IRC log for #salt, 2016-03-29

All times shown according to UTC.

Time Nick Message
00:00 i90rr joined #salt
00:00 djgerm left #salt
00:02 dendazen joined #salt
00:04 AdamSewell joined #salt
00:07 digitalhero joined #salt
00:07 jankmcjanker joined #salt
00:07 flowstate joined #salt
00:08 subsignal joined #salt
00:08 ajw0100 joined #salt
00:09 jankmcjanker is there an efficient, automated way that i can embed a salt key into a virtual/bare metal resource? i'm trying to execute a state.highstate when a new server is recognized by salt as soon as it is provisioned via digital ocean/aws/linode/softlayer
00:09 jankmcjanker going to the salt master to accept the salt key is fine, but i'd like to automate that process
00:10 teatime I think salt-cloud does that?
00:10 jankmcjanker hmm, does that work for bare metal provisioned by softlayer as well?
00:10 teatime hrm, well there's salt-... what's it called.  1 second.
00:11 ahammond jankmcjanker http://salt-cloud.readthedocs.org/en/latest/topics/softlayer.html
00:11 jankmcjanker oo, very nice, thanks ahammond
00:11 _Cyclone_ joined #salt
00:14 teatime I believe I was thinking of cloud.saltify, for bringing pre-existing servers under salt control.
00:15 teatime which may or may not be relevant, no idea.
00:19 nZac joined #salt
00:20 qman__ joined #salt
00:27 overyander joined #salt
00:31 hightekvagabond joined #salt
00:32 nZac joined #salt
00:33 Disorganized_ joined #salt
00:36 kliquori joined #salt
00:45 Gibzon joined #salt
00:46 Gibzon hello can someone help me with this error im having when i installed salt with bootstrap
00:46 Gibzon AttributeError: 'module' object has no attribute 'BASE_THORIUM_ROOTS_DIR'
00:46 Gibzon i cannot start the service
00:46 Gibzon or use salt cli
00:47 Gibzon i tried latest 2015.8.8
00:54 fracklen joined #salt
00:58 voileux_ joined #salt
01:00 akhter joined #salt
01:00 amcorreia joined #salt
01:06 akhter joined #salt
01:10 voileux joined #salt
01:10 onlyanegg joined #salt
01:11 quasiben Why do people typically implement a syndic node ?  I've seen a few examples of wanting the syndic inside a firewall and masterofmasters outside the firewall but I'm unclear as to why that's desirable
01:11 quasiben why not have masterofmasters inside the firewall ?
01:13 akhter joined #salt
01:14 quasiben I suppose it's useful when distributing work
01:14 SheetiS joined #salt
01:17 RobertChen117 joined #salt
01:21 brianfeister joined #salt
01:23 akhter joined #salt
01:25 k_sze[work] joined #salt
01:27 sauvin joined #salt
01:28 akhter joined #salt
01:30 hightekvagabond joined #salt
01:46 brianfeister joined #salt
01:52 brianfeister joined #salt
01:53 flowstate joined #salt
01:53 ajw0100 joined #salt
01:56 catpig joined #salt
01:57 nyx_ joined #salt
02:02 digitalhero joined #salt
02:04 _Cyclone_ joined #salt
02:10 k_sze[work] joined #salt
02:11 _Cyclone_ joined #salt
02:12 spuder joined #salt
02:12 aw110f joined #salt
02:15 onlyanegg joined #salt
02:17 beardedeagle joined #salt
02:25 kliquori joined #salt
02:31 digitalhero joined #salt
02:33 cwyse joined #salt
02:36 evle joined #salt
02:36 rem5 joined #salt
02:39 efm joined #salt
02:40 RobertChen117 joined #salt
02:41 aharvey joined #salt
02:59 anmol joined #salt
03:01 aw110f joined #salt
03:02 aharvey joined #salt
03:06 RobertChen117 joined #salt
03:17 mavhq joined #salt
03:18 capricorn_1 joined #salt
03:26 flowstate anyone else having trouble hitting the saltstack yum repos?
03:26 kliquori joined #salt
03:26 stooj joined #salt
03:28 XenophonF joined #salt
03:35 nyx_ joined #salt
03:37 ramteid joined #salt
03:39 spuder_ joined #salt
03:43 orion joined #salt
03:45 orion Hi. What's the best practice regarding the names of states? Currently I name my states something like, "logstash-config", "logstash-service", etc where "logstash" is the name of the directory in which the state is contained.
03:45 digitalhero joined #salt
03:46 cyborg-one joined #salt
03:47 hightekvagabond joined #salt
03:50 teatime you can just put them in 'logstash/config.sls' (or 'logstash/config/init.sls'; more for when you want 'a.b' to exist in addition to 'a.b.c' and 'a.b.z') and thus call them like 'logstash.config'; I don't know of any drawbacks / namespace clashes from this.
03:51 teatime or do you mean inside the files, what to name the keys?  in that case, just make sure they're unique across the state data (but can use name: and names: to help.)
03:52 orion You're allowed to put '.'s in state names?
03:53 beardedeagle @flowstate: been spinning up vm's left and right tonight, no issues hitting the repos here so far
03:53 teatime orion: 'a.b.c' will map to 'a/b/c.sls' || 'a/b/c/init.sls'
03:54 orion We're talking states, not pillar, right?
03:54 teatime yes, but it's the same in both cases.
03:56 orion Wouldn't it then be ambiguous if you did, say, {% if pillar.foo.bar.baz %} considering that you allow '.' in the names?
03:58 XenophonF orion: do you mean state names or salt state filenames
03:58 orion State names
03:59 XenophonF orion: i tend to name them expositionally
03:59 orion What do you mean by expositionally?
03:59 armguy joined #salt
03:59 sarlalian joined #salt
04:00 XenophonF like, if i have an sls for openstack keystone in keystone/init.sls, i have a key named "openstack_keystone", with pkg.installed, user.present, group.present, file.recurse, and service.running states
04:01 XenophonF assume suitable overrides for the name kwarg, dependencies, etc.
04:01 orion hmm
04:01 XenophonF when debugging it makes it easy to ID the malfunctioning state
04:02 XenophonF let's say i have a file.managed state for PAM services
04:02 neilf__ joined #salt
04:02 XenophonF i'll have a pam_service_ftpd: {file.managed: [name: "/etc/pam.d/ftpd", ...]} state definition
04:02 XenophonF might have a separate one named pam_service_sshd
04:02 XenophonF and so forth
04:03 XenophonF anyway, the gist is, i name the states logically, tending to use the top-level SLS almost like a namespace
04:04 XenophonF so all of my openstack keystone states (that is, in addition to the ones i just mentioned) get a prefix of "openstack_keystone_"
04:04 orion I see.
04:04 XenophonF all of my kerberos5 states get "kerberos5_"
04:04 XenophonF and so forth
04:05 orion As far as directory layout is concerned, do you keep one directory per role (db, rabbitmq, elk, etc), or one directory per service with the service/role mapping in top.sls?
04:05 XenophonF you can see examples of this style in https://github.com/irtnog/salt-states
04:05 XenophonF the latter
04:05 XenophonF again, see my git repo
04:06 XenophonF i try to write one top-level sls for each individual service
04:06 whytewolf personally I never combine states under single id's like that. but that is just me. and I prefer breaking things out independently. however they all do go into the same file.
04:06 XenophonF so i have a top-level sls named "apache" and another named "postfix" and two more named "ssh" and "sshd" respectively
04:07 XenophonF and generally my top-level sls modules? files? whatever are independent of one another
04:07 aqua^c joined #salt
04:07 orion hmm
04:07 XenophonF that way i can run "salt-call state.sls <module> saltenv=<env>"
04:07 XenophonF when deploying changes to the states
04:07 orion Right, so rather than having one top-level SLS per role, you have one top-level SLS per service.
04:07 XenophonF correct
04:07 orion I see.
04:08 XenophonF now take my postfix sls for example
04:08 XenophonF my "mail-relay" role doesn't specify it because the postfix sls gets assigned to all my unix/linux-based minions
04:08 XenophonF so it's already running on the mail relays
04:08 hemebond left #salt
04:09 XenophonF instead, the mail-relay-specific magic happens in pillar
04:09 XenophonF which i have structured a bit differently
04:09 XenophonF there, i have sls files named after what i think of as the public endpoints of a given service
04:09 orion What do you do when you run in to corner cases, like, "Only machines in the database role need a file chmod'd to 755" -- where it doesn't make sense to put such a state definition in the, say, "postgres" top-level SLS?
04:10 XenophonF so for example, in my (private) pillar tree, i have an sls called "mx1.irtnog.org" a/k/a "mx1/irtnog/org/init.sls"
04:10 spuder joined #salt
04:10 orion In other words, how do you handle "overrides" where some roles are special and don't fit in to the generic service definition?
04:10 XenophonF if i have interesting corner cases like that, i make separate, one-off sls files
04:11 orion I see.
04:11 XenophonF like, for example, i have a "clamav.amavisd" state that adds some glue between my amavisd and clamav SLSes
04:11 XenophonF only for use on my mail relays, which are special in this regards
04:12 XenophonF i could have written a combined amavisd+clamav sls
04:12 XenophonF but i could see a point where i might want to deploy them independently
04:12 XenophonF hence the special sls only called by minions with the "mail-relay" role
04:13 orion Are these special SLS files top-level?
04:14 XenophonF whytewolf: i used to write separate state IDs to go with each state funcall - i dunno why combining them under one state ID appeals to me, call it an aesthetic choice
04:14 XenophonF i'd hesitate to say i had some engineering rationale behind it :)
04:15 XenophonF orion: no, e.g., in my public salt-state repo, they're one level down, e.g., clamav/amavisd.sls
04:15 zer0def joined #salt
04:16 XenophonF which, if you look at it, is really quite simple - just adding clamav to the amavisd group so that it can read the mail spool
04:16 orion Your public repo only has three files.
04:17 orion Oh, you have many branches.
04:17 XenophonF yes
04:17 orion git branches
04:17 XenophonF one for each DTAP phase
04:17 orion I see, I was slightly confused as to what you were talking about since all I saw were three files.
04:17 XenophonF i'm using a github flow-like change management model
04:17 XenophonF with an empty base environment (targeting only via top.sls)
04:18 XenophonF there's an example pillar repo at https://github.com/irtnog/salt-pillar-example
04:18 XenophonF i don't use environments in pillar
04:19 XenophonF which i might change at some point in the future
04:19 orion How important do you consider the map.jinja/pillar.example style to be?
04:19 orion Right now I have an entire development environment that never uses them even once.
04:19 orion But, *every single node* runs Ubuntu 14.04, so I think I can get away with it for now.
04:20 XenophonF ah well homogeneity means you don't really need to use distro- or version-specific special cases
04:21 XenophonF at work we're running CentOS 7, Ubuntu 12.04 and 14.04, and Windows Server 2008 R2/2012 R2
04:22 XenophonF so especially for cross-platform stuff it pays to write states like formulas
04:22 XenophonF i have a bunch of sls modules? directories? whatev that aren't written generically, e.g., the wordpress sls that i ought to be working on right now instead of chatting it up with you all ;)
04:23 XenophonF i'm only running wordpress on centos, so i haven't bothered to make it formulaic
04:23 XenophonF lots of hardcoded paths and package names and the like, direct references to pillar, &c.
04:23 orion I've wasted a lot of time trying to make things generic when it doesn't have to be.
04:23 XenophonF there you go
04:23 orion Direct references to pillar?
04:24 XenophonF at home i have a larger menagerie
04:24 XenophonF like, instead of following the defaults.yaml/maps.jinja pattern and using something_settings.variable
04:24 XenophonF i have direct calls to salt['pillar.get']('something:variable')
04:25 XenophonF or rather salt['pillar.get']('something:variable', 'default')
04:25 orion As opposed to, ?
04:27 XenophonF if you look at https://github.com/irtnog/salt-states/tree/development/poudriere/init.sls
04:27 XenophonF contrast with https://github.com/irtnog/salt-states/tree/development/postfix/init.sls
04:27 sagerdearia joined #salt
04:28 XenophonF the poudriere sls looks various settings up in pillar directly via pillar.get
04:28 kliquori joined #salt
04:28 XenophonF the postfix sls is functionally equivalent but there's a layer of indirection in map.jinja
04:28 orion Ah, rather than map.jinja
04:28 XenophonF which merges whatever's in pillar with defaults.yaml plus os-specific settings
04:28 XenophonF yeah you got it
04:28 orion Interesting. I appreciate you sharing this with me.
04:29 XenophonF my pleasure!
04:29 XenophonF i think the key thing to keep in mind is that you're writing these states less for the computer and more for your colleagues
04:30 XenophonF i personally think this arrangement is logical
04:30 XenophonF but you shouldn't take it as gospel
04:30 anmolb joined #salt
04:30 orion Why did you use git branches as opposed to salt environments?
04:30 XenophonF git branches == salt environments
04:30 XenophonF automatically
04:30 beardedeagle automagically
04:30 XenophonF heh
04:31 orion With 'master' being mapped to 'base'?
04:31 XenophonF yes, by default
04:31 brianfeister joined #salt
04:31 orion Wow, I never knew that feature existed.
04:32 XenophonF it's documented in either the gitfs tutorial or the salt-master config settings, hang on i'll look it up
04:32 XenophonF https://docs.saltstack.com/en/latest/ref/configuration/master.html#std:conf_master-gitfs_base
04:33 orion Thank you.
04:33 XenophonF and here's the gitfs tutorial - https://docs.saltstack.com/en/latest/topics/tutorials/gitfs.html
04:33 XenophonF at work we are using the git ext_pillar, which points at a private git repo containing our pillar data
04:33 XenophonF that's in addition to using gitfs for state data
04:34 XenophonF which is also in a private git repo
04:34 XenophonF the salt master has its own account on our git server
04:34 XenophonF read-only
04:34 XenophonF at some point i'm going to figure out gpg and encrypt all of the pillar data, too
04:35 XenophonF which someone on here mentioned (recommended? struggled with?) a while back - probably babilen
04:43 beardedeagle You know I love salt and all, but it will be good to do something else for a change...
