
IRC log for #salt, 2016-09-22


All times shown according to UTC.

Time Nick Message
00:04 edrocks joined #salt
00:04 hasues joined #salt
00:05 hasues left #salt
00:10 woodtablet left #salt
00:12 flowstate joined #salt
00:23 skeezix-hf joined #salt
00:25 pjs joined #salt
00:38 dendazen joined #salt
00:38 pipps joined #salt
00:40 foundatron joined #salt
00:42 fannet joined #salt
00:43 spuder joined #salt
00:44 spuder_ joined #salt
00:48 zither joined #salt
01:06 edrocks joined #salt
01:07 RickLee joined #salt
01:08 RickLee joined #salt
01:08 RickLee joined #salt
01:09 RickLee joined #salt
01:10 flowstate joined #salt
01:10 RickLee joined #salt
01:11 RickLee joined #salt
01:12 kus_ubuntui686 joined #salt
01:13 Nahual joined #salt
01:18 k_sze[work] joined #salt
01:27 skeezix-hf joined #salt
01:31 catpigger joined #salt
01:36 sjorge joined #salt
01:36 amcorreia joined #salt
01:47 ilbot3 joined #salt
01:47 Topic for #salt is now Welcome to #salt! | Latest Versions: 2015.8.12, 2016.3.3 | Support: https://www.saltstack.com/support/ | Logs: http://irclog.perlgeek.de/salt/ | Paste: https://gist.github.com/ (please don't multiline paste into channel) | See also: #salt-devel, #salt-offtopic | Ask with patience as we are volunteers and may not have immediate answers
01:51 systo_ joined #salt
01:53 cyborg-one joined #salt
02:08 mpanetta joined #salt
02:11 flowstate joined #salt
02:20 dendazen joined #salt
02:22 mikecmpbll joined #salt
02:22 Brew joined #salt
02:23 MTecknology How hard would it be to have salt manage only the first line in a file?..
02:24 hemebond Is there something special about the first line?
02:24 hemebond Salt can manage individual lines.
02:24 MTecknology in this particular file format, line order is significant and I'm trying to make sure the first line is something specific
02:25 hemebond Can't manage the entire file?
02:26 MTecknology nope, because line two and three are managed by an application
02:26 MTecknology every other line that doesn't start with X should be removed...
02:27 MTecknology sounds more like I should write a custom module
02:27 hemebond Well, why you have https://docs.saltstack.com/en/latest/ref/states/all/salt.states.augeas.html
02:27 MTecknology I could do this easily with a module and it's an odd enough thing that having to write a module for it doesn't seem crazy
02:27 hemebond And you have https://docs.saltstack.com/en/latest/ref/states/all/salt.states.file.html#salt.states.file.line
02:33 netcho joined #salt
02:33 * MTecknology grumbles
02:33 MTecknology yup, this one calls for a module; to do what I want with file.line, it'd take a crazy amount of logic
02:33 MTecknology or ten lines of python
02:34 hemebond That seems odd.
02:35 MTecknology because, deep down, I really want to enforce the other things in the file too
02:35 mpanetta joined #salt
02:35 MTecknology I could feed the module one line and let it enforce the other bits pretty easily by keeping track of what line it's on
02:36 MTecknology That's what you get when you treat a text file like a database and require automated management of credentials
02:37 MTecknology hemebond: I still need to read up on those things you shared; file.line looks tricky
02:52 bastiandg joined #salt
03:03 daxomati1 joined #salt
03:08 edrocks joined #salt
03:09 flowstate joined #salt
03:17 _JZ_ joined #salt
03:24 k_sze[work] joined #salt
03:50 MTecknology heh... just did a git push, now I wait five minutes for it to fan out
03:50 MTecknology well, I guess I could exercise a bit
03:50 hemebond ?
03:53 MTecknology hemebond: I set it up so any push to one of a few git repos sets a timer. After five minutes, if no new push comes in, an orch.highstate runs; after it runs, there's a ten minute delay before the timer can be reset
03:53 MTecknology not sure if I like those numbers, but they seem to be working well so far
03:53 hemebond orch.highstate means you just highstate your minions?
03:54 MTecknology pretty much, ya
03:54 MTecknology it does saltutil.sync_all and state.highstate on all boxes
03:55 hemebond Is saltutil.sync_all required? I thought we found that was only for master-less minions.
03:55 MTecknology no idea, didn't seem like it'd hurt
03:56 hemebond Ah, no, it just has different behaviour on master-less minions.
03:57 hemebond It's definitely useful.
03:57 hemebond I think the issue was that pillars are not refreshed.
03:59 MTecknology I was hoping it synchronized mine data as well, but didn't look yet
04:06 ThomasJ joined #salt
04:07 bastiandg joined #salt
04:18 DEger joined #salt
04:24 DEger_ joined #salt
04:32 spuder joined #salt
04:33 netcho joined #salt
04:39 Criggie joined #salt
04:40 Criggie Has anyone managed to get salt-minion installed on Xenserver 7 ?   I thought it'd be easy cos the base OS is centos7, but as usual Citrix has messed with versions.
04:41 Criggie Error: Package: salt-2016.3.3-2.el7.noarch (saltstack-repo)     and the required package is "systemd-python"
04:45 cetanu joined #salt
04:45 cetanu Greetings
04:45 Criggie gidday.
04:46 cetanu I need some help with something... Trying to set up an external pillar with cmd_yaml. I must be missing something.
04:46 cetanu This is on my salt-master, it doesn't have the salt client installed, not sure if that's needed.
04:46 Criggie heh I'd help if I could, I'm stuck at getting the RPM dependencies right.
04:46 cetanu For installing salt?
04:47 Criggie yeah - xenserver7 is dicked-over centos7
04:47 jenastar hah
04:47 cetanu Sounds... completely unknown to me
04:47 Criggie cetanu: ahh well you ask your question and see if anyone knows.
04:48 cetanu Well essentially I have this in my master config: ext_pillar: [cmd_json: 'echo {\"arg\":\"value\"}']  as a test
04:48 cetanu I would have thought I'd be able to see the pillar data with salt-call --local pillar.ls
04:48 cetanu But... alas I am here
04:51 daxomati1 joined #salt
04:52 spuder joined #salt
05:09 flowstate joined #salt
05:10 edrocks joined #salt
05:16 krazyj joined #salt
05:16 krazyj hi all… i’m noticing that, when i apply my iptables rules on a minion, i need to restart the minion before test.ping will work again on it… any ideas what this might be?
05:16 krazyj restart the minion === reboot the host
05:18 krazyj for the curious, here are the iptables rules: https://gist.github.com/anonymous/e8ab0fdf3318ee69c9a59b9edb73cca6
05:21 impi joined #salt
05:24 subsignal joined #salt
05:25 jimklo joined #salt
05:28 shalkie joined #salt
05:29 notnotpeter joined #salt
05:33 bocaneri joined #salt
05:37 badon joined #salt
05:39 jimklo_ joined #salt
05:40 moos3 joined #salt
05:41 xenoxaos joined #salt
05:43 Deliant joined #salt
05:45 felskrone joined #salt
05:56 ronnix joined #salt
06:01 xenoxaos joined #salt
06:03 DarkKnightCZ joined #salt
06:04 rdas joined #salt
06:05 shalkie joined #salt
06:09 __newb joined #salt
06:10 flowstate joined #salt
06:18 ronnix_ joined #salt
06:28 raspado joined #salt
06:29 haam3r joined #salt
06:34 netcho joined #salt
06:36 MTecknology I just got state.highstate on my rpi (73 states) from 7 minutes to 2
06:38 MTecknology I can't do math, but still 50%
06:39 shalkie joined #salt
06:39 daxomati1 joined #salt
06:42 Rumbles joined #salt
06:44 Klas slightly less than 30% actually
06:46 sgo_ joined #salt
06:48 haam3r Hi…I'm trying to configure a slack returner but can't seem to find the place where to put the configuration for it
06:57 keimlink joined #salt
06:57 subsignal joined #salt
07:03 jxm_ joined #salt
07:05 toanju joined #salt
07:09 flowstate joined #salt
07:12 edrocks joined #salt
07:12 spudpnds joined #salt
07:14 spudpnds Hello Salt folks! I have a question about targeting using grains. When I target like G@os:Debian, does salt ask all the minions "hey, report in if you have this grain", or does the saltmaster consult some grain DB it previously collected and return you a list of minions that have that grain?
