IRC log for #salt, 2016-07-17

All times shown according to UTC.

Time Nick Message
00:00 sc250024 https://github.com/sc250024/openvpn-formula/blob/OpenVPN-NL/pillar.example
00:00 saltstackbot joined #salt
00:00 ninjada joined #salt
00:00 sc250024 openvpn:lookup:conf_dir can be overridden in Pillar, but when writing the state, I don't want to assume that they set that option
00:02 sc250024 in the pillar they would switch openvpn:lookup: pkgs to 'openvpn-nl' which would trigger the install of the repo using pkgrepo.managed
00:02 johnkeates it would make more sense to just make an openvpn:distro key
00:03 sc250024 And then use an if statement to set the conf_dir based on which is chosen?
00:03 hemebond BlackBishop: Having a gander at the trace now.
00:04 hemebond I remember seeing similar behaviour with one of our applications and it was a problem with the connector (in this case minion) just dropping or losing the connection instead of closing it.
00:04 shoemonkey joined #salt
00:12 hemebond I can't see any obvious errors in the log.
00:18 ninjada joined #salt
00:21 badon_ joined #salt
00:28 UForgotten joined #salt
00:33 nyx joined #salt
00:36 shoemonkey joined #salt
00:36 flowstate joined #salt
00:37 KingJ joined #salt
00:39 johnkeates joined #salt
00:43 west575 joined #salt
00:53 flowstate joined #salt
00:58 Nahual joined #salt
01:03 vodik joined #salt
01:18 iceyao joined #salt
01:18 shoemonkey joined #salt
01:19 iggy andi-: I've never found a way sadly :/
01:19 catpigger joined #salt
01:20 andi- iggy: :( I've a list of dictionaries of which I'd like to use the keys and collapse it all to a single list... turns out that 1 line of python can be "impossible" to do in jinja in a clean way..
01:20 hemebond andi-: I thought that was possible.
01:21 iggy {{ dict.keys() }} doesn't work?
01:24 andi- well it is a like this: [ {'a': 1, 'b': 3}, {'e':1,'f'}] and I'd like to iterate through a,b,e,f while still being able to use loop.last etc.
01:28 iggy oh, dict1.update(dict2) ?
01:28 iggy {% do dict1.updated(dict2) %}
01:29 andi- mhm
01:29 iggy update not updated... muscle memory or something
01:29 andi- yeah I could write 2 loops... one that updates a new dict and then a single loop across those keys..
01:30 racooper joined #salt
01:32 onlyanegg joined #salt
01:40 onlyanegg joined #salt
01:46 shoemonkey joined #salt
01:53 flowstate joined #salt
02:05 shoemonkey joined #salt
02:14 edrocks joined #salt
02:15 pcdummy Is that somehow possible with Salt: Provision new machine -> Install salt -> run highstate -> run a state on different host to update the dns -> run another state on different host to update nginx ?
02:15 hemebond pcdummy: Yes.
02:15 pcdummy hemebond: how?  please
02:16 hemebond salt-cloud to provision the machine and install the minion. Either the minion config tells it to highstate OR the salt master listens for the join event and runs the highstate in response.
02:17 pcdummy ok, that's easy.
02:17 pcdummy hemebond: and how do i call a state on different host? With the reactor system?
02:17 hemebond When the highstate completes, or something else on the minion happens, it sends back an event and the master reacts by calling a state on another minion.
02:17 hemebond Yes, reactor.
02:17 pcdummy kk, will have a deeper look into that tech. Thanks a lot hemebond
02:18 hemebond Good luck :-)
02:30 _beardedeagle joined #salt
02:37 ninjada joined #salt
02:44 bastiandg joined #salt
02:47 akoumjian Hey #salt.
02:48 hemebond yo
02:48 akoumjian Okay, so I can't believe I have to ask this question again, in 2016. I have a git state. I want to say "put this git clone exactly at revision/branch, exactly as it is on remote, even if there are local changes"
02:49 akoumjian I have force_checkout, force_reset, force_fetch, AND force_clone all set to True for good measure. Yet I am still getting a failure, to please commit or stash changes.
02:50 Eugene !deploy
02:50 hemebond akoumjian: Can you post your state?
02:50 Eugene Oh, this isn't #git. Nevermind me then
02:50 hemebond akoumjian: Is there any error in the minion log (with debug)?
