined #salt
15:06 Erik____ found winexe 1.1 rpm
15:06 Erik____ winexe version 1.1
15:06 Erik____ trying to run salt-cloud
15:07 colttt joined #salt
15:07 cyborglone joined #salt
15:09 bhosmer joined #salt
15:10 Erik____ ok looks like I am over this problem but i have a new one :-)
15:10 Erik____ [DEBUG   ] Caught exception in wait_for_winrm: 500 WinRMTransport. [Errno 111] Connection refused [DEBUG   ] Retrying WinRM connection to host 172.31.19.3 on port 5986 (try 12351)
15:16 RandyT Erik____:  you'll need to share some provider and profile info via gist. Seems you still have a confirmation option for winrm...
15:16 dthom91 joined #salt
15:16 Erik____ ok
15:17 zmalone joined #salt
15:19 Erik____ https://gist.github.com/erikpar/9196ad694f92bc5144cb
15:28 mehakkahlon joined #salt
15:29 dthom91 joined #salt
15:32 ziro` joined #salt
15:32 RandyT Erik____: I don't see in any of that config where you have configured to use winrm.
15:33 mehakkah_ joined #salt
15:33 Erik____ i removed them but i changed in cloud.py file to be default i just revert back i testing it
15:33 RandyT since I don't have any experience with winrm, I would just suggest that you figure out where you were setting that since that seems to be the source of the error you showed.
15:34 otter768 joined #salt
15:35 Erik____ bravo :-) its working
15:35 RandyT Erik____: excellent
15:36 Heartsbane joined #salt
15:36 Heartsbane joined #salt
15:36 Erik____ ok we over the problem now a new one :-)
15:37 Erik____ 'XXXXXXX', 'event': 'created instance'}
15:37 Erik____ test300:     ----------     Error:         ----------         Not Deployed:             Failed to start Salt on host test300
15:37 RandyT Erik____: oh, I am sure there are... I am only a few weeks ahead of you it seems and there have been many.
15:38 RandyT Erik____: you'll need to run your deploy with -l debug and post more detail via gist. Will try to jump in as you post
15:38 Erik____ let me do it :-)
15:38 clintberry joined #salt
15:39 quix joined #salt
15:40 clintberry joined #salt
15:40 Erik____ looks like impacket is not installed trying again :-)
15:40 conan_the_destro joined #salt
15:43 ziro` joined #salt
15:45 rmnuvg joined #salt
15:46 Grokzen joined #salt
15:49 RandyT <soapbox>It would go a long way toward saltstack success on windows if these dependencies were included in the install...</soapbox>
15:50 Erik____ its alive alive !!!!!
15:51 hightekvagabond joined #salt
15:51 ziro` joined #salt
15:53 Erik____ RandyT: Are you working with salt on Amazon?
15:54 DanyC hi, i just switched my pillar from fileserver to ext_pillar and now nothing works - http://hastebin.com/qigiyuvofo.avrasm any ideas? i'm on 2015.5.5 and in the master debug log i don't see anything
16:00 Grokzen joined #salt
16:00 DanyC any help pls?
16:00 nafg_ joined #salt
16:03 fyb3r why switch it if it was working before
16:06 cpowell joined #salt
16:06 fredvd joined #salt
16:07 DanyC fyb3r: because i want to encrypt my credentials in the pillar, store them in a git (currently i can't as everyone can see the info) and then let the gpg render to decrypt it
16:07 slav0nic joined #salt
16:07 ekleog joined #salt
16:09 DanyC i just run the refresh_pillar and i got http://hastebin.com/xilatidizu.vbs . Anyone knows how to clear it out ?
16:09 tkharju joined #salt
16:10 ekleog joined #salt
16:10 vfong joined #salt
16:12 dh__ joined #salt
16:12 mpanetta_ joined #salt
16:12 k00mi joined #salt
16:13 mehakkahlon joined #salt
16:13 anotherZero joined #salt
16:14 munhitsu_ joined #salt
16:15 shadowsu1 joined #salt
16:15 chrischr1s joined #salt
16:15 onovy_ joined #salt
16:16 apejens_ joined #salt
16:16 dec_ joined #salt
16:16 EugeneKay joined #salt
16:16 TOoSmOotH_ joined #salt
16:17 dec joined #salt
16:17 Guest36022 joined #salt
16:18 DammitJim joined #salt
16:18 cliluw joined #salt
16:18 \ask joined #salt
16:19 cro joined #salt
16:20 RandyT joined #salt
16:20 dh__ joined #salt
16:22 tuxx salt 'develop' state.highstate test=True; echo $?
16:22 tuxx echos '0' even on failure
16:23 tuxx is that intended? i want to perform a dry-run in order to test the integrity of my salt-tree
16:24 babilen That is intentional, yes
16:24 tuxx is there any way i can test if my tree is valid?
16:25 zmalone I'm not sure it is intentional, there are long running tickets for "Set exit codes appropriately on failure"
16:25 babilen It'll tell you if states failed. Are you after a programmatic way?
16:26 tuxx babilen: well i want a git-hook which will refuse pushes which push commits which fail to validate
16:26 babilen zmalone: Okay, maybe not "intentional" in that sense that it was considered to be the best solution, but in the "yes, you are seeing what everybody else is seeing" sense
16:26 tuxx babilen: i see
16:26 ziro` joined #salt
16:26 babilen Arguably the salt run *itself* didn't fail, just because it couldn't apply all states.
16:27 zmalone I think it got hashed out in the issues, and people at Saltstack realized that their view of exit codes was incorrect, but it's a ton of work to fix.