04:45 beardedeagle @XenophonF: one of our teams here (security I think, go figure) gpg encrypts ALL the things
04:45 RobertChen117 joined #salt
04:46 XenophonF that's my goal in life, too
04:46 XenophonF encrypt all the things
04:46 beardedeagle you ever thought of -> vault -> consul ?
04:46 XenophonF i'm supposedly the team ISO but we all wear multiple hats, so real infosec stuff gets short shrift
04:46 beardedeagle can get much more granular with access that way
04:47 jhauser joined #salt
04:47 beardedeagle using secrets to unlock secrets
04:47 beardedeagle it's the only way to fly
04:47 XenophonF i've thought of it, but i'm not sure we're ready for it
04:48 beardedeagle the vault thing is what I am working on next
04:48 XenophonF tbh i'm the john the baptist of the group, preaching the gospel of configuration management and automation
04:48 beardedeagle everyone on my team is a windows admin...
04:48 beardedeagle makes me a sad panda
04:49 XenophonF i've already had team members ask for my head
04:49 XenophonF yeah same here
04:49 XenophonF actually, it's not that they're windows admins, it's that they have like no ambition to extend themselves beyond the gui
04:49 XenophonF it's super frustrating
04:49 beardedeagle I think I have access to his repo's, let me study them real fast
04:50 XenophonF like, most of the team have really nice macs, and all they do is boot up vmware fusion so they can run windows
04:51 XenophonF last summer i was trying to teach them unix basics and couldn't get past that
04:52 XenophonF even on windows, i'm not sure how to convince them to dive into powershell and friends
04:52 XenophonF i was hoping that salt would help with a lot of it, but so far i'm the only one authoring states :(
04:53 beardedeagle you know I hate windows, but I love powershell
04:53 XenophonF oh it's great!
04:53 XenophonF i'm coming at it from the COM/.NET side of things, and it's so great
04:54 XenophonF lightyears ahead of the old vbscript/script stuff, and easier to work with compared to .net
04:54 XenophonF i wish there were better interfaces between python/salt and powershell
04:55 XenophonF right now they're pretty kludgey
04:55 flowstate joined #salt
04:55 XenophonF esp. when it comes to passing error conditions back and forth
04:56 jagguli joined #salt
04:57 beardedeagle huh, so that's gpg. doesn't seem that hard.
04:58 XenophonF no it doesn't
04:58 XenophonF it's on my list of things to do in my Copious Free Time
04:59 digitalhero joined #salt
05:08 XenophonF i just realized that, to an outsider, my saltstack toolchain looks pretty intimidating
05:09 XenophonF emacs, magit, git, github, saltstack, jinja, yaml, bash/powershell
05:09 XenophonF to me that all makes perfect sense
05:10 XenophonF i've been using some of those technologies for 20+ years
05:10 XenophonF but to someone used to working through the windows gui only...
05:10 XenophonF i dunno - there has to be a way to simplify it for my colleagues
05:13 XenophonF just learning one of those tools, like git, is a big deal for someone unfamiliar with version control systems in general
05:13 RobertChen117 joined #salt
05:14 beardedeagle idk, seems legit to me. I am probably as old as you have been doing this stuff and I get it.
05:14 kliquori joined #salt
05:15 beardedeagle except vim over emacs lol. (let the flame war start mwahaha)
05:18 XenophonF heh
05:21 Disorganized_ left #salt
05:22 sarlalian joined #salt
05:29 orion hmm
05:38 anmolb joined #salt
05:41 Garo_ joined #salt
05:43 orion If your git server is not the same as your salt master, how do you clear the cache? Is it simply: salt-run fileserver.update?
05:53 favadi joined #salt
05:54 XenophonF yes
05:55 XenophonF if you want to get fancy, you can setup webhooks that trigger an update before the cache update interval
05:55 XenophonF via salt-api/reactor
05:55 orion I see.
05:56 XenophonF i haven't gotten it to work yet with github
05:56 orion I'm reading over your top.sls file now.
05:56 XenophonF but my preliminary configs are posted on github
05:56 XenophonF let me know if you figure it out ;)
05:56 felskrone joined #salt
05:56 ikarpov joined #salt
05:56 orion What is the full state.sls command you use to deploy changes from staging to production?
05:57 XenophonF so let's say i updated the postfix sls
05:57 XenophonF and i have the change manager's approval to deploy in production
05:57 flowstate joined #salt
05:57 XenophonF i'd merge the changes from the testing branch to the staging branch
05:58 XenophonF then i'd deploy on my production mail relays like this:
05:59 XenophonF salt -C "I@environment:production and I@role:mail-relay" state.sls postfix saltenv=staging test=True
05:59 XenophonF and if that looks good:
05:59 XenophonF salt -C "I@environment:production and I@role:mail-relay" state.sls postfix saltenv=staging
06:00 XenophonF i'd perform whatever user acceptance testing i had planned as part of my change request
06:00 orion I see.
06:00 XenophonF if that failed, i'd revert:
06:00 XenophonF salt -C "I@environment:production and I@role:mail-relay" state.highstate
06:00 XenophonF if my testing succeeded, i'd merge staging->production
06:00 XenophonF the production branch always reflects what's _currently_ in production
06:01 orion Right, makes sense.
06:01 XenophonF i'm just a highstate job away from returning to a known good config
06:01 orion Although, in theory the deployment of staging could create files that wouldn't get deleted with state.highstate.
06:01 digitalhero joined #salt
06:01 XenophonF this is true
06:03 anmol joined #salt
06:04 orion I've heard of people who adopt the philosophy of killing a server completely and rebuilding it from scratch on every deploy. Do you think that's overkill?
06:05 beardedeagle thats what we do here
06:05 beardedeagle yay openstack
06:06 RobertChen117 joined #salt
06:06 beardedeagle also helps us with patch management
06:06 beardedeagle since the base images are pretty much up to date at any given time
06:06 XenophonF i say nuke the site from orbit.  it's the only way to be sure.
06:07 XenophonF well, to be honest, i'm not there yet
06:07 XenophonF i'd like for our servers to be wholly disposable, but some of them can't be
06:07 orion XenophonF: Sure, like the DB master.
06:07 XenophonF like database servers, ldap directories, file servers, email, and the like
06:07 beardedeagle use that cloud cache. delete the server outside of salt somehow, and salt will rebuild it on the fly lol
06:08 XenophonF i really, really dig salt-cloud
06:08 XenophonF omg that's the killer app for me
06:08 beardedeagle yup
06:08 beardedeagle built an entire platform on top of it
06:08 orion XenophonF: How do you deal with package updates? For example, let's say there was a big vulnerability in the linux kernel. How do you respond?
06:08 XenophonF even better are the new boto states
06:08 XenophonF we are _really_ aggressive when it comes to patching
06:09 XenophonF to the point where we're willing to risk outages caused by bad updates
06:09 beardedeagle we have had that, only because of docker and kernel updates
06:10 orion XenophonF: Do you apply the patch and nuke when possible, or do you just do a reboot?
06:10 XenophonF we patch servers every weekend and reboot immediately
06:10 XenophonF we have three windows: tier 1 includes core IAM services (basically, Active Directory), 12am-3am
06:11 beardedeagle we host a 3rd of the domains in the world, cant do that
06:11 XenophonF tier 2 which are backends (Exchange, file servers, database servers), 3-6am
06:11 XenophonF tier 2 which are frontends (web servers and the like), 6-9am
06:11 XenophonF all on saturday
06:11 XenophonF yeah we're not operating under those kinds of enterprise constraints
06:11 jfindlay beardedeagle: how many of those are squatters? :-)
06:12 orion I'm in fintech, so any downtime is not acceptable, which is why we have all nodes in triplicate.
06:12 XenophonF i think contractually we're only required one 9
06:12 beardedeagle @jfindlay: you mean like parked or cash pages?
06:12 XenophonF all of my data centers are in remote parts of africa supporting academic/scientific research
06:12 jfindlay yeah
06:13 beardedeagle oh a crap ton
06:13 beardedeagle more than I can count, but they pay us all the same
06:13 beardedeagle so meh
06:13 XenophonF heh
06:14 jfindlay XenophonF: that's cool.  I used to do research until I dropped out of graduate school a few years ago
06:14 loacker joined #salt
06:14 orion jfindlay: I was very depressed in grad school.
06:14 beardedeagle and we just entered china...so who knows how much we will grow by there
06:15 jfindlay I keep getting tempted to go back, but then I remember how isolating and competitive it was, and the crushing depression
06:15 XenophonF i tell you what, jfindlay, i'm not usually an esprit-de-corps kind of guy, but i am a whole-hearted believer in our mission
06:15 XenophonF we support global hiv/aids, malaria, and tb research (among others)
06:15 jfindlay that's awesome
06:15 beardedeagle here here
06:16 jfindlay orion: what did you study?
06:16 orion jfindlay: biochemistry. Now I'm doing devops in fintech. :p
06:17 XenophonF woah that's quite a jump
06:17 jfindlay orion: nice
06:17 jfindlay XenophonF: that's the nice thing about computer jobs.  The need is universal, so you can practically pick a cause :)
06:18 XenophonF true!
06:18 orion I was the slightly aspy 10 year old programmer. When I picked biochemistry people thought I was crazy for not studying computer science, but I wanted to learn about something I didn't already know.
06:18 jfindlay I got lucky having salt in my hometown, or close enough.  It's awesome being part of an open source project
06:19 XenophonF paid work on FLOSS projects would be awesome
06:19 joe_n joined #salt
06:19 jfindlay it's a really great community
06:20 beardedeagle super jelly @jfindlay
06:20 XenophonF absolutely
06:20 orion XenophonF: Which directory contains your user states?
06:20 orion Or, do you not allow logins?
06:20 XenophonF pillar, using users-formula
06:20 orion ah
06:21 brianfeister joined #salt
06:21 jfindlay it's also humbling as most of the people I deal with are much more accomplished and intelligent than I am :)
06:21 XenophonF but for sysadmins/users, we have an ldap of one form or the other
06:21 beardedeagle modest
06:21 XenophonF jfindlay: there are a lot of really sharp people in the saltstack community
06:21 orion XenophonF: If you could do it all over, would you choose ldap for user authentication?
06:22 XenophonF yes absolutely
06:22 orion You don't find it old/antiquated?
06:22 XenophonF ldap?
06:22 orion yes
06:22 XenophonF not really
06:23 orion Have you tried Kerberos?
06:23 XenophonF yes
06:23 XenophonF since V4
06:23 XenophonF Kerberos+LDAP is why I fell in love with Active Directory
06:23 orion Not a fan?
06:23 XenophonF huge fan
06:24 XenophonF you know what i find antiquated?
06:24 XenophonF NIS
06:24 jfindlay YP :)
06:24 XenophonF and i'm sorry to say that i'm still running it here at home out of sheer laziness
06:24 XenophonF NIS+Kerberos
06:25 XenophonF at work we're running LDAP+Kerberos
06:25 XenophonF and we're getting ready to add federated logons into the mix
06:25 orion XenophonF: Assuming a nix only environment, why would you need LDAP and Kerberos? Can't Kerberos suffice?
06:26 XenophonF Kerberos isn't a directory service, so no.
06:26 XenophonF at least, not the way i build things
06:26 orion Why do you need a directory service?
06:27 XenophonF you mean, why a directory service instead of salt-managed users/groups?
06:27 orion To be honest, I am not too familiar with the finer points of SSO.
06:28 XenophonF so i do use salt to manage user accounts, but not humans' user accounts
06:28 XenophonF service accounts only
06:28 honestly you need a directory server if you want any kind of fine-grained management of user / authentication / authorization data and if you want it to be used by other software it needs to have an LDAP frontend :)
06:28 XenophonF plus root/Administrator
06:29 colttt joined #salt
06:29 orion I see.
06:29 XenophonF what @honestly said
06:29 XenophonF the directory holds a lot more information about users than just username+password
06:29 XenophonF we implement role-based access controls in the directory
06:30 XenophonF so it ends up reflecting a good portion of the business hierarchy
06:30 honestly Also ACLs for who can read and/or write which attributes in which trees
06:30 XenophonF yup
06:30 orion hmm, but can't you authenticate against LDAP directly and skip Kerberos?
06:30 XenophonF yes
06:30 jagguli is there a way to reference pillars from pillars, is this possible ?
06:31 XenophonF jagguli: no - but you can use jinja templates in pillar sls files, and so share variable data that way
06:31 beardedeagle @jagguli: don't think so
06:31 jagguli can i use jinja variables across files ?
06:32 beardedeagle yes
06:32 beardedeagle well
06:32 jagguli oh
06:32 beardedeagle sorta
06:32 XenophonF jagguli: yes, just like you'd use map.jinja in a state sls file
06:32 jagguli :|
06:32 beardedeagle you can pass pillar values between states
06:32 XenophonF orion: i tend to use nss_ldap/pam_krb5 everywhere
06:32 XenophonF probably out of habit
06:33 XenophonF i mean, i've been using some form of directory service with some form of kerberos for 20 years now
06:33 felskrone anyone know if its possible to extend the dunder dicts like __salt__ with my own variables or alternatively how to share variables between custom modules?
06:33 XenophonF starting with NIS/Krb5/AFS
06:33 XenophonF felskrone: yes
06:33 orion XenophonF: You've been doing this about as long as I've been alive.
06:33 jagguli cool thanks @XenophonF
06:33 beardedeagle lol thats what I said
06:33 XenophonF felskrone: see https://github.com/irtnog/salt-states for an example
06:34 felskrone XenophonF: will take a look, thx :-)
06:34 XenophonF felskrone: look in the development branch, there's _modules/irtnog.py which exports a module that's used by apache/map.jinja iirc
06:34 XenophonF and maybe elsewhere
06:34 XenophonF orion: omg i'm not that old already am i?
06:35 beardedeagle you said 20+ years
06:35 beardedeagle one assumes...
