IRC log for #salt, 2016-10-04

All times shown according to UTC.

Time Nick Message
00:03 edrocks joined #salt
00:10 XenophonF state.apply is most of the way there, i guess i want something like pillar.apply, too
00:12 whytewolf like saltutil.pillar_refresh?
00:13 pipps joined #salt
00:14 XenophonF no
00:14 whytewolf Doug_: about your question about how to retrieve the grain from orchestration the answer could be as simple as mine.get runner
00:14 XenophonF i want to use a given list of states with a given list of pillars from a given environment
00:15 XenophonF let's say i have pillar and state data in git, and i have staging and production branches in each git repo
00:15 XenophonF i want to be able to pick states and pillar data from those repos' staging branches and apply them to the minions
00:16 XenophonF where normally they'd get the same from the production branch
00:16 XenophonF post-state/pillar application, i want to run acceptance tests
00:16 XenophonF if those pass, i'll merge from each repo's staging branch to their respective production branch
00:16 whytewolf but... pillar isn't meant to be mutable
00:16 XenophonF if those tests fail, i'll just re-run a highstate to return to the original production config
00:17 XenophonF what do you mean, it's not supposed to be mutable?
00:17 XenophonF i mean deploying config changes as a sysadmin
00:17 whytewolf changeable.... it is kind of meant to be static configs.
00:17 XenophonF but what if i want to change my production config?
00:18 whytewolf at least as often as what you are suggesting
00:18 XenophonF that really depends on the business
00:19 whytewolf no business should be changing configs that often
00:19 KyleG I manage my microservices API/nginx configs via pillars
00:19 XenophonF e.g., in the scenario i'm imagining, i have a shibboleth idp where i need to manage attribute release to different partner institutions
00:19 KyleG so if you want to turn a feature/plugin/endpoint on or off you update a pillar, we probably touch them at least once per week
00:19 KyleG not totally unusual
00:19 XenophonF those have to be tweaked occasionally
00:19 XenophonF let's say quarterly at least
00:19 whytewolf once a week isn't within the realm of what he is asking
00:20 whytewolf he is saying basically auto fallback
00:20 KyleG ah interesting
00:20 jas02 joined #salt
00:20 XenophonF i want changes to both states and pillar data to get merged to (and deployed from) staging branches
00:21 XenophonF so reverting broken changes that somehow managed to slip through QA becomes "salt-call state.highstate"
00:21 Doug_ whytewolf: that sounds promising.  What is the Jinja syntax to do that though since a target host needs to be specified?
00:22 XenophonF like a GitHub Flow change model, where the master branch (or "production" or whatever you want to call it) always reflects what's running in production right now
00:22 XenophonF i'm there with states
00:22 whytewolf Doug_: pass the data[id] through as pillar to orchestration. then use that in the mine.get as the target
00:22 XenophonF state.apply + saltenv does exactly what i want
00:22 XenophonF what i want next is to apply the same technique to pillar data
00:24 whytewolf XenophonF: you might accomplish something with orchestration. basically change the config reload the minion and then force a pillar refresh. but it will never be easy.
00:26 Doug_ whytewolf: I have passed the data[id] through, if I have something like this, where do I specify the id  in the if statement?  {% set data = salt.pillar.get('event_data') %} {% if not salt.mine.get('bootstrapdone', False) %}
00:27 Doug_ whytewolf: also right now this is a custom grain where bootstrapdone is set to True after the highstate rather than pillar
00:27 XenophonF whytewolf: at this point i think that i need to modify state.apply to do what i want
00:27 XenophonF it takes as arguments everything except a list of pillar IDs
00:28 promorphus joined #salt
00:28 whytewolf XenophonF: state.apply. is essentially 2 lines
00:28 whytewolf you would need to modify state.highstate AND state.sls
00:29 dps joined #salt
00:30 whytewolf might even need to dig into some of the utility stuff
00:30 whytewolf this ... is state.apply
00:30 whytewolf if mods:
00:30 whytewolf     return sls(mods, **kwargs)
00:31 whytewolf return highstate(**kwargs)
00:31 fannet joined #salt
00:33 whytewolf Doug_: would say you need to save to a variable. but you would also use a runner. since this is in orchestration which is master rendering. so salt.saltutil.runner('mine.get',tgt=data[id],fun='get_grain')
00:33 whytewolf see https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.mine.html#salt.modules.mine.get
00:34 whytewolf wouldn't copy word for word. I'm sure i missed some quoting
00:37 cliluw joined #salt
00:38 jimklo_ joined #salt
00:44 Doug_ whytewolf: Thanks, I'll try that out, much appreciated.
00:56 Nahual joined #salt
01:00 guerby joined #salt
01:09 kwilke joined #salt
01:19 schemanic joined #salt
01:21 jas02 joined #salt
01:22 RandyT joined #salt
01:23 stickman joined #salt
01:23 stickman anyone notice any quirks with the gpg module?
01:25 stickman i'm having issues with gpg.receive_key and usernames > 8 chars.
01:41 sebastian-w joined #salt
01:46 hungoversignal joined #salt
01:56 John_Kang joined #salt
02:04 edrocks joined #salt
02:05 DEger joined #salt
02:17 netcho joined #salt
02:18 DEger joined #salt
02:22 jas02 joined #salt
02:27 raspado joined #salt
02:28 raspado i have a sudoers file
02:28 raspado if I add jinja if statement, will salt by default pick it up?
02:28 evle joined #salt
02:28 hemebond raspado: If it's a template of sorts used with file.managed you will likely have to tell file.managed that you want to use Jinja in it by specifying the template parameter.
02:28 stickman joined #salt
02:29 raspado it's not really a template, it's just in files/sudoers
02:30 raspado but there's just one line i want to add where if the grain matches, then add the line to the config file
02:30 hemebond Anything is a template if you use a template language in it.
02:30 raspado ah okay cool
02:31 hemebond But you will likely have to tell file.managed to run it through Jinja.
02:33 raspado by passing - template: jinja ?
02:33 hemebond Correct.
