IRC log for #salt, 2017-02-11

All times shown according to UTC.

Time Nick Message
00:01 sh123124213 is there anyway to create rootfs without restart master ?
00:01 iggy sh123124213: nope
00:02 sh123124213 how hard can that be ?
00:02 sh123124213 since salt already updates grains etc ..
00:02 iggy grains and config are totally different
00:02 sh123124213 both files right ?
00:04 sh123124213 iggy: can you elaborate ? :)
00:04 sh123124213 I know there is a ticket about salt not being able to reload config
00:06 sh123124213 I'm guessing its complicated to go and update config for all the modules that have been loaded
00:06 teclator joined #salt
00:07 sh123124213 but maybe they can look into a cache file just like they do for grains
00:11 jas02 joined #salt
00:11 teclator joined #salt
00:13 MTecknology oooooh...... shhhhiiii*
00:14 MTecknology I've been busting my brain on this silly exercise for a few days now and I'm now realizing yaml is giving me an unsorted dictionary and I actually need it sorted.
00:16 MTecknology now I get to turn things into a list and figure out how to tweak the template to be uglier without breaking... yay
00:16 stooj joined #salt
00:21 iggy sh123124213: yeah, it would basically require a complete reload of the salt master (modules, pillars, grains, etc)... at that point, just restart the master
00:29 g3cko joined #salt
00:35 oida joined #salt
00:38 jimklo_ joined #salt
00:47 cyanidechef joined #salt
00:51 DEger joined #salt
00:53 cyanidechef left #salt
01:10 jas02 joined #salt
01:40 swa_work joined #salt
01:56 swa_work joined #salt
02:04 catpigger joined #salt
02:08 DEger joined #salt
02:09 sh123124213 joined #salt
02:11 jas02 joined #salt
02:16 khaije1 joined #salt
02:16 ssplatt joined #salt
02:18 shoemonkey joined #salt
02:22 heyimawesome joined #salt
02:23 Nahual joined #salt
02:24 FiveBroDeepBook joined #salt
02:30 tapoxi joined #salt
02:33 jas02 joined #salt
02:37 edrocks joined #salt
02:38 shoemonkey joined #salt
02:46 puzzlingWeirdo joined #salt
02:49 viq joined #salt
03:05 FiveBroDeepBook joined #salt
03:06 shoemonkey joined #salt
03:07 edrocks_ joined #salt
03:12 jas02 joined #salt
03:14 jeffspeff joined #salt
03:30 FiveBroDeepBook joined #salt
03:48 rpb joined #salt
03:52 sp0097 joined #salt
04:04 cacasmacas_ joined #salt
04:10 swa_work joined #salt
04:16 amagawdd joined #salt
04:31 puzzlingWeirdo just a quick question if anyone is here: is it possible to configure master->minion and not minion->master (ps. i don't know anything about saltstack). I'm thinking of a possible solution that doesn't expose a management system socket to untrusted systems (minions)
04:32 hemebond puzzlingWeirdo: No, minion always connects to master.
04:32 hemebond If you don't want untrusted servers connecting to your master then use a firewall to restrict access.
04:34 puzzlingWeirdo hemebond: okay, the problem with that is the salt server still needs to be exposed
04:34 puzzlingWeirdo and thanks for the quick reply :)
04:35 hemebond Well you either expose two ports on one server to servers you know, or you expose all your other servers :-)
04:36 puzzlingWeirdo hemebond: yes that's true, but it's in a network I fully control - it's a number of VMs. Plus, the idea was to set up an SPA firewall (like knockd but with a signed packet)
04:36 hemebond Then I don't understand the concern over exposing two ports on the master.
04:37 puzzlingWeirdo the VMs are untrusted, if compromised an attacker could pivot to the salt master - he could then potentially change the configuration of the entire network
04:38 hemebond How would they do that?
04:38 puzzlingWeirdo well im not exactly sure of the ins and outs of salt (i'm just weighing up possible solutions) but doesn't a salt master have complete control over the state of minions?
04:40 hemebond The master just puts jobs into a queue for the minions to pick up. The minions do the compiling, etc.