06:35 XenophonF heh
06:36 RobertChen117 joined #salt
06:36 XenophonF orion: here's an interesting change we're making to user auth
06:36 jagguli can we use jinja include statements in state/pillars?
06:36 XenophonF ldap with ssh public keys stored in the directory
06:37 orion XenophonF: I really dislike password based authentication.
06:37 XenophonF using saml to authenticate users to a bit of middleware that handles the provisioning
06:37 favadi joined #salt
06:37 orion How difficult was it to deploy public key based authentication with the keys in LDAP?
06:37 XenophonF we're setting up some hpc resources in africa that the locals plus the visiting scientists can use in situ
06:37 XenophonF but we don't want to have to manage all of those visitors' accounts
06:37 XenophonF hence, saml
06:38 XenophonF (and maybe openid connect in the future, who knows)
06:39 XenophonF orion: the ldap public key bits were really easy
06:39 atester123 joined #salt
06:39 beardedeagle @jagguli: https://docs.saltstack.com/en/latest/ref/renderers/all/salt.renderers.jinja.html#include-and-import
06:41 XenophonF sssd includes a script that you tell sshd to run, and the script handles the lookups for sshd
06:42 honestly XenophonF: You can generate a SSH public key from an RSA X.509 certificate :D
06:42 XenophonF AuthorizedKeysCommand is the key setting
06:42 felskrone XenophonF: i see the dictupdate, but that makes a function available through the irtnog module which would then be available through __salt__['irtnog.update'](), but it does not extend __salt__ nor does it make variables available to other modules if im not mistaken
06:42 XenophonF felskrone: it's automagic
06:43 XenophonF hang on let me get you actual line numbers
06:43 orion XenophonF: Would it be easy to add 2FA to your existing system?
06:43 felskrone i have the line numbers :-)
06:43 XenophonF oh good
06:43 beardedeagle yay automagic
06:43 XenophonF felskrone: let me get you a different example
06:43 XenophonF felskrone: https://github.com/irtnog/active-directory-formula
06:43 fracklen joined #salt
06:44 brianfeister joined #salt
06:44 XenophonF specifically _modules/windows_servicing.py and _states/windows_feature.py
06:45 XenophonF which get called from ad/ds/*.sls
06:45 XenophonF the key bit is that __virtual__() function
06:46 XenophonF i'm particularly proud of _modules/identityserver_sts.py
06:46 honestly orion: 2FA is easy, you just put encrypted keys on a hardware dongle
06:47 honestly need the dongle to get the key, need the password to decrypt the key
06:47 honestly bam, 2 factors
06:47 fracklen joined #salt
06:47 orion I was more referring to TOTP, like Google Authenticator.
06:47 darxmurf joined #salt
06:47 darxmurf hi all
06:48 XenophonF TOTP doesn't provide the level of assurance our regulators require
06:48 XenophonF we're probably going to end up using duo
06:48 XenophonF for our webapps, yes, adding mfa should be "a simple matter of programming"
06:48 XenophonF for servers, dunno
06:49 XenophonF iirc other people are using duo or yubikey or whatever to provide mfa
06:49 XenophonF we'll need something that works across linux and windows, since we have bioinformatics stuff on both platforms
06:49 fracklen joined #salt
06:49 kawa2014 joined #salt
06:50 orion Doesn't that require you to trust a third party?
06:50 XenophonF yes
06:50 mpanetta joined #salt
06:50 XenophonF that's kind of the point of a trust fabric implemented using technologies like saml
06:51 orion :/
06:51 darxmurf I'm trying to find the cleanest solution to detect if there is a Raid card in machines and copy the raid tools depending the brand of the card.
06:51 felskrone XenophonF: i think i did not make myself clear enough, im not talking about states at all. i have custom module library.py which has  global variable called GLOBAL_DB_DIR for example. now i want that variable available in custom_mysql.py or through the __salt__ dict for all other modules. currently i just do 'import library' in custom_mysql.py, but that does work, because it does not make GLOBAL_DB_DIR available, just the function
06:52 XenophonF so if the identity provider commits to guaranteeing a certain LOA, i'm ok with trusting their assertion
06:52 darxmurf for the moment I create a grain containing the result of "lspci | grep RAID" but I don't think it's super clean
06:52 darxmurf :)
06:52 JohnnyRun joined #salt
06:52 darxmurf how would you do it ?
06:52 XenophonF felskrone: you might need to add an accessor function
06:53 XenophonF i don't think salt exports variables via the dunder dictionaries
06:54 XenophonF actually darxmurf you can probably skip the grain
06:54 linjan joined #salt
06:54 darxmurf the other option is to copy all the raid tools anyway
06:55 darxmurf even on machines without RAID
06:55 XenophonF or at least my naive first pass on that would just be to check the output of lspci|grep RAID in a jinja template
06:55 felskrone XenophonF: yeah, thats what i figured so far, but i dont quite get why 'import library' does not make my variables available, its a python import and has nothing to with salt. the accessor-function probably is the way to go
06:55 felskrone ill post to the mailing list, maybe theres another way
06:55 flowstate joined #salt
06:55 XenophonF felskrone: maybe because the dunder dictionary folders (_modules etc.) aren't in the pythonpath?
06:56 XenophonF i would expect an import of libs in those directories to fail
06:56 XenophonF so i'm kinda surprised if it worked
06:58 felskrone it works as long as the modules lay side by side
07:00 XenophonF darxmurf: honestly a custom grain sounds pretty clever to me
07:01 XenophonF alright folks the coffee is finally wearing off and theoretically, i need to be up for work in about 5 hours, so i'll catch you on the flip
07:01 XenophonF it's been nice chatting with everyone
07:01 XenophonF left #salt
07:03 elsmo joined #salt
07:04 aw110f joined #salt
07:05 lempa joined #salt
07:07 freeaks joined #salt
07:07 anmol joined #salt
07:07 aw110f_ joined #salt
07:10 digitalhero joined #salt
07:16 kliquori joined #salt
07:16 cyborg-one joined #salt
07:17 dgutu joined #salt
07:20 kshlm joined #salt
07:21 darxmurf how do you check if a variable matches a regex ?
07:21 darxmurf {% set lsraid = salt['cmd.run']('lspci | grep RAID') %}
07:21 darxmurf {% if lsraid match("*Areca*") %}
07:21 darxmurf ?
07:22 ronnix joined #salt
07:26 rdas joined #salt
07:30 toogley1 joined #salt
07:34 iggy jinja doesn't have regex abilities
07:34 favadi joined #salt
07:35 dariusjs joined #salt
07:35 iggy {% if "Areca" in lsraid %}
07:35 iggy or {% if lsraid.endswith('Areca') %}
07:35 iggy or other string functions
07:38 josuebrunel joined #salt
07:39 anmol joined #salt
07:41 darxmurf iggy: thanks I'll try
07:41 darxmurf by the way, is there a way to print the content of a variable for debug ?
07:42 darxmurf sweet, it works, thanks !
07:42 iggy I usually use `salt-call -l debug state.sls <state> test=True` it shows the rendered output
07:42 ravenx joined #salt
07:42 lero joined #salt
07:43 ravenx despite having a 'watch' directory in my salt state, i can't get supervisord to restart
07:43 ravenx whenever i run highstate.
07:43 fooma joined #salt
07:43 beardedeagle I use test=True as a substitute to serverspec ¯\_(ツ)_/¯
07:43 ravenx i need that so that it ensures my latest binary is running.
07:46 teatime ravenx: if a service is watching a directory it will not restart unless the directory state is modified
07:47 teatime changes to the actual directory on-disk aren't enough
07:48 teatime like, creating a file.managed state that depends on the directory -> restart.  but using file.managed to create a file inside the directory, w/ no dependency in the .sls, -> no restart.  I think.
07:48 jagguli joined #salt
07:52 fredvd joined #salt
07:55 flowstate joined #salt
07:55 beardedeagle that teatime, he is a &wizard;
07:55 slav0nic joined #salt
07:57 ravenx teatime: let me give that shot
08:00 teatime ravenx: dunno if this will be relevant, but since vaguely related:  I did figure out how to enforce a directory that's empty-except-what-salt-manages, and also demonstrates some requisites on a dir:  https://gist.github.com/anonymous/97e39e412eba4fdc1a15
08:02 kliquori joined #salt
08:02 teatime ravenx: if the directory has a watch_in for a service, then modifications to the files should bubble up to restarting the service, I think.
08:03 anmol joined #salt
08:03 kawa2014 joined #salt
08:03 ravenx since i have a file.directory which creates a dir, FOR the git.latest to copy. is it better to watch file or git?
08:04 teatime you may be able to watch the git.latest from the service (or watch_in the service from the git.latest)
08:04 jagguli joined #salt
08:07 ravenx one thing i am interested to know, is how is the 'watch' different from this mod_watch here: https://docs.saltstack.com/en/latest/ref/states/all/salt.states.supervisord.html
08:09 orion joined #salt
08:11 teatime tbh I do not know what mod_watch is.
08:12 GreatSnoopy joined #salt
08:13 AndreasLutro mod_watch is the function that gets called under the hood when you have a watch arg in a state
08:13 teatime ravenx: this is generally good to read, and goes into it a bit:  https://docs.saltstack.com/en/latest/ref/states/requisites.html
08:21 anmol joined #salt
08:21 hajhatten joined #salt
08:23 RandyT joined #salt
08:23 cpowell joined #salt
08:23 west575 joined #salt
08:24 mohae joined #salt
08:24 ravenx thanks AndreasLutro and teatime
08:25 ravenx >  "directory state is modified, changes to the actual directory on-disk aren't enough"
08:25 ravenx then what makes it enough?  aren't all changes to a dir, going to reflect on the disk?
08:27 remyd1 joined #salt
08:27 sk_0 joined #salt
08:28 ajw0100 joined #salt
08:28 sauvin joined #salt
08:28 cro joined #salt
08:28 Heartsbane joined #salt
08:28 Heartsbane joined #salt
08:31 teatime yes, but not all changes on disk come from your states.
08:31 ravenx 1
08:31 teatime let me find it in the docs for you
08:34 s_kunk joined #salt
08:35 my50c joined #salt
08:35 Salty-salter joined #salt
08:35 ajw0100 joined #salt
08:35 cro joined #salt
08:36 Salty-salter Hey, is it possible to tell salt to install package A when machine name is A_id and package B when machine name is B_id?
08:36 ravenx yeah i think you can use grains
08:36 kliquori joined #salt
08:36 debian112 joined #salt
08:36 ravenx oops nvm
08:36 ravenx that's for differing package names.
08:37 babilen Salty-salter: You could also target the right states at each machine or provide suitable data in pillars.
08:38 babilen Naturally you can write states that check the host name and run different states based on that, but that appears to be a cumbersome approach. I'd try to write states that do not rely on a host naming scheme.
08:38 Salty-salter What does it mean? im trying to use salt with aws autoscale, and i want it to install nginx on the web_id machines and mysql on the sql_id machine...for example
08:38 babilen I'd say you want to target the state that installs A to A_id and the state that install B to B_id
08:40 babilen You would use suitable targeting for those boxes and have them run a highstate: https://docs.saltstack.com/en/latest/topics/targeting/index.html + https://docs.saltstack.com/en/latest/topics/targeting/compound.html
08:40 rsys joined #salt
08:40 Salty-salter Thanks
08:41 babilen https://github.com/saltstack/salt-contrib/blob/master/grains/ec2_info.py and https://github.com/saltstack/salt-contrib/blob/master/grains/ec2_tags.py might come in handy too
08:42 teatime ravenx: cannot find a good explanation.  suffice it to say that watches watch salt states, not their artifacts (files, packages, whatever).  if your config continues to not work, just ask again + pastebin your state files.
08:44 _mel_ joined #salt
08:49 ravenx teatime: thanks
08:50 M0nte0 joined #salt
08:55 flowstate joined #salt
09:01 punkoivan joined #salt
09:01 auzty joined #salt
09:01 ronnix joined #salt
09:02 punkoivan joined #salt
09:03 punkoivan joined #salt
09:06 punkoivan joined #salt
09:07 ronnix joined #salt
09:08 punkoivan joined #salt
09:09 kshlm joined #salt
09:09 punkoivan joined #salt
09:10 jrklein joined #salt
09:14 Eugene joined #salt
09:14 vaelen joined #salt
09:14 impi joined #salt
09:14 rodr1c joined #salt
09:19 elsmo joined #salt
09:34 mavhq joined #salt
09:36 ronnix joined #salt
09:39 cro joined #salt
09:40 bluenemo joined #salt
09:47 LostSoul Hi
09:47 LostSoul I have question about minion grain - "host", what is it based on?
09:47 LostSoul As it doesn't match one from hostname
09:47 rsys joined #salt
09:50 ronnix_ joined #salt
09:51 LostSoul And I was wondering wth is going on :)
09:53 teatime LostSoul: if you're expecting the first part of the FQDN, it may be the largely-unrelated system hostname aka nis/yp hostname.  or, if you're expecting the system hostname, it may be the first component of the FQDN obtained via the resolver / DNS.
09:54 teatime on *nix those are pretty much the only two conceptions of hostname.
09:55 LostSoul teatime: So you say it might be DNS?
09:55 LostSoul That cause this issue?
09:55 teatime LostSoul: see what `hostname`, `hostname -s`, and `hostname --fqdn` return on the minion in question.
09:56 teatime LostSoul: it's kind of complicated how the names are determined; DNS is involved, yes.
09:56 teatime but usually people configure /etc/hosts in such a way that `hostname --fqdn` stays consistent w/o needing [to contact] DNS.
09:57 flowstate joined #salt
09:57 LostSoul I don't know where it came from
09:58 teatime LostSoul: see what `hostname`, `hostname -s`, and `hostname --fqdn` return on the minion in question.