02:52 flowstate joined #salt
02:54 akoumjian hemebond: Yes, here https://gist.github.com/akoumjian/d464a69fa3b3cce8f0d5ad27a8e6f42c
02:55 akoumjian Using version 2016.3.1 (Boron)
02:56 hemebond Are force_fetch and force_reset okay when used together?
02:57 hemebond Isn't bare: True also useful for what you're doing?
02:59 akoumjian I could try a bare clone, but that wasn't my original intent. Seemed like force_fetch and force_reset would work in tandem, but I could try just force_reset
03:00 hemebond Sorry, bare wasn't what I thought it was.
03:00 hemebond force_reset seems to imply just the straight clone of the repo, discarding all changes.
03:02 akoumjian That would be idea, it is exactly what I want. Discard all local changes, and make sure we've pulled the latest from remote
03:02 akoumjian ideal*
03:02 akoumjian Unfortunately, that is not what is happening as far as I can tell.
03:03 hemebond So it's running a git merge.
03:03 hemebond That seems completely wrong.
03:04 hemebond Or maybe that's the only way.
03:04 hemebond There's no parameter being added to reset.
03:07 akoumjian I've updated the traceback to include all the git commands
03:07 hemebond Oh okay.
03:08 shoemonkey joined #salt
03:09 akoumjian As far as I can tell, it never issues a reset
03:09 hemebond Doesn't look like it.
03:13 hemebond Is the directory empty already? Does it exist?
03:13 hemebond Or is this when you've made changes after the initial clone?
03:13 vodik joined #salt
03:14 akoumjian This is from changes after the initial clone
03:14 _beardedeagle this is going to sound stupid, but when you remove the .git folder does it do what you want?
03:16 akoumjian hemebond: I'm just going to issue a reset before my git.latest state for now. Should I open a ticket?
03:16 hemebond Yes, create a ticket.
03:16 hemebond Try to reduce your state as much as possible.
03:16 hemebond e.g., remove all options except the reset.
03:17 hemebond If that still fails then the issue is purely in that logic branch.
03:17 hemebond The code for that part of the git state is huge. I'm still trying to follow it.
03:17 akoumjian Yes, it is a large set of conditionals
03:22 hemebond Looks like maybe the fast_forward throws it off.
03:23 hemebond if desired_upstream or rev == 'HEAD':
03:25 treaki__ joined #salt
03:25 hemebond If that resolves to True there doesn't seem to be a reset done.
03:26 beardedeagle joined #salt
03:26 akoumjian Here's the ticket: https://github.com/saltstack/salt/issues/34725
03:26 akoumjian Let me know what else I can do to help.
03:26 saltstackbot [#34725][OPEN] `git.latest` with `force_reset` set to `True` does not reset local changes, causing it to fail. | Description of Issue/Question...
03:30 iceyao joined #salt
03:32 om joined #salt
03:39 mohae joined #salt
03:43 DEger joined #salt
03:53 flowstate joined #salt
03:55 onlyanegg joined #salt
03:55 jeddi joined #salt
04:08 vodik joined #salt
04:08 POJO joined #salt
04:08 vodik joined #salt
04:08 POJO joined #salt
04:09 sagerdearia joined #salt
04:12 vodik joined #salt
04:14 vodik joined #salt
04:19 vodik joined #salt
04:39 vodik joined #salt
04:41 vodik joined #salt
04:41 vodik joined #salt
04:52 flowstate joined #salt
05:02 DEger joined #salt
05:04 colegatron joined #salt
05:11 macheck joined #salt
05:23 macheck left #salt
05:24 macheck joined #salt
05:42 shoemonkey joined #salt
05:46 colegatron joined #salt
05:51 badon_ joined #salt
05:52 flowstate joined #salt
06:10 saltstackbot joined #salt
06:13 sagerdearia joined #salt
06:25 Brijesh1 joined #salt
06:29 debian112 joined #salt
06:30 mrBen2k2k2k joined #salt
06:32 Brijesh1 deployment through salt on list of servers is sequential or parallel ?