07:16 rdas joined #salt
07:16 notnotpeter joined #salt
07:17 DEger joined #salt
07:18 AndreasLutro spudpnds: there is definitely some caching involved but I'd assume the master asks each minion every time
07:21 spudpnds Ok. So it seems like making a complicated grain target query is like a distributed DB lookup.
07:23 dariusjs joined #salt
07:23 spudpnds The caches are stored on the individual minions, the info isn't cached on the master I take it.
07:24 spudpnds I have an application where I'd like to use salt's targeting feature just to return me a list of hosts.
07:25 AndreasLutro right. I don't think there's another way around that than doing a test.ping
07:25 spudpnds I'd like to use the rich targeting syntax in like a graphing application for example.
07:25 spudpnds Cool, thanks for the help!
07:27 spudpnds Ah, I think pillar data is cached on the master.
07:27 spudpnds I'm a total noob :)
07:28 daryl joined #salt
07:30 ronnix joined #salt
07:33 dariusjs joined #salt
07:33 daxomati1 joined #salt
07:34 ronnix_ joined #salt
07:38 debian112 joined #salt
07:40 packetplumber joined #salt
07:42 krymzon joined #salt
07:54 CeBe joined #salt
07:55 fannet joined #salt
07:57 packetplumber hi there. does anyone know if it's possible to hide sensitive information in a pillar from being shown locally on the minion? i have a requirement to create a set of local users on some windows boxes (which will need plaintext passwords in the pillar). i'd like to know if i could hide all these passwords from the minion when doing a "salt-call pillar.items"?
07:57 geomacy joined #salt
07:57 AndreasLutro no
07:58 BlackBishop is there a way to file.append only if that line isn't already there ?
07:58 packetplumber AndreasLutro: thanks, i didn't think so. this is just the way it needs to make the data available to the execution module on the minion i guess right.
07:59 AndreasLutro BlackBishop: I thought that's what file.append already does
08:00 packetplumber AndreasLutro: sorry, was that "no" for me or for BlackBishop?
08:01 AndreasLutro it was for you, packetplumber
08:01 packetplumber thanks
08:02 AndreasLutro the way you'd normally solve this is by storing password hashes, not passwords themselves, but don't know if that's possible with windows
08:03 packetplumber thanks, that was what i thought. coming into a new environment and they're reluctant to put some windows boxes on the domain but are also not wanting the single shared account problem.
08:08 debian112 joined #salt
08:10 flowstate joined #salt
08:12 BlackBishop AndreasLutro: it does, thanks....
08:20 impi joined #salt
08:24 n1ck joined #salt
08:25 n1ck hi , my salt-minion process shutdown randomly
08:25 n1ck the error i got is: "Minion received a SIGTERM. Exiting."
08:25 n1ck Any idea?
08:26 n1ck thanks :)
08:26 felskrone joined #salt
08:27 s_kunk joined #salt
08:27 hemebond n1ck: Something is telling it to stop?
08:28 Rumbles joined #salt
08:29 n1ck hemebond: I guess but I have no clue who..
08:30 n1ck I'm starting the salt-minion with the services utility: service salt-minion start/restart
08:30 n1ck This successfully starts the salt-minion process
08:30 hemebond What if you run it manually in debug mode?
08:30 n1ck then I'm running a python script that talks to salt using the salt python api
08:30 hemebond Oooh
08:31 n1ck If I'm running the salt-minion manually everything works fine
08:31 n1ck like salt-minion -l debug
08:31 n1ck the salt-minion process doesn't shutdown
08:31 hemebond Does it run fine when you're not interacting with it?
08:31 n1ck like salt-minion -d?
08:31 hemebond Have you tried putting the log level to debug for the service?
08:32 n1ck not yet
08:32 hemebond You said you were using a Python script
08:32 hemebond Does it work fine until you use your script?
08:32 n1ck Yeah
08:33 n1ck the salt-minion service shutdown only after I'm using my python script
08:33 AndreasLutro what does your script do
08:33 AndreasLutro service.restart salt-minion? :p
08:33 Salty joined #salt
08:33 n1ck AndreasLutro: tried this many times :)
08:34 Salty Hey, is there a way to change "Shutdown behavior" with salt at ec2?
08:34 Couch joined #salt
08:34 n1ck The script initialize a LocalClient object and talk to minions using the run_job method
08:35 AndreasLutro and what does it tell the minions to do?
08:35 n1ck Currently the script manages Docker container creation/shutdown etc.
08:35 netcho joined #salt
08:35 n1ck It mainly use dockerng methods
08:36 AndreasLutro it sounds like your init system (sysinitv/systemd/whatever) is killing your salt minion
08:36 AndreasLutro that's why it doesn't happen when you run the minion manually
08:36 n1ck Sound very likely , any clue why?
08:36 Mattch joined #salt
08:37 AndreasLutro no
08:37 n1ck I'll try what hemebond suggested and restart my salt-minion daemon with debug log level
08:38 n1ck And see if my log contains any meaningful line
08:39 Salty Hey, is there a way to change "Shutdown behavior" with salt at ec2?
08:39 n1ck hemebond and AndreasLutro: thank you very much for the help! :)
08:39 hemebond Good luck :-)
08:40 J0hnSteel joined #salt
08:50 kbaikov joined #salt
08:50 mikecmpbll joined #salt
08:56 dariusjs joined #salt
08:57 netcho joined #salt
09:04 RandyT_ joined #salt
09:04 notnotpeter joined #salt
09:09 sjorge joined #salt
09:10 flowstate joined #salt
09:12 Tuxick joined #salt
09:14 ozux joined #salt
09:14 edrocks joined #salt
09:15 packetplumber left #salt
09:15 subsignal joined #salt
09:17 fannet_ joined #salt
09:20 arif-ali joined #salt
09:25 dariusjs joined #salt
09:39 debian112 joined #salt
09:40 mikecmpbll joined #salt
09:47 bluenemo joined #salt
09:49 sybix joined #salt
10:05 DEger joined #salt
10:08 edrocks joined #salt
10:09 flowstate joined #salt
10:20 Reverend can one use the nodegroup as a variable in the sls files?
10:20 Reverend that'd be super
10:35 dariusjs joined #salt
10:37 Salty Hey, is there a way to change "Shutdown behavior" with salt at ec2?
10:37 debian112 joined #salt
10:46 JohnnyRun joined #salt
10:49 teryx510 joined #salt
10:50 DEger joined #salt
10:50 teryx510 joined #salt
10:52 notnotpeter joined #salt
10:59 sfxandy joined #salt
10:59 sfxandy hello all
11:01 debian112 joined #salt
11:03 amcorreia joined #salt
11:06 hoonetorg joined #salt
11:09 flowstate joined #salt
11:09 hlub joined #salt
11:10 teryx510 sfxandy: morning
11:14 Rumbles can you have a state run only if a directory exists? I have added require file, but that still fails, even when the directory exists: https://paste.fedoraproject.org/432472/
11:15 ronnix joined #salt
11:23 AndreasLutro "onlyif"
11:25 Rumbles I was searching for that but it wasn't on the doc page :/
11:25 Rumbles thanks AndreasLutro
11:26 Rumbles thought I was making things up in my head.... again
11:42 numkem joined #salt
11:49 debian112 joined #salt
12:01 silver310 joined #salt
12:01 silver310 Hello, is it possible to get salt to prompt user for credentials when calling a state?
12:03 silver310 I've tried running a bash script that prompts for username and password, this kinda works, it does prompt for credentials, but the screen is empty, like the output is being hidden, so it looks like it's stuck but actually it's waiting for input.
12:06 netcho joined #salt
12:09 ntropy silver310: it might be possible, but really salt isn't meant to be used interactively like that
12:10 ntropy generally credentials should go into the pillar
12:10 haam3r joined #salt
12:14 barmaley joined #salt
12:17 subsignal joined #salt
12:17 silver310 yeah figured as much
12:18 silver310 I'll probably end up making a system account and storing its credentials in a pillar
12:20 impi joined #salt
12:22 ronnix joined #salt
12:23 dariusjs joined #salt
12:30 edrocks joined #salt
12:30 raspado joined #salt
12:31 bluenemo joined #salt
12:35 viq {{ salt['grains.get_or_set_hash']('mysql:some_mysql_user') }}  - how do I set the length of the hash to generate instead of default 8?