02:40 auzty joined #salt
02:44 _JZ_ joined #salt
02:46 hungoversignal joined #salt
02:55 promorphus joined #salt
02:58 bryang joined #salt
03:11 jaybocc2 joined #salt
03:14 systo joined #salt
03:23 jas02 joined #salt
03:24 raspado thx hemebond
03:24 hemebond ????
03:32 promorphus joined #salt
03:36 jimklo joined #salt
03:40 AlexLau joined #salt
03:50 systo joined #salt
03:54 onlyanegg joined #salt
04:04 bworth joined #salt
04:05 bworth left #salt
04:07 edrocks joined #salt
04:10 oliver_are joined #salt
04:15 DarkKnightCZ joined #salt
04:17 hungoversignal joined #salt
04:18 justan0theruser joined #salt
04:18 netcho joined #salt
04:19 rdas joined #salt
04:23 jas02 joined #salt
04:27 om joined #salt
04:29 om joined #salt
04:56 jaybocc2 joined #salt
04:59 hungoversignal joined #salt
05:01 jimklo joined #salt
05:02 ivanjaros joined #salt
05:05 DarkKnightCZ joined #salt
05:07 jimklo joined #salt
05:18 catpig joined #salt
05:24 jas02 joined #salt
05:28 systo joined #salt
05:31 mosen joined #salt
05:39 DEger joined #salt
05:41 DEger joined #salt
05:49 oliver_are joined #salt
05:49 felskrone joined #salt
05:58 jaybocc2 joined #salt
05:58 DEger joined #salt
06:00 hungoversignal joined #salt
06:01 sgo_ joined #salt
06:02 om2 joined #salt
06:03 bocaneri joined #salt
06:06 watersoul joined #salt
06:08 bocaneri joined #salt
06:09 edrocks joined #salt
06:18 haam3r joined #salt
06:19 netcho joined #salt
06:25 jas02 joined #salt
06:26 yuhlw____ joined #salt
06:28 ivanjaros joined #salt
06:33 mpanetta joined #salt
06:49 armyriad joined #salt
06:57 q1x joined #salt
06:59 jeddi joined #salt
06:59 chutzpah joined #salt
06:59 chutzpah joined #salt
07:02 cyteen joined #salt
07:13 narfology joined #salt
07:25 Couch joined #salt
07:26 jas02 joined #salt
07:28 jaybocc2 joined #salt
07:31 zee joined #salt
07:31 zee hello
07:41 Reverend does pillar data need to be unique?
07:41 Reverend i.e. if I have 'vhosts' > 'vhost' > name: something
07:41 Reverend there's going to be multiple 'vhost' entries.
07:42 AndreasLutro yaml dictionary keys need to be unique
07:42 Reverend blerp
07:42 Reverend is that per level?
07:42 AndreasLutro yeah. use http://yaml-online-parser.appspot.com/ to test things out
07:42 Reverend oh sweet, noice.
07:42 AndreasLutro I'd recommend making "something" the key instead of using the "name: "
07:43 Reverend no, i mean that's the name of the vhost.
07:43 Reverend OH
07:43 Reverend you mean, use the key
07:44 Reverend can you retrieve that to use as a variable then? :S
07:44 AndreasLutro yeah. then you can do {% for name, vhost_info in pillar.vhosts.items() %}
07:44 Reverend yeah - I just saw that with the nested for's. loop over the names, then loop over vhost['names']
07:45 Reverend thanks AndreasLutro :)
07:52 Rumbles joined #salt
07:53 infrmnt joined #salt
07:56 krymzon joined #salt
07:59 joshin joined #salt
08:05 netcho joined #salt
08:10 edrocks joined #salt
08:15 geomacy joined #salt
08:17 kbaikov joined #salt
08:17 hungoversignal joined #salt
08:18 toanju joined #salt
08:22 ronnix joined #salt
08:24 ptitdoc joined #salt
08:24 kbaikov joined #salt
08:24 ptitdoc Good morning everybody
08:26 haam3r joined #salt
08:26 jas02 joined #salt
08:27 lero joined #salt
08:28 kbaikov good morning
08:28 ptitdoc I struggle making a proxy module working in salt 2016.3.3.
08:28 ptitdoc Maybe somebody already faced this error:
08:29 jas02_ joined #salt
08:29 ptitdoc [ERROR   ] Proxymodule esxi is missing an init() or a shutdown() or both. Check your proxymodule.  Salt-proxy aborted.
08:30 ptitdoc I try to analyse debugging logs and to add additional debugging since this weekend but I cannot figure out what is wrong even after browsing the doc, open and closed issues ...
08:32 ptitdoc It looks like the module is not loaded properly because init and shutdown are present in the esxi.py code.
08:32 ptitdoc Any idea ?
08:37 DEger joined #salt
08:38 ptitdoc The funny thing is that I can see the user logon event on the vsphere server, so apparently my pillar configuration is right and the module is somehow loaded
08:41 haam3r joined #salt
08:46 Reverend boys and girls....
08:47 Reverend is it normal for a jinja template to work through a yml file -backwards-
08:47 Reverend my pillar data is being read in reverse order -_-
08:47 AndreasLutro Reverend: be more specific, how do you know it's being "read in reverse order"?
08:48 manji in pillar data I don't think that order matters anyway
08:48 Reverend lemme paste bin ya
08:49 Reverend http://pastebin.centos.org/54846/
08:49 Reverend okay, so my output is at the top...
08:49 Reverend and the pillar is at the bottom.... and it's constructing it all backwards....
08:49 Reverend :S
08:50 manji Reverend, it shouldn't matter
08:50 Reverend manji: it will if it's not consistent.
08:50 manji the goal is to have a dict
08:51 manji vhosts, hosts
08:51 Reverend manji: I'm incrimenting a number after each cycle of the for loop to define a port number starting at 50000.
08:51 Reverend if this -isn't- consistent, varnish won't be able to connect to nginx.
08:51 Reverend or it will connect to the wrong backend.
08:51 s_kunk joined #salt
08:52 AndreasLutro you should probably either define the port in the pillar, or use the "dictsort" filter to ensure the same order every time
08:52 Reverend AndreasLutro - thanks.