06:33 hemebond parallel
06:33 Brijesh1 thx
06:38 lempa joined #salt
07:00 ALLmightySPIFF joined #salt
07:18 SpX joined #salt
07:18 childc2 joined #salt
07:25 chamunks joined #salt
07:33 goldielox joined #salt
07:43 shoemonkey joined #salt
07:52 flowstate joined #salt
07:54 alinuxninja joined #salt
08:00 ribx joined #salt
08:04 Shirkdog_ joined #salt
08:09 badon_ joined #salt
08:16 edrocks joined #salt
08:18 DEger joined #salt
08:23 cyborg-one joined #salt
08:26 deniszh joined #salt
08:51 pprkut joined #salt
08:52 flowstate joined #salt
08:54 tyler-baker joined #salt
09:13 wolfpackmars2 joined #salt
09:21 wolfpackmars2 joined #salt
09:23 ALLmightySPIFF joined #salt
09:31 oida joined #salt
09:42 deniszh1 joined #salt
09:42 oida joined #salt
09:44 shoemonkey joined #salt
09:49 fracklen joined #salt
09:53 flowstate joined #salt
09:54 pfallenop joined #salt
09:56 deniszh joined #salt
10:06 ALLmightySPIFF joined #salt
10:17 Brijesh1 joined #salt
10:31 KingJ joined #salt
10:33 _JZ_ joined #salt
10:49 mavhq joined #salt
10:52 flowstate joined #salt
11:22 mikecmpbll joined #salt
11:45 shoemonkey joined #salt
11:53 flowstate joined #salt
11:54 hemebond Any idea if Salt would actually want a PR for Pillar variable interpolation?
11:55 hemebond I know a few users have asked for it.
11:56 babilen What do you refer to exactly?
11:58 hemebond Being able to reference Pillar ... nodes? ... in other Pillar values.
11:59 hemebond e.g., 'test': 'My string ${varname:foo:bar} is cool'
12:03 babilen Why wouldn't they want it?
12:04 babilen It is such a common request and shortcoming of the pillar system
12:07 whytewolf would love to have that feature. beats some of the nasty workarounds.
12:10 whytewolf {% set value = salt.pillar.get('default_pillar_key',salt.pillar.get('lookup:pillar_key','true_default_value')) %} so much ugly :(
12:10 hemebond That works?
12:11 whytewolf why wouldn't it?
12:11 hemebond Because you're referencing the Pillar in Jinja.
12:11 hemebond And the Pillar compilation isn't... what's the word.
12:11 hemebond Determinate?
12:11 hemebond Consistent?
12:12 whytewolf oh this wouldn't be in pillar. it tells jinja in a state or file to reference a lookup value as a default
12:12 hemebond Ooooh.
12:12 babilen hemebond: Did you implement what you call "pillar variable interpolation" ?
12:13 hemebond Doing so now.
12:13 whytewolf oh wait. that is wrong. missed a step
12:13 hemebond Interpolation is the right term for it, no?
12:13 hemebond I googled and that seemed to be the term for resolving variables within strings.
12:14 whytewolf {% set value = salt.pillar.get('default_pillar_key',salt.pillar.get(salt.pillar.get('lookup:pillar_key'),'default_pillar_value') %} so much ugly :(
12:14 whytewolf gah still missing a ). oh well
12:14 hemebond Missed a closing ) I think :-)
12:15 whytewolf that's why it is ugly. so many ways to mess it up
12:15 hemebond Agreed.
12:15 whytewolf it works and makes the pillar end of it simple. but yeah if we could just call pillars directly from pillar
12:18 hemebond Oh poop. Need to figure out OrderedDicts.
12:18 edrocks joined #salt
12:19 DEger joined #salt
12:25 lionel joined #salt
12:33 babilen hemebond: How do you want them to behave? How would you ensure that there are no cycles or that the expansion terminates eventually?
12:34 hemebond Right now it just falls over if there's too much recursion.
12:35 hemebond Right now I'm just getting the main logic in place then will try to make it robust, though if you can point me in a direction that'd be great.
12:37 hemebond In my old scripts and stuff that used to do this kind of thing I didn't care how fragile it was; I wanted it to fall over if I botched the data.
12:38 babilen Well, you would essentially have to enforce them to be in a specific format. One could allow regular pillar languages by ensuring that they are left or right recursive or ensure that they are context-free
12:38 hemebond context-free?
12:38 babilen I mean this is the underlying problem with "self-referential pillars" -- You are essentially allowing for unbounded expansion.