04:40 hemebond The master servers up files too.
04:41 puzzlingWeirdo so if the master is comprimised it could serve up malicious jobs?
04:41 puzzlingWeirdo compromised*
04:44 puzzlingWeirdo hemebond: perhaps i misunderstand
04:44 hemebond No, that's correct. If your master is compromised so are your minions.
04:44 hemebond But how would your master be compromised?
04:46 puzzlingWeirdo the exposed socket, i don't know much about salt but I'm assuming it's written entirely in python. there could be an 0day with the python interpreter (although unlikely)
04:47 hemebond The socket is either ZeroMQ or Tornado. Both are huge projects that are used a lot.
04:47 hemebond Yes, there might be some security flaw somehow/somewhere in the listener.
04:47 hemebond But you can minimise the chance of a compromise by restricting access to the master.
04:48 hemebond I mean, any open port is a possible security hole.
04:48 hemebond For any software.
04:49 puzzlingWeirdo hemebond: i'd rather a minion was compromised - but that's just me. my ideal setup would be for administration VMs to have no open sockets. Okay, i'm resigned to having an open socket - can you clarify what you mean by restricting access?
04:50 puzzlingWeirdo you mean just disallow minions access to the master?
04:50 hemebond Well if you really don't want a master then you could go masterless or use salt-ssh.
04:50 hemebond I mean using a firewall to only allow connections from known servers.
04:50 hemebond A whitelist.
04:53 puzzlingWeirdo hemebond: salt-ssh is less powerful?
04:54 hemebond You miss out on the event bus and stuff.
04:54 hemebond e.g., when a minion comes up it sends an event to the master that the master can react to in some way.
04:55 puzzlingWeirdo ahh, well, i might just harden the python interpreter. salt-ssh is an option. something to think about. I don't want to take up all your time. thanks for your help. :)
04:56 hemebond Good luck ????
04:56 puzzlingWeirdo thanks. :)
05:06 ekristen joined #salt
05:11 sh123124213 joined #salt
05:13 jas02 joined #salt
05:50 fracklen joined #salt
06:04 mk-fg joined #salt
06:08 edrocks joined #salt
06:21 DEger joined #salt
06:40 jimklo joined #salt
06:54 iggy use a VPN/ipsec/etc and don't actually have the master open to anything other than private network
06:55 iggy also, if you don't trust your minions, you're in for a world of hurt
06:56 iggy (i.e. the master sends commands to all minions and the minions decide what to act on... so you've probably already got a huge data leak there)
06:56 iggy salt isn't really designed for multi-tenancy (or whatever you want to call it)
06:58 puzzlingWeirdo thanks iggy, but these vms will be on a LAN, i'm not worried about external clients, just potentially untrusted minions (one will be running a tor proxy server, irc bnc client etc - they're probably okay, but I don't trust them 100%)
06:59 djgerm joined #salt
07:04 iggy yeah, a tor node, I'd use salt-ssh
07:04 preludedrew joined #salt
07:05 PatrolDoom joined #salt
07:14 sh123124213 joined #salt
07:16 colttt joined #salt
07:18 stooj joined #salt
07:22 colttt joined #salt
07:28 puzzlingWeirdo that's certainly an option, but i'm now thinking of doing something fancy with the vm images - similar to qubes
07:31 bocaneri joined #salt
07:34 viccuad joined #salt
07:56 nethershaw joined #salt
08:04 cyborg-one joined #salt
08:16 armyriad joined #salt
08:22 ProT-0-TypE joined #salt
08:48 rubenb Hi. I'm getting some (probably phishing) emails from a sketchy domain and Rhett Glausner the Saltstack VP of Marketing.
08:48 rubenb Has a database or something been leaked/hacked?
08:50 rubenb Where do I report this?
08:50 hemebond You're not a member of any Salt related mailing lists?
08:51 rubenb Hm, maybe they could have gotten the email from github. Checking..
08:52 mk-fg joined #salt
08:54 rubenb Not on the mailing list, github uses another e-mail address, have mailed with marketing a while back.
08:55 rubenb And I assume legitimate marketing email should not come from [random_address]@bodyworxvitality.com.