16:27 tuxx well thats like saying a daemon didnt fail just because it cldnt parse its config
16:28 shiriru joined #salt
16:28 zmalone Yeah, which they eventually realized
16:28 jalbretsen joined #salt
16:28 zmalone if you take that approach to its conclusion, anything that didn't segfault was code running successfully!
16:28 babilen zmalone: I'd change it as it would make it a *lot* easier to run tests or integrate it into CI or whatnot
16:28 tuxx yep
16:29 babilen Just elaborating on the thinking behind it
16:29 tuxx ok thx for the info
16:29 tuxx salt is cool btw ;)
16:29 zmalone https://github.com/saltstack/salt/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+exit+code
16:29 tuxx seems strange that it would be so much work to fix
16:30 giantlock joined #salt
16:30 tuxx ok is there a way i can execute jinja templates from the cli to dump the template that it would generate?
16:30 zmalone I feel like https://github.com/saltstack/salt/issues/18510 has the best discussion of some of these issues
16:31 zmalone So maybe in 2015.11.0?
16:32 zmalone But given that it's been a year or two, I wouldn't hold my breath.
16:32 babilen tuxx:
16:32 babilen https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.cp.html#salt.modules.cp.get_template
16:32 tuxx ahh okay i'll try that .. thanks!
16:33 AlberTUX1 left #salt
16:34 tuxx sudo salt '*' cp.get_template salt:///srv/salt/users/init.sls develop
16:34 tuxx develop is my host, i guess thats not correct, aye?
16:35 babilen yes, you want 'develop' in lieu of '*' there
16:35 ageorgop joined #salt
16:35 tuxx babilen: ah yes.. and the salt:// path is relative not absolute
16:36 tuxx works now i *think*
16:36 tuxx babilen: thanks for the hint
16:37 deus_ex joined #salt
16:37 babilen There are a couple of other helpful functions in the cp and state modules .. I'd quickly browse them while you are at it
16:37 tuxx or not.. i dont understand what the last param is for
16:37 breakingmatter joined #salt
16:37 fyb3r trying to figure out whats missing from reactors to give them proper functionality >_> the things I do as a hobby
16:38 babilen tuxx: The location where you want to save the rendered template
16:39 tuxx it outputs develop: /tmp/a but the file doesnt exist
16:39 tuxx ah is it rendered on the minion?
16:39 tuxx ahhh its on the minion .. duh :)
16:41 babilen show_sls also comes to mind .. it really depends on what you want (just take a look at those two modules, you might find what you need)
16:45 big_area joined #salt
16:46 hasues joined #salt
16:48 zsoftich2 joined #salt
16:49 DanyC for whoever comes across and want to know - don't use ext_pillar on 2015.5.5, it is so broken that you wanna cry
16:50 impi joined #salt
16:50 DanyC ext_pillar + git
16:55 zzzirk joined #salt
16:55 hightekvagabond I'm new to saltstack…. trying to build a structure to keep our software on various machines…. each minion has a custom grain with the version number in it, I want to have an sls file that takes into account the version in the grain to decide which sls to run…. can anyone point me towards an example or tutorial on this approach?
16:58 traph does specifying a source in file.blockreplace state take contents of the source file to replace what's in the block?
17:01 traph hightekvagabond, you can specify that in the top.sls file
17:02 traph use something like {% if grain['version'] ... %}, other options are also available
17:02 hasues left #salt
17:04 traph grains['version'], sorry
17:06 babilen hightekvagabond: Or target different SLS files based on the grain: https://docs.saltstack.com/en/develop/topics/targeting/index.html (see grains and compound). I would, however, prefer a single state that simply "does the right thing" depending on the version.
17:06 babilen hightekvagabond: It should also be noted that it is a bit atypical for the minion to "ask" for a specific version rather than you telling it to use a specific version
17:08 amy_ joined #salt
17:09 bhosmer joined #salt
17:09 lukayeh joined #salt
17:13 JDiPierro joined #salt
17:14 chamunks https://pypi.python.org/pypi/salt/2015.8.1 is there a download for something like this but just directly from the different branches?
17:14 chamunks So like with bootstrap you would have the git develop branch etc.
17:20 jeffpatton1971 joined #salt
17:21 AlberTUX1 joined #salt
17:22 AlberTUX1 hi there, any good guides on saltstack patterns implementations?
17:22 jeffpatton1971 howdy room, I have a question about pillars...I am running marathon in my prod and dev environments, but I have different constraints in prod vs dev...do I need to setup multiple environments in salt? or is there a shortcut somehow using a pillar for dev and prod and using a single top file to apply those settings to my minions
17:23 jfindlay chamunks: yes, only 2015.8.1 is 'unhidden' on pypi
17:23 jfindlay chamunks: you can hack the url with the version that you want.  I'm not sure if there's a way to list all downloads
17:24 chamunks I was hoping for a static binary to the latest.
17:25 jfindlay what do you mean?
17:26 jfindlay AlberTUX1: what do you mean by patterns?
17:26 jfindlay jeffpatton1971: probably the easiest way is going to be using pillar environments
17:26 chamunks So a url that doesnt change but the binary changes.
17:26 jfindlay oh, I see :)
17:26 AlberTUX1 like roles/categories, etc
17:26 jfindlay I'm not sure if pypi provides that
17:28 jfindlay AlberTUX1: what are you wanting to do with roles and categories?
17:28 jeffpatton1971 @jfindlay so I have right now /srv/pillar and /srv/salt with a top in each...i'd wind up I think with /srv/pillar/dev /srv/pillar/prod would I also need /srv/salt/dev /srv/salt/prod and then on the /srv/salt folders have duplicate formulas for the apps that are identical except for settings that differ between environments?