12:35 viq I know it's the length parameter, but I don't know how to pass it to the function there
12:35 viq https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.grains.html#salt.modules.grains.get_or_set_hash is the module documentation
12:36 AndreasLutro just as it appears in the documentation
12:36 viq AndreasLutro: except it does not for calling from a state
12:36 AndreasLutro get_or_set_hash(name, length=8, chars='abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)')
12:37 AndreasLutro get_or_set_hash('mysql:some_mysql_user', length=16)
12:37 viq Ah, thank you.
12:39 * viq is python n00b
12:41 notnotpeter joined #salt
12:50 ryan8403 joined #salt
12:50 impi joined #salt
12:51 dendazen joined #salt
13:01 pppingme joined #salt
13:02 GordonTX joined #salt
13:03 mpanetta joined #salt
13:03 debian112 joined #salt
13:04 dariusjs joined #salt
13:07 racooper joined #salt
13:10 svg joined #salt
13:12 haam3r joined #salt
13:13 svg joined #salt
13:22 svg joined #salt
13:22 dariusjs joined #salt
13:23 dyasny joined #salt
13:31 Tanta joined #salt
13:35 dariusjs joined #salt
13:36 llua joined #salt
13:36 randomword joined #salt
13:36 randomword goodmorning
13:37 randomword I'm having issue with my salt-cloud after an update to Boron
13:37 randomword saying that my login creds are wrong
13:37 randomword to vcenter using vmware dirver
13:38 randomword worked before... :(
13:39 edrocks joined #salt
13:42 dariusjs joined #salt
13:43 randomword anyone?
13:46 ksk joined #salt
13:47 flowstate joined #salt
13:49 dariusjs joined #salt
13:52 svg joined #salt
13:56 teryx510 joined #salt
13:57 cmarzullo sorry haven't used the vmware driver at all.
13:59 tbrb joined #salt
13:59 bowhunter joined #salt
14:02 raspado joined #salt
14:04 debian112 joined #salt
14:07 flowstate joined #salt
14:10 Brew joined #salt
14:12 llua joined #salt
14:17 subsignal joined #salt
14:31 watersoul joined #salt
14:36 mpanetta joined #salt
14:38 GordonTX joined #salt
14:39 felskrone does the minion support including grains files, for example from /etc/salt/grains.d/config1.sls?
14:47 brunopadz joined #salt
14:48 dyasny joined #salt
14:51 armonge joined #salt
14:51 flowstate joined #salt
14:52 debian112 joined #salt
14:53 Hybrid joined #salt
14:56 dyasny joined #salt
14:58 BattleChicken joined #salt
15:00 teryx5101 joined #salt
15:00 hasues joined #salt
15:01 pppingme joined #salt
15:02 BattleChicken left #salt
15:03 BattleChicken joined #salt
15:04 impi joined #salt
15:07 spuder joined #salt
15:07 traph joined #salt
15:07 traph joined #salt
15:08 edrocks joined #salt
15:09 codeape joined #salt
15:12 bluenemo with cmd.run, why are stdout and stderr output into two different sections in the default salt renderer? This way I can not associate the correct order of the output.
15:15 DammitJim joined #salt
15:22 jschoolcraft joined #salt
15:22 jimklo joined #salt
15:22 tiwula joined #salt
15:24 DEger joined #salt
15:26 pmcg joined #salt
15:28 mohae joined #salt
15:29 beowuff joined #salt
15:29 debian112 joined #salt
15:31 huggy joined #salt
15:38 tbrb joined #salt
15:47 Rumbles I've replaced my salt minion, and now my minions which haven't had the salt-minion restarted aren't responding to requests from the master. Do I have to go on to each one and restart the minion, or will it automatically restart after a given period?
15:48 StolenToast Question about requirements, if I have a state with an "onlyif" directive AND a "require" will the "require" state NOT run if the "onlyif" succeeds?
15:49 StolenToast so if "onlyif" determines this state shouldn't be run will it still invoke the "require" sls?
15:51 Rumbles I would suggest you test it, otherwise it would probably best to have a pastebin of what you are trying out
15:51 Rumbles as it's hard to be sure imo without seeing it
15:51 Ch3LL Rumbles: What do you mean by you have replaced your salt-minion? did you upgrade the minion or delete keys maybe?
15:51 Rumbles sorry
15:51 benjiale joined #salt
15:51 Rumbles I mean I have replaced my salt master
15:51 Rumbles oops
15:52 Rumbles I have moved the HDD of the master to another VM
15:52 StolenToast http://hastebin.com/icoyoziziv.pl
15:53 Ch3LL oh i see okay well the minions should continue to attempt to authenticate with the master. depending on your settings you should see them showing up eventually. Can you checkout the log of one of the minions and see what its trying to do
15:53 Rumbles the ones I have looked at aren't logging anything
15:53 Rumbles I don't think they've noticed the switcharoo yet :)
15:53 Rumbles if they are likely to reconnect after some time, that's fine
15:53 benjiale Hi everyone. Running into a weird issue today on some new boxes... it's the boto_route53.present state, I keep getting a "Reason: 'boto_route53' __virtual__ returned False" reason under failures. I checked the boto version and it's set to 2.35.0... anyone have any suggestions?  I'm running the minion version 2016.3.3
15:54 Rumbles I just don't want to go on every one of a few hundred machines...
15:54 Ch3LL Rumbles: yes they should what version of salt are you on? and are you using multi-master?
15:54 Rumbles no single master
15:54 Rumbles 2015.5.3+ds-1trusty1
15:54 Ch3LL okay yeah technically the minions should continue to attempt to re-auth
15:55 Ch3LL oh 2015.5.3 thats a pretty old version. i'm not aware of any issues with that version but i could be wrong
15:55 Rumbles thanks Ch3LL I am happy to wait a day, but if they never come back it could be a pita
15:55 Ch3LL i asked if you were using multi-master because in 2015.8.7 i believe there was issues with multi-master and minions coming back up. but you won't run into that
15:55 Ch3LL i don't think it would be a day Rumbles. i think it would be more like a minute
15:55 Ch3LL unless you changes your settings in the minion config to say differently
15:56 sjmh joined #salt
15:56 felskrone does the minion support including grains files, for example from /etc/salt/grains.d/config1.sls? and are they available if i just place them there and run grains.items?
15:56 Rumbles hmmm it's way past a minute and only 1 minion I didn't restart has started responding
15:57 Ch3LL yeah that doesn't sound good. can you just try restarting another minion and see if that auths? just to make sure there is no issues with the copy of files to a new hard drive
15:58 khorben_ joined #salt
15:58 Rumbles yeah just did another one and that's responding straight away
15:58 Rumbles it wasn't before
15:58 Rumbles it wasn't a copy of files, I moved the hdd from one VM to another
16:00 Rumbles oh well, probably have a fun day planned tomorrow :)
16:00 Ch3LL oh gotchya..hmmm and if the minions aren't logging anything thats not very useful either..hmm let me think
16:00 Ch3LL i think you might be able to do something with salt-ssh
16:00 Rumbles I'm thinking that they still think the connection is there
16:01 Rumbles from the logs on debug it is using the internal IP DNS to connect, that DNS entry was updated
16:01 Ch3LL oh what if you run `salt-call test.ping -ldebug`
16:01 Ch3LL on one of the broken minions
16:01 Rumbles I'm guessing it only resolves DNS on startup, or during some certain part of the connection
16:01 Rumbles sec
16:01 Ch3LL ahhhh you updated dns...hmmm yeah i'm not sure without diving into the code to see when that would be refreshed
16:02 Rumbles I got True back
16:03 Ch3LL hmmmm yeah I think you are right in that the issue is the dns update...somehow the minion has to refresh that entry
16:03 Ch3LL i have never used this before but you might be able to use salt-ssh and the roster cache so you don't have to log into each box: https://docs.saltstack.com/en/latest/ref/roster/all/salt.roster.cache.html#module-salt.roster.cache
16:04 Rumbles thanks Ch3LL
16:04 Rumbles that's a great help
16:04 Rumbles home time now
16:04 toanju joined #salt
16:04 Rumbles so if they're not working in the morning I will be looking at that page :)
16:04 fannet joined #salt
16:04 Ch3LL alrighty good luck
16:06 KingOfFools joined #salt
16:06 beardedeagle joined #salt
16:12 bowhunter joined #salt
16:17 notnotpeter joined #salt
16:17 pipps joined #salt
16:23 codeape joined #salt
16:24 amcorreia joined #salt
16:25 _JZ_ joined #salt
16:29 flowstate joined #salt
16:30 Sarphram joined #salt
16:31 Edgan joined #salt
16:31 notnotpeter joined #salt
16:35 edrocks joined #salt
16:38 ecdhe At home if I follow a tutorial such as on configuring nginx to serve flask on DO, I convert all the bash commands to salt states... `apt-get install FOO' becomes FOO: pkg.installed and whatnot.