08:56 hemebond Probably not ☺
09:31 puzzlingWeirdo joined #salt
09:31 ivanjaros joined #salt
09:42 teclator_ joined #salt
09:59 jas02 joined #salt
10:03 gaghiel left #salt
10:09 jas02 joined #salt
10:10 edrocks joined #salt
10:19 jas02_ joined #salt
10:25 jas02 joined #salt
10:29 saltsa joined #salt
10:39 stooj joined #salt
10:47 armyriad joined #salt
10:54 diagnostuck joined #salt
11:15 jas02 joined #salt
11:18 jas02 joined #salt
11:19 fgimian joined #salt
11:46 jas02 joined #salt
11:53 jas02_ joined #salt
12:03 evle joined #salt
12:05 jas02 joined #salt
12:06 jas02 joined #salt
12:06 abednarik joined #salt
12:10 hoonetorg joined #salt
12:14 jas02 joined #salt
12:22 stooj joined #salt
12:24 jas02 joined #salt
12:24 diagnostuck joined #salt
12:40 whytewolf rubenb: Rhett is a real person at salt, however the emails are spam. see topic of the channel. someone earlier today seems to have hacked his email account. he has since changed his password.
12:40 stooj joined #salt
12:42 rubenb whytewolf: Nasty, but good that it's a known issue.
12:42 whytewolf i really should go to bed
12:43 rubenb Also, I should have looked at the topic.
12:51 stooj joined #salt
12:55 abednarik joined #salt
12:56 mavhq joined #salt
13:00 stooj joined #salt
13:02 sh123124213 joined #salt
13:06 Trauma joined #salt
13:11 stooj joined #salt
13:16 ccuz joined #salt
13:17 stooj joined #salt
13:24 stooj joined #salt
13:25 jas02 joined #salt
13:37 mk-fg joined #salt
13:45 jas02 joined #salt
13:52 stooj joined #salt
14:06 theblazehen joined #salt
14:07 diagnostuck joined #salt
14:10 stooj joined #salt
14:26 jas02 joined #salt
14:50 netcho_ joined #salt
14:56 mavhq joined #salt
14:57 abednarik joined #salt
15:18 bbrelin1 joined #salt
15:18 bbrelin1 Hello all
15:19 bbrelin1 I'm having a problem with salt-cloud.
15:19 bbrelin1 When I run salt-cloud to provision an Amazon AWS instance, it's not providing the AWSAccessKeyID in the request URL.  Even though it's set in the provider.conf file.
15:20 diagnostuck joined #salt
15:21 Inveracity joined #salt
15:27 jas02 joined #salt
15:51 jas02 joined #salt
16:08 scsinutz joined #salt
16:11 stooj joined #salt
16:20 diagnostuck joined #salt
16:24 armyriad joined #salt
16:30 scsinutz joined #salt
16:35 DEger joined #salt
16:44 DEger joined #salt
16:48 ivanjaros joined #salt
16:58 shoemonkey joined #salt
17:06 bluenemo joined #salt
17:14 Tanta joined #salt
17:22 swa_work joined #salt
17:23 swa_work joined #salt
17:27 netcho_ joined #salt
17:29 diagnostuck joined #salt
17:29 heyimawesome joined #salt
17:30 swa_work joined #salt
17:36 swa_work joined #salt
17:37 stooj joined #salt
18:06 stooj joined #salt
18:15 edrocks joined #salt
18:22 netcho_ joined #salt
18:23 Nahual joined #salt
18:34 theblazehen joined #salt
18:37 jeffspeff joined #salt
18:37 diagnostuck joined #salt
18:42 stooj joined #salt
18:46 Edur joined #salt
18:55 cyborg-one joined #salt
19:02 amcorreia joined #salt
19:13 icebal joined #salt
19:14 Nahual joined #salt
19:25 shoemonkey joined #salt
19:29 swa_work joined #salt
19:29 icebal joined #salt
19:34 jas02_ joined #salt
19:34 onlyanegg joined #salt
19:43 icebal joined #salt
19:43 stooj joined #salt
19:49 diagnostuck joined #salt
20:01 stooj joined #salt
20:32 shoemonkey joined #salt
20:46 ronnix joined #salt
21:07 jas02 joined #salt
21:09 diagnostuck joined #salt
21:24 swa_work joined #salt
21:27 jas02 joined #salt
21:30 icebal joined #salt
21:38 skinkitten joined #salt
21:38 skinkitten_ joined #salt
21:45 jas02 joined #salt
21:49 onlyanegg joined #salt
22:14 DEger joined #salt