08:52 manji hmm, this sounds like having a rand() in a master-slave replication and expect data consistency :p
08:53 Reverend manji - not at all. Would you expect programming language to 'randomly' read dictionaries/arrays?
08:53 jas02_ joined #salt
08:53 AndreasLutro you would in the case of python
08:53 AndreasLutro python dicts are unordered
08:53 manji what AndreasLutro said
08:54 AndreasLutro salt uses OrderedDict to ensure *consistent* order throughout a single salt run, but yaml parsing is hard so I wouldn't be surprised if the order got messed up in the process
08:55 Reverend AndreasLutro - but if you printed the dictionary in two scripts, you'd expect the same output. right?
08:56 Reverend not necessarily ordered, but the same.
08:56 AndreasLutro I guess
08:56 AndreasLutro but I've learned never to expect sane behaviour from software
08:57 DEger joined #salt
08:58 Reverend well, apparently there's a reverse option in dictsort. that might do the trick
09:01 zulutango joined #salt
09:01 manji Reverend, I can't know what you are trying to do, so what I will say might not be valid
09:01 manji but you could generate a list of ports in the beginning of your yml using jinja
09:02 manji and then have something like test5 -> portlist[4]
09:02 manji test server 4 will take the 4th element from the port list
09:02 manji erm
09:02 manji yes
09:03 Rasathus joined #salt
09:04 martoss joined #salt
09:11 eseyman joined #salt
09:17 DEger joined #salt
09:17 Reverend manji: Thanks for your input. It's not really a problem of each vhost being assigned the same port every time.
09:17 Reverend let me explain, as it might be something you
09:17 Reverend re interested in
09:17 cyborg-one joined #salt
09:18 Reverend we run varnish and nginx on the same server, and nginx proxies requests to a load balancer in AWS. Nginx listens on a different port for each 'client', so each has its own server block, and just increments from 50000 atm. However, Varnish needs to send data to a specific nginx vhost via that same port number for each 'client'
09:19 Reverend i.e. if someone visits example.com, they hit varnish, which says 'you need X backend' and hands off on port 50002
09:19 Reverend someone else visits thiswebsite.com to which varnish says 'that's on this backend' and hands off on port 50301 to nginx
09:20 Reverend so the ports need to be consistent for each URL / client between nginx and varnishcache.
09:20 Reverend so, the order in which the vhosts come out isn't an issue, it's just that the port increments vs dict output in the nginx template need to be the same as the port increments vs dict outputs in the varnish template, otherwise you'll end up at the wrong nginx vhost.
09:21 Reverend does that make sense? :S
09:21 AndreasLutro all the more reason to put the port in the pillar
09:21 manji or the lists of ports
09:22 manji it makes some sense, if I understand correctly you need nginx and varnish to know the port of example.com
09:22 manji ?
09:27 jas02 joined #salt
09:27 ronnix joined #salt
09:29 haam3r joined #salt
09:29 jaybocc2 joined #salt
09:31 Reverend manji: they just need to be consistent. the same in both files. TBH, i think it'll just make sense to define the port in the pillar. that way it gives us some versatility as well with where it points to
09:31 * Reverend shrugs
09:31 manji yep
09:32 Reverend thanks guys.
09:32 Reverend appreciated
09:32 ronnix joined #salt
09:33 ronnix joined #salt
09:36 lovecraftian_ joined #salt
09:36 ptitdoc Any help or hints with the error "module esxi is missing an init() or a shutdown() or both" when trying to run a proxyminion
09:36 ptitdoc ?
09:39 jaybocc2 joined #salt
09:44 _W_ joined #salt
09:47 ksa joined #salt
09:48 jaybocc2 joined #salt
09:49 coredumb joined #salt
09:50 JPT joined #salt
09:53 Reverend manji - AndreasLutro ; quick FYI - that's working a treat. thanks chaps. It's still coming out backwards for some reason, but it's now guaranteed to be consistent between the two modules :) <3
09:54 Reverend sorry if I sound pissy btw. I'm stacked out here and mad tired today :( been a long week.
10:02 DEger joined #salt
10:12 edrocks joined #salt
10:19 manji Reverend, no worries mate :)
10:19 hungoversignal joined #salt
10:21 N-Mi joined #salt
10:27 DEger joined #salt
10:28 jas02 joined #salt
10:31 sgo_ joined #salt
10:35 infrmnt joined #salt
10:43 TSP_ joined #salt
10:47 teryx510 joined #salt
10:49 ronnix joined #salt
11:19 manji I have a weird problem with salt-ssh and custom grains
11:20 manji it appears that I can't do a grains.get for custom grains
11:21 AirOnSkin joined #salt
11:21 Reverend with pillars, if the module needs a certain pillar and can't find it, because it hasn't been assigned to the minion, does it just err?
11:21 amcorreia joined #salt
11:21 AndreasLutro manji: grains aren't finished loading yet, so naturally you can't get any grains
11:22 manji hangon I am pasting it
11:22 renoirb joined #salt
11:22 manji http://pastebin.centos.org/54861/
11:23 manji I have two custom grains, roles and applications
11:23 manji and I want to go through the applications grain list
11:25 manji AndreasLutro, what do you mean by that ?
11:25 dariusjs joined #salt
11:25 AndreasLutro that's not a custom grain
11:26 manji no?
11:27 AndreasLutro anyway that's a bit odd, but I wouldn't be surprised if salt['grains.get'] was unavailable in salt
11:27 manji what is more weird is that I get this error when I run state.highstate
11:27 manji if I run the state via state.sls
11:27 manji it works
11:27 AndreasLutro heh
11:28 AndreasLutro file a github issue for it if you can't find an existing one
11:28 AndreasLutro salt-ssh does some weird shit
11:28 AndreasLutro in your case you can try to just replace salt['grains.get'] with grains.get('application'
11:28 AndreasLutro in your case you can try to just replace salt['grains.get'] with grains.get('applications', [])
11:28 AndreasLutro damn slippery return key
11:28 manji hehe
11:29 manji let me have a go
11:29 jas02 joined #salt
11:29 manji oh shit that worked
11:30 manji wtf
11:30 manji doesn't salt['grains.get'] and   grains.get
11:30 manji call the same function?