09:58 elsmo Morning all. I'm having problems with the GPG renderer - salt logs that gpg itself is unavailable, and looking at the code it tries to find the gpg command with something akin to 'which'. However, the gpg command is available and on the user's path of both the salt minion and master (This is in pillar data so i guess it's the master that renders it)
09:58 LostSoul Salt was working and ~2 weeks ago stopped due to grain name change
09:58 LostSoul I don't know where it came from (this host value) as hostname is different
09:59 teatime it would help a lot to know what value you expect vs. what you're seeing, and how it compares to the output from those commands ^^
10:00 LostSoul It's strange
10:00 LostSoul on minion host has proper value
10:00 LostSoul How to refresh master cache?
10:00 teatime looking at the code, 'host' is the first component of `hostname --fqdn`, so yes it will be affected by reverse DNS if your /etc/hosts is not setup properly.
10:01 ThierryR joined #salt
10:02 LotR LostSoul: if you want people to help you, you're going to have to give them the information they ask for
10:03 teatime I gotta go to sleep anyway.  take it easy #salt.
10:03 elsmo salt 2015.8.1 on master and 2015.8.3 on minion
10:03 LostSoul I don't know what happened but it's fine now
10:03 LostSoul Still I get info that rendering jinja failed: failed: Jinja variable 'dict object' has no attribute 'network'
10:04 LostSoul I had tried everything with pillar in init.sls, in additional file
10:04 salty-salter joined #salt
10:04 LostSoul It was working and now sth is going crazy
10:04 LostSoul Proably due to hostname
10:06 LostSoul Now it worked.. I don't get it
10:07 LostSoul Nvm me, I'm just wondering where that strange hostname came from
10:07 LostSoul I have never changed everything
10:08 plop_ joined #salt
10:09 LostSoul Ok, I have sth, thanks ;)
10:10 mavhq joined #salt
10:10 plop_ Hi everyone
10:11 plop_ I was wondering how to create multiples interfaces with LXC because i can only configure one with lxc.network_profile :(
10:11 plop_ thanks in advance
10:12 ravenx for my git.latest, i have been getting this error:  error: Your local changes to the following files would be overwritten by merge:
10:12 LostSoul If anyone is interested
10:12 ravenx Please, commit your changes or stash them before you can merge.
10:12 fooma joined #salt
10:12 LostSoul I had revDNS set to some name
10:12 ravenx but that's supposed to happen...upstream changes something and i clone the new one.
10:12 ravenx how do i get this to go away?
10:12 ravenx there does not seem to be a force_merge option
10:12 LostSoul When I get on server with hostname full name with domain it went crazy ..
10:13 plop__ joined #salt
10:14 wnkz joined #salt
10:20 zer0def joined #salt
10:21 elsmo ravenx: force_checkout might do what you want?
10:22 ravenx elsmo: thanks, i will look into that
10:23 calculon2 joined #salt
10:26 ravenx one thing i'm confused about is that, in my salt state, when i spin up a virtualenv for my project
10:27 ravenx and pip install my project via:   pip install .      (in the same folder as my setup.py)
10:27 ravenx the files in: ./venv/lib/python2.7/site-packages/ty/super-app/    doesn't seem to get updated
10:28 ravenx there is still old .py files/code in there
10:32 elsmo ravenx: There is a command to clear out a virtual env and re-install packages into it if that would help?
10:33 elsmo ravenx: virtualenv_mod.managed set clear to True
10:33 ravenx elsmo: i just ran a reinstall command, that works!
10:33 ravenx elsmo: thanks a ton.
10:34 ronnix joined #salt
10:34 elsmo ravenx: no problem
10:35 ravenx next question is that, if i run 'pip install .' on the command line, pip is smart enough to pick up the setup.py
10:35 ravenx however, is there a way of passing that into a pip state
10:35 ravenx i mean, my package isn't on the pypi, so giving it a name will not help
10:35 ravenx i suppose i could do it via cmd.run, but i miss out on all the options and flags pip_state has to offer.
10:37 kliquori joined #salt
10:38 elsmo you can state the directory the command is run in, which might catch it
10:39 ravenx gonna give that a shot
10:39 elsmo ravenx: the cwd argument, which i think lots of states use.
10:42 ravenx however, in the pip.state doc, i dont see the cwd option
10:42 irctc369 joined #salt
10:46 dendazen joined #salt
10:50 elsmo ravenx: https://docs.saltstack.com/en/latest/ref/states/all/salt.states.pip_state.html#installation-of-python-packages-using-pip
10:50 elsmo ravenx: it's in the list of arguments that installed takes, but i think as it's a common one it's not explicitly mentioned in the description.
10:51 elsmo ravenx: ahh, it is there in fact
10:52 mpanetta joined #salt
10:52 ravenx elsmo: the one under "installed_options"?
10:54 punkoivan joined #salt
10:54 quasiben joined #salt
10:55 ronnix joined #salt
10:55 punkoivan joined #salt
10:56 elsmo ravenx: not sure where you are looking, but on closer inspection might not do what you want as you say you have to give it a name, unless you cwd into the parent folder, and give the name of the folder that contains the setup.py :S
10:57 ravenx yeah
10:57 ravenx that's what i thought
10:57 flowstate joined #salt
10:57 kliquori joined #salt
10:57 elsmo ravenx: if this project is brought in from git however, I think you can give the pip state the git URL and it will go and fetch and install it itself.
10:57 ravenx i believe that you have to give it a name :/
10:57 ravenx elsmo: yeah it is brought in from git
10:57 ravenx however, i have to do a whole song and dance, building this building that before i can install it.
10:58 ravenx it might not be wise to do everything there
10:58 elsmo Hmmm. Maybe you can setup your venv, use a pip state to install bit and the song and dance etc, and then afterwards have another state that fetches it from git?
10:59 ravenx hmm, i suppose that that might work.
11:02 mavhq joined #salt
11:04 amcorreia joined #salt
11:08 ravenx is it possible to do bash substitution
11:08 ravenx in .sls files
11:09 ravenx such as pip install $(python setup.py --name)
11:09 salty-salter how do i make salt automatically install nginx on new accepted machines?
11:09 elsmo Can anyone think why salt might not be able to find gpg when it is installed and accessible as the salt user?
11:09 elsmo ravenx: only if you made a custom renderer but you might be able to do what youre trying to do in jinja?
11:12 elsmo salty-salter: something like https://docs.saltstack.com/en/develop/topics/reactor/index.html#passing-event-data-to-minions-or-orchestrate-as-pillar would be a good start
11:13 jagguli- joined #salt
11:15 jagguli- joined #salt
11:17 jagguli_ joined #salt
11:21 jagguli joined #salt
11:23 TyrfingMjolnir joined #salt
11:23 fracklen joined #salt
11:24 fracklen joined #salt
11:24 babilen salty-salter: Just run appropriate states when the minion comes online. If you want to run them when they are accepted you have to use a reactor that listens to key events (cf. https://docs.saltstack.com/en/latest/topics/reactor/)
11:25 babilen You might consider triggering a highstate on startup (cf. https://docs.saltstack.com/en/latest/ref/states/startup.html) also.
11:25 _Cyclone_ joined #salt
11:26 babilen If you really only want to install nginx when the minion is accepted a reactor on key add that triggers the nginx state via state.sls is the right approach.
11:26 punkoivan joined #salt
11:27 plop__ Hi
11:28 punkoivan joined #salt
11:28 plop__ How do i add a 2nd network interface to a LXC container with the network_profile ?
11:29 punkoivan joined #salt
11:30 punkoivan joined #salt
11:31 ronnix joined #salt
11:32 mavhq I've generated part of a sls file with a script, can I include that fragment in an sls file easily?
11:33 jagguli joined #salt
11:35 mavhq joined #salt
11:35 Valfor I'm curious; if I've got a laptop (which is mobile), and my salt master lives elsewhere (static), is it possible to install a native client on my laptop which can talk direct to the master, and work/run as the master? Or do I have to SSH into the master in order to be able to do this?
11:39 ronnix_ joined #salt
11:40 ThierryR very interesting question, and curious for the answers
11:41 inire joined #salt
11:42 darxmurf in my top.sls file I'm setting some custom grains but the next steps in the file does not take care of those new grains, is there a way to force a reload or something ?
11:43 darxmurf else I have to run twice my highstate to finish my config
11:45 jagguli- joined #salt
11:51 fracklen @darxmurf, I'd go about it using orchestration... Would that fit your usecase?
11:54 darxmurf hmm don't know it yet but maybe :)
11:55 salty-salter thanks babilen
11:56 flowstate joined #salt
12:01 jagguli joined #salt
12:02 vilitux joined #salt
12:03 aw110f joined #salt
12:04 xmj moin
12:05 xmj how can i have a service be restarted if a package has been re-installed/upgrade and-or its configfiles changed?
12:06 AndreasLutro salt sure doesn't make it easy to accept a minion public key across multiple masters
12:06 aw110f_ joined #salt
12:07 darxmurf xmj: using "watch"
12:07 darxmurf like here https://docs.saltstack.com/en/latest/topics/tutorials/states_pt2.html
12:09 xmj great, tyvm
12:10 xmj darxmurf: trick question. on a distribution that always starts newly installed packages.. is there a "service.restarted" thing to match?
12:10 rem5 joined #salt
12:10 xmj hm, that may just not be necessary.
12:11 fracklen joined #salt
12:11 fracklen joined #salt
12:15 xmj next noob question: do - file arguments in watch: require the absolute path to file, or can i give it the top-level yaml description of said file?
12:15 abednarik joined #salt
12:20 xmj darxmurf: service.running isn't exactly what does the needful, it seems
12:21 hightekvagabond joined #salt
12:28 xmj it will, nevermind me!
12:29 TooLmaN joined #salt
12:30 _Cyclone_ joined #salt
12:34 DammitJim joined #salt
12:34 ThierryR joined #salt
12:35 XenophonF joined #salt
12:38 scoates joined #salt
12:39 nyx_ joined #salt
12:39 scoates joined #salt
12:41 dyasny joined #salt
12:42 kliquori joined #salt
12:43 dendazen joined #salt
12:44 s00b4u joined #salt
12:47 s00b4u When I run "salt-cloud --list-images myprovider" and got Error: There was an error listing images: No cloud providers matched 'myprovider'. Available selections:
12:47 s00b4u I looked up on the internet, it says I need to call salt module "directly"..
12:48 s00b4u How can I call Salt Module Directly? (Sorry for asking naive question. I am new to SaltStack)
12:48 AndreasLutro I think your internet lookup failed, because that advice makes no sense
12:50 s00b4u ok. I am trying to connect to a Proxmox machine which is on a remote location. May be that machine is down
12:50 s00b4u checking now
12:51 AndreasLutro that's not the issue, your issue is that the provider "myprovider" doesn't exist in your configuration
12:54 mschiff when should I use salt['pillar.get']('foo:bar') and when pillar.get(foo:bar) ?
12:54 mschiff is there any difference in practice?
12:54 josuebrunel joined #salt
12:54 favadi joined #salt
12:56 numkem joined #salt
12:57 fracklen joined #salt
12:57 AndreasLutro mschiff: the latter won't work
12:57 fracklen joined #salt
12:59 mschiff AndreasLutro: ah I see, you only need salt[... if you want to get a non root-branch of pillar data
12:59 zer0def joined #salt
13:01 XenophonF mschiff: the `pillar.get("foo:bar")` doesn't work because the .get() method there is the standard python dictionary .get() method
13:01 mschiff XenophonF: ah... thx
13:01 s00b4u I have proxmox.conf file in /etc/salt/cloud.providers.d
13:01 s00b4u The contents of that file are:
13:01 s00b4u my-proxmox-config:
13:01 s00b4u # Set up the location of the salt master
13:01 s00b4u #
13:01 s00b4u minion:
13:01 s00b4u master: localhost
13:01 s00b4u # Set the PROXMOX access credentials (see below)
13:01 s00b4u #
13:02 s00b4u user: root
13:02 s00b4u password: password
13:02 s00b4u # Set the access URL for your PROXMOX host
13:02 s00b4u #
13:02 s00b4u url: https://192.168.2.245:8006
13:02 s00b4u driver: proxmox
13:02 edrocks joined #salt
13:02 XenophonF s00b4u: i love you but please use paste.debian.net or gist.github.com or something
13:03 s00b4u XenophonF, I am sorry. I will do that from now on.
13:03 XenophonF it's cool
13:03 XenophonF when you run salt-cloud, you're using "my-proxmox-config" for the provider ID, right?
13:03 ThierryR joined #salt
13:04 s00b4u Yes
13:05 XenophonF would you mind posting the exact command and error message to paste.debian.net or gist.github.com or something?
13:05 XenophonF make sure to strip out anything sensitive
13:06 XenophonF but something like `salt-cloud --list-images=my-proxmox-config` should work
13:06 subsignal joined #salt
13:07 tkharju joined #salt
13:09 edrocks joined #salt
13:10 s00b4u I tried  `salt-cloud -l debug --list-images=my-proxmox-config`... but now I am getting a different error. It seems I am missing some configuration files
13:10 s00b4u here is the console output: https://gist.github.com/anonymous/b219e365e014dc7385ee
13:11 nyx_ joined #salt
13:12 digitalhero joined #salt
13:14 XenophonF the actual error is `LocationParseError: Failed to parse: Failed to parse: https:`
13:14 XenophonF i assume you elided the URL following `https:`
13:15 XenophonF maybe a bug in the proxmox driver?
13:15 zer0def joined #salt
13:15 s_kunk joined #salt
13:15 flowstate joined #salt
13:20 akhter joined #salt
13:21 digitalhero joined #salt
13:22 ron11 joined #salt
13:22 ron11 Hi All, what is the right way to check if I already have a minion in my list?
13:23 s00b4u could be a bug with Proxmox driver. I will log it with Proxmox.. let's see what do they say
13:25 ravenx left #salt
13:27 flowstate joined #salt
13:29 akhter joined #salt
13:30 XenophonF joined #salt
13:31 akhter_1 joined #salt
13:32 metalseargolid joined #salt
13:32 subsigna_ joined #salt
13:34 mpanetta joined #salt
13:35 racooper joined #salt
13:38 ron11 joined #salt
13:38 winsalt .