12:39 babilen https://en.wikipedia.org/wiki/Chomsky_hierarchy
12:39 saltstackbot [WIKIPEDIA] Chomsky hierarchy | "Within the fields of computer science and linguistics, specifically in the area of formal languages, the Chomsky hierarchy (occasionally referred to as Chomsky–Schützenberger hierarchy) is a containment hierarchy of classes of formal grammars.This hierarchy of grammars was described by Noam Chomsky..."
12:39 hemebond Right now, and probably at the end, it'll just be string variable interpolation.
12:40 babilen As soon as you say "symbol A is replaced by symbol B" and B can expand into terminal symbols (a, b, ...) and non-terminals (those that expand again) you are defining a formal grammar
12:40 hemebond Sorry, all that's over my head.
12:41 hemebond Oh. If  I understand you, it'll only be strings.
12:41 hemebond Terminal symbols
12:42 babilen You wouldn't have lookups then
12:43 babilen (unless you only allow "lookups" of terminal symbols which is a possible restriction)
12:43 hemebond What do you mean by lookups? Are you talking about the Salt formula lookups?
12:44 babilen No, pillar references (interpolation)
12:47 babilen https://www.refheap.com/121654 is an example of a lookup cycle that would never terminate during compilation
12:48 hemebond Ah, yeah.
12:48 hemebond The recursion would eventually cause the whole thing to fall over.
12:48 hemebond I don't know how to prevent that yet.
12:51 whytewolf the way that works most of the time is to throw an error after x recursion levels.  where x is a large number that no sane human would ever actually code
12:51 hemebond Yeah, that's what it currently does.
12:52 babilen And how would you deal with ambiguities?
12:52 babilen (that is: if the strings depend on expansion order)
12:53 hemebond Can you give an example?
12:53 flowstate joined #salt
12:55 babilen Well, think of a something that has a "A → BC, B → aAC, C → bA" grammar. You keep on expanding A to generate a couple of "a" and never any "b" until you hit your recursion limit
12:55 babilen Or you alternate between expanding B and C to generate "ababababababab....."
12:55 babilen Or you only expand "C" to generate "bbbbbbbbbb"
12:56 babilen (and variations of "aaaabbbaababbaabbbbbbbb")
12:56 hemebond Unfortunately those problems are likely to be far too difficult for me.
12:56 babilen The end result would be a complete mess
12:56 hemebond If your data creates a circular dependency I don't know how to solve or avoid that.
12:57 hemebond Well, there might be a way to prevent it.
12:57 babilen Pillarstack solves this by only allowing lookups of values "higher in the stack" (that is terminal symbols, hence no recursion)
12:57 hemebond But not solve it.
12:57 hemebond Ah okay.
12:58 hemebond So does pillarstack already allow in-pillar lookups?
12:58 hemebond Oh I see.
12:59 hemebond (reading the github for it now)
13:00 babilen Not quite "pillar lookups", but a very specific "extension" formalism that is modelled in "layers"
13:00 babilen But you understand the problem I am referring to now, don't you?
13:01 babilen I mean we could say "Only terminal symbol lookups are allowed"
13:01 hemebond Yes. That's the thing I ignored when I previously did this kind of thing :-D
13:01 babilen Well, you can't just ignore it. It is an inherent problem of that domain :)
13:01 hemebond Letting it fall over because of recursion depth had no consequences at the time.
13:01 hemebond But here it's different.
13:01 babilen https://github.com/saltstack/salt/issues/23910 -- that's the "only be able to lookup terminal symbols" idea
13:01 saltstackbot [#23910][OPEN] Please implement static pillars | Hi,...
13:05 shoemonkey joined #salt
13:06 hemebond That example by msciciel is similar to how I currently do "static" pillars and lookups.
13:07 hemebond I don't believe my additions would help with your targeting.
13:12 babilen The ambiguity problem is the real issue as it means that depending on your expansion order you'd get different results ..
13:12 permalac joined #salt
13:12 babilen So, if you were to tackle this you will probably only allow for expansion to terminal symbols and throw an error otherwise
13:12 hemebond With the example you posted, my method would fail.
13:13 oida joined #salt
13:13 babilen Yeah, sorry for being so pesky about this, but these problems are the issues that arise once you allow for "pillar interpolation" / "self-referential pillars" / ...
13:14 hemebond It's fine, really. These are the kinds of things I was worried about (as well as the quality of my code).
13:15 hemebond It's been asked for for years now, so obviously not an easy thing to implement.