16:38 ecdhe Are there any tools for performing these transformations somewhat automatically?
16:39 ecdhe So I could dump a 50 line bash file in and get my 100 lines of more-or-less-usable YAML?
16:41 Lionel_Debroux joined #salt
16:42 kevinqui1nyo ecdhe: I think that would be a very difficult thing to create programmatically, since this hypothetical compiler would have to understand everything in the script, for instance a complicated piped expression in the script, like awk .. | sed ... and know the intent, then translate that to salt state modules, etc.
16:42 kevinqui1nyo so no i think it would be almost impossible to create something like that, that would work reliably at least
16:43 danlsgiga joined #salt
16:43 ecdhe kevinqui1nyo, most bash tutorials aren't tremendously convoluted.
16:44 ecdhe That is, apt-get -y -q install is interpretable enough.
16:44 armyriad joined #salt
16:45 danlsgiga hey folks... is there anyway I can return a different http code status on the Salt API based on failures from the state execution?
16:45 ecdhe But if I write a tool like this, it's not going to be for bash noobs OR for salt noobs... You'll have to adequately understand the output.
16:45 danlsgiga I've noticed that even getting a python stacktrace the Salt API returns a 200, which is absolutely wrong.
16:46 ecdhe kevinqui1nyo, one thing I spend a lot of time tweaking is the '- requires: file' statements...  A bash script has every command in an order, and some of the orders don't matter, and some of them really do!
16:46 hasues ecdhe: But that's just it,  "apt-get -y -q install" isn't bash.  Those are all separate commands.  You are essentially going to need to know all the commands in the universe and how to interpret them.  The actual bash translation would probably be more apt to what would go in something like JINJA instead of a yaml file.
16:46 woodtablet joined #salt
16:47 hasues ecdhe: If someone gave me that assignment, I would say "I'm going to have salt call your bash script", and move on.
16:47 cmarzullo ^^
16:48 hasues ecdhe: Otherwise, I'm going to dissect what it is you are wanting to do with your bash script and write up formula and such.
16:48 cmarzullo ^^
16:48 ecdhe hasues, most install scripts don't use all the commands in the universe -- there's a limited subset of common actions.  The swiss army knife doesn't have to have a frying pan in order to be useful.
16:49 ecdhe I'm just looking for prior art, I guess.
16:49 cmarzullo most install scripts aren't idempotent either.
16:49 ecdhe hasues, what you just said about writing a formula -- that's exactly what I'm trying to do.
16:49 hasues ecdhe: You mentioned apt, I'm going to have to know how to handle apt.  I'm going to have to know awk...I'm going to have to know sed.  It starts getting expensive quick in terms of making a translator.
16:50 ecdhe I'm just trying to save a few key strokes in a very common domain that I understand well.
16:50 ecdhe MOST days it doesn't require awk
16:51 ecdhe This would be more of a list of common restaurant terms than a 100%, culturally aware, inflection detecting, streaming audio conversational translator.
16:51 ecdhe apt-get install FOO BAR => FOO: pkg.installed, BAR: pkg.installed
16:51 hasues ecdhe: When AI becomes awesome, we can make that happen as essentially the tool you want will go do the web searches you want to figure out what was trying to be accomplished and respectively find out salt methods for achieving them.
16:52 hasues ecdhe: But then IRC will be filled with these AI bots chatting with each other and I won't be able to keep up. :)
16:52 cmarzullo you can already do that. pkg.installed: pkgs: ['foo','bar']
16:52 pipps joined #salt
16:52 ecdhe hasues, I completely agree that a completely correct translator is likely not humanly possible.
16:53 ecdhe I just wanted to make sure there wasn't some prior art I wasn't aware of before I write 20 pages of python for a personal tool.
16:53 XenophonF does ext_pillar disable the default pillar directory stuff?
16:54 XenophonF i kind of assumed that i could have both /usr/local/etc/salt/pillars plus an ext_pillar, and then migrate from one to the other piecemeal
16:57 zer0def joined #salt
16:57 fannet_ joined #salt
16:59 impi joined #salt
17:00 mikecmpbll joined #salt
17:02 XenophonF hm, looks like it matches pillar_roots first
17:02 XenophonF which is good
17:03 XenophonF problem is, if the top.sls in ext_pillar matches, then it looks for the corresponding SLS files in ext_pillar but not in pillar_roots
17:08 Stephen143432 joined #salt
17:11 Salander27 joined #salt
17:12 pipps joined #salt
17:12 pipps99 joined #salt
17:14 armonge joined #salt
17:17 Stephen143432 Is it possible to iterate over all the items in mine data?
17:18 Stephen143432 for example instead of doing salt '*' mine.get '*' grains.item i could so something like salt '*' mine.get '*' '*'
17:23 mpanetta joined #salt
17:29 tvinson i'm using beacons and reactors in a multi-master environment and i'm wondering how to deal with the reactor targeting a different minion from where the beacon was fired. can the reactor state be placed on the master of masters instead of the syndics?
17:30 bunjamins joined #salt
17:32 bunjamins Yo salt dudes, anyone ever install the salt minion through a vmware template? vmware restarts the template once during setup before writing the host ID, so if I set salt-minion to autostart then the minion_id is wrong.  How do I delay salt-minion chkconfig from startup until the second startup from the time the vmware template is created
17:33 onlyanegg joined #salt
17:33 bunjamins I was going to write a script to iterate and run at second start, then remove itself from cron and delete itself to clean up, but I was wondering if anyone's already solved this in a more pretty way
17:33 Edgan bunjamins: I use cloud-init in EC2.
17:34 theblazehen_ joined #salt
17:34 Edgan bunjamins: also lets me handle the salt key via userdata and cloud-init
17:35 bunjamins cool edgan, but i don't think i can use that in this case
17:35 bunjamins this is local vmware installation, not aws
17:36 tvinson bunjamins: we use an init script on the template that exits if the hostname is one of the template names or joins satellite, fires off salt if not a template name
17:36 Edgan bunjamins: cloud-init seems to support VMware too
17:36 armin joined #salt
17:37 bunjamins @tvinson: that might be more fault tolerant that what i was planning
17:38 bunjamins @edgan, oic, that might be useful too, going to check it out
17:38 xnavy_ joined #salt
17:44 N-Mi joined #salt
17:44 N-Mi joined #salt
17:45 pipps joined #salt
17:50 wisesp00l joined #salt
17:53 impi joined #salt
17:53 wisesp00l Hello.  We are running 2016.3.1 and are having issues executing orchestrate runners.  Periodically they will get an error and fail to run.  Here is a snippet: salt/run/20160922073003142075/ret       {     "_stamp": "2016-09-22T07:30:03.158166",     "fun": "runner.cloud-created_log-to-sqlite.run",     "jid": "20160922073003142075",     "return": "Exception occurred in runner cloud-created_log-to-sqlite.run: Traceback (most recent call
17:54 haam3r joined #salt
17:54 wisesp00l 2.7/site-packages/salt/client/mixins.py\", line 297, in low\n    for mod_name in six.iterkeys(self.functions):\nRuntimeError: dictionary changed size during iteration\n",
17:55 wisesp00l We have a custom runner that logs some minion information to a SQLite database, but will occasionally fail due to this "dictionary size changed during iteration".
17:55 edrocks joined #salt
17:56 numkem joined #salt
17:57 sp0097 joined #salt
18:00 wisesp00l I don't see any open issues about this---has anyone else here encountered something like this?
18:02 raspado joined #salt
18:06 cmarzullo I have not. sorry m8
18:13 MTecknology wisesp00l: mind sharing the whole error on dpaste?
18:13 mikecmpbll joined #salt
18:13 wisesp00l That pretty much is the whole error, it's grabbed from the event-bus.  I'll dpaste it though
18:14 armonge_ joined #salt
18:14 wisesp00l http://dpaste.com/3T6V63R
18:14 MTecknology seems like there's a bit missing from the stack trace
18:14 wisesp00l That's the error that is returned in the event bus.
18:14 scoates joined #salt
18:15 wisesp00l I can try turning on debug logging and do it again.