11:31 AndreasLutro not really. salt['grains.get'] is an advanced module function that allows recursive getting of items. grains.get is just a plain python dict method
11:32 mcpop28 joined #salt
11:35 manji AndreasLutro, I am not sure I am understanding the difference
11:35 manji could you point me to an example ?
11:35 manji or something to read about it
11:36 AndreasLutro https://docs.saltstack.com/en/latest/topics/pillar/#pillar-get-function
11:36 AndreasLutro same thing with grains
11:42 manji AndreasLutro, many thanks
11:47 Pintonium joined #salt
11:47 ozux joined #salt
11:49 jaybocc2 joined #salt
11:51 patrek joined #salt
11:57 LostSoul joined #salt
11:57 numkem joined #salt
12:00 Lionel_Debroux joined #salt
12:05 aidin joined #salt
12:05 promorphus joined #salt
12:14 edrocks joined #salt
12:14 mpanetta joined #salt
12:16 jeddi joined #salt
12:17 numkem joined #salt
12:21 hungoversignal joined #salt
12:23 gmoro joined #salt
12:25 fredvd joined #salt
12:26 tpaul joined #salt
12:26 mpanetta joined #salt
12:26 ohhai joined #salt
12:27 tpaul left #salt
12:28 edrocks joined #salt
12:29 jas02 joined #salt
12:31 GreatSnoopy joined #salt
12:35 _JZ_ joined #salt
12:37 numkem joined #salt
12:38 ronnix joined #salt
12:45 Tanta joined #salt
12:45 kbaikov joined #salt
12:46 drawsmcgraw left #salt
12:47 DEger joined #salt
12:52 sjorge joined #salt
12:53 GreatSnoopy joined #salt
12:53 kbaikov joined #salt
12:56 sjorge joined #salt
12:57 promorphus joined #salt
12:58 sjorge joined #salt
12:59 JohnnyRun Hi all. I can't get the mine "backup_server" from a minion. https://gist.github.com/johnnyrun/9a01a799c68c5518486e47ef714c8e62
13:00 JohnnyRun test.ping and  network.interfaces work, but backup_server not...
13:00 JohnnyRun where is my mistake?
13:02 JohnnyRun found... a "salt '*' saltutil.refresh_pillar" fixed.. sorry
13:02 jY joined #salt
13:02 nickd_ joined #salt
13:03 nickd_ hello guys, what is the canonical way of running a task on a different minion or a master? I need to install vpn keys on a minion X but i have to generate them on minion Y. Is this possible at all?
13:05 XenophonF i don't understand why cmd.run_all is prompting me for a password
13:07 XenophonF i'm using the runas flag - maybe that's what's calling su?
13:07 marie1972 joined #salt
13:08 cosmefulanito joined #salt
13:08 DammitJim joined #salt
13:10 marie1972 left #salt
13:11 dariusjs joined #salt
13:11 permalac joined #salt
13:13 DEger joined #salt
13:14 Reverend joined #salt
13:14 ptitdoc @nickd_ Check the salt mine system (mine.get). maybe it can help you
13:14 ptitdoc but be aware that it is probably not very safe as all minions will be able to access it
13:15 ptitdoc however it is usable to create keys and csr on minionx and sign the certificate on minion y
13:15 Cottser joined #salt
13:15 ptitdoc Finally you can push back the signed certificate on minionx. this way, the keys don't leave minionx
13:18 DEger_ joined #salt
13:18 aagbds joined #salt
13:18 XenophonF maybe salt's calling su using the gnu flags instead of the bsd ones?
13:18 blue_ joined #salt
13:18 amontalban joined #salt
13:18 amontalban joined #salt
13:19 XenophonF man, i really wish salt would close standard input when running shell commands
13:20 nickd_ thanks @ptitdoc i will check that
13:21 sjorge joined #salt
13:21 sjorge joined #salt
13:22 hungoversignal joined #salt
13:23 XenophonF weird, this is how it's calling su: `su - www -c /bin/csh -c /usr/local/bin/python2.7`
13:24 XenophonF i'm actually not sure how that's working, because when i try to run su, it tells me that the www account isn't currently available
13:24 mavhq joined #salt
13:25 XenophonF and the -c flag sets the login class
13:26 XenophonF it ought to be running the command like `su -m www -c /usr/local/bin/python2.7`
13:29 XenophonF hm, how to write that bug report...
13:30 Reverend anyone ever tried installing google MFA with salt? :P
13:30 jas02 joined #salt
13:34 cmarzullo yes
13:34 DEger joined #salt
13:35 tapoxi joined #salt
13:35 racooper joined #salt
13:35 cmarzullo we created a pam formula that combined with our users formula does the needful.
13:37 sagerdearia joined #salt
13:39 hasues joined #salt
13:39 hasues left #salt
13:43 XenophonF anyone ever tried using SAML ECP with salt?
13:44 XenophonF (the whole pam authentication thing sucks, btw, especially if running or accessing salt from unprivileged processes)
13:44 doemeli joined #salt
13:46 doemeli left #salt
13:46 cmarzullo It's sub-optimal for sure. But that's security for you.
13:46 cmarzullo Getting a token is a little easier.
13:50 jaybocc2 joined #salt
13:50 XenophonF security countermeasures that break things are a pet peeve of mine. i call him "tommy".
13:50 XenophonF saml ecp support is on my mind lately b/c i'd like to use federated identities with my saltstack infrastructure
13:51 cmarzullo Yeah I'm pretty fed up with security folks these days. It's not really a tech problem generally.
13:52 XenophonF oh man, this is weird - if i sudo to root and run `salt-call cmd.run "echo hello world" runas=www`, it runs the command without prompting me for www's password
13:52 XenophonF like it's supposed to
13:52 XenophonF but if i am logged into my regular Unix account and run `sudo salt-call cmd.run "echo hello world" runas=www`, i get prompted for www's password by su
13:55 XenophonF i wonder if it's a bug in sudo, where the effective UID gets set to 0 but not the real UID?