17:29 jfindlay jeffpatton1971: I see what you mean.  I'm not experienced enough with environments to say for sure, but I think you can mix and match between saltenvs
17:29 baweaver joined #salt
17:30 jfindlay jeffpatton1971: many users use git as a fs and a pillar backend, and manage this with git branches
17:30 stupidnic I have a bit of an issue with my salt-minions. It is more of a minor annoyance than anything else. I am preseeding my minions to build them via pxe and installing salt-minion. When the server first boots I get this message:
17:31 stupidnic "the salt master has rejected the minion's public key!" and then the minion exits
17:31 stupidnic not a huge deal I just restart the minion and everything is good to go
17:31 stupidnic is there a setting that I can set in the minion initially to prevent this behavior?
17:32 stupidnic having to restart the minion on 10 servers after a reinstall is a bit time consuming
17:32 AlberTUX1 jfindlay: i want to see some examples on how is saltstack setup on a big infrastructure to avoid known pitfalls
17:32 AlberTUX1 jfindlay: we have a lot of edge cases to consider and i'd like to start with a good design
17:33 jfindlay AlberTUX1: you can start here: https://docs.saltstack.com/en/latest/topics/tutorials/intro_scale.html
17:34 DanyC any idea what this render error means? http://hastebin.com/yoyeqekahi.vbs i should note that at the top of my sls i do have #!yaml|gpg
17:35 AlberTUX1 jfindlay: i've seen some articles for patterns in puppet, and a few use cases for saltstack. i've read that document you just sent, but i'm looking for pillar and state layouts
17:35 otter768 joined #salt
17:35 jeffpatton1971 @jfindlay so the idea would be to check out a dev branch to /srv/salt/dev and a prod branch to /srv/salt/prod
17:35 DanyC w/o the renderer and the gpg cipher i have no problem
17:35 jfindlay salt itself seems to scale well in large environments with minimal adjustments to tuning parameters.  The challenges seem to be how to scale the tools and utilities you use to integrate with salt, like for managing and storing return data
17:36 zmalone DanyC: the gpg renderer has problems with special characters and quoting.
17:36 fredvd joined #salt
17:36 zmalone I don't know what's inside your gpg content, but it could be your problem
17:36 jfindlay jeffpatton1971: yes
17:36 zmalone (does it contain a colon?)
17:37 DanyC zmalone: but the error isn't it related to the gpg is it? as in the line shows me is on the haproxy line
17:37 jfindlay AlberTUX1: you can check previous saltconf presentations.  There are many that have discussed salt at large scale
17:37 impi joined #salt
17:37 zmalone ex. https://github.com/saltstack/salt/issues/24556
17:38 zmalone but the haproxy line follows the gpg line, so it's possible that the gpg-ed content is rendering as broken yaml, and it finally really breaks on the following line.
17:41 DanyC zmalone: ah i see, check this one http://hastebin.com/tuhiqanasi.vbs - how can i see under which conditions fails ? the ticket doesn't mention that
17:42 impi_ joined #salt
17:42 jfindlay AlberTUX1: https://saltstack.com/saltconf15-video/
17:43 cpowell Greeting everyone. If you have two states that both 'include' a third state and the two are both run. Does it only include once, run it twice or have an id conflict?
17:44 AlberTUX1 jfindlay: thanks, i'll take a look
17:46 DanyC zmalone: read again the ticket, the OP said it failed if in case it had {} ' " chars although i can't see that in his example. i feel hopeless here
17:47 zmalone Between the gpg rendering issues, the character limits, and that the gpg is still decrypted on the master prior to distributing to minions, I ended up not using the gpg feature, so I'm afraid I can't help.
17:47 zmalone Once I learned all the limits of it, it was no longer worth the implementation and upkeep effort
17:48 zmalone sorry
17:48 cpowell zmalone: what limits have you found? We are rolling it out now...
17:49 DanyC zmalone: no prob. any alternatives you might be able to suggest? basically i want to encrypt a password which is part of sls file (i don't want to encrypt the whole file, only the text)
17:49 feliks joined #salt
17:50 zmalone You need to vet your encrypted secrets for special characters, or you run into bugs.  You decrypt all content on the master, and then rely on salt for security after that, which means that you don't really have secrets encrypted all the way up to their destination.  There is no tooling for rotating secrets, and stuff like that, so you end up with endless gpg runs and then copy-pasting the secrets back into your pillars.  As I recall there were some other gpg r
17:51 cpowell ahh, didn't know about the special chars. Thanks
17:51 Guest55101 joined #salt
17:51 JDiPierro joined #salt
17:51 zmalone For one or two secrets in a small environment, it could work, but over hundreds of secrets, it was a huge management hassle for little security gain, given that it just means you have encrypted secrets at rest in whatever place you keep your salt code.
17:52 zmalone They are still unencrypted on your minions, and the master has the keys to unencrypt them present, so that's no more secure either.
17:54 DanyC zmalone: very true indeed however between not being able to keep your pillar data in GIT due to the secrets in clear or not being able to look at other params in the file (i.e encrypt the whole pillar dir or files) is a better option
17:54 armyriad joined #salt
17:55 zmalone Yeah, there are not really great options for this in the Salt ecosystem
17:56 DanyC zmalone: at least it solves some part and if you're lucky later to run your stuff on AWS you can use KMS which is much better. Unless you have a different idea ?