18:15 MTecknology wisesp00l: just stick it in dpaste
18:16 MTecknology more than likely you tried to paste a massive pile of junk into IRC and freenode thankfully truncated it :P
18:16 wisesp00l There have been errors similar to this when using six.iterkeys, and in this case it's self.functions.  Other implementations in the same code copy the keys to another buffer to iterate over
18:16 codeape joined #salt
18:18 wisesp00l I'm assuming that it's a thread-safety issue
18:22 tmclaugh[work] joined #salt
18:31 __newb joined #salt
18:34 flowstate joined #salt
18:35 teryx510 joined #salt
18:37 pipps joined #salt
18:38 pipps99 joined #salt
18:39 pipps_ joined #salt
18:41 pipps__ joined #salt
18:44 debian112 joined #salt
18:44 pipps joined #salt
18:47 pipps99 joined #salt
18:52 zer0def joined #salt
18:53 bowhunter joined #salt
19:00 DarkKnightCZ joined #salt
19:03 netcho joined #salt
19:03 haam3r joined #salt
19:03 nicksloan joined #salt
19:11 pipps joined #salt
19:12 schemanic joined #salt
19:12 schemanic Hello
19:14 nidr0x joined #salt
19:15 schemanic Does anyone know what I would do to prove that a minion's configuration hasn't been tampered with?
19:17 pipps joined #salt
19:18 cmarzullo Manage it with salt.
19:19 cscf schemanic, tampered with by what?  Well-meaning users, or malicious?
19:19 BattleChicken schemanic:  what do you mean by that?  that someone hasn't issued conflicting salt comands from your 'base'? or someone going int othe machine and manually changing settings? or..?
19:19 BattleChicken auditing?
19:20 schemanic BattleChicken, yes!
19:20 schemanic let me elaborate
19:20 schemanic I have 4 admins, a salt master, and then my various minions
19:21 schemanic I'm trying to write a series of auditing states to aggregate config files from around the systems so we can review them.
19:22 schemanic My colleagues are proposing the scenario that, one of us could ssh to a minion and tamper with it to report false information back to a highstate
19:23 schemanic so what I'm looking for is a means of being able to reasonably say "Look, this proves that the minion hasn't been tampered with"
19:23 sgo_ joined #salt
19:23 cmarzullo sounds like someone is trying to fight cfg mgmt.
19:23 cscf schemanic, sounds like you have some trust issues in your workplace
19:24 schemanic cscf, this apparently is mandated by SOC
19:24 cmarzullo setup auditd. track all files that you care about. log to external system.
19:24 cscf schemanic, all data returned by a minion can be controlled by that minion, and therefore anyone with root on it.
19:24 cmarzullo same for any other file.
19:24 iggy it sounds like you'd want a system outside of salt to do that...
19:24 cscf But you can preemptively monitor such things ^
19:24 DerCed left #salt
19:25 cmarzullo yeah it's a policy thing. So you basically apply the same policy you have for any other configuration file.
19:25 schemanic The audit we are trying to pass apparently states that as admins with equivalent privileges, we need to not trust each other and our systems must reflect this
19:25 cmarzullo auditd
19:25 pipps joined #salt
19:25 schemanic auditd... I can look into this
19:26 schemanic but again, the same question will be asked
19:26 edrocks joined #salt
19:26 schemanic 'how do you know someone hasn't hacked auditd'?
19:26 iggy you could say that forever
19:26 schemanic I agree
19:26 cmarzullo audit has that sorted
19:26 cscf schemanic, you don't.  If admins shouldn't trust each other, then they shouldn't have access to each other's machines
19:27 pipps99 joined #salt
19:27 cmarzullo it becomes immutable. If someone mucks with it the system will panic.
19:27 cscf Why would you give ssh keys in the first place?
19:27 iggy don't let admins login to systems
19:27 cmarzullo You can't log anymore. system will shut down.
19:27 iggy do everything through salt
19:27 cmarzullo auditd is the shizzle.
19:27 cmarzullo schemanic: what os?
19:27 schemanic Amazon linux
19:27 pipps99 joined #salt
19:28 schemanic will auditd allow salt to work with these files?
19:28 cmarzullo close enough to redhat that you follow the CIS hardening guidelines which have all the auditd rules spelt out for you.
19:28 cmarzullo use salt to establish the initial state. Reboot.
19:29 cmarzullo auditd is pretty though.
19:29 keimlink joined #salt
19:29 schemanic cscf, admins dont have access to each other's machines, we all have access to the infrastructural servers
19:29 impi joined #salt
19:29 cmarzullo for example I can intercept every system exec call and log it to ELK.
19:29 schemanic also, how do we fix problems that happen with our application on a server if admins cant log into systems
19:29 cmarzullo I have nice pie chart showing the most common exec system calls.
19:30 schemanic cmarzullo, can you share it?
19:30 cmarzullo sadly I cannot.
19:30 dilkington joined #salt
19:30 cmarzullo But you can get all the rules from CIS website.
19:31 cmarzullo but I use the auditd public formula.
19:31 cmarzullo I just drop in my own rules.
19:31 Trauma joined #salt
19:31 cmarzullo log any setuid usage. (ping is setuid)
19:31 cmarzullo There's a ton of stuff. Check the CIS website.
19:31 schemanic Thank you for the pointer
19:32 schemanic Have any of you worked on/passed SOC?
19:32 cmarzullo I had a kick start for redhat that hit every single CIS guideline.
19:32 pipps joined #salt
19:32 cmarzullo There were other pieces that fell outside my bailiwick. But yeah basically.
19:32 schemanic is that some sort of guide?
19:33 subsignal joined #salt
19:33 cmarzullo Is this your first time working with auditors in this fashion? There's very much an art to dealing with it.
19:34 schemanic Yes, this is my first rodeo
19:34 cmarzullo my heart goes out to you!
19:34 cmarzullo it's a bitch. But gets easier.
19:34 schemanic everyone who's been here tells me that they're not technical enough to know better than we do
19:34 cmarzullo it's very much a dance.
19:35 cmarzullo process over tech.
19:35 cmarzullo It may be enough to say you log access to configuration files and review them periodically.
19:35 cmarzullo But you gotta make sure you do that.
19:36 schemanic um yeah
19:36 schemanic so the process I inherited
19:36 schemanic the admin wrote a complex series of scripts that no one can read
19:36 schemanic and they're broken now
19:36 schemanic but they're supposed to have been fulfilling our audit requirements
19:36 cmarzullo sounds like he did the dance. :)
19:36 schemanic but since they dont work, we've all been fighting about how to fix them and not getting anywhere
19:37 BattleChicken "that nobody can read" - did they not comment them or...?
19:37 cmarzullo review the policies. Make a spreadsheet for each bullet item. Then do gap analysis. Where we are / where we are supposed to be.
19:37 schemanic BattleChicken, meaning that the architecture of the scripts is so arcane that it's not clear how they work
19:37 cmarzullo ID the most critical ones and address them.
19:37 schemanic I am doing that
19:37 notnotpeter joined #salt
19:38 cmarzullo Having a remediation plan that shows progress is important.
19:38 schemanic thats why Im trying to put these processes into salt
19:38 BattleChicken what are they written in?
19:38 jav joined #salt
19:38 schemanic and all I get from my own team is 'well the auditors said we shouldn't trust each other, so let's ask chicken/egg questions forever about whether everything's been hacked until nothing gets done.'
19:39 cmarzullo oh it looks like CIS has amazon linux benchmarks.
19:39 cmarzullo https://benchmarks.cisecurity.org/downloads/multiform/
19:39 cmarzullo heheh been down that path schemanic
19:40 schemanic which brings me to the original question. What can I do that basically says "Yes, salt works the way it says it does, and it did the things we wanted it to do."
19:40 cmarzullo Yeah you won't get anywhere with that. You can say that about any software.
19:41 schemanic okay, so auditd locks files down and reports activity on them yes?
19:41 cmarzullo yes and way more.
19:41 cmarzullo check the benchmark.
19:42 cmarzullo You also need to do things like intercept date /time changes. password changes. setuid changes. all sorts of good stuff.
19:42 voxpop joined #salt
19:43 schemanic right now we're sshing to servers and vacuuming up files into a repo, then running hg diff on them from the time of last commit to review changes
19:43 cmarzullo oh gawd.
19:43 schemanic Is this... not the way?
19:43 cmarzullo read that policy section carefully.
19:43 cmarzullo I don't know it. so maybe it says you have to do that.
19:43 cmarzullo but seems unlikely.