13:55 cosmefulanito_ joined #salt
13:55 XenophonF yup, it's sudo
13:56 XenophonF this command `sudo su - www -c echo hello world` ends up prompting me for www's password
13:56 XenophonF so not a salt bug
13:58 DEger joined #salt
13:58 edrocks joined #salt
14:04 edrocks joined #salt
14:05 bowhunter joined #salt
14:05 Zaunei joined #salt
14:06 jdipierro joined #salt
14:08 DEger joined #salt
14:12 jdipierr_ joined #salt
14:14 demize XenophonF: No, that's su prompting you for the root password.
14:15 demize Because you ran `su -` (which is short for `su --login`)
14:16 Pintonium Hello, I'm having some trouble setting up an external pillar (in mongo)
14:16 Pintonium it doesn't seem like the master is polling the db for new information (no new connections are seen in the log)
14:16 scoates joined #salt
14:17 Pintonium I also can't seem to find anything in a debug log when I run salt-master -ldebug and try running a refresh_pillar command
14:18 Brew joined #salt
14:18 amontalb1n joined #salt
14:22 ivanjaros joined #salt
14:25 XenophonF demize: that's not right - the su prompt is literally 'www@IRTNOG.NET's Password:'
14:26 demize XenophonF: Then su on that machine is configured to use the user's password instead
14:26 demize Either way, it's because of the - on the line that it prompts even when root.
14:26 XenophonF no
14:26 XenophonF this is BSD su, not GNU
14:27 XenophonF ultimately, salt needs to call su using "-m" on BSD
14:28 xmj does it?
14:28 drawsmcgraw joined #salt
14:28 xmj XenophonF: which bsd were you using, btw?
14:28 XenophonF FreeBSD
14:28 xmj right
14:29 XenophonF er, 10.2-RELEASE-p20
14:29 XenophonF tbh i'm not sure how `su - www ...` works at all b/c the default shell for www is /usr/sbin/nologin
14:29 daemonkeeper In a custom salt module, how can I resolve a salt:// path? My Google-fu is failing me to find the right keywords.
14:30 AndreasLutro daemonkeeper: check out the cache module
14:30 AndreasLutro erm sorry
14:30 AndreasLutro cp.cache_file
14:30 AndreasLutro brainfar
14:30 AndreasLutro t
14:31 jas02 joined #salt
14:33 daemonkeeper thanks AndreasLutro, looks like salt.utils.url is what I look for
14:35 armonge joined #salt
14:35 WKNiGHT joined #salt
14:35 Pintonium did a little more troubleshooting, it looks like the salt master is trying to connect to localhost, rather than the mongo.host I have defined in the master config file
14:37 demize XenophonF: Booted up a clean FBSD 11 machine, and `sudo su - www -c echo hello world` doesn't prompt for the www user's password there, which is strange, hmm.
14:37 XenophonF yeah, i'm similarly confused
14:37 XenophonF `sudo -i su - www -c 'echo "hello world"'` gives me "This account is currently unavailable"
14:38 Pintonium here's the relevant master config: http://pastebin.com/yhZWuC81
14:38 Pintonium any ideas?
14:38 XenophonF changing "su -" to "su -m" works fine
14:38 demize XenophonF: Ah, that's because the www user doesn't have a valid shell set though.
14:38 XenophonF so with "sudo -i" i don't get a login prompt from su
14:38 XenophonF right
14:39 demize But yeah, that's weird indeed.
14:39 demize Why would it being a login shell change su's behaviour for you.
14:39 XenophonF that's a great question
14:39 demize Maybe I should spin up a 10.2 instance instead.
14:40 TSP_ joined #salt
14:42 DEger joined #salt
14:45 cscf joined #salt
14:45 XenophonF i wonder... that logon prompt is asking for the password of a kerberos principal, www@IRTNOG.NET not www
14:49 ronnix joined #salt
14:51 om2 joined #salt
14:55 XenophonF i commented out pam_krb5 in /etc/pam.d/* but i'm still getting the kerberized logon prompt from su
14:55 XenophonF apropos of previous discussion regarding authentication: i hate pam
14:55 lovecraftian joined #salt
14:55 lovecraftian joined #salt
15:02 DEger joined #salt
15:02 ronnix_ joined #salt
15:07 ronnix joined #salt
15:07 dariusjs joined #salt
15:08 heaje joined #salt
15:12 DEger joined #salt
15:12 Reverend joined #salt
15:13 BattleChicken joined #salt
15:18 fxdgear joined #salt
15:20 DEger joined #salt
15:21 ecdhe I'm configuring an RPI with salt for a home project. Normally, I like to mount the SD card as read-only to avoid corruption from write-fatigue on the SD card. If I do that, salt can't modify the system... how can I get salt to mount / as 'rw', run highstate, and then mount as 'ro' afterward?
15:23 ecdhe I may possibly need a reboot between those steps.
15:23 hungoversignal joined #salt
15:23 tvinson ecdhe: have you looked at aufs?
15:24 tvinson ecdhe: the other option would be https://docs.saltstack.com/en/latest/ref/states/ordering.html
15:25 armin joined #salt
15:25 ecdhe tvinson, I'm looking at aufs.
15:26 ronnix_ joined #salt
15:27 armin joined #salt
15:27 ecdhe tvinson, with ordering, you'd set mount rw as order 1, all the states as order 2, and mount ro as order 3?
15:29 Sketch anyone know how to get http.query to show output in a state?
15:32 jas02 joined #salt
15:32 tvinson ecdhe: either that or schedule an orchestration state that mounts rw, runs highstate, mounts ro for that node
15:33 ronnix joined #salt
15:34 woodtablet1 joined #salt
15:35 hungoversignal joined #salt
15:37 DEger joined #salt
15:38 Reverend is static data secure in pillars?
15:38 Reverend as in, if I select a nodegroup, will the pillars ONLY end up on that nodegroups?
15:38 Reverend nodegroups minions*
15:39 ptitdoc joined #salt
15:39 cscf Reverend, if you don't assign a minion a given pillar file in top, it can't see it.