17:56 larsfronius joined #salt
17:56 DanyC zmalone: well i'm not sure if in other CMs the principle is different - maybe in Ansible but not 100% sure
17:57 zmalone something like chef-vault or hashicorp vault is one way, but neither one lends themselves to the salt model, as they expect the client to be able to fetch its own secrets
17:57 zmalone while salt does all of that on the master
17:57 zmalone lyft is a salt shop, and recently announced https://eng.lyft.com/announcing-confidant-an-open-source-secret-management-service-from-lyft-1e256fe628a3
17:57 zmalone I don't know how they integrate it with salt though
17:57 zmalone (ryan lane is in this channel)
17:58 cpowell implemented as an external pillar I bet
17:58 cpowell its the only way with the Master being in control of the pillars
17:59 DanyC zmalone: cpowell well @Ryan_Lane is lucky and his solution works because they rely on KMS :D
18:00 zmalone Until the next release, the gpg implementation is completely useless if you use state.sls too, thanks to https://github.com/saltstack/salt/issues/28455
18:01 zmalone Sorry I can't help more, I got frustrated by this and decided to wait until there were better options, but hopefully pointing out my issues can help you make a choice.
18:02 DanyC zmalone: much thanks, i appreciate it! it seems i'll follow your frustration, damn
18:05 DanyC zmalone: btw any idea what is the character limit and the full list of special one which should be avoided ?
18:06 zmalone I think anything that might be interpreted as yaml/jinja, {} were definitely in there, and I believe : and quotes were too.
18:14 mohae joined #salt
18:23 hightekvagabond joined #salt
18:25 baweaver joined #salt
18:30 Ryan_Lane zmalone: howdy
18:30 Ryan_Lane zmalone: external pillar is easiest
18:31 Ryan_Lane we ship a very basic and unopinionated client: https://github.com/lyft/confidant/blob/master/confidant_client.py
18:31 Ryan_Lane it can be used directly, as a library, or as an example of how to implement it
18:32 Vynce joined #salt
18:32 jaybocc2 joined #salt
18:32 Ryan_Lane zmalone: one approach is to have the client write the returned data into a ramdisk (/dev/shm on debian/ubuntu is an option), then have a simple external pillar that just loads the data from that in whichever format you want to make it available
18:34 Fiber^ joined #salt
18:35 Ryan_Lane basepi: is it possible to have external pillars on minions when doing master/minion
18:35 Ryan_Lane ?
18:35 Ryan_Lane or does that only work with masterless?
18:36 zmalone I thought externals were on the master
18:36 basepi My first instinct is that it only works with masterless.
18:36 basepi Or, in other words, that only the master can fetch data from external pillars in a normal master/minion relationship
18:38 pdayton joined #salt
18:38 dthom91 joined #salt
18:39 breakingmatter joined #salt
18:41 ajw0100 joined #salt
18:43 cberndt joined #salt
18:45 anmolb joined #salt
18:47 pdayton joined #salt
18:49 zmalone I think something like Vault, could work with cmd.run-ing vault commands on the minions, and then executing more commands on the minions to put the secrets where they should go would work.
18:49 zmalone Or doing the same, but with gpg on the client
18:50 zmalone but that got into a lot of working around saltstack for me.
18:50 fivehole joined #salt
18:54 giantlock joined #salt
18:55 ageorgop joined #salt
18:58 DanyC zmalone: but if you run the vault cmd on the minions, how will that map with the pillar and maybe grain match etc ?
18:58 larsfronius joined #salt
19:00 dthom911 joined #salt
19:01 cpowell Openstack is working on Barbican, not sure when it will be ready though. https://github.com/openstack/barbican
19:03 cberndt joined #salt
19:05 breakingmatter joined #salt
19:07 bluenemo joined #salt
19:10 chai_ joined #salt
19:10 bhosmer joined #salt
19:10 chai_ hi, i have a question.. is there a way a minion can report status back to master on some event happening on VM
19:10 szhem joined #salt
19:14 baweaver joined #salt
19:16 fyb3r good god, the comments inside the source code are so sparse >_>
19:16 perfectsine joined #salt
19:19 hal58th chai_: Have an example on the event?
19:21 DanyC cpowell: i've been on the Openstack community, i wouldn't put much hope on Barbican, i expect at least 2 cycles before it will even get into experimental phase
19:21 scbunn joined #salt
19:21 cpowell yeah, they have been working on it for a while
19:22 scbunn since I upgraded to 2015.8.1 I've noticed some weird behavior.  It seems that whenever I run salt-call <anything> on a minion it is triggering a highstate.  I used to be able to do salt-call state.sls <foo> to test, but now whenever I do that it complains that a highstate is already running.  If I look at the logs it triggers the highstate when I run the command.
19:24 chai_ joined #salt
19:24 chai_ Hi, say when a device is connected to a VM, I want the minion on the VM to report to the master that X device is connected or say somebody logs into the VM i want the minion to report that status back to the master
19:24 DanyC_ joined #salt
19:25 scbunn but, if I call state.sls from the salt master (salt <foo> state.sls <bar>) it doesn't trigger a highstate and works as expected.