19:44 schemanic What policy section? in the Amazon Linux benchmark?
19:44 cmarzullo Yeah
19:44 cmarzullo oh also AIDE. which does your filesystem integrity testing
19:44 cmarzullo You hash your filesystem and it'll detect changes.
19:45 schemanic I cant find a section in this document that says 'policy section'
19:45 cmarzullo I mean SOC.
19:45 schemanic Oh, you're talking about the thing the auditors write up themselves
19:46 cmarzullo yeah what does SOC stand for?
19:46 schemanic Service Organization Controls
19:47 cmarzullo Yeah gotta check that.
19:47 schemanic It's all very new to me
19:47 cmarzullo to bring it back to salt. You'll basically use salt to ensure those controls are being met.
19:48 schemanic We've been given a list of tasks to complete and report on
19:48 cmarzullo But it very much unlikely says write a bunch of scripts to do stuff.
19:48 jmedinar joined #salt
19:49 cmarzullo yeah it'll make your head spin fer sure.
19:49 schemanic yes I understand that the auditors want the spirit rather than a letter
19:49 schemanic the problem I'm having comes in the form of people
19:49 cmarzullo 'there are no technical problems, only people problems'
19:50 schemanic I try to ask what the requirements are for this, they bitch and moan about whether we're a ruby or python shop, I try to write an improvement, they get concerned over whether we can trust the very thing I'm introducing to try and fix the problem.
19:50 cmarzullo yeah I know that refrain.
19:51 jmedinar Question... How can I target two regex for different minion groups to execute a state ... Example:
19:51 jmedinar salt -C '*shared* and *csa*' state.sls admin.status.csa
19:51 cscf Ever read the famous essay, "Reflections on trusting trust"?
19:51 jmedinar each alone work just fine
19:51 cscf It's quite a rabbit hole.
19:51 cmarzullo Get the policy. Itemize the things into a spread sheet. do gapalysis then start there.
19:53 iggy jmedinar: or...?
19:53 cmarzullo but the tl;dr for salt is your policy is you only install from official repos and gpg verify all packages.
19:53 mikecmpbll joined #salt
19:53 jmedinar need to include them all ... or will exclude
19:54 cmarzullo furthermore you log all access to sensitive files with auditd to an external logging system.
19:54 beardedeagle joined #salt
19:54 dilkington Hi salt people! Anyone mind giving my problem with salt.states.hg a once-over. Don't know if I'm doing something dumb or if this is a bug. Thanks: https://gist.github.com/nilliams/08682c1ff4220f31a060df9b98349336
19:54 jmedinar no actually you were right
19:55 iggy jmedinar: I guess I don't understand what you're trying to do... but have you tried 'or' and it's not doing what you want or you're just guessing?
19:55 jmedinar or worked thanks!
19:55 iggy cool
19:55 schemanic cmarzullo - those last two lines were more what I need - elevator pitch sized explanations for why things are secure
19:55 netcho joined #salt
19:56 schemanic I guess I'll have to learn what official repos and gpg verifying a package is
19:56 cmarzullo ;) that's policy work.
19:56 cmarzullo more microsoft word and less bash.
19:57 cmarzullo There's a great scene in Phoenix Project where the infosec dude has a breakdown cause everything is gonna explode and only he can save them.
19:57 cmarzullo Turns out he wasn't the final control.
19:58 cmarzullo So they passed the audit and he had a breakdown.
19:58 schemanic hahaha thats awesome
19:58 cmarzullo Yeah great book.
19:58 haam3r joined #salt
19:59 schemanic I'm going to ask my boss to buy it for me
19:59 schemanic hmm
19:59 Rkp joined #salt
19:59 schemanic oh wait its not an oreilly type thing
19:59 schemanic its fiction
19:59 cmarzullo no it's a novel. Basically that dude basically defines devops without saying it.
20:00 schemanic mmm
20:00 cmarzullo It really helped me put words to the feelings I've had for so long.
20:00 schemanic I feel like that's been my whole life since I took over TechOps for our company
20:00 cmarzullo Oh you NEED to read it.
20:01 schemanic We have 0 DevOps, ITOps or NetSec
20:01 cmarzullo let me guess your change mgmt system is busted too right?
20:01 schemanic so when the guy who was supposed to do it got fired, I was like "I want to make us awesome, please give me DevOps and I will fix us."
20:01 schemanic we have none
20:02 schemanic Let me explain what my company saw best for me
20:02 schemanic They gave me the DevOps Engineer role
20:02 cmarzullo yeah brother. read that. It'll go fast. You'll be like 'OMG that's me, and that's dave'
20:02 schemanic and added an earmark to the job description, like fucking politicians, that I also own email/office/cloud collab
20:03 cmarzullo of course
20:03 GordonTX joined #salt
20:03 schemanic so instead of writing salt code for 8 months, like I should have, I've been implementing Office 365 with no training
20:03 schemanic and everything I know about salt I've learned after work on my own time
20:04 cmarzullo this word training. I've never heard of it. lol
20:04 schemanic I wouldn't wish Sharepoint on my worst enemy
20:04 Brew joined #salt
20:07 RandyT joined #salt
20:07 schemanic Well, thank you very much for the advice and the solidarity. I really appreciate it.
20:07 cmarzullo no problem m8. read the book then hit me back up. I'd love to hear what you thought.
20:07 schemanic I will
20:08 cmarzullo also the Tom limocelli books are good too.
20:09 cmarzullo dilkington: weird. seems like it should go. you running as a weird user that can't access /root ?
20:09 dyasny joined #salt
20:10 armonge joined #salt
20:12 dilkington nope. well I'm executing 'salt-call --local state.apply' as root
20:13 cmarzullo what's the minion running as?
20:13 dilkington but odd thing is it seems like it's actually taking issue with the --ssh argument altogether
20:14 subsignal joined #salt
20:14 dilkington running masterless so that "'salt-call --local state.apply' as root" is literally how I'm running.
20:15 cmarzullo not sure m8. Haven't really used that state much. have you checked the issues on github?
20:18 dilkington Ta, well nothing obvious. Would you just check the github.com/saltstack/salt repo or is there another one I should check?
20:19 cmarzullo that'd be the one I'd look at.
20:19 cmarzullo Tried to look at code but nothing really jumped out at me.
20:19 haam3r joined #salt
20:19 dilkington Okay cool, I really just needed a sanity check before filing an issue so that helps cheers!
20:19 cmarzullo does the state work without an identity?
20:19 cmarzullo like to a public repo?
20:19 dilkington Will try ...
20:20 cmarzullo and the perms on the id. I know like ssh gets upset if it's not 600
20:25 hasues left #salt
20:29 dilkington Works with public repo (via https url). Yeah perms are 600.
20:31 dilkington Is there a way to make sure I've cd'd to target before running the state? That's the only thing that isn't really explicit from the output
20:32 cscf dilkington, this is in a bash script?
20:32 dilkington Nope just running manually
20:32 cscf cd dir && run state
20:32 cscf will only continue if 'cd' returns success
20:33 edrocks anyone know a workaround for dockerng port_bindings? https://github.com/saltstack/salt/issues/26100
20:33 saltstackbot [#26100][OPEN] dockerng.running port_bindings does not support "containerPort" specification | The documentation for dockerng.running state, port_bindings property claims to support the following value type:...
20:35 dilkington cscf I guess I mean via salt. I assume (and guess I've tested incidentally) that cding before running 'salt-call --local state.apply' won't make a difference
20:35 cscf dilkington, it shouldn't, no
20:39 nidr0x joined #salt
20:41 viq cmarzullo: +9000, I made people at work read Phoenix Project ;) Need to read up on auditd, have you seen hubblestack? But I'll see your reply in a bit, as it's time to reboot this box ;)
20:43 dilkington I've filed an issue, thanks for your help guys
20:46 debian112 joined #salt
20:49 spudpnds left #salt
20:52 XenophonF anyone on who uses the gpg renderer?
20:52 cmarzullo o/
20:52 XenophonF how far do you go when it comes to encrypting values?
20:52 XenophonF like, passwords, obviously
20:52 cmarzullo turtles all the way down!
20:53 XenophonF shared keys, private keys, duh
20:53 cmarzullo yeah we do passwords. connection strings. whatever.
20:53 cmarzullo yep yep
20:53 XenophonF what about config items like IP addresses?
20:53 cmarzullo naw.
20:53 cmarzullo they may change.