15:41 jaybocc2 joined #salt
15:41 edrocks joined #salt
15:41 Reverend oh sick
15:41 Reverend that's perfect. thanks cscf
15:42 ronnix joined #salt
15:45 ronnix joined #salt
15:50 DEger joined #salt
15:55 onlyanegg joined #salt
16:01 keltim joined #salt
16:02 BattleChicken1 joined #salt
16:03 t0m0 joined #salt
16:07 netzvieh joined #salt
16:08 ronnix joined #salt
16:09 t0m0 joined #salt
16:09 jdipierro joined #salt
16:11 bltmiller joined #salt
16:12 bltmiller joined #salt
16:13 RealMurphy joined #salt
16:17 RealMurphy Hi all, our 2015.8.12 instance of salt seems to easily run out of RAM while doing "staggered" state.apply to our cluster (currently we target 42 servers at a time) and RAM usage skyrockets pretty quickly and is never freed again - ideally I would like to apply our O(4000) states to our O(2000) servers at some point. Thus my question, if there are known memory leaks in 2015.8.12 or if I should simply expect the
16:17 RealMurphy workers to grow over time.
16:17 pipps joined #salt
16:18 RealMurphy https://gist.github.com/carsten-AEI/5275eddd893d07f284e2a5c0336a17b9 for salt-versions. We use standard pillar, a bit of jinja and two external pillars (file_tree and sqlite3)
16:22 ronnix joined #salt
16:23 DEger joined #salt
16:26 jimklo joined #salt
16:28 ronnix joined #salt
16:28 mpanetta joined #salt
16:31 ronnix joined #salt
16:32 DEger joined #salt
16:32 jas02 joined #salt
16:33 jimklo joined #salt
16:35 sgo_ joined #salt
16:36 lero joined #salt
16:36 Reverend where the sweet bloody jhesus is the salt master logs.
16:37 Reverend /var/log/salt/master says 'look in the master log files for more info' :P
16:38 ronnix joined #salt
16:38 subsignal joined #salt
16:39 RealMurphy Reverend: What is stated in your config file(s)? E.g. /etc/salt/master
16:40 RealMurphy Reverend: E.g. grep -r log_file /etc/default/salt-master.environment /etc/salt/master* (or /etc/sysconfig on a RH system, if that still exists there)
16:40 scoates joined #salt
16:41 jimklo joined #salt
16:41 ronnix_ joined #salt
16:43 DEger joined #salt
16:47 zer0def joined #salt
16:48 TSP_ joined #salt
16:53 Aleks3Y joined #salt
16:53 sjmh hm, bummer that you can't use salt_token id's for salt-api auth..
16:55 DEger joined #salt
16:55 FroMaster joined #salt
16:55 pipps joined #salt
16:56 bltmiller joined #salt
16:57 geomacy joined #salt
17:00 pipps99 joined #salt
17:00 Edgan joined #salt
17:01 pipps joined #salt
17:04 subsignal joined #salt
17:04 jimklo joined #salt
17:04 pipps joined #salt
17:07 beardedeagle joined #salt
17:11 Edgan joined #salt
17:11 jaybocc2 joined #salt
17:12 edrocks joined #salt
17:13 heewa joined #salt
17:20 Cottser joined #salt
17:21 Reverend currently trying to put some multiline files in a pillar... any clues?
17:21 Reverend key: |
17:21 Reverend line1
17:21 Reverend line2
17:21 Reverend doesn't work
17:22 regretio is there a way to safely reference a different state and still execute independently? e.g. a base state that installs cron and another state that requires that package (without having to duplicate package installs to multiple states)
17:23 Reverend like, including one state from another?
17:23 regretio not including a specific state but not the whole file
17:23 regretio err
17:23 regretio including a specific state but not the whole file
17:23 Reverend oh. so you want to do a specific task in the referenced state, but not the whole state ?
17:24 regretio i mean probably no huge issue to include the whole file
17:24 regretio yeah base state might install atd, cron, syslog etc
17:24 regretio then other states that need those so including a require: pkg: cron etc
17:25 Reverend so you have State-A that say, makes 2.txt and installs cron. You want to include state-A but only make it create 2.txt?
17:25 regretio i assume the easiest way is to just throw them into a separate sls, have both base and other states include that file?
17:25 Reverend I would guess so
17:26 Reverend but if you put it in 'base', you wouldn't need to include it on the other state
17:26 regretio as always there is probably the way that just works and the "more correct" way
17:26 Reverend as it would be in base :)
17:26 Reverend regretio: of course :P
17:26 Reverend can you do: '- state.sub-thing' ?
17:27 regretio yeah i'd probably just have to add a include: - core.base_packages or the like
17:27 Reverend mebeb
17:27 Reverend unsure. Interesting question though! +1
17:29 fxdgear anyone notice that after a while the salt-master needs to be rebooted. running a `test.ping` eventually slows down and takes a while for each minion to respond.
17:29 fxdgear but after a reboot of salt-master they seem to fly by...
17:30 Reverend nope
17:30 Reverend sounds like a memory leak though :P haha
17:30 jdipierro joined #salt
17:33 jas02 joined #salt
17:37 Cottser joined #salt
17:38 foundatron joined #salt
17:40 manji fxdgear, did you press ctrl+c while you were running a state?
17:41 regretio fxdgear: depends how soon after restarting you try, it could be related to random reauthentication interval
17:41 edrocks joined #salt
17:44 lightbane joined #salt
17:47 sqwishy joined #salt
17:48 sqwishy I scheduled something with salt but it says on the minion that it isn't a valid function. It's valid on the master because I wrote a .sls thing for it. I guess the minion doesn't have that and I have no idea where in the documentation it says how functions are shared to minions
17:53 Cottser joined #salt
17:54 Trauma joined #salt
17:57 jaybocc2 joined #salt
17:58 Cottser joined #salt
17:58 pipps joined #salt
18:01 TSP_ joined #salt
18:01 KyleG joined #salt
18:01 KyleG joined #salt
18:02 pipps99 joined #salt
18:06 pipps joined #salt
18:07 cscf sqwishy, do your master and minion versions match?
18:07 fxdgear @manji @regretio nope no ctrl-c. maybe? it seems like maybe the queue gets clogged. I'm running 100+ minions and trying to use them for some load testing scenarios... so I run a lot of commands and custom modules.