19:25 chai__ joined #salt
19:30 tampakrap joined #salt
19:30 opensource_ninja joined #salt
19:30 dthom91 joined #salt
19:32 dh joined #salt
19:33 dthom911 joined #salt
19:36 otter768 joined #salt
19:42 Ryan_Lane basepi: hm. that’s unfortunate :(
19:43 hightekvagabond joined #salt
19:43 Ryan_Lane it would be really nice if ext_pillar worked on master/minion where it merged the pillars from the master with the extra pillars on the minion
19:44 Ryan_Lane for cases like confidant, where the master is ideally out of the loop
19:44 Ryan_Lane because it’s more secure for the minion to request its secrets directly from the secret management system
19:44 chai__ hi
19:44 chai__ Hi, say when a device is connected to a VM, I want the minion on the VM to report to the master that X device is connected
19:44 chai__ or say somebody logs into the VM i want the minion to report that status back to the master
19:45 chai_ we'd like to have a way the minion reports it to the master
19:46 joyrida08 joined #salt
19:47 TooLmaN joined #salt
19:51 conan_the_destro joined #salt
19:55 mehakkahlon joined #salt
20:00 mehakkahlon joined #salt
20:02 sbogg joined #salt
20:03 amcorreia joined #salt
20:05 mehakkahlon joined #salt
20:06 solidsnack joined #salt
20:10 mehakkahlon joined #salt
20:11 iggy chai_: beacons might be a good use for that
20:11 iggy I think there's already one to watch logins
20:11 ajw0100 joined #salt
20:15 mehakkahlon joined #salt
20:20 GreatSnoopy joined #salt
20:20 mehakkahlon joined #salt
20:22 Rumbles joined #salt
20:23 baweaver joined #salt
20:25 Illusioneer joined #salt
20:25 mehakkahlon joined #salt
20:28 hightekvagabond joined #salt
20:30 mehakkahlon joined #salt
20:35 mehakkahlon joined #salt
20:36 DammitJim joined #salt
20:37 armguy joined #salt
20:37 DammitJim is there an easy way to create the same user on different servers and set the same password on all of them?
20:39 geekatcmu LDAP
20:39 geekatcmu Kerberos
20:39 geekatcmu ActiveDirectory
20:39 geekatcmu OpenDirectory
20:39 Ryan_Lane salt ;)
20:39 geekatcmu "every non-trivial CM tool ever written"
20:39 Ryan_Lane if you’re going to have a small number of users (<200 or so) it’s probably fine to just have salt manage all of the users
20:40 Ryan_Lane assuming you can ensure salt is running on all the nodes
20:40 DammitJim I have created users through salt
20:40 geekatcmu http://home.gallew.org/disagree.jpg
20:40 DammitJim but I haven't set the password
20:40 DammitJim is there an easy way to set the password on the servers?
20:40 DammitJim this is for Disaster recovery (local users)
20:40 mehakkahlon joined #salt
20:41 geekatcmu Creating a "field" account with password "service"?
20:41 mapu joined #salt
20:42 Ahlee i couldn't imagine trying to do password management through a config management tool rather than just setting up ldap/active directory/etc
20:42 Ahlee "just use keys!"...lol.
20:43 DammitJim using keys is an interesting option Ahlee
20:43 DammitJim I should ask them people at the disaster recovery site
20:44 larsfronius joined #salt
20:44 Ahlee DammitJim: there's a - password option that works well in salt for local users.
20:44 Ahlee you just need to provide the encrypted password, there's various ways to do it
20:45 DammitJim Ahlee, the encrypted password is generated per server though, right?
20:45 DammitJim you can't use the same encrypted password on a dozen servers?
20:45 mehakkahlon joined #salt
20:46 Ahlee You can.
20:46 Sketch you can
20:46 baweaver joined #salt
20:46 DammitJim oh
20:46 DammitJim why did I think that the encrypted password had some kind of salt per server and it would vary
20:46 DammitJim thanks guys
20:46 Ahlee no problem
20:46 Vynce joined #salt
20:47 Sketch it's salted at the time it was generated, but that doesn't mean it will only work on that server
20:48 armguy joined #salt
20:50 mehakkahlon joined #salt
20:51 baweaver joined #salt
20:55 mehakkahlon joined #salt
20:56 cowpunk21 joined #salt
20:56 DanyC joined #salt
20:56 DanyC left #salt
20:56 DanyC joined #salt
20:58 Guest55101 joined #salt
20:59 lnxnut joined #salt
21:00 mehakkahlon joined #salt
21:01 ajw0100 joined #salt
21:01 nafg_ joined #salt
21:02 jhauser joined #salt
21:03 whytewolf DammitJim: sorry I'm late to the convo. but I see that you have learned about salted linux passwords. but if you want a more in-depth read on the subject of what exactly is in the stored passwords in shadow read this http://www.slashroot.in/how-are-passwords-stored-linux-understanding-hashing-shadow-utils
21:04 DammitJim thanks whytewolf !
21:05 whytewolf np, it is something everyone who manages a linux system should know. so I am always happy to spread that knowledge
21:06 mehakkahlon joined #salt
21:09 * whytewolf remembers when linux didn't have shadow ... sigh that was a long time ago
21:09 DammitJim so, that's when the actual password was in /etc/passwd?
21:09 whytewolf yes, and everyone could read it
21:10 whytewolf made finding open accounts A LOT easier
21:10 zmalone DammitJim: if you'll be pushing creds out to live on a host via configuration management, it's usually better to use ssh keys, in that they are explicitly designed for the pub/priv model
21:11 mehakkahlon joined #salt
21:11 bhosmer_ joined #salt
21:11 zmalone While /etc/shadow|/etc/passwd hashes are easier to crack if someone gets access to the hash
21:12 DammitJim I still need to set the password for the user in case they sudo (which they will need)
21:13 Grokzen joined #salt
21:14 zmalone depending on your environment, the NOPASSWD option for sudo plus ssh keys may be a more secure choice than passwords where everyone can get the hashes
21:16 mehakkahlon joined #salt
21:16 cberndt joined #salt
21:16 whytewolf at the very least the password should ask for a new password the second they login.
21:17 zmalone until salt is run again
21:17 whytewolf eh, not if setup right
21:19 whytewolf although salt does need a simpler way to do something like firstrun
21:21 mehakkahlon joined #salt
21:23 mohae joined #salt
21:24 basepi Ryan_Lane: I agree, it would be useful. And (probably) fairly straightforward to implement, since both systems are already in place. I haven't looked to be sure, though.