13:35 mrBen2k2k2k joined #salt
13:36 A||SySt3msG0 joined #salt
13:40 iceyao joined #salt
13:42 oida joined #salt
13:51 flowstate joined #salt
14:00 kevinquinnyo1 joined #salt
14:17 brd joined #salt
14:20 skogg joined #salt
14:25 pcdummy How do saltstack developer document exceptions and return values for methods?
14:25 pcdummy s/developer/developers/
14:28 pcdummy s/for/of/
14:38 XenophonF pcdummy: that's a great question
14:39 XenophonF i've mostly learned them from reading sources
14:39 XenophonF i don't recall coming across documented calling conventions anywhere
14:39 XenophonF there are docs like https://docs.saltstack.com/en/latest/ref/modules/
14:44 hoonetorg joined #salt
14:46 mirko i'm having the weird issue, that salt-ssh doesn't return from an error. it just "hangs". when specifying "-l all" for debug output, i can see what's going on (e.g. "permission denied", "host key unknown", etc.)
14:46 mirko the typical green success messages, once it returns from success, are shown
14:49 mirko for example the last lines from debug output:
14:49 mirko [DEBUG   ] SHIM retcode(254) and command: The host key needs to be accepted, to auto accept run salt-ssh with the -i flag:
14:49 mirko [DEBUG   ] Child Forked! PID: 805  STDOUT_FD: 9  STDERR_FD: 11
14:49 mirko [DEBUG   ] Terminal Command: /bin/sh
14:49 mirko [TRACE   ] $
14:49 mirko but it doesn't return
14:50 johnkeates joined #salt
14:50 XenophonF mirko: what version of salt?
14:51 mirko 2016.3.1+ds-1 from your repo
14:51 mirko deb http://repo.saltstack.com/apt/debian/8/amd64/latest jessie main
14:51 flowstate joined #salt
14:52 mirko s/your repo/the official salt debian repo/
14:53 XenophonF not my repo
14:53 XenophonF :)
14:53 johnkeates #NotMyRepo
14:53 johnkeates sounds like a feminist line
14:53 johnkeates or anti-war
14:54 johnkeates or anti-wallstreet
14:54 debian112 joined #salt
14:54 XenophonF as an aside: i really hate saltstack having separate repos for their packages
14:54 XenophonF why don't they submit packages to the appropriate o/s repo?
14:54 mirko should i open a ticket?
14:54 XenophonF yeah, that's a good idea
14:54 XenophonF not sure why you're seeing that behavior, mirko
14:54 johnkeates has to do with speed of acceptance
14:54 XenophonF did you try running salt-ssh with the -i flag?
14:55 mirko for interactive? the point is, yes, the example i gave opens a prompt
14:55 mirko but it also doesn't return that way, if e.g. the key doesn't match (which issues the mitm warning)
14:55 XenophonF no that's the ignore-host-keys knob
14:56 mirko i don't want to ignore the host key :)
14:57 hasues joined #salt
14:57 hasues left #salt
15:01 amcorreia joined #salt
15:02 mrBen2k2k2k joined #salt
15:11 babilen XenophonF: salt is packaged in Debian (by me and some others)
15:11 babilen XenophonF: wheezy-backports: 0.17.5+ds-1~bpo70+1; jessie: 2014.1.13+ds-3; jessie-backports: 2016.3.0+ds-1~bpo8+1; stretch: 2016.3.0+ds-1; sid: 2016.3.1+ds-1
15:11 babilen Those are the current versions. Once .1 hits stretch we will backport it to jessie.
15:17 mirko ticket for the above described issue: https://github.com/saltstack/salt/issues/34729
15:17 saltstackbot [#34729][OPEN] salt-ssh doesn't return from error | I'm experiencing the weird behaviour, that salt-ssh doesn't return from an error....
15:17 mirko ah
15:17 mirko :P
15:17 GtN joined #salt
15:17 GtN left #salt
15:18 babilen Does the same happen with .0 ?
15:24 nyx joined #salt
15:26 mirko babilen: doesn't seem to be on the servers anymore
15:26 mirko ah, wait
15:26 mirko "archive/"
15:29 mirko yes, same behaviour
15:30 pcdummy iggy: about the "cli input parsing" question yesterday, it works if provide VALID yaml!