18:08 Tanta joined #salt
18:10 heewa joined #salt
18:11 manji fxdgear, there was a mem leak bug for ctrl+c
18:12 DEger joined #salt
18:13 fxdgear manji ahh thanks for the heads up. I'll keep that in mind.
18:13 sqwishy cscf: Yeah I think so. This is a salt function I wrote. Or a salt state or something. I have no idea.
18:13 stooj joined #salt
18:13 cscf sqwishy, probably a state.  Can you pastebin the state and the error?
18:13 fxdgear other question... when I get a 500 response from salt-api. How can i view the logs?
18:15 pipps joined #salt
18:15 sqwishy cscf: http://paste.fedoraproject.org/443478/60494114/
18:16 heewa joined #salt
18:18 swa_work joined #salt
18:21 toastedpenguin joined #salt
18:22 cscf sqwishy, ok, that looks like a state.  How are you running it?
18:27 sqwishy cscf: With salt I ran schedule.add job1 function='wat'
18:29 armyriad joined #salt
18:30 jas02 joined #salt
18:30 cscf sqwishy, ok, so schedule.add is for functions, not states
18:31 cscf If you want to schedule your command, you would do it directly: https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.schedule.html
18:33 sqwishy cscf: Isn't that what I did? That page of the documentation gives examples for using schedule.add. I'm just trying to use it with my own function/state/command thing.
18:33 cscf sqwishy, well, in the 2nd example there, they schedule cmd.run, not an .sls file
18:34 cscf salt '*' schedule.add job2 function='cmd.run' job_args="['hostname']" seconds=60
18:35 cscf As for writing your own modules, I'm not familiar with tat
18:35 cscf hat*
18:35 cscf that* grr
18:35 cyborg-one joined #salt
18:45 sh123124213 joined #salt
18:45 sh123124213 where does saltmaster store info about minion?
18:45 ws2k3 joined #salt
18:46 mk-fg joined #salt
18:47 babilen sh123124213: Which information?
18:48 sh123124213 salt minion info
18:48 babilen Various places, depends on what you are looking for
18:48 sh123124213 mines
18:48 babilen Guess you are looking for /var/cache/salt
18:48 sh123124213 I wanted to know if I can store this info in a database so I can query them
18:49 sh123124213 I'm looking for info like : last contacted minion
18:49 sh123124213 saltstack enterprise has something similar
18:50 sh123124213 dunno how it does it
18:50 babilen https://docs.saltstack.com/en/latest/ref/returners/
18:50 Reverend joined #salt
18:54 viq joined #salt
18:55 lawnmowerlatte joined #salt
18:56 sh123124213 babilen : you have any pocs and real world examples on how to use them ? How would I get when was the minion last contacted ?
18:59 TSP_ joined #salt
19:00 swa_work joined #salt
19:03 sh123124213 anyway, thnx
19:04 babilen I am not aware of a method to get that information in every case .. you could probably get it out of the job cache
19:07 woodtablet1 left #salt
19:09 sh123124213 how would I use : salt.returners.redis_return.get_fun(fun) ?
19:10 lawnmowerlatte Is there a way to have Salt preinstalled via ISO so upon first boot it immediately checks in with the master? I've tried a few Debian specific tools, but I'm having trouble getting it to pull down from repo.saltstack.com.
19:11 onlyanegg I use packer
19:11 onlyanegg lawnmowerlatte
19:11 onlyanegg it builds various images and can configure them via kickstart and salt
19:12 lawnmowerlatte Thanks onlyanegg, that looks promising!
19:13 onlyanegg np
19:13 demize Alternatively, using the official salt bootstrap script
19:13 babilen lawnmowerlatte: You can kick off the salt install from preseed
19:13 babilen (e.g. by using the bootstrap)
19:15 pipps joined #salt
19:16 demize (And setting the BS_SALT_MASTER_ADDRESS env var to the proper master.)
19:18 RealMurphy lawnmowerlatte: we use Debian's FAI and tell the minions to run "highstate" once started
19:18 lawnmowerlatte babilen, demize, I'm new to preseed too unfortunately, but I'll investigate.
19:19 lawnmowerlatte RealMurphy, FAI also looks like a possibility. Seems like less work to get running
19:19 babilen https://www.debian.org/releases/jessie/example-preseed.txt → d-i preseed/late_command string
19:19 babilen call bootstrap there
19:20 bltmiller joined #salt
19:21 lawnmowerlatte babilen, thanks! Do you know of any good tutorials for building an ISO with d-i?
19:22 babilen As in an image you burn on CD?
19:23 sh123124213 babilen : can I store mine data somewhere else ?
19:23 babilen We primarily do PXE installs or use the normal Debian ISOs, but let me dig up the image creation documentation if you need to
19:24 babilen sh123124213: Probably, but I would have to investigate how as well. You might want to write to the mailing list.
19:24 mavhq joined #salt
19:25 babilen lawnmowerlatte: https://wiki.debian.org/DebianCustomCD
19:25 lawnmowerlatte babilen, thanks
19:25 babilen https://wiki.debian.org/Simple-CDD
19:26 babilen https://d-i.alioth.debian.org/doc/internals/ch04.html
19:27 sgo_ joined #salt
19:27 pipps joined #salt
19:29 adelcast joined #salt
19:29 blue_ joined #salt
19:33 dyasny joined #salt
19:38 jas02 joined #salt
19:42 teryx510 joined #salt
19:43 RealMurphy Hmm, does anyone know a way to debug/watch a sls file how it looks like after jinja is done with it? We have a relatively compact state file, but depending on how much data it receives via an external pillar it will become quite large
19:44 mavhq joined #salt
19:44 armin joined #salt
19:46 demize RealMurphy: Doesn't show the raw yaml output, but state.show_sls
19:46 demize Will have the rendered and parsed output.