21:24 Ryan_Lane ok. I’ll open an issue for it
21:24 Ryan_Lane basepi: ^^
21:25 armguy joined #salt
21:26 mehakkahlon joined #salt
21:27 basepi 👍
21:29 fyb3r so __data__ isnt available inside reactors with the py renderer
21:29 moeyebus Hi
21:30 moeyebus I've been trying to figure out how to create and manage lxc containers with saltstack.
21:30 RandyT Greetings
21:30 moeyebus I've read a lot of the documentation concerning salt-cloud, and I've tried to make it work. Right now I'm kind of stuck.
21:31 RandyT I've asked this question before and not received a response. Trying again...
21:31 mehakkahlon joined #salt
21:31 moeyebus I think I might have misunderstood how salt-cloud works.
21:31 RandyT Windows minions that I am deploying when doing a highstate, timeout with "no-response".
21:31 RandyT Subsequent attempts to run highstate again fail indicating that the PID is still running.
21:32 dthom91 joined #salt
21:32 RandyT I have confirmed that it is still running although not clear if it is doing anything.
21:32 whytewolf RandyT: sounds like something in your highstate is prompting for a response.
21:32 moeyebus RandyT: which version of salt-minion are you running on your windows machines?
21:32 RandyT Is there a way to increase the delay?
21:32 RandyT whytewolf: interesting thought
21:32 Divaloper salt -t <timeout> will wait longer
21:33 RandyT moeyebus: 2015.8.1
21:33 dthom911 joined #salt
21:33 moeyebus RandyT: you should downgrade your salt minions.
21:33 Divaloper but, yeah, something's still running. increase your minion log to debug and see where it's getting hung up
21:33 Divaloper moeyebus: hmm? Why's that?
21:34 RandyT moeyebus: yeah, why's that? :-)
21:34 Ryan_Lane basepi: https://github.com/saltstack/salt/issues/28793
21:34 edrocks joined #salt
21:35 RandyT I'll try running debug on the minion to see what I learn.
21:35 moeyebus Divaloper, RandyT: I've experienced timeouts a lot with 2015.8.1 when I tried it on windows.
21:36 RandyT What is default timeout to wait and can that be set on per profile basis? These windoze instances seem to be very busy after a deploy... :-)
21:36 mohae joined #salt
21:36 mehakkahlon joined #salt
21:36 zmalone Ryan_Lane/basepi: https://github.com/hashicorp/vault/issues/323 has related design decision discussion, if it matters to you
21:36 Divaloper RandyT: https://docs.saltstack.com/en/latest/ref/configuration/master.html#timeout
21:37 otter768 joined #salt
21:37 Ryan_Lane zmalone: thanks
21:37 Divaloper RandyT: I have a job that runs saltutil.running 30 minutes after I run highstate against my windows hosts, and if they're still processing i kill the job
21:38 RandyT Divaloper: that could be helpful. thanks
21:38 dthom91 joined #salt
21:38 cberndt joined #salt
21:38 Divaloper moeyebus: interesting.
21:39 Divaloper moeyebus: and disappointing.
21:39 RandyT Divaloper: the timeout seems to be amount of time that the query goes back to the minion. (if that makes sense) What controls how long it retries before giving up with "no response"?
21:40 moeyebus Divaloper: I didn't get into the "why" of the matter, since I was just testing 2015.8.1
21:40 Divaloper moeyebus: word. We're prepping our upgrade from 0.17.5 to 2015.8.1, so I'm sure i'll get into those nitty gritties soon enough
21:41 mehakkahlon joined #salt
21:41 dthom91 joined #salt
21:42 Divaloper RandyT: the timeout is strange. It's (if memory serves) the amount of time the LocalClient object waits to get an update from the minion
21:42 Divaloper since salt's async, it's kind of like "wait this long, then give up"
21:42 Divaloper but the job itself will keep going
21:46 mehakkahlon joined #salt
21:47 racooper wonder...is pkgrepo.managed supposed to create a repo file if non-existent? because it's failing for me. https://gist.github.com/racooper/7a61f84fa01cd551a64c
21:49 ajw0100_ joined #salt
21:50 DanyC Ryan_Lane: thanks for opening it. In your proposal i guess we still want for master to pull the pillar from git (currently is possible via ext_pillar) and the secrets by minion from Confidant? http://hastebin.com/iduximaqog.sm
21:51 mehakkahlon joined #salt
21:54 hightekvagabond joined #salt
21:56 mehakkahlon joined #salt
21:57 Ryan_Lane DanyC: yeah, basically everything would normally come from the master, but pillars on the minion (like confidant) would be merged in
21:57 cyborglone joined #salt
21:58 iggy fyb3r: I imagine it was an oversight, you should open a ticket
21:59 DanyC Ryan_Lane: cool, that make sense
21:59 dthom91 joined #salt
22:00 nafg joined #salt
22:01 mehakkahlon joined #salt
22:02 fyb3r but iggggyyyy
22:02 fyb3r i dont wanna
22:03 fyb3r im actually doing some testing on what IS available :D
22:04 fyb3r ill have an answer for ya in about 10 minutes. ya know, cause i know you're dying to find out ;)
22:05 zmalone racooper: I had bad luck with pkgrepo.managed on ubuntu hosts, and directly modified the sources files themselves.
22:06 mehakkahlon joined #salt
22:06 nidr0x joined #salt
22:06 sontek joined #salt
22:06 cowpunk21 joined #salt
22:07 hal58th joined #salt
22:07 hal58th_ joined #salt
22:07 fyb3r weird. just salt, grains, and opts are available
22:07 racooper once I manually create the files, pkgrepo.managed will make changes to them. but I have to add them first by hand.