15:31 pcdummy iggy: so this works for me: salt '*' lxd.profile_create shared_mounts devices="{shared_mount: {type: 'disk', source: '/home/shared', path: '/home/shared'}}"
15:31 pcdummy +you
15:32 Pulp joined #salt
15:38 deus_ex joined #salt
15:41 ronnix joined #salt
15:44 joom joined #salt
15:48 colegatron joined #salt
15:49 dyasny joined #salt
15:51 west575 joined #salt
15:52 flowstate joined #salt
16:10 jtang joined #salt
16:11 ALLmight_ joined #salt
16:21 DEger joined #salt
16:22 iggy pcdummy: so the problem was you were just passing bad data... well, that's promising
16:23 iggy XenophonF: because you'd never get a new version of Salt into an old version of debian/ubuntu/rhel/etc
16:28 RandyT joined #salt
16:29 LotR would be nice if salt let you know the yaml wasn't valid..
16:30 iggy PR's welcome :trollface:
16:35 DEger joined #salt
16:37 alinuxninja joined #salt
16:40 alinuxninja joined #salt
16:42 alinuxninja joined #salt
16:43 alinuxninja joined #salt
16:43 amcorreia joined #salt
16:46 alinuxninja joined #salt
16:48 catpig joined #salt
16:52 flowstate joined #salt
16:57 om2 joined #salt
16:59 POJO joined #salt
17:02 thejrose1984 joined #salt
17:05 kawa2014 joined #salt
17:18 onlyanegg joined #salt
17:20 ALLmightySPIFF joined #salt
17:29 riftman joined #salt
17:31 ALLmight_ joined #salt
17:31 quup joined #salt
17:32 aw110f joined #salt
17:32 quup Is there some constant-time string comparison function available in templates by default?
17:32 babilen What kind of comparison?
17:33 quup babilen: {% if incoming_token == expected_token %
17:33 quup }
17:34 babilen exactly
17:34 babilen That's it
17:35 quup is that constant-time by default?
17:35 aw110f_ joined #salt
17:36 babilen quup: I'd expect string comparison to be O(n) not O(1)
17:37 quup babilen: I mean in the sense of preventing timing attacks
17:38 babilen I have the feeling as if you might like to provide a little more information. What kind of timing attacks and how are they related to string comparison or salt?
17:41 quup relation to salt: I'm using the reactor system with webhooks and legit requests have a token. what it is: https://codahale.com/a-lesson-in-timing-attacks/   with normal string comparison 'guessedtoken' == 'valid_token' will return fast because the first character differs, for instance 'va_guessed_token' == 'valid_token' would be slower, this can be used to find the token relatively quickly
17:43 babilen My expectation would be that string comparison is equally short-circuited. Feel free to randomise the return time.
17:44 Jarus joined #salt
17:45 honestly I don't think it's a good idea to have salt as a direct attack surface, it just isn't built with that in mind
17:45 ALLmightySPIFF joined #salt
17:45 quup honestly: oh ok, i'll try and rework my setup instead :)
17:46 babilen Are you feeding salt-api requests to the reactor system?
17:46 quup yea
17:47 quup sort of like this: https://docs.saltstack.com/en/latest/ref/netapi/all/salt.netapi.rest_cherrypy.html#salt.netapi.rest_cherrypy.app.Webhook.POST
17:47 quup with webhook_disable_auth: True
17:48 honestly quup: I would delegate authentication to something like an nginx with ssl termination that checks client certs
17:48 s_kunk joined #salt
17:49 honestly Simple and fool-proof once you get past setting up easy-rsa
17:49 quup yea, I'll see if I can work that in, otherwise I'll probably just set up an ssh-tunnel and have salt-api only listen on localhost
17:50 edrocks joined #salt
17:51 flowstate joined #salt
17:58 iggy or if you know where the webhooks are coming from restrict access to those IPs
17:58 iggy (f.ex. github publishes its IP space for such purposes)
18:05 upb babilen: "Feel free to randomise the return time." is the wrong solution btw
18:05 ninjada joined #salt
18:07 iggy I think the gist of that statement was "you should probably solve the problem yourself since salt doesn't do anything special for that case"
18:08 upb ?
18:09 ALLmightySPIFF joined #salt
18:20 babilen upb: Why? If measurements were truly random regardless of string overlap timing attacks shouldn't be able
18:22 babilen But then .. if we *really* want to investigate the attack vector of timing attacks to salt-api, I'd very much like to read the article first and investigate the issue myself
18:22 babilen upb: What would be a better way in your opinion?