20:53 XenophonF sure
20:54 cmarzullo SSL certs and keys.
20:54 XenophonF certificates, too?
20:54 cmarzullo not always certs. but defo the keys
20:54 mrueg joined #salt
20:54 XenophonF what about things like sudo rules?
20:54 sfxandy joined #salt
20:55 cmarzullo naw. I don't consider them 'sekrit' but that is a good point.
20:55 cmarzullo they are defo sensitive
20:55 XenophonF are pillar key names ever sensitive enough to merit encryption?
20:55 XenophonF and if so, is it possible to encrypt a pillar key name?
20:55 mrueg joined #salt
20:55 XenophonF i haven't read through the gpg renderer source yet
20:55 roock joined #salt
20:55 XenophonF probably ought to
20:56 cmarzullo You can encrypt a whole block. Basically just encrypt the yaml. the renderer will do its thing correctly. You just have to encode the indent correctly.
20:56 XenophonF gotcha
20:56 cmarzullo Like if there's a pillar block that has multiple secrets in it. Just do the whole block instead of each sekrit.
20:57 cmarzullo Like maybe if your http access file or something.
20:57 XenophonF the threat model i have in mind w/r/t GPG is someone with access to my private repo at GitHub/GitLab/CodeCommit/etc.
20:57 cmarzullo yeah.
20:57 cmarzullo internal repos help a bit.
20:58 XenophonF i'm trying to come up with clear rules about what values need to be encrypted
20:58 XenophonF it's harder than i thought it would be
20:58 pipps joined #salt
20:59 XenophonF the lack of decent editor support (beyond something like epa-encrypt-region in Emacs) isn't helping, either
21:00 cmarzullo yeah face that as well. Made little bash things that given input will spit out valid yaml for our common secrets
21:01 cmarzullo But for one offs there's a lot adding indent.
21:03 pipps99 joined #salt
21:03 ozux joined #salt
21:04 scoates joined #salt
21:08 XenophonF Emacs' EasyPG Assistant helps some, but it doesn't grok YAML.
21:08 DEger joined #salt
21:14 viq joined #salt
21:16 cyborg-one joined #salt
21:17 prg3 joined #salt
21:18 geomacy joined #salt
21:21 ozux joined #salt
21:25 DEger joined #salt
21:26 geomacy joined #salt
21:29 krazyj joined #salt
21:29 krazyj does anyone know why, when i apply these iptables rules, my Salt minion will disconnect from Salt master, refuse to reconnect, and only reconnect to the Salt master after i restart the minion host?
21:29 krazyj https://gist.github.com/anonymous/0c958cdc17c8359f69b9b9069b532bf4
21:30 krazyj it would seem none of those should impact an existing outbound connection to a Salt master...
21:31 DEger joined #salt
21:33 GordonTX joined #salt
21:35 cliluw joined #salt
21:37 DEger joined #salt
21:38 west575 joined #salt
21:38 cyborg-one joined #salt
21:38 viq joined #salt
21:38 mrueg joined #salt
21:38 beardedeagle joined #salt
21:38 mpanetta joined #salt
21:38 _JZ_ joined #salt
21:38 khorben joined #salt
21:38 Criggie joined #salt
21:38 ThomasJ joined #salt
21:38 verax joined #salt
21:38 jhauser joined #salt
21:38 q1x joined #salt
21:38 wm-bot4 joined #salt
21:38 oida joined #salt
21:38 adongy joined #salt
21:38 Jarus joined #salt
21:38 Armadillo joined #salt
21:38 ToeSnacks joined #salt
21:38 sknebel joined #salt
21:38 DaveQB joined #salt
21:38 mschiff joined #salt
21:38 adelcast joined #salt
21:38 GnuLxUsr joined #salt
21:38 andi- joined #salt
21:38 wwalker joined #salt
21:38 Vaelatern joined #salt
21:38 Hipikat joined #salt
21:38 flebel joined #salt
21:38 antonw joined #salt
21:38 jerrcs joined #salt
21:38 mattl joined #salt
21:38 Zaunei joined #salt
21:38 rome_390 joined #salt
21:38 robbintt joined #salt
21:38 Freek joined #salt
21:38 futuredale[uf] joined #salt
21:38 tyler-baker joined #salt
21:38 mikepea joined #salt
21:38 czchen joined #salt
21:38 m0nky joined #salt
21:38 supermike_ joined #salt
21:38 voileux joined #salt
21:38 tperale joined #salt
21:38 cb joined #salt
21:38 alrayyes joined #salt
21:38 blackpioter joined #salt
21:38 Corey joined #salt
21:38 ramblinpeck joined #salt
21:38 samkottler joined #salt
21:38 systemdave joined #salt
21:38 bergei joined #salt
21:38 cmarzullo joined #salt
21:38 xmj joined #salt
21:38 yidhra joined #salt
21:38 jgelens joined #salt
21:38 d3c4f joined #salt
21:38 TRManderson joined #salt
21:38 rawzone joined #salt
21:38 harkx joined #salt
21:38 shanemhansen joined #salt
21:38 Arendtsen joined #salt
21:38 izrail joined #salt
21:38 davisj_ joined #salt
21:38 UForgotten joined #salt
21:39 keimlink joined #salt
21:40 jerrcs joined #salt
21:40 nicksloan joined #salt
21:40 N-Mi joined #salt
21:40 Edgan joined #salt
21:40 pmcg joined #salt
21:40 ksk joined #salt
21:40 CeBe joined #salt
21:40 moos3 joined #salt
21:40 MTecknology joined #salt
21:40 jcristau joined #salt
21:40 FreeSpencer joined #salt
21:40 cmek joined #salt
21:40 rodr1c joined #salt
21:40 StolenToast joined #salt
21:40 AndreasLutro joined #salt
21:40 nihe joined #salt
21:40 NightMonkey joined #salt
21:40 lkannan joined #salt
21:40 g3cko joined #salt
21:40 basepi joined #salt
21:40 evilrob joined #salt
21:40 Laogeodritt joined #salt
21:40 cyraxjoe joined #salt
21:40 hexa- joined #salt
21:40 Vye joined #salt
21:40 JamieH joined #salt
21:40 phtes joined #salt
21:40 CaptTofu joined #salt
21:40 hardwire joined #salt
21:40 Dev0n joined #salt
21:40 Twiglet joined #salt
21:40 daks joined #salt
21:40 monokrome joined #salt
21:40 coredumb joined #salt
21:40 jY- joined #salt
21:40 McNinja joined #salt
21:40 packeteer joined #salt
21:40 Nebraskka joined #salt
21:40 emid joined #salt
21:40 Ch3LL joined #salt
21:40 Kruge joined #salt
21:40 mage_ joined #salt
21:40 davromaniak joined #salt
21:40 ventris joined #salt
21:40 lionel joined #salt
21:40 hax404 joined #salt
21:40 JPaul joined #salt
21:40 MikaT_ joined #salt
21:40 coldbrew- joined #salt
21:40 kevc joined #salt
21:40 ajv joined #salt
21:40 coldbrewedbrew joined #salt
21:40 adeschamps joined #salt
21:40 al joined #salt
21:40 zifnab joined #salt
21:40 canci_ joined #salt
21:40 jrklein_ joined #salt
21:40 debian112 joined #salt
21:40 mikecmpbll joined #salt
21:40 notnotpeter joined #salt
21:40 jxm_ joined #salt
21:40 kaak joined #salt
21:40 t0m0 joined #salt
21:40 pfallenop joined #salt
21:40 free_beard joined #salt
21:40 TyrfingMjolnir joined #salt
21:40 dimeshake joined #salt
21:40 Mate joined #salt
21:40 Ashald joined #salt
21:40 aitrus joined #salt
21:40 jab416171 joined #salt
21:40 dwfreed joined #salt
21:40 devster31 joined #salt
21:41 monrad joined #salt
21:41 simmel joined #salt
21:41 jessexoc joined #salt
21:41 GordonTX joined #salt
21:41 dyasny joined #salt
21:41 xnavy_ joined #salt
21:41 jimklo joined #salt
21:41 brunopadz joined #salt
21:41 bluenemo joined #salt
21:41 sjorge joined #salt
21:41 sandro_ joined #salt
21:41 pcdummy joined #salt
21:41 mjimeneznet joined #salt
21:41 fxhp joined #salt
21:41 armguy joined #salt
21:41 telx joined #salt
21:41 SpX joined #salt
21:41 Morrolan joined #salt
21:41 TOoSmOotH joined #salt
21:41 afics joined #salt
21:41 robawt joined #salt
21:41 baffle joined #salt
21:41 gtmanfred joined #salt
21:41 djinni` joined #salt
21:41 Ludo- joined #salt
21:41 douardda joined #salt
21:41 evidence joined #salt
21:42 KingOfFools joined #salt
21:42 sybix joined #salt
21:42 arif-ali joined #salt
21:42 toastedpenguin joined #salt
21:42 thehaven joined #salt
21:42 freelock[m] joined #salt
21:42 infrmnt joined #salt
21:42 synapse joined #salt
21:42 fannet__ joined #salt
21:42 jfindlay joined #salt
21:42 VR-Jack joined #salt
21:42 stooj joined #salt
21:42 pocketprotector joined #salt
21:42 swa_work joined #salt
21:42 daveleigh joined #salt
21:42 carmony joined #salt
21:42 doubletwist joined #salt
21:42 oyvindmo joined #salt
21:42 Derailed joined #salt
21:42 Skaag joined #salt
21:42 ajolo joined #salt
21:42 the_lalelu joined #salt
21:42 stupidnic joined #salt
21:42 unusedPhD joined #salt
21:42 \ask joined #salt
21:42 twork_ joined #salt
21:42 s0undt3ch joined #salt
21:42 babilen joined #salt
21:42 whytewolf joined #salt
21:42 rideh joined #salt
21:42 fullstop joined #salt
21:42 Reverend joined #salt
21:42 dh joined #salt
21:42 garphy`aw joined #salt
21:42 kevinqui1nyo joined #salt
21:42 mattp_ joined #salt
21:42 duckfez joined #salt
21:42 Karunamon joined #salt
21:42 chmod666org joined #salt
21:42 Horgix joined #salt
21:42 utahcon joined #salt
21:42 rmc3 joined #salt
21:43 cyborg-one joined #salt
21:43 DEger joined #salt
21:43 stooj joined #salt
21:45 monokrome joined #salt
21:45 doriftoshoes joined #salt
21:45 voxxit joined #salt
21:48 shanesveller joined #salt
21:48 dtsar hi all - question for anyone using salt in production with a service-oriented/microservice topology
21:49 dtsar how do you manage individual developers creating and destroying local development instances of the services
21:49 dtsar without an onslaught of key requests to a master?