22:11 mehakkahlon joined #salt
22:11 Rumbles joined #salt
22:11 mik__R joined #salt
22:11 fyb3r Ill put a ticket in in just a few iggy.
22:15 moeyebus Has anyone managed to make this work: https://docs.saltstack.com/en/develop/topics/cloud/lxc.html
22:16 mehakkah_ joined #salt
22:17 jeffspeff joined #salt
22:18 conan_the_destro joined #salt
22:21 mehakkahlon joined #salt
22:21 whytewolf moeyebus: lxc? no. never tried either. I do however work with openstack and salt-cloud. what exactly are you trying to do?
22:23 mosen joined #salt
22:25 moeyebus whytewolf: I've created a provider file, and now, I'm trying to use that provider to create containers and add them as minions.
22:25 whytewolf provider is only half the puzzle. you need profiles also
22:26 mehakkahlon joined #salt
22:26 moeyebus whytewolf: I know. I've tried to create a usable profile.
22:26 amcorreia joined #salt
22:27 whytewolf moeyebus: okay. are you getting an error?
22:28 moeyebus There was an error listing images: No cloud providers matched 'my-host-base'. Available selections: Available selections: my-host-base-lxc
22:28 fyb3r @iggy, can I mention that you requested that I put the issue in?
22:30 whytewolf moeyebus: and the command that was run? salt-cloud -p?
22:30 moeyebus salt-cloud --list-images snafu-host-base
22:30 moeyebus I'm figuring things out very slowly. I think the documentation is a little misleading.
22:31 iggy fyb3r: if you want
22:31 whytewolf ahh ok. where did you setup your provider? and can you gist it?
22:31 iggy not sure if that will help or hurt
22:31 mehakkahlon joined #salt
22:31 dthom91 joined #salt
22:32 moeyebus whytewolf: I've figured out why this error. Really, it's not a question of a particular problem. It's a matter of understanding what is meant by a provider, and a profile.
22:32 moeyebus Also, how these two interact together.
22:32 moeyebus That's what I'm having trouble with.
22:32 pogotech joined #salt
22:33 fyb3r @iggy, well if it hurts then ive lost all faith in the system and ill just write the code to fix it myself ;)
22:33 DanyC on github salt repo i do see issues being tagged with RIoT - anyone knows what it stands for ?
22:33 fyb3r then ill share it with you, and we can sit and laugh at them because they dont have our awesome reactors
22:33 moeyebus whytewolf: I've finally managed to do it \o/
22:33 whytewolf provider is just that. the provider of the instances and the configs for that [lxc, openstack, aws, linode], a profile is a general description of the instances. and how they should be configured on the provider.
22:33 zmalone DanyC: https://docs.saltstack.com/en/latest/topics/development/labels.html
22:34 moeyebus whytewolf: Is there a way to use salt-cloud in a state file ?
22:34 DanyC zmalone: thank you!
22:34 whytewolf moeyebus: https://docs.saltstack.com/en/latest/ref/states/all/salt.states.cloud.html
22:34 iggy fyb3r: I was joking about whether name dropping my name would be a bad thing in their eyes
22:35 fyb3r I know
22:35 whytewolf moeyebus: been almost a year since i last used that state though. your mileage may vary.
22:35 solidsnack joined #salt
22:36 fyb3r And I was joking about the joke >_> which has now become unfunny
22:36 mehakkahlon joined #salt
22:36 whytewolf unfunny joke what is this irc?
22:38 moeyebus whytewolf: Is it really necessary to run a salt minion on each lxc container?
22:39 moeyebus I'd like to be able to use salt-ssh by default. Does the lxc cloud driver support that kind of stuff?
22:39 fyb3r no. its just my life as of late :(
22:39 * whytewolf shrugs. thats outside of my scope.
22:39 fyb3r first the errors you helped me with the other night and now reactors that are lacking
22:39 fyb3r its as if salt were some opensource software or something
22:40 RandyT moeyebus: starting to buy into your suggestion of timeouts on Windows minions running 2015.8.1.
22:41 moeyebus RandyT: when do timeouts occur?
22:41 RandyT captured a complete debug log on this highstate run on windows minion and I see no reason that it stopped... render of yaml is complete. no errors. just stops responding.
22:41 moeyebus Running a particular command?
22:41 mehakkahlon joined #salt
22:41 moeyebus Using a particular state? Or with anything?
22:41 RandyT no particular command. After complete yaml render
22:41 moeyebus For me, it timedout all the time.
22:41 DanyC_ joined #salt
22:41 RandyT does not perform any action on the minion, just renders yaml and stops...
22:42 moeyebus does it timeout with test.ping ?
22:43 Vynce1 joined #salt
22:44 whytewolf RandyT: moeyebus: could it be related to this? https://github.com/saltstack/salt/issues/27866
22:44 RandyT moeyebus: test.ping works fine
22:46 RandyT whytewolf: love it... will give it a try
22:46 moeyebus whytewolf: I don't know. I kind of figured: I'll upgrade whenever I have the time to solve that issue.
22:46 mehakkahlon joined #salt
22:51 mehakkah_ joined #salt
22:52 timoguin joined #salt
22:53 RandyT whytewolf: moeyebus  my minion config on the windows instance was set to multiprocessing: false.
22:53 RandyT changing it to true doesn't really make any difference.
22:53 moeyebus RandyT: (I ask just in case) have you restarted the salt minion?
22:54 baweaver joined #salt
22:55 cberndt joined #salt
22:56 mehakkahlon joined #salt
22:59 trojan joined #salt
23:00 trojan left #salt
23:01 ajw0100 joined #salt
23:01 mehakkah_ joined #salt
23:01 trojan joined #salt
23:01 RandyT moeyebus: yes, restarting frequently here as the only way I have found to get the parameters for debug to stick is to run it at command line on the minion
23:02 trojan this is the chat for  all things salt?