13:40 teryx510 joined #salt
13:42 quix joined #salt
13:42 fxhp joined #salt
13:43 jschoolcraft joined #salt
13:44 ronnix joined #salt
13:45 nyx_ joined #salt
13:47 Guest8365 joined #salt
13:51 mavhq joined #salt
13:52 nZac joined #salt
13:54 ron11 joined #salt
13:56 Brew joined #salt
13:56 hasues joined #salt
13:58 mpanetta joined #salt
13:59 dyasny joined #salt
13:59 hasues left #salt
14:01 jerredbell joined #salt
14:01 harkx ron11, salt-key -L ?
14:07 akhter joined #salt
14:08 ron11 I don't want to use grep
14:08 ron11 I can't use it
14:08 ron11 I am asking if there is a specific command with salt
14:08 ron11 Thanks for your answer
14:13 digitalhero joined #salt
14:15 rburkholder joined #salt
14:19 andrew_v joined #salt
14:19 elsmo Anyone got salt working with gpg-agent?
14:19 harkx ron11, weird... you can salt 'minion' test.ping
14:21 mschiff a multiline pillar value (foo: |) gets into the resulting file like "line1\n\tline2\n" any idea someone why this might be?
14:24 ronnix_ joined #salt
14:28 AndreasLutro mschiff: are you using tabs for indentation in your pillar yaml sls file?
14:28 akhter joined #salt
14:29 kawa2014 joined #salt
14:29 mschiff AndreasLutro: no I am using two spaces. However this only happens when I pass data via "defaults:", and if the template gets data from pillar on its own, it works as expected
14:30 mschiff looks like some encoding/decoding/escaping issue in defaults:  in file.managed to me
14:32 AndreasLutro can you show the state file?
14:32 akhter joined #salt
14:32 ageorgop joined #salt
14:34 mschiff AndreasLutro: its a very basic file.managed with the line "- defaults: {{ pi }}"
14:34 AndreasLutro and pi is what? a dict? a string?
14:34 mschiff AndreasLutro: a dict, sorry
14:35 akhter joined #salt
14:35 AndreasLutro try {{ pi | yaml }}, see if that makes a difference
14:35 fracklen joined #salt
14:36 quix joined #salt
14:36 AndreasLutro if not then I'd look at how you're setting the pi variable
14:36 mschiff AndreasLutro: yes it does! with |yaml it works as expected.. strange
14:37 akhter joined #salt
14:37 akhter joined #salt
14:38 mschiff AndreasLutro: or do you have an explanation for that?
14:39 nicksloan left #salt
14:39 AndreasLutro {{ pi }} is the same as print(pi) in python, which may or may not do odd things to your values making them behave oddly in yaml
14:40 AndreasLutro just make it a rule to always use | yaml for dicts/lists
14:42 ronnix joined #salt
14:42 mschiff AndreasLutro: ok, will remember that. Thank you
14:43 punkoivan left #salt
14:43 sab3r Im trying to use file.line to add a line after a line which has "export PATH". Do you know should the regex in - after:  -option be inside " " or without them
14:43 sab3r it seems to fail
14:43 sab3r ?
14:43 akhter joined #salt
14:51 inno joined #salt
14:52 inno hi. does anyone have a salt-cloud provider and profile configuration template that works, that they can share?
14:52 inno I'm having connectivity issues
14:52 inno and am not sure how to fi
14:52 inno x
14:57 akhter joined #salt
15:00 elsmo Just FYI have submitted a suspect gpg bug https://github.com/saltstack/salt/issues/32207
15:00 saltstackbot [#32207]title: salt gpg decrypt fails when trying to open a tty | Trying to use gpg to encrypt pillar data as described in the docs....
15:00 ronnix joined #salt
15:00 akhter joined #salt
15:01 s00b5u joined #salt
15:02 AndreasLutro elsmo: sounds like it's trying to read input - does your gpg key have a password?
15:02 elsmo AndreasLutro: It does!
15:03 inno joined #salt
15:03 AndreasLutro I'm not sure if salt supports that
15:03 elsmo AndreasLutro: I thought there was a way it can ask you for the password using a gpg-agent
15:03 elsmo ahh :/
15:04 AndreasLutro https://docs.saltstack.com/en/latest/ref/renderers/all/salt.renderers.gpg.html states "Do not supply a password for your keypair"
15:04 elsmo AndreasLutro: hmm, good spot :(
15:05 jean-michel joined #salt
15:05 berserk joined #salt
15:06 fletcher_ joined #salt
15:07 elsmo AndreasLutro: thanks!
15:08 akhter joined #salt
15:09 jean-michel good morning.  I'm trying to bring up a salt api server with 2015.8.8 (cherrypy) and am getting the following message when I try to authenticate: https://www.refheap.com/116502
15:10 jean-michel the username, host, port and password are correct, and I have a similar configuration working with 2014.7.x
15:10 fletcher_ Hello! Does anyone see anything wrong with: http://pastebin.com/mkZja6F6 The pillar data all exists and is correct according to salt when I print it as json..
15:10 _JZ_ joined #salt
15:11 heaje joined #salt
15:11 jean-michel relevant portion of /etc/salt/master: https://www.refheap.com/116503
15:12 AndreasLutro fletcher_: your error clearly says the pillar data doesn't exist - you can try a saltutil.refresh_pillar to be sure that it's updated
15:13 fletcher_ AndreasLutro: I did that, and as I said, when I view the pillar data from the command line, that data exists
15:14 toddnni joined #salt
15:14 AndreasLutro then my theories are you're not checking the pillar on the right minion, or you're not checking the right pillar keys
15:17 aharvey joined #salt
15:19 beardedeagle joined #salt
15:22 akhter_1 joined #salt
15:24 kliquori joined #salt
15:25 salty-salter joined #salt
15:26 salty-salter Hey guys, how can i configure in .sls file to manage a directory? instead of file.managed something like directory.managed.
15:31 akhter joined #salt
15:31 AndreasLutro salty-salter: file.recurse
15:32 evle1 joined #salt
15:32 hightekvagabond joined #salt
15:36 punkoivan joined #salt
15:36 salty-salter like so? nginx:   pkg:     - installed   service:     - running     - watch:       - pkg: nginx       - file: /etc/nginx  /etc/nginx:   file.recurse:     - source: salt://nginx     - user: root     - group: root     - mode: 640
15:38 punkoivan joined #salt
15:38 Eugene I would not do the entire /etc/nginx/ directory. I would have a file.managed on /etc/nginx/nginx.conf, and then drop per-site files inside of /etc/nginx/conf.d/ with a file.managed per-site
15:39 punkoivan joined #salt
15:40 salty-salter no i can't, thats the issue
15:40 salty-salter i got a lot of conf files that i need
15:41 onlyanegg joined #salt
15:41 punkoivan joined #salt
15:42 punkoivan joined #salt
15:44 punkoivan joined #salt
15:46 punkoivan joined #salt
15:47 kshlm joined #salt
15:47 Eugene I would put them in the conf.d/, rather than the /etc/nginx/. There's a lot of things that get dropped in there by the packages, and you probably really don't want to second-guess those
15:48 Eugene Including conf.d/*.conf is a standard way to do things
15:53 hightekvagabond joined #salt
15:53 patarr joined #salt
15:54 digitalhero joined #salt
15:58 Fiber^ joined #salt
16:00 mpanetta joined #salt
16:01 rm_jorge joined #salt
16:02 akhter joined #salt
16:04 Ashald given a 'minion query' like 'test*' is there a way to expand/resolve it with some execution module inside sls?
16:08 babilen Ashald: Resolve it to what?
16:08 babilen What are you really trying to do?
16:09 Ashald let's say I have minions called test1 and test2
16:09 impi joined #salt
16:09 babilen You could fire off a test.ping with cmd.run, but that is not necessarily what you are after
16:09 Ashald given a query 'test*' how I can get a list of test1 and test2?
16:10 babilen Of their names?
16:10 Ashald ids
16:11 babilen I'd maintain those in the salt mine and use mine.get with a suitable target expression.
16:11 Ashald hm, nice idea, thanks
16:13 babilen In fact you could just include the entire core grains dict in the mine and then retrieve what you require. For IP addresses I'd use network.ip_addrs with suitable cidr masks as mine function aliases.
16:14 Netwizard joined #salt
16:16 kevinqui1nyo what's the best way to get a specific pillar from all 'web*' minions from within a state?
16:16 orion For those of you who use Kerberos, how do you deploy new servers with, say, salt-cloud and have the keytab automatically generated and deployed?
16:21 digitalh_ joined #salt
16:22 cyborg-one joined #salt
16:23 onlyanegg joined #salt
16:24 cyborglone joined #salt
16:25 DammitJim joined #salt
16:25 MadHatter42 joined #salt
16:27 bluenemo How do I put 'string' into a not yet existing list [] in one line in jinja? :)
16:27 bluenemo I think .append does only work on existing lists
16:30 andrew_v_ joined #salt
16:32 mavhq joined #salt
16:32 akhter joined #salt
16:32 flowstate hmph. So I can salt-call --local pip.install no problem, but when I try to run a pip.installed state via highstate, I get a failure
16:32 flowstate " An importable pip module is required but could not be found on your system."
16:34 ronnix joined #salt
16:36 writtenoff joined #salt
16:39 flowstate I upgraded pip on the minion as well, didn't seem to have any effect
16:39 beardedeagle would anyone find a formula for installing and configuring rancher useful?
16:39 akhter joined #salt
16:42 akhter joined #salt
16:43 murrdoc joined #salt
16:43 quasiben joined #salt
16:44 mpanetta joined #salt
16:48 ageorgop joined #salt
16:49 nZac joined #salt
16:49 murrdoc joined #salt
16:51 zer0def joined #salt
16:51 slav0nic joined #salt
16:53 onlyanegg joined #salt
16:54 manifold joined #salt
16:54 akhter joined #salt
16:56 subsignal joined #salt
16:57 akhter joined #salt
16:59 akhter_1 joined #salt
16:59 fracklen joined #salt
17:01 TheBigNoob joined #salt
17:02 _JZ__ joined #salt
17:02 Eugene Never heard of it. No reason not to toss it on Github though
17:02 notnotpeter joined #salt
17:04 hillna_ joined #salt
17:04 RandyT_ joined #salt
17:04 impi joined #salt
17:04 Jimlad_ joined #salt
17:05 londo_ joined #salt
17:06 invalidexceptio- joined #salt
17:06 alias joined #salt
17:06 beardedeagle well right now it is just a state, was gauging interest to see if I should put in the time
17:06 llua` joined #salt
17:06 adrienr_ joined #salt
17:06 erjohnso_ joined #salt
17:06 Shirkdog_ joined #salt
17:06 baffle_ joined #salt
17:06 beardedeagle because I have SOOOO much time lol
17:06 tkeith_ joined #salt
17:06 beardoLU__ joined #salt
17:06 arcleo_ joined #salt
17:06 nahamu_ joined #salt
17:07 arapaho_ joined #salt
17:07 txmoose_ joined #salt
17:07 asyncsrc1 joined #salt
17:07 saltsa_ joined #salt
17:07 gchao_ joined #salt
17:07 saltstackbot joined #salt
17:07 skrobul joined #salt
17:07 seblu joined #salt
17:07 berto- joined #salt
17:07 ajolo_ joined #salt
17:07 tedski_ joined #salt
17:07 lz-dylan_ joined #salt
17:07 rubenb joined #salt
17:07 akhter joined #salt
17:07 kuromagi joined #salt
17:07 evilrob_ joined #salt
17:07 seblu joined #salt
17:07 v0rtex joined #salt
17:07 zifnab06 joined #salt
17:07 al joined #salt
17:07 colegatron joined #salt
17:07 mavhq joined #salt
17:07 ZombieTwiglet joined #salt
17:07 djinni` joined #salt
17:07 izibi joined #salt
17:08 netzvieh joined #salt
17:08 onlyanegg joined #salt
17:08 baoboa joined #salt
17:08 west575 joined #salt
17:08 dmaiocchi joined #salt
17:08 armyriad joined #salt
17:08 JPT joined #salt
17:08 bebehei joined #salt
17:08 analogbyte joined #salt
17:08 systeem joined #salt
17:08 jasondotstar joined #salt
17:08 paolo joined #salt
17:08 synical joined #salt
17:08 hexa- joined #salt
17:08 davisj joined #salt
17:08 winsalt does anyone know if you can have a whitelist for which modules salt loads up?
17:09 M-MadsRC2 joined #salt
17:10 godlike joined #salt
17:10 godlike joined #salt
17:11 Muchoz joined #salt
17:12 ]V[ joined #salt
17:13 akhter joined #salt
17:13 toddnni_ joined #salt
17:14 eliasp joined #salt
17:14 XenophonF i'm a little frustrated with salt-formula
17:15 SteamWells joined #salt
17:15 beardedeagle A wild XenophonF has appeared!
17:15 Phtes joined #salt
17:15 XenophonF yeah
17:15 akhter joined #salt
17:15 XenophonF so i'm trying to patch up some pathnames referenced across it
17:16 XenophonF lots of "/etc/salt"
17:16 bmcorser joined #salt
17:16 amcorreia joined #salt
17:17 XenophonF problem is, map.jinja uses the slspath variable, which means if i try to import map.jinja into a config file, like a salt-cloud config file, rendering breaks
17:17 trave joined #salt
17:17 XenophonF b/c the file isn't an SLS
17:17 smakar joined #salt
17:18 shawnbutts joined #salt
17:18 lkannan joined #salt
17:19 bstaz joined #salt
17:19 ramblinpeck joined #salt
17:19 mikepea joined #salt
17:19 wiqd joined #salt
17:19 Ryan_Lane joined #salt
17:19 ashb joined #salt
17:19 linovia joined #salt
17:21 fracklen joined #salt
17:21 OliverMT joined #salt
17:21 XenophonF i think i've got it
17:22 akitada joined #salt
17:24 XenophonF ok - here's another curiosity about salt-formula
17:24 XenophonF it tries to install salt-cloud stuff via pip instead of using o/s packages
17:25 m0nky joined #salt
17:25 moy joined #salt
17:26 XenophonF i don't understand
17:26 AndreasLutro lol
17:27 mavhq joined #salt
17:29 AndreasLutro still feel like I made the right choice never bringing in any of the formulas :p
17:32 XenophonF they're really useful, but they all need maintenance
17:32 baweaver joined #salt
17:32 XenophonF in some cases, rewrites
17:34 XenophonF i'm willing to submit patches
17:34 XenophonF just need to find the time
17:34 cyborg-one joined #salt
17:35 XenophonF another one is postgresql-formula, which i wish was on par feature-wise with mysql-formula
17:36 fracklen joined #salt
17:36 XenophonF although that's going to require contributions to salt itself, whose postgresql support isn't as good as mysql
17:36 AndreasLutro what's missing?