18:27 nyx_ joined #salt
18:27 upb well, how do you plan to randomize the return time? by adding a random delay, right? :)
18:29 upb a better way would be to code a constant time string compare
18:29 honestly s/code/use from a crypto lib/
18:30 upb well, if you can do that from a jinja template
18:34 ageorgop joined #salt
18:45 dyaln joined #salt
18:46 xenoxaos joined #salt
18:51 flowstate joined #salt
18:55 Pulp joined #salt
18:55 blueelvis joined #salt
18:59 mohae joined #salt
19:01 cyborg-one joined #salt
19:02 M-MadsRC joined #salt
19:13 hlub joined #salt
19:13 tuxx_ joined #salt
19:13 twiedenbein joined #salt
19:13 oyvindmo joined #salt
19:13 daemonkeeper joined #salt
19:13 saltsa joined #salt
19:13 leev joined #salt
19:13 duckfez joined #salt
19:13 mirko joined #salt
19:13 pfallenop joined #salt
19:13 ze- joined #salt
19:13 poiuasdf joined #salt
19:13 emid joined #salt
19:13 shadoxx joined #salt
19:13 SpX joined #salt
19:13 Qwazerty joined #salt
19:13 __number5__ joined #salt
19:13 joshin joined #salt
19:13 joshin joined #salt
19:13 tehsu joined #salt
19:13 alxchk joined #salt
19:13 fannet joined #salt
19:13 emaninpa joined #salt
19:13 djinni` joined #salt
19:13 Veers joined #salt
19:13 nahkiss joined #salt
19:13 fxhp joined #salt
19:13 pcn joined #salt
19:14 samkottler joined #salt
19:14 eightyeight joined #salt
19:14 ageorgop joined #salt
19:14 komputes joined #salt
19:14 whatevsz joined #salt
19:14 _W_ joined #salt
19:15 marcinkuzminski joined #salt
19:17 Cidan joined #salt
19:26 DEger joined #salt
19:26 onlyanegg joined #salt
19:26 iggy {% salt['mycryptomodule.constant_string_cmp'](str1, str2) %}
19:36 iggy interesting read, but it seems like it'd be hard to do in reality (the original paper assumes perfect knowledge of everything except the secret, etc)
19:37 iggy but still... don't expose salt to the entire internet is a good general rule of thumb
19:43 llua is there a module that can manage files that contain shell variables formatted text? like rc.conf/periodic.conf? i used to be able to use ini.options_present but that inserts spaces around the = now.
19:52 flowstate joined #salt
20:03 _W_ joined #salt
20:06 KingJ joined #salt
20:11 writtenoff joined #salt
20:16 ALLmightySPIFF joined #salt
20:24 flowstate joined #salt
20:34 pcdummy llua: just use a jinja template? why you use a module for that.
20:34 babilen upb: How would constant string comparisons work ?
20:44 babilen I mean you will always have some factor that is bound by the string length. One could just disable the short circuit evaluation, but that wouldn't be constant for all strings, but just constant for strings of the same length
20:45 babilen That should mitigate the aforementioned problem though
20:48 babilen You just won't get O(1)
20:50 pppingme joined #salt
21:07 west575 joined #salt
21:08 ALLmight_ joined #salt
21:22 flowstate joined #salt
21:23 ALLmightySPIFF joined #salt
21:25 ribx joined #salt
21:37 rem5 joined #salt
21:42 mpanetta joined #salt
21:47 nebuchadnezzar joined #salt
21:51 Rumbles joined #salt
22:03 jtang joined #salt
22:04 skeezix-hf joined #salt
22:05 flowstate joined #salt
22:24 flowstate joined #salt
22:25 flowstate joined #salt
22:29 rem5 joined #salt
22:32 _JZ_ joined #salt
22:41 ronnix joined #salt
22:49 ninjada joined #salt
22:51 flowstate joined #salt
23:06 pfallenop joined #salt
23:07 ninjada joined #salt
23:07 writtenoff joined #salt
23:07 ninjada joined #salt
23:19 colegatron joined #salt
23:32 om joined #salt
23:37 west575 joined #salt
23:40 DEger joined #salt
23:50 rem5 joined #salt
23:51 flowstate joined #salt
23:53 edrocks joined #salt