19:46 DEger joined #salt
19:47 RealMurphy demize: thanks, just found the same on the web, that should help
19:47 DEger joined #salt
19:47 armin joined #salt
19:49 toanju joined #salt
19:50 Edgan RealMurphy: The real fun is when you want to see the data structure in map.jinja
19:50 jdipierro joined #salt
19:56 sh123124213 how would I be able to save the state of a server dynamically in mine or somewhere else ? example server_status : 'problem' if server has a problem or server_status : "OK'
19:59 _beardedeagle joined #salt
20:05 heewa joined #salt
20:07 doug1 joined #salt
20:16 dyasny joined #salt
20:16 armonge_ joined #salt
20:18 Tanta joined #salt
20:18 mohae joined #salt
20:18 abonilla joined #salt
20:18 jimklo joined #salt
20:26 bluenemo joined #salt
20:29 mpanetta joined #salt
20:36 woodtablet joined #salt
20:36 Joe630 joined #salt
20:37 Joe630 is there a simple way to take a list of servers and operate on them?  salt 'servera serverb serverc' test.ping
20:37 Joe630 I know I can put an | between them but I'm wondering if there is another way without that
20:38 hemebond Joe630: Node groups?
20:39 sp0097 joined #salt
20:39 dendazen joined #salt
20:39 Joe630 thats more effort than I wanna make - I have a few scripts that just output a list of machines, I'd like to use that list as input to salt
20:40 Joe630 don't wanna refactor everything back
20:40 v0rtex Joe630: salt -L servera,serverb,serverc test.ping
20:40 Joe630 commas are easy
20:40 Joe630 thanks
20:40 Tanta salt 'server*' test.ping
20:40 hemebond Oh, I assumed you'd already looked at the list thing.
20:40 Joe630 tanta: that will test.ping serverd
20:41 Tanta or salt -E 'server[a-c]' test.ping
20:41 eradman joined #salt
20:41 Joe630 I didn't even see the -L thing
20:41 Joe630 it is exactly what i need.
20:41 Joe630 "take a comma or space delimited list of servers.
20:41 Joe630 derp
20:42 Joe630 thanks v0rtex
20:42 v0rtex np
20:45 Cottser joined #salt
20:48 viq sh123124213: sounds like you're looking for a monitoring solution, salt is not necessarily that - but some service discovery like etcd or consul can do that
20:48 viq I'm not sure I'd trust mine for that
20:51 Rumbles joined #salt
20:54 mavhq joined #salt
21:02 pipps joined #salt
21:05 geomacy joined #salt
21:17 TSP_ joined #salt
21:19 s_kunk joined #salt
21:26 jdipierro joined #salt
21:27 tercenya joined #salt
21:35 ponyofdeath hi, how can i get the eth1 ip address inside my sls state? tried {{ network.eth1.address }} but no go :)
21:36 whytewolf {{ salt.network.interface('eth1') }}
21:36 whytewolf https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.network.html#salt.modules.network.interface
21:36 ponyofdeath whytewolf: ty ty
21:37 toanju joined #salt
21:45 teryx510 joined #salt
21:54 cliluw joined #salt
21:54 babilen ponyofdeath: I know I'm always saying that: But do you *really* care about the address on that interface as opposed to the address in a certain network or just "public" vs "private" ?
21:58 joe joined #salt
22:03 pipps joined #salt
22:04 om2 joined #salt
22:06 whytewolf babilen: this is true. most often people only care about {{salt.network.ip_addrs(cird='10.x.x.x/24')|last}}
22:07 whytewolf Grrr damn dyslexia cidr not cird
22:08 Criggie cider *nod*
22:11 babilen whytewolf: That function takes a type='public' / 'private' argument even (hence my question)
22:11 whytewolf oh yeah, forgot type='public'
22:12 whytewolf but if not dealing with cloud cird is useful
22:12 babilen Sure
22:13 babilen Sometimes interfaces are useful as well .. it's just that i've seen too many 'eth0' instances in code that will be broken by https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ soon :)
22:14 justanotheruser joined #salt
22:14 whytewolf soon as in nowish?
22:15 whytewolf I own 1 system that still has eth naming
22:15 whytewolf all the others are mostly enp
22:19 dendazen joined #salt
22:19 TSP_ joined #salt
22:19 jdipierro joined #salt
22:20 tercenya joined #salt
22:24 pipps joined #salt
22:25 jdipierro joined #salt
22:27 pipps joined #salt
22:28 pipps99 joined #salt
22:30 jimklo joined #salt
22:30 jas02 joined #salt
22:32 jimklo joined #salt
23:00 hemebond joined #salt
23:00 mosen joined #salt
23:02 pipps joined #salt
23:03 jdipierro joined #salt
23:05 woodtablet1 joined #salt
23:10 woodtablet joined #salt
23:19 ponyofdeath hey guys, trying to figure out why running salt-call state.apply hangs on removing /var/cache/salt/minion/proc/xxxx
23:24 ponyofdeath Bad load from minion: AuthenticationError: message authentication failed this is what i see on master
23:25 hemebond Is your minion authenticated with your master?
23:25 hemebond Can you test.ping from the master?
23:25 ponyofdeath hemebond: sec i did salt-key -a hostname to add it
23:25 hemebond Oh, there you go.
23:26 ponyofdeath hemebond: yup test ping returns true
23:26 hemebond Does the salt-call still fail?
23:26 hemebond What if you run it from the master?
23:26 hemebond (run the command I mean, not actual salt-call)
23:27 hemebond (e.g., salt 'hostname' state.apply)
23:27 ponyofdeath hemebond: ok that works
23:27 ponyofdeath weird
23:27 dendazen joined #salt
23:27 ponyofdeath calling from master started it
23:28 hemebond Isn't salt-call only for masterless minions?
23:28 whytewolf no
23:28 whytewolf salt-call can be used for debugging
23:28 hemebond So it's just for starting things locally?
23:28 hemebond Okay.
23:28 whytewolf yeah
23:28 hemebond I've never used it so not familiar with its uses at all.
23:29 ponyofdeath yeah worked on my ubuntu hosts this one is centos
23:29 ponyofdeath gonna check versions
23:29 whytewolf hemebond: one of the basic debugging things is to use salt-call --debug on a minion to see what the minion is doing
23:29 whytewolf errrr salt-call -l debug
23:30 hemebond Ah. I just use salt-minion --log-level debug for that.
23:30 whytewolf that takes restarting the minion; salt-call happens without restarting the minion
23:37 babilen joined #salt
23:44 TSP_ joined #salt
23:55 amontalban joined #salt