17:38 onlyanegg joined #salt
17:40 XenophonF mysql-formula can configure databases, users, grants, etc.
17:40 XenophonF last i looked postgresql-formula couldn't do all that
17:40 XenophonF and last i looked at the docs, the various postgresql states couldn't accomplish those tasks, either
17:41 XenophonF it's been 6 months since i looked last, so i'm sure things have changed since
17:43 AndreasLutro not grants but everything else should be in place
17:43 AndreasLutro I don't bother with grants, just a single user per database is all I need anyway
17:44 penguin_dan joined #salt
17:45 hellertime joined #salt
17:45 zer0def joined #salt
17:46 SpX joined #salt
17:46 hellertime when installing masterless salt minions, is there a way to ignore some unmet deps, such as msgpack? or the requests library?
17:50 UtahDave joined #salt
17:50 josuebrunel joined #salt
17:53 XenophonF i wonder why salt-formula calls out to pip in the salt.cloud SLS
17:54 XenophonF on freebsd at least, the various dependencies get installed along with salt
17:54 digitalhero joined #salt
17:57 AndreasLutro a lot of the "optional" dependencies of salt can be out of date in official packages
17:58 flowstate joined #salt
17:58 akhter joined #salt
18:02 XenophonF oh that makes sense
18:04 ronnix joined #salt
18:04 flowstate joined #salt
18:06 llua joined #salt
18:09 digitalhero joined #salt
18:09 akhter joined #salt
18:12 feld joined #salt
18:14 edrocks_ joined #salt
18:14 baweaver joined #salt
18:17 forrest joined #salt
18:18 jfindlay hopefully that dependency debt is not as bad as it used to be now that we do our own packaging
18:18 onlyanegg joined #salt
18:19 * AndreasLutro would appreciate a pygit2 package
18:20 baweaver joined #salt
18:20 forrest AndreasLutro, You could always package it up and submit it to whatever public repos you use for your distro.
18:21 fracklen joined #salt
18:21 freelock joined #salt
18:24 akhter joined #salt
18:25 AndreasLutro I'm having enough troubles building debian packages locally, nevermind trying to submit them to the official repositories
18:25 XenophonF thank you gravyboat
18:26 XenophonF regarding salt-formula, i could add an if/grains test, but it's going to make a mess of salt/cloud.sls
18:26 XenophonF er, i mean, add another if/grains test
18:27 forrest XenophonF, Yeah no problem, I honestly think that solution is fine.
18:27 XenophonF ok then, let me test it out
18:28 forrest Okay. If you can keep it from getting messy that's great, but the formula is already kind of messy anyways ;)
18:28 ageorgop joined #salt
18:29 onlyanegg joined #salt
18:30 XenophonF :)
18:31 brianfeister joined #salt
18:34 morissette joined #salt
18:41 aqua^c_ joined #salt
18:42 akhter joined #salt
18:43 MindDrive http://paste.pound-python.org/show/HAz0daZoLftgKilceIuk/ - so really not getting anywhere with this '__virtual__ returned False' issue here.  I know for a fact the four modules it fails to load are NOT needed for this to work, as it is working on other systems.
18:46 pan joined #salt
18:46 MindDrive '$ python2.6 /var/cache/salt/minion/files/base/_modules/tds.py offenders-finder 153' - this actually succeeds.
18:47 AndreasLutro the other modules failing to load have nothing to do with your custom module __virtual__ returning false
18:48 whytewolf the modules that fail before the tds module have nothing to do with why tds would be failing. they are other modules that failed to load.
18:48 onlyanegg joined #salt
18:49 MindDrive I was being pre-emptive because I've had people tell me before "looks like you're missing modules".  The fact remains that I'm getting ZERO useful information back on what's failing.
18:49 whytewolf well without knowing what's in the tds module. not much we can do
18:51 AndreasLutro considering you wrote the tds module yourself...
18:51 AndreasLutro I mean it explains itself doesn't it? __virtual__() returned false, if you want more info you'll have to put in logging in __virtual__
18:53 MindDrive http://paste.pound-python.org/show/luEGxITUqvdOF8s4JwMh/ - have at it.  The module actually works on 80% of the systems it's used on and only recently started failing after some changes in our environment.
18:53 MindDrive (Note: I don't use __virtual__ anywhere in the code.)
18:53 AndreasLutro oh that's interesting
18:54 akhter_1 joined #salt
18:55 whytewolf humm, I would put in a __virtual__ that returns the name of the function. never really been sure but i thought since lazyloading went in not having a __virtual__ could result in unknown behavior.
18:55 whytewolf https://docs.saltstack.com/en/latest/ref/modules/#virtual-function
18:55 MindDrive http://paste.pound-python.org/show/NXR38BUHQ6GMZEzDDqCv/ - for completion, this is the code that actually calls that module from the main Python application.  And I'll look at that doc right now...
18:56 s_kunk joined #salt
18:57 edrocks joined #salt
18:58 edrocks joined #salt
19:00 MindDrive *sigh* I think I may have found the problem.  During the 'sync_modules' that gets regularly run, I see this in the logs:
19:00 MindDrive 2016-03-27 02:38:59,485 [salt.loader.dsalt01.int.module.saltutil  ][INFO    ][4663] Copying '/var/cache/salt/minion/files/base/_modules/tds.py' to '/var/cache/salt/minion/extmods/modules/tds.py'
19:01 MindDrive However, the '/var/cache/salt/minion/extmods/modules/tds.py' does not exist on the box it's failing on, and does exist on the boxes it's working on. :(
19:01 whytewolf um, well that would cause issue.
19:02 whytewolf but why is sync not working
19:02 MindDrive I can't find anything in the logs that would explain why the copy is failing (or the file is being deleted afterwards).
19:02 ajw0100 joined #salt
19:02 whytewolf selinux?
19:03 whytewolf [goto excuse to random things failing that have 0 reason]
19:03 whytewolf and it is scary how often turning off selinux has fixed things that didn't make sense
19:04 whytewolf such as a seg 11 in python? turn off selinux. boom 100% fixed.
19:04 ageorgop joined #salt
19:05 MindDrive We have selinux disabled everywhere - verified via 'getenforce' on the box.
19:05 MindDrive I can see that /var/cache/salt/minion/extmods exists on the failing system, but not /var/cache/salt/minion/extmods/modules
19:05 aw110f joined #salt
19:06 whytewolf modules should exist.... and it should be created by the minion on start up
19:06 whytewolf since it is in the cache directory.
19:07 MindDrive I wonder why that's failing.  Manually creating it worked.
19:09 MindDrive And running 'refresh_modules' after the directory creation allows the file to be copied.  Qu'est-ce que f**k...
19:09 spankalish joined #salt
19:10 jfroot joined #salt
19:10 spankalish Hi I am trying to get the reactor system up and running. I am creating an event, but it is failing each time saying that Warnings: 'new' and 'data' are invalid keyword arguments for 'event.wait'.
19:10 GermanJaber joined #salt
19:10 GermanJaber hello
19:11 GermanJaber Is there a way to overwrite settings of a salt-cloud profile from the command line?
19:11 spankalish That is my event https://gist.github.com/Spankalish/30a3e410e905ced9d07021c8fff4b179
19:11 MindDrive 2016-03-27 03:09:00,561 [salt.loader.dsalt01.int.module.saltutil  ][INFO    ][7007] Creating module dir '/var/cache/salt/minion/extmods/modules' - it LIES.  *sigh*
19:12 onlyanegg joined #salt
19:12 spankalish I'm watching the nginx service as it restarts once a config change is done, so I want the server to come offline once this happens and I need an event to make that happen
19:15 sjorge joined #salt
19:15 sjorge joined #salt
19:15 whytewolf spankalish: - data will work until carbon however it is tossing a warning for that. also you need 2 more spaces for the line under data
19:16 spankalish whytewolf: 2 more spaces?
19:16 whytewolf yes.
19:17 whytewolf it is odd but for some things like -data you need 4 space indentation not 2
19:17 spankalish Oh
19:19 spankalish whytewolf: so just indent the "id: {{ salt['grains.get']('host') }}" 2 spaces?
19:19 whytewolf spankalish: yes, 2 more than you currently have
19:20 spankalish I did that and still getting the same response
19:20 whytewolf which is?
19:21 whytewolf is it failing or warning?
19:21 spankalish Oh no that's just the warning about data and carbon
19:24 spankalish whytewolf: can I ask what does the "- wait" do? I'm new enough to salt
19:25 sjorge joined #salt
19:25 sjorge joined #salt
19:26 hightekvagabond joined #salt
19:27 MindDrive *CHOKE* [from an strace]: 10951 rmdir("/var/cache/salt/minion/extmods/modules") = 0   - WHAT THE HELL, SALT, YOU NEED THAT DIRECTORY.  *sighs and slams his head repeatedly against the wall*
19:28 babilen Pearls of IRC - Chapter 4
19:29 hightekvagabond joined #salt
19:29 alvinstarr joined #salt
19:29 berserk_ joined #salt
19:29 quasiben1 joined #salt
19:32 digitalhero joined #salt
19:32 GreatSnoopy joined #salt
19:33 onlyanegg joined #salt
19:33 patrek joined #salt
19:34 linjan joined #salt
19:35 AndreasLutro you sound...... salty
19:36 spankalish Is there any way to view triggered events from when you run a .sls file?
19:37 rem5 joined #salt
19:39 aqua^c joined #salt
19:41 baweaver joined #salt
19:42 mowntan joined #salt
19:42 spankalish babilen: When setting up the reactor on the master the first file under the reactor is the name of the event "- salt/states/base/nginx:" ?
19:42 spankalish first line, not file
19:43 quasiben joined #salt
19:45 spankalish Anyone want to help me out with events and the reactor system?
19:50 spankalish https://gist.github.com/Spankalish/398cb86573140054df3fddfea8f1c16f Does that look right?
19:51 punkoivan joined #salt
19:52 Pie_Mage joined #salt
19:52 punkoivan joined #salt
19:54 punkoivan joined #salt
19:56 punkoivan joined #salt
19:57 baweaver joined #salt
19:58 nZac_ joined #salt
19:58 amcorreia joined #salt
19:58 punkoivan joined #salt
20:00 punkoivan joined #salt
20:01 punkoivan joined #salt
20:02 ageorgop joined #salt
20:03 berserk joined #salt
20:04 UtahDave spankalish: I think that looks right.   You can view the events coming through by running this on your salt master:     salt-run state.event pretty=True
20:04 kevinqui1nyo if you create an ext_pillar, do you still need a <pillar_roots>/top.sls file?
20:04 forrest Alright this will be the last time i say this for a while since I figure by Tuesday everyone is back. If your company is looking for a remote devops engineer to work on your salt infra please let me know.
20:04 akhter joined #salt
20:04 kevinqui1nyo and how does the <pillar_roots>/top.sls interact with your ext_pillar
20:05 UtahDave kevinqui1nyo: your ext_pillar doesn't use the top.sls at all
20:05 UtahDave I'd generally recommend having a top.sls, even if it doesn't do anything.
20:06 kevinqui1nyo ok that makes more sense UtahDave because I'm wanting to make api calls to a remote service (an internal rest api that i'm building) to determine what pillar data what minion gets
20:06 kevinqui1nyo so i can just handle all of that myself then
20:06 kevinqui1nyo UtahDave: why would you recommend that, and what would it have in it?
20:06 hightekvagabond joined #salt
20:07 kevinqui1nyo "*:\n - *" or something?
20:10 spankalish UtahDave: Thanks, but it's not doing what I want. I don't know what's wrong
20:11 quasiben joined #salt
20:15 oida joined #salt
20:17 onlyanegg joined #salt
20:18 dmaiocchi joined #salt
20:18 rm_jorge joined #salt
20:19 polyidus joined #salt
20:21 MindDrive whytewolf: So after digging through the Salt code, I tested out a theory that the gitfs setup was the problem, and guess what? :)  Public access to the repo had been turned off and it looks like if gitfs is in use, it tries to determine through it what the proper remote files are, and that was failing, so it was just removing the file again after copying it.  I turned public access to the repo back on and restarted salt-minion on the boxes,
20:21 MindDrive and the file is there now.
20:26 PeterO joined #salt
20:37 ajw0100 joined #salt
20:39 spankalish Can any one tell me what does the "-wait" command do in an event?
20:40 spankalish There does not seem to be great documentation on it anywhere
20:40 whytewolf spankalish:
20:40 whytewolf https://docs.saltstack.com/en/latest/ref/states/all/salt.states.event.html#salt.states.event.wait
20:40 whytewolf - event: - wait is just the long form of event.wait
20:41 aqua^c joined #salt
20:41 whytewolf Fire an event on the Salt master event bus if called from a watch statement
20:43 spankalish whytewolf: I've never used it before, I just saw it being used and was trying it. I googled it and couldn't find any decent documentation on it. That documentation you posted looks good, I'll have a read through that
20:48 jfroot_ joined #salt
20:50 spankalish whytewolf: The event is firing, but it does not seem to be executing the .sls file I have it linked to
20:51 whytewolf did you restart the master after putting in the reactor information in the master file?
20:52 spankalish whytewolf: Hummm rookie mistake :)
20:52 spankalish whytewolf: I'll do that now
20:53 ronnix joined #salt
20:55 spankalish whytewolf: Still no go, would the .sls that is being fired be displayed in the state run?