21:50 simonmcc joined #salt
21:50 dtsar i would prefer to NOT have salt files included in the repo of the particular service
21:50 spuder joined #salt
21:51 djural joined #salt
21:51 dtsar i currently use a git repo for the file roots and another git repo for the pillar data for the qa/prod deployments
21:52 dtsar seems like a somewhat "normal" use case, but haven't found a tons of good resources as guides
21:53 AndreasLutro if they're making local instances, just make them git clone your salt stuff and use a masterless minion
21:54 dtsar to play devil's advocate, you lose controlling access to the sensitive pillar data
21:54 shawnbutts joined #salt
21:54 dtsar but i suppose that's only amongst your development team
21:55 DEger joined #salt
21:55 AndreasLutro depends
21:55 AndreasLutro don't put sensitive pillar data in the same git repo
21:55 M-liberdiko joined #salt
21:56 mattl joined #salt
21:56 bmcorser joined #salt
21:56 dtsar i currently have two repos: one for states/files, another for pillar data
21:56 ToeSnacks joined #salt
21:56 dtsar are you suggesting a third repo for _sensitive_ pillar data?
21:57 nahkiss joined #salt
21:57 AndreasLutro or don't put it in a repo at all
21:58 dtsar true
21:58 mikepea joined #salt
21:58 AndreasLutro we have one git repo for generic states/pillars, and store real customer pillar data in a database which we retrieve with an external pillar
21:58 m0nky joined #salt
21:58 dtsar aha!
21:58 dtsar that's smart
21:59 SteamWells joined #salt
21:59 MTecknology AndreasLutro: and wrap it in the gpg renderer?
22:00 AndreasLutro no
22:00 samkottler joined #salt
22:00 samkottler joined #salt
22:00 Awesomecase joined #salt
22:01 dtsar i would imagine it's easier to have developers clone the saltstate/pillar repos locally as opposed to using gitfs for those local instances?
22:01 DEger joined #salt
22:02 supermike_ joined #salt
22:02 AndreasLutro yes we only use gitfs in production
22:02 dtsar would avoid the need to prebake images/boxes with pygit or gitpython
22:02 dtsar awesome
22:02 lkannan joined #salt
22:02 pipps joined #salt
22:03 AndreasLutro can also use salt-ssh to do the initial installation of salt in vagrant vms
22:03 AndreasLutro using the same state/pillar data
22:03 antonw joined #salt
22:03 pipps joined #salt
22:04 GordonTX joined #salt
22:05 ramblinpeck joined #salt
22:06 dtsar awesome
22:06 liviudm joined #salt
22:06 dtsar thanks for the advice
22:07 DEger joined #salt
22:07 catpig joined #salt
22:07 OliverMT joined #salt
22:07 twodayslate joined #salt
22:08 imanc joined #salt
22:08 aljosa joined #salt
22:09 flowstate joined #salt
22:09 WKNiGHT joined #salt
22:11 phtes joined #salt
22:11 kutenai joined #salt
22:14 gazarsgo joined #salt
22:17 Freek joined #salt
22:17 bbhoss joined #salt
22:17 johtso joined #salt
22:18 futuredale[uf] joined #salt
22:18 CaptTofu joined #salt
22:18 DEger joined #salt
22:19 JamieH joined #salt
22:25 heaje joined #salt
22:30 DEger joined #salt
22:31 MTecknology How do I do ssh + sudo in a loop?....
22:31 MTecknology while read host; do ssh <?> 'sudo service salt-minion restart'; done <list
22:32 MTecknology I know -t is needed, but not sure what else
22:33 augg joined #salt
22:33 Edgan MTecknology: I do that something like, ssh -A -o ConnectTimeout=10 -o StrictHostKeyChecking=no -t $SUDO_USER@$HOSTNAME sudo -i ${@:2}
22:35 Edgan MTecknology: you don't need the $SUDO_USER, but it is from this script, https://paste.fedoraproject.org/432984/74583715/
22:35 LostSoul joined #salt
22:35 Edgan MTecknology: which I call sshs, it auto sudos
22:36 MTecknology that worked for the first one in the list :S
22:36 MTecknology http://dpaste.com/11D0J6H
22:37 Edgan Single quotes around service salt-minion restart, maybe
22:38 Edgan and double around the whole ssh command
22:38 MTecknology nope, it's something with the loop
22:40 llua read in the list on a different fd
22:41 Edgan cat x | xargs -i ssh -A -o ConnectTimeout=10 -o StrictHostKeyChecking=no -t {} sudo -i 'service salt-minion restart'
22:41 ajw0100 joined #salt
22:42 MTecknology ah, nice
22:42 DEger joined #salt
22:42 Edgan MTecknology: note, you could use salt-ssh for this
22:43 Edgan MTecknology: I have a prototype of a dynamic roster for ec2
22:43 justan0theruser joined #salt
22:44 Edgan MTecknology: salt-ssh '*' cmd.run 'service salt-minion restart'
22:44 Edgan MTecknology: would be much slower though
22:48 MTecknology looks like all the minions I have access to are back up
22:48 MTecknology Thanks!!!
22:49 DEger joined #salt
22:49 nicksloan joined #salt
22:54 pipps joined #salt
22:54 DEger joined #salt
22:54 rem5_ joined #salt
22:56 armonge_ joined #salt
22:57 DEger joined #salt
23:03 drew__ joined #salt
23:03 GordonTX joined #salt
23:05 ajw0100 joined #salt
23:09 flowstate joined #salt
23:12 edrocks joined #salt
23:17 LostSoul joined #salt
23:19 MTecknology We need a WOL packet for zmq
23:35 Edgan MTecknology: I had to do a like thing when I found one of my salt masters had been down for a while.
23:37 MTecknology I brought up a new master with the wrong key so everything went yellow to red
23:38 MTecknology the process was sitting and waiting to reconnect, but when the wrong key was there they shut down instead
23:39 etangle joined #salt
23:41 etangle has anyone used mysql database as pillar source
23:46 DEger joined #salt
23:49 moos3 joined #salt
23:50 MTecknology etangle: it's been done, yes
23:54 moos3 joined #salt
23:56 rem5 joined #salt
23:58 systo joined #salt