23:02 whytewolf RandyT: does the highstate run fine if you run it from the minion?
23:02 RandyT whytewolf: how would I run the highstate from the minion?
23:03 RandyT sorry, a bit green here
23:03 whytewolf salt-call -l debug state.highstate
23:03 RandyT and do I need to have a minion process running to do that?
23:03 whytewolf it helps
23:04 whytewolf but i don't think it is needed no
23:06 mehakkahlon joined #salt
23:09 MadHatter42 joined #salt
23:11 mehakkah_ joined #salt
23:12 bhosmer_ joined #salt
23:13 RandyT whytewolf: so that was a helpful exercise. I have a state that fails due to lack of pkg.refresh_db run...
23:13 RandyT which I thought I had configured properly in a reactor...
23:15 Vynce joined #salt
23:15 hackel joined #salt
23:15 hal58th__ joined #salt
23:15 hal58th_1 joined #salt
23:16 mehakkahlon joined #salt
23:18 noliverio joined #salt
23:19 amy_ joined #salt
23:21 mehakkahlon joined #salt
23:23 RandyT could someone help me understand why this reactor is not working?
23:23 RandyT https://gist.github.com/rterbush/379eae8548d12384bdc4
23:24 adelcast joined #salt
23:26 mehakkahlon joined #salt
23:26 bfoxwell joined #salt
23:28 Tyrm_ joined #salt
23:30 Ch3LL RandyT: I responded to your gist
23:30 Ch3LL with a possible solution
23:31 mehakkahlon joined #salt
23:31 hightekvagabond joined #salt
23:35 moeyebus And now this...
23:35 moeyebus [ERROR] Request to sign key for minion "lxcXXX" on hyper "nox"  denied: no authorization.
23:36 amcorreia joined #salt
23:36 ajw0100 joined #salt
23:36 mehakkahlon joined #salt
23:37 otter768 joined #salt
23:38 RandyT Ch3LL: Thanks for that suggestion. I tried your approach and am getting the same result. My understanding of reactor is that these states should run when the minion contacts the master.
23:39 RandyT restarting the minion is not triggering that reaction.
23:41 mehakkahlon joined #salt
23:42 Ch3LL RandyT: You need to specify an event.. typically in your /etc/salt/master file that tells the reactor which sls files to run when particular events show up
23:42 Ch3LL what's your reactor configuration look like?
23:43 markm joined #salt
23:43 Ch3LL and i'm assuming when you say "getting the same result" you mean the sls file is not being run
23:45 larsfronius joined #salt
23:46 fyb3r hm here's another interesting issue. apparently with syndic presence events, the tag 'syndic/ID/salt/presence/present' will trigger a reactor if the tag being searched for is 'salt/presence/present'
23:46 whytewolf RandyT: did you set this part up? https://docs.saltstack.com/en/latest/topics/reactor/#mapping-events-to-reactor-sls-files
23:46 mehakkahlon joined #salt
23:46 RandyT Ch3LL: I've added my master reactor config to the gist
23:46 RandyT I'm attempting to trigger on minion_start
23:47 RandyT whytewolf: yeah, just added what I have in my master config to the gist
23:47 Ch3LL and what behavior are you seeing? or is nothing happening?
23:47 whytewolf RandyT: your event is wrong in that reactor setup. it should be 'salt/minion/*/start'
23:48 RandyT whytewolf: ok... taken from example in the docs https://docs.saltstack.com/en/latest/topics/reactor/#syncing-custom-types-on-minion-start
23:48 Ch3LL yeah i believe that's an event
23:49 Ch3LL i remember seeing it when the minion initially connects alongside the salt/minion/*/start
23:49 Ch3LL RandyT: what do you see in your debug logs? do you see the event occurring?
23:49 Ch3LL or you can type `salt-run state.event`
23:49 whytewolf humm. ok. I'll believe you. I always used the long names
23:49 Ch3LL i believe it is to see the events live
23:49 DanyC joined #salt
23:50 RandyT Ch3LL: salt-run on the master?
23:50 Ch3LL yes
23:50 DanyC joined #salt
23:50 Ch3LL but your debug logs should log the events as well
23:50 Ch3LL and you can find out if the event is triggered and if the reactor is working
23:51 mehakkahlon joined #salt
23:51 Ch3LL but you might as well try what whytewolf suggested
23:51 Ch3LL i believe both of those events trigger when the master connects the master. i can't remember entirely though
23:53 RandyT so I see a minion_start, also shown as salt/minion/[id]/start
23:53 Ch3LL cool yeah see if using `salt/minion/*/start` helps.
23:53 Ch3LL i could have sworn i've used minion_start before but i could be wrong
23:54 whytewolf yeah i just checked myself they both show up. looks like they have the same data in them as well. which means that one is probably a shortcut
23:54 Ch3LL okay cool
23:55 Ch3LL so there's a different reason why the reactor is not working
23:55 DanyC joined #salt
23:55 Ch3LL i would check your debug logs RandyT on the master
23:56 RandyT I have tried the long form as well with same results.
23:56 mehakkahlon joined #salt
23:56 Ch3LL yeah they both show up. you will need to check your debug logs
23:56 Ch3LL your configuration is accurate as far as i can tell
23:57 RandyT I do see in the state.event log though a "saltutil.pkg.refresh_db  is not available"
23:57 whytewolf wait why saltutil?
23:58 whytewolf shouldn't that just be local.pkg.refresh_db
23:59 whytewolf or cmd.pkg.refresh_db