20:56 whytewolf no
20:56 whytewolf it is being run separately
20:56 spankalish whytewolf: It's not disabling the web servers anyway
20:57 UtahDave kevinqui1nyo: I generally will have a top.sls with a base environment with a '*' match with an  - empty.sls where the sls file is actually empty.  I've run into a few places where Salt needed to figure out a Salt environment for a minion and didn't like that it couldn't find one
20:58 UtahDave kevinqui1nyo: I might be overreacting...
20:58 kevinqui1nyo thanks for the tip UtahDave
20:58 UtahDave sure
21:00 polyidus joined #salt
21:01 spankalish In the disable server in haproxy the command line argument will be run on the LB host using the minions id after the backend right? https://gist.github.com/Spankalish/398cb86573140054df3fddfea8f1c16f
21:01 whytewolf spankalish: can you run that cmd.run work exactly like that through salt? salt 'LB' cmd.run echo "disable server here/%s | socat stdio /etc/haproxy/haproxysock"|format(data['id'])
21:02 whytewolf you didn't put data into jinja so it is being passed as data['id']
21:02 spankalish whytewolf: There is the problem
21:03 ageorgop joined #salt
21:03 spankalish whytewolf: The command should be 'LB' cmd.run echo "disable server here/minion1 | socat stdio /etc/haproxy/haproxysock"
21:04 Netwizard joined #salt
21:04 spankalish whytewolf: where minion1 is the web server the event is being fired from, but the above command needs to be executed on the load balancer
21:05 whytewolf well you are just missing a pair of {{  }}
21:06 liskl joined #salt
21:06 whytewolf {{ "disable server here/%s | socat stdio /etc/haproxy/haproxysock"|format(data['id']) }}
21:07 titilambert HellO !
21:07 whytewolf also does it work correctly from the command line like you describe?
21:08 whytewolf salt 'LB' cmd.run echo 'disable server here/minion| socat stdio /etc/haproxy/haproxysock'
21:08 spankalish yes
21:09 titilambert I'm using salt 2015.5.8 on centOS with gitfs. When i run "salt-run fileserver.update" I see my formulas downloaded in "/var/cache/salt/master/gitfs". BUT a few second after that command is finished, I see all my formulas deleted from  "/var/cache/salt/master/gitfs" ...
21:10 UtahDave titilambert: are they not available when you run   salt-call cp.list_states    on your minion?
21:10 flowstate joined #salt
21:11 titilambert UtahDave: no ! I don't see my formulas  :/
21:11 titilambert in fact
21:11 titilambert hum !
21:12 titilambert wait a second !
21:13 dmaiocchi joined #salt
21:14 titilambert UtahDave: in fact I see only
21:14 titilambert local:
21:14 titilambert ...
21:16 UtahDave titilambert: can you pastebin a sanitized version of the gitfs portion of your master config?
21:16 flowstate joined #salt
21:19 baweaver joined #salt
21:19 akhter joined #salt
21:19 titilambert UtahDave: https://gist.github.com/titilambert/df7275dbd2393dca33a2f6c19c539e36
21:20 titilambert UtahDave: can you see it ?
21:20 UtahDave yeah
21:21 UtahDave ok, stop the salt-master daemon, then run it in the foreground like this:     salt-master -l debug
21:21 UtahDave Tell me if you see any errors or tracebacks
21:21 rm_jorge good luck!
21:22 UtahDave hello, jorge
21:23 titilambert UtahDave:  when I do that, salt-call cp.list_stat is working ... :/
21:24 UtahDave Hm.  And you're not seeing any errors?
21:25 titilambert nop :(
21:25 titilambert and now when I run salt master with system all is working :(
21:25 UtahDave ok. hit ctrl-c to stop the salt master and then start up the salt master daemon again.
21:25 titilambert now when I run salt master with system all is working :(
21:26 titilambert UtahDave: do you have an idea for a better workaround ?
21:26 akhter joined #salt
21:26 titilambert I'm trying to automate salt-master installation ...
21:26 UtahDave titilambert: I'm not clear.  Is it working now when the salt-master is running as a daemon?
21:27 titilambert UtahDave: yes
21:27 titilambert I see all my formulas ...
21:27 UtahDave Ok, maybe you just needed to restart the salt-master daemon.  A restart is required after editing most master config items
21:27 titilambert :)
21:28 brianfeister joined #salt
21:28 titilambert maybe a stop-start is better than a restart ?
21:28 babilen Shouldn't be
21:28 UtahDave service salt-master restart      should do the trick
21:28 UtahDave or    systemctl restart salt-master.service       or whatever your system uses
21:29 titilambert usually adding git repo in remotegitfs imply salt-master restart ?
21:29 UtahDave yes
21:29 titilambert UtahDave: thanks !
21:29 titilambert Retrying !
21:29 UtahDave you're welcome!
21:30 babilen titilambert: You might like to use https://github.com/saltstack-formulas/salt-formula/ for managing your master
21:31 titilambert babilen: I'm already using it
21:31 dmaiocchi joined #salt
21:32 babilen That should automatically restart the master if you change its configuration.
21:34 titilambert babilen: UtahDave: It seems working ! thanks !
21:37 VSpike joined #salt
21:37 UtahDave titilambert: great!
21:37 hemebond joined #salt
21:38 VSpike I was looking at packer for creating image for autoscaling on AWS, but I see that it only supports masterless salt .. anyone know why, out of interest?
21:38 UtahDave VSpike: I don't at all, but i would imagine it's just for simplicity's sake.
21:39 AndreasLutro VSpike: it's hard to automate accepting/generating keys, especially with multimaster
21:40 VSpike Ah, yeah. That could be it. It has provisioners for chef, puppet and ansible remote so I wondered why not Salt
21:41 flowstate in general, what is the actual security vulnerability of auto_accept?
21:41 flowstate I mean, I get it, as a principle
21:41 flowstate but if your network access security is on point
21:41 flowstate I guess a user could get access to pillars
21:41 flowstate a malicious user* I mean
21:42 VSpike So given that I've never used salt-masterless, how would I take my existing salt master states/pillar tree and use it to set up a minion in a masterless fashion?
21:42 AndreasLutro then again I guess the puppet provisioner is just the same...
21:42 UtahDave flowstate: they could view the entire contents of your file_roots
21:42 VSpike All the masterless examples I've seen are rather trivial
21:42 AndreasLutro flowstate: we use salt to manage the salt master - so if we accepted a minion that said it was a salt master, it'd have access to all pillar data
21:42 flowstate VSpike, google ryan d lane provisioning
21:43 hlub joined #salt
21:43 flowstate ahhh, okay, that makes sense
21:43 UtahDave VSpike: modify your minion config and add in the same file_roots and pillar_roots config items as your current master
21:44 flowstate beeteedubs, just saw that the develop branch has a new property in boto_lc.cloud_init called boothooks
21:44 flowstate anyone know what that does? It's not documented anywhere I could find it
21:44 Ryan_Lane the nice thing is that in general your config management will be pretty trivial if you do masterless :)
21:44 Ryan_Lane it's way less complex
21:44 Ryan_Lane but it's also a bit more limiting
21:44 flowstate haha, there's the man himself
21:44 Ryan_Lane (I personally like the limitations)
21:45 hemebond I've never understood how masterless is less complex.
21:45 flowstate one thing I don't dig too much about it is that if you follow Ryan's examples (which I basically have memorized at this point), you have to clone each app's full repo just to get at the salt code
21:46 flowstate as opposed to having a central salt repo which is used by the master to configure all the minion types
21:46 forrest hemebond, Set up a style of pillar per type of device, push that on provision, push the salt code and run it, done.
21:46 Ryan_Lane we have salt code in our repos
21:46 forrest I prefer masterless now after having used both.
21:46 Ryan_Lane you're deploying that code out to the nodes anyway, right?
21:46 Ryan_Lane otherwise, what is your node doing?
21:46 forrest Yep exactly
21:46 flowstate no, just the artifacts
21:46 salty_solution joined #salt
21:46 Ryan_Lane yeah, so have the salt code as part of the artifacts
21:47 Ryan_Lane you don't need the git history
21:47 flowstate oh. I like that a lot
21:47 Ryan_Lane no matter what you do you need to deploy code
21:47 salty_solution How do you force a variable to be lowercase in salt?
21:47 Ryan_Lane we have two artifacts for every node
21:47 Ryan_Lane "base" and "service"
21:47 VSpike I was thinking you'd probably deploy the whole state tree to the instance, and then a customised subset of the pillar
21:47 Ryan_Lane base is common for all services
21:47 Ryan_Lane service is the service, obviously :)
21:48 flowstate I'm in the weird position of greenfielding all my company's orch and provisioning code, but having to live alongside what's currently there, so stuff like git flow becomes super important
21:48 flowstate yeah
21:48 Ryan_Lane our minion config includes both base and common
21:48 hemebond forrest: Sorry I didn't understand what you said.
21:48 VSpike But could be a pain, in that I have everything set up for masterful salt, pillar included, so unless I want to ditch my current setup
21:49 Ryan_Lane the nice thing about masterless is you can use grains however you want
21:49 Ryan_Lane VSpike: yeah, that's the problem :)
21:49 flowstate yep
21:49 forrest hemebond, When I provision my machines the system has the pillar data that is required for the app dropped on from a secure location, then I Just have it pull in my app repos and the salt code lives inside those repos and it's all set to go.
21:49 VSpike .. setup and go fully masterless I have to create a mechanism to extract the relevant bits from the pillar
21:49 Ryan_Lane we designed from the get-go with masterless
21:49 Ryan_Lane we're exceptionally masterless. our orchestration is fully masterless too
21:49 Ryan_Lane (it also uses saltstack)
21:49 flowstate yeah, same here.
21:49 VSpike Which is why it would be really nice if Packer supported salt with master
21:50 flowstate I use basically that boto stuff you added to salt via jenkins jobs
21:50 flowstate jenkins is just another salt-minion
21:50 Ryan_Lane VSpike: see, that's another good reason to have masterless :)
21:50 Ryan_Lane flowstate: yep. that's a good approach :)
21:50 VSpike Ryan_Lane: "you wouldn't want to be starting from here" :)
21:51 flowstate the only other thing you need to think about ahead of time if you change over is your reactor stuff
21:51 flowstate if you have any
21:51 flowstate it's definitely solvable, but should be considered early on
21:51 flowstate Ryan, did you guys add the cloud_init.boothooks stuff in the boto_lc develop branch docs?
21:52 flowstate it's not documented yet, but piqued my interest when I saw it
21:52 Ryan_Lane boothooks?
21:52 flowstate yeah, one sec, I'll link
21:52 Ryan_Lane huh. I have no idea what that is
21:52 flowstate http://docs.saltstack.cn/ref/states/all/salt.states.boto_lc.html
21:52 Ryan_Lane oh
21:52 flowstate look at the big snippet up top
21:52 Ryan_Lane it's just another part of cloud-init
21:53 VSpike Actually, my top.sls is a python file that just works out what pillar files to include based on the structured host name, plus sets some pillar items by parsing the host name. I could easily create a version of that which takes a hypothetical machine and outputs the resulting pillar set
21:53 Ryan_Lane the cloud_init section should ideally support everything that's supported by cloud-init
21:53 teatime how do you have a python top.sls?
21:53 Ryan_Lane VSpike: yep
21:53 salty_solution Would you guys recommend using a masterless setup rather than a master/minion setup?
21:53 flowstate ah, gotcha
21:53 Ryan_Lane salty_solution: I do, but I'm biased
21:54 xmj salty_solution: depends on the scale.
21:54 Ryan_Lane I'd say the higher the scale the more you want masterless
21:54 VSpike teatime: https://docs.saltstack.com/en/latest/ref/renderers/all/salt.renderers.py.html
21:54 Ryan_Lane and if you're doing things like auto-scaling, then masterless is *way* easier
21:54 UtahDave joined #salt
21:54 salty_solution Good to know thanks
21:54 hemebond Ryan_Lane: How does that even work? I'm truly baffled.
21:54 flowstate the cool thing is that the migration is actually not that hard
21:54 teatime VSpike: I did not realize you could do that for top.sls
21:54 Pie_Mage joined #salt
21:54 Ryan_Lane the downside is you miss out on remote execution, master/minion reactors, etc.
21:54 teatime VSpike: that makes a lot of neat things possible
21:55 flowstate but remote execution can be accomplished with a bit of business logic and salt-ssh
21:55 VSpike teatime: it doesn't make it very clear but that works fine with top.sls and pillar as well
21:55 Ryan_Lane hemebond: you base your system on the idea that everything is eventually consisteny
21:55 hemebond Why would adding more server want you to discard the thing that lets you easily manage them all?
21:55 Ryan_Lane consistent*
21:55 hlub joined #salt
21:55 flowstate especially if you're using structured stack naming
21:55 Ryan_Lane if all you need to do is deploy to make a change.... :)
21:55 Ryan_Lane if you double the number of nodes you have, will the master be able to handle that?
21:55 hemebond Is there a detailed blog post on your process?
21:56 Ryan_Lane what happens if you have 3 AZs in AWS and the one with your master dies?
21:56 flowstate google ryan d lane orchestration
21:56 hemebond Cheers, doing it now.
21:56 Ryan_Lane http://ryandlane.com/blog/2015/04/02/saltconf15-masterless-saltstack-at-scale-talk-and-slides/
21:56 Ryan_Lane that's a talk I gave at last SaltConf
21:56 flowstate the other thing no one talks about with masterless
21:56 flowstate is that, if you use Ryan's repo structure
21:56 hemebond Oh, I watched you.
21:56 flowstate onboarding new engineers is epic
21:56 hemebond (on youtube)
21:57 Ryan_Lane here's a bonus one about sequential ordered states (http://ryandlane.com/blog/2015/04/02/saltconf15-sequentially-ordered-execution-in-saltstack-talk-and-slides/)
21:57 salty_solution Ryan_Lane: what would you consider a large scale?