22:17 edrocks joined #salt
22:21 fgimian joined #salt
22:29 jas02 joined #salt
22:35 sagerdearia joined #salt
22:37 onlyanegg joined #salt
22:37 viccuad joined #salt
22:38 viccuad Hi folks. I suppose there's no state for user services, instead of root ones, is it? thanks in advance
22:40 diagnostuck joined #salt
22:42 DEger joined #salt
23:01 onlyanegg joined #salt
23:02 shoemonkey joined #salt
23:17 swa_mobil joined #salt
23:21 jagguli hi, has anyone had luck with scheduling runner custom functions
23:21 jagguli https://github.com/saltstack/salt/issues/39333
23:21 saltstackbot [#39333][OPEN] Not Available error - Scheduling custom runner functions  | Description of Issue/Question...
23:24 whytewolf jagguli: first thing to ask is can you run the runner by hand?
23:30 jas02 joined #salt
23:33 scsinutz joined #salt
23:35 icebal joined #salt
23:37 stooj joined #salt
23:38 emperor joined #salt
23:39 onlyanegg joined #salt
23:42 netcho_ joined #salt
23:42 emperor Hi, I have a pretty basic question concerning the usage of salt: What's the recommended way to autoremove packages from minions that are no longer present in the respective state?
23:43 emperor To be clear: I'm talking about packages that are no longer required by the state, not unsalting minions.
23:44 whytewolf there is no automatic way to do it. i typically make a remove state file that i call on a system to remove anything to do with said state
23:44 whytewolf like this https://github.com/whytewolf/salt-phase0-states/blob/master/mysql/remove.sls
23:47 viccuad what is the correct way to get the user name specified by the pillar `users` from the user formula? {% set user = salt['pillar.get']('user') %}
23:48 emperor Thanks a lot @whytewolf, although that's not what I was hoping to hear...
23:48 CeBe viccuad: pillar.user
23:48 CeBe viccuad: wait, how exactly did you specify it in pillar?
23:49 CeBe if you have   user: example  in pillar, you would get it like {% set user = pillar.user %}
23:50 viccuad CeBe: as said for the users formula, like this: https://github.com/viccuad/salt-configs/blob/master/pillar/role/workstation.sls
23:50 viccuad so I suppose it is a list?
23:50 jagguli whytewolf: Yes the runner runs by itself
23:50 whytewolf that is a dict
23:51 whytewolf {users:{vic:{fullname: <blah>,uid:1001,etc,etc,etc}}}
23:51 viccuad it is
23:51 CeBe viccuad: as whytewolf said, it's a dict, what do you want to do? iterate over the items to create the users?
23:51 viccuad CeBe: I just want to read the user login name, to use it in states
23:52 CeBe viccuad: in that case there is not one user but possibly many users
23:53 viccuad true. I suppose I could filter by users that are in user group `users`
23:53 viccuad but that doesn't solve much, there could be several also
23:54 CeBe viccuad: in a state file you could have something like this: {% for username, user in pillar.users.iteritems() %}  ... {% endfor %}
23:54 CeBe and then create some states in the for loop for each user
23:55 whytewolf the designer of that pillar really should have used the index as a label and added a username: field in it
23:55 CeBe username would be "vic" and user would be the dict with all configs
23:57 viccuad that seems like a good solution. The problem happens when my states inherit other pillars from other roles, and I have several users, yet I only want to act on 1
23:57 CeBe viccuad: you should redesign your pillar then
23:58 viccuad and that means redesigning the users formula
23:58 whytewolf or not using the users formula ;)
23:58 CeBe :)
23:59 viccuad :C