21:57 flowstate they get a rounded understanding of not only the app code, but the orchestration and configuration, just by looking through the git repo
21:57 Ryan_Lane anything over 1000 nodes
21:57 Ryan_Lane for the purposes of config management, anything over 1000 nodes is difficult to deal with
21:57 salty_solution I can't wait for this coming saltconf
21:58 Ryan_Lane I'll be giving another masterless talk this year :D
21:58 flowstate I got to go to elasticon, so no saltconf for me
21:58 salty_solution I will attend
21:59 VSpike teatime: sorry, I misremembered. My top.sls is a standard one, but pretty much all it does is include the pillar.sls python file for all nodes
22:00 flowstate I've kinda been forced to go down the masterful route.. just migrated to it. Funny thing is that Ryan's masterless stuff is really the only end-to-end salty AWS guide I've found
22:00 baweaver joined #salt
22:00 flowstate I'm going to be doing a big write up on my setup, but I was shocked that there weren't a ton of them out there
22:00 Ryan_Lane flowstate: well, I did write most of the AWS support :)
22:01 flowstate fair point, haha
22:01 Ryan_Lane in fact, here's a fun example: https://github.com/lyft/confidant/tree/master/salt
22:01 flowstate now I'm thinking about failover and split-brain issues with a cluster of masters... dammit
22:01 Ryan_Lane I should really make that fully operational at some point :)
22:02 teatime Ryan_Lane: this battlestation?
22:02 flowstate how do you handle deletes?
22:02 Ryan_Lane that confidant example works to launch confidant in multiple environments and multiple regions
22:02 flowstate do you have a sister orchestration state that just does absents?
22:02 Ryan_Lane flowstate: reapers
22:03 Ryan_Lane creations are frequent and deletions are infrequent
22:03 flowstate are they ... grim? at least ill-tempered?
22:03 flowstate sorry
22:03 Ryan_Lane I name AWS resources with prefixes
22:03 Ryan_Lane so everything is named like: service_name-environment-region-<resource>
22:03 flowstate yep, I have the same setup
22:03 Ryan_Lane so a dynamo table for production confidant would be confidant-production-useast1
22:03 Ryan_Lane err
22:04 Ryan_Lane well, yeah, for confidant that would be accurate, because it only has one table :)
22:04 Ryan_Lane so if you want to kill off confidant, remove the code, reap everything that starts with confidant-production-useast1
22:04 flowstate interesting
22:04 flowstate so you script against the naming scheme
22:05 Ryan_Lane that also makes things like IAM policy and service discovery way easier
22:05 flowstate I'm looking forward to doing that once my orchestration is in place
22:05 Ryan_Lane because for the most part you won't need service discovery
22:05 Ryan_Lane what's my dynamodb table name? it's my own service's name
22:05 flowstate the one really nasty thing I contend with is that half of my lower environments use stacks that are in-place upgraded
22:05 Ryan_Lane IAM permissions for the dynamo will be prefixed on the service's name
22:05 flowstate so I have a mix of pets and cattle
22:05 Ryan_Lane etc.
22:06 flowstate yep, it really does simplify things.
22:06 Ryan_Lane we don't do red/black deploys
22:06 Ryan_Lane we upgrade in place
22:06 flowstate oh that's right
22:06 flowstate you do the next/current symlinkiness
22:06 Ryan_Lane yeah
22:06 Ryan_Lane we're dockerizing a lot of this and so a lot of the config management is going away from salt
22:06 Ryan_Lane which is a little sad
22:06 flowstate what are you using to bake the boxes?
22:07 Ryan_Lane salt/packer :D
22:07 flowstate oh, nice!
22:07 Ryan_Lane and salt does all the orchestration
22:07 Ryan_Lane the docker images are unfortunately docker files
22:07 Ryan_Lane https://github.com/cookbrite/flyingcloud <-- that's an interesting approach I'd like to eventually use
22:08 flowstate oh, that's shiny
22:08 Ryan_Lane hopefully I'll meet them at SaltConf, because I have a lot of feedback/ideas for them :)
22:09 flowstate I've got such a long tail for these things, since I'm the only ops guy, so I don't get to try different approaches as often as I'd like
22:09 flowstate but we are moving to microservices, so hopefully it's in the roadmap
22:12 mTeK If I install a package that installs mysql with it, dbcommon asks me to setup root password and password for new user if I do it from the cli, how do I add these passwords so salt has them?
22:12 snc joined #salt
22:15 mTeK This is what my zpoller\init.sls looks like https://gist.github.com/tricksol/60669584d55fcf7df8e2d2be6d066796
22:15 RandyT joined #salt
22:17 polyidus joined #salt
22:17 UtahDave mTeK: have you looked how it's being done here?  https://github.com/saltstack-formulas/mysql-formula
22:17 VSpike If I wasn't using packer, and I took the approach of creating an instance that connects to the master, running state.highstate on it, copying the website data from s3, and then baking an AMI from it...
22:17 mTeK It's over my head :0
22:17 kliquori joined #salt
22:17 VSpike I can't see how I'd handle the issue of hostnames and minion IDs in the autoscaling group anyway :/
22:18 nZac joined #salt
22:18 mTeK Not really sure what i need, looked at it but thought I'd ask
22:18 UtahDave mTeK: https://docs.saltstack.com/en/latest/ref/states/all/salt.states.mysql_user.html#module-salt.states.mysql_user
22:19 mTeK oh I'm sorry I think we're looking at this differently
22:22 mTeK I can add users and db's with the mysql-formula but in debian distros if you install zabbix-proxy-mysql it installs mysql and asks if you would like to use dbcommon, tab to yes, add root password, add user password. I'm guessing that I can't do it this way huh
22:24 UtahDave mTeK: Hm. You'd have to find out if there's a way to pass in options some other way.  Depends on how their installer was set up.
22:24 hemebond mTeK: If you're on Debian there is a way to seed package configurations.
22:25 mTeK I will look into that, it will save me in the long run.
22:30 ahammond I'm using the saltstack/rhel6 repo. I'm getting: Error unpacking rpm package python-six-1.9.0-2.el6.noarch
22:30 ahammond error: unpacking of archive failed on file /usr/lib/python2.6/site-packages/six-1.9.0-py2.6.egg-info: cpio: rename
22:30 ahammond python-six-1.9.0-0.x86_64 was supposed to be removed but is not!
22:30 ahammond thoughts?
22:32 fredvd joined #salt
22:34 UtahDave ahammond: did that just start happening?
22:35 ahammond @UtahDave well, we are just starting to migrate to the saltstack repo, so yeah.
22:35 UtahDave ok, let me check
22:39 UtahDave ahammond: is this for the salt-minion?
22:39 ahammond @UtahDave yes
22:39 sagerdearia joined #salt
22:39 gimpy2938 joined #salt
22:39 ahammond I haven't moved the salt master yet. :)
22:39 UtahDave are you following the instructions here?  https://repo.saltstack.com/#rhel
22:40 zenlot joined #salt
22:41 hightekvagabond joined #salt
22:41 UtahDave ahammond: Hm.  It just worked for me.
22:41 UtahDave ahammond: amd64?
22:41 gimpy2938 How can loops be used in Jinja?  https://gist.github.com/jwhite530/62d073021ad6e6d9291cbc2a8a742bed
22:42 ahammond gimpy2938 you're trying to render when you're already in a jinja context.
22:42 ahammond {% if grains["ip4_interfaces"][ interface_name ].startswith("10.110.3.") %}
22:42 ahammond get rid of the extra {{ }}
22:43 ahammond @UtahDave yup
22:43 UtahDave ahammond: was python-six already installed on those minions?
22:44 gimpy2938 ahammond: thanks, that did it
22:44 ahammond yeah, from our ugly old custom build
22:44 ahammond I was trying to get raet working.
22:45 ahammond so, probably that package is a little funky
22:45 UtahDave Hm. seems like there's a package conflict.
22:45 ahammond (hence my desire to move to the saltstack repo and builds)
22:45 UtahDave Yeah, can you remove that package first?
22:46 UtahDave wait, I guess that would mess up your current salt-minion
22:46 ahammond yup
22:46 UtahDave is salt-ssh an option for you?  That might be a way to uninstall and reinstall
22:46 jab416171 how do salt pillars work with environments?
22:48 ahammond @UtahDave that'd uninstall some stuff we really don't want uninstalled. Hmmm. What in salt is using python-six?
22:49 cheus joined #salt
22:50 UtahDave It's used in quite a few places for compat between python 2 and 3
22:50 manji joined #salt
22:54 ahammond well... apparently doing rpm --nodeps -e python-six; yum install python-six is ok.
22:54 ahammond I wonder if I can salt this?
22:56 flowstate joined #salt
22:56 polyidus joined #salt
23:03 murrdoc yes we can
23:04 jab416171 can I target minions based off their pillarenv?
23:07 GreatSnoopy joined #salt
23:09 UtahDave jab416171: no, not really.  You can target based off pillar values.   The main problem is that a minion can pull data from multiple pillar environments
23:09 UtahDave jab416171: so your best bet would probably be to set a unique variable in each pillar environment and match off that.
23:11 jab416171 UtahDave, I don't want a minion to be able to pull from multiple environments. Is there no way to limit that?
23:12 UtahDave well, I misspoke
23:12 UtahDave When a minion requests its pillar data the master scans the pillar top file and evaluates each match statement
23:13 UtahDave if the minion in question matches the match statement, then all the pillar sls files under that match statement are loaded into a python dictionary, which is then encrypted and sent down to the minion
23:13 UtahDave So your match statements in your pillar top file determine what data the minion receives.
23:15 jab416171 so, here's all of my pillar files.
23:15 jab416171 https://gist.github.com/jab416171/e6ac91b254e9a5ced24f78c4fee03116
23:15 jab416171 how can I make it so minions in the dev environment/pillarenv only get the dev pillar sls, same for qa, and everything else gets base?
23:15 jab416171 I'm using git_pillar
23:16 UtahDave jab416171: well, first I would recommend only having a top.sls in your base environment.  It can handle all the environments.
23:17 brianfeister joined #salt
23:17 jab416171 UtahDave, I just added my git pillar conf
23:17 polyidus joined #salt
23:17 jab416171 to that same link
23:17 UtahDave jab416171: Next, you need to make your matches more specific.  Since they all match on '*' then a minion will attempt to load all the versions of test.sls and probably have data conflicts
23:17 sagerdearia joined #salt
23:17 jab416171 alright, what should the top.sls in base look like?
23:17 jab416171 how do I match on environment or pillarenv?
23:18 UtahDave let me put together an example
23:20 UtahDave ok, I added a comment with an example
23:21 jab416171 I need to match with environment or pillarenv, not with a grain or hostname
23:21 jab416171 is that not possible?
23:21 jab416171 right now pillarenv and environment are both set to qa, or dev, or base
23:22 UtahDave where are you setting those?
23:22 jab416171 /etc/salt/minion.d/environment.conf
23:22 UtahDave for pillar data the master is in control and the pillar top file decides what the minion receives.
23:23 gimpy2938 How can I check the length of a list in Jinja?  I'm tripping over empty lists and just want to skip them.  https://gist.github.com/jwhite530/9aee4b96f8df76973752bf63fcfc83c2
23:24 jab416171 so I have to target by grain or hostname?
23:24 teatime I believe empty lists are false so you can just do {% if list %}
23:25 UtahDave jab416171: You have to target by any of the many ways Salt lets you target.  I'm not sure you can target based off an option in the minion config
23:26 gimpy2938 teatime: hmm, not the most obvious but it works
23:26 jab416171 UtahDave, if I run salt-call --local pillar.items from the minion, "pillarenv" is one of the returned values.
23:26 jab416171 so can I target by pillar?
23:26 jab416171 https://docs.saltstack.com/en/latest/topics/targeting/compound.html
23:26 jab416171 ah, that's what I was looking for
23:26 UtahDave I don't think you can target by pillar in your pillar top.sls.   Kind of a chicken and egg problem
23:28 Nazca joined #salt
23:29 teatime maybe if you have something like ext_pillar_first
23:29 baweaver joined #salt
23:29 jab416171 all of my pillars are external
23:30 hemebond Just out of curiosity, why does the example on https://docs.saltstack.com/en/latest/ref/renderers/all/salt.renderers.py.html make every line its own dict?
23:30 jab416171 heh
23:35 teatime hemebond: that's the same structure as:
23:35 teatime file.managed:
23:35 teatime - source: blah
23:35 hemebond Oh yeah
23:35 hemebond Each line is a separate list item.
23:35 teatime I dunno why salt seems to require that, but it does right?
23:35 hemebond Yeah it does.
23:35 hemebond Always seemed odd to me too.
23:35 UtahDave yaml requires that
23:36 teatime UtahDave: I mean, only if you want to duplicate param names
23:36 teatime UtahDave: nested dicts work fine in yaml
23:36 teatime also to clarify I am not arguing
23:37 teatime I'm wanting you to enlighten me :)
23:37 UtahDave that's a list of dicts in that example
23:37 teatime where does salt run into the conflict that leads them to needing the list of dicts
23:37 teatime UtahDave: yes, it is.  and so also it is in my yaml above.
23:37 teatime UtahDave: the question is why doesn't file.managed: take a dict, instead of a list of dicts
23:38 UtahDave teatime: It's probably a design decision made years ago that is too difficult to change now.
23:38 teatime fair enough
23:38 teatime it's not terrible either
23:38 teatime you can think of it as a list of pairs / list of two-tuples instead of a list of dicts
23:39 UtahDave Yeah, but it can be inconvenient because you can have two file.managed calls under one ID declaration
23:39 teatime and it gives you something like an OrderedMultiDict (which I just made up)
23:39 UtahDave true
23:39 UtahDave well, I have to head home.  catch you all later!
23:40 brianfeister joined #salt
23:41 cpowell joined #salt
23:42 mosu_ joined #salt
23:45 hemebond Did UtahDave mean you "can't" have two file.managed calls under one ID?
23:45 hemebond I thought you could only have one of each module.function under an ID.
23:50 sagerdearia joined #salt
23:54 ahammond I have an opts.id = foo123. I want to pull out the 123 in jinja and modulo into it.
23:55 flowstate joined #salt