| Time |
Nick |
Message |
| 00:00 |
brd |
whytewolf: oh, because there can be an array of dicts returned |
| 00:01 |
whytewolf |
yeah |
| 00:03 |
|
onlyanegg joined #salt |
| 00:03 |
brd |
whytewolf: so something like: {% if interface.bce0.inet[0].address is defined -%} |
| 00:03 |
whytewolf |
in theory ;) |
| 00:04 |
brd |
whytewolf: hah, indeed |
| 00:04 |
brd |
Comment: Unable to manage file: Jinja variable 'dict object' has no attribute 'bce0' |
| 00:05 |
whytewolf |
have you tried just output interface? |
| 00:05 |
whytewolf |
to see what is being output |
| 00:06 |
|
IRCFrEAK joined #salt |
| 00:06 |
|
IRCFrEAK left #salt |
| 00:14 |
|
sharon_so_ joined #salt |
| 00:15 |
sharon_so_ |
Hi, has anyone seen any app/tool that would automatically change variables from a salt config file and redeploy, i am basically looking to automate testing of an salt deployment that has a lot of different variables. |
| 00:15 |
brd |
whytewolf: hah, I figured it out! I needed: interface.bce0.inet.0.address |
| 00:18 |
|
justanotheruser joined #salt |
| 00:21 |
|
DEger joined #salt |
| 00:27 |
gnomethrower |
sharon_so_: try combining Docker and Vagrant, maybe? |
| 00:28 |
sharon_so_ |
gnomethrower: I probably didnt explained myself correctly, I am looking for a way to exercise all deployment variables that are set/hardcoded in a config file. |
| 00:31 |
|
juntalis joined #salt |
| 00:32 |
|
gableroux joined #salt |
| 00:39 |
|
HRH_H_Crab joined #salt |
| 00:41 |
|
hemebond left #salt |
| 00:42 |
Poppabear |
anyone familar with the 'mysql-formula' ? |
| 00:43 |
Poppabear |
for some reason its not giving me results for creating the database or users ? |
| 00:43 |
Poppabear |
and no results nor is it creating the user or database |
| 00:43 |
Poppabear |
everything else "appears" to be working |
| 00:44 |
whytewolf |
Poppabear: what do you have in your top file? |
| 00:49 |
|
cliluw joined #salt |
| 00:49 |
|
hemebond joined #salt |
| 00:51 |
|
jas02 joined #salt |
| 00:52 |
|
mswart left #salt |
| 01:03 |
Poppabear |
whytewolf: i'm not using the formula in the suggested way, i simply use it as a state, so i can call it via state.sls mysql |
| 01:03 |
whytewolf |
so... do you call mysql.user and mysql.database afterwords? |
| 01:07 |
Poppabear |
no, mysql init.sls should though correct ? |
| 01:27 |
whytewolf |
ahh yes it does. calls mysql.server then .database then .user |
| 01:32 |
Poppabear |
but when i run state.sls mysql it doesn't show any results in regards to user or database |
| 01:34 |
whytewolf |
what does your pillar structure look like? |
| 01:40 |
|
dps joined #salt |
| 01:42 |
|
sharon_so_ left #salt |
| 02:03 |
|
jas02 joined #salt |
| 02:07 |
|
jeblair_ joined #salt |
| 02:08 |
|
scsinutz joined #salt |
| 02:08 |
|
scsinutz joined #salt |
| 02:20 |
|
leev joined #salt |
| 02:27 |
|
Tanta joined #salt |
| 02:48 |
|
k_sze[work] joined #salt |
| 02:52 |
|
catpiggest joined #salt |
| 02:57 |
|
onlyanegg joined #salt |
| 02:57 |
|
edrocks joined #salt |
| 03:04 |
|
jas02 joined #salt |
| 03:06 |
|
dxiri joined #salt |
| 03:26 |
|
shef joined #salt |
| 03:27 |
shef |
Hey, has anyone noticed a problem with slow service start times for the latest salt minion on CentOS 6? |
| 03:28 |
hemebond |
shef: I believe people have. |
| 03:28 |
hemebond |
Have you checked the issues on Github? |
| 03:30 |
shef |
With salt-minion-2016.11.1 it it took a a second for the salt-minion to start on a node in our VM test bed, but now it takes more than a minute. |
| 03:30 |
shef |
I haven't. Where do I look ? |
| 03:30 |
hemebond |
https://github.com/saltstack/salt/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aopen%20slow%20restart |
| 03:30 |
shef |
I work with Cisco. |
| 03:31 |
hemebond |
With Cisco? |
| 03:31 |
shef |
Cisco Systems |
| 03:32 |
shef |
for Cisco |
| 03:32 |
hemebond |
I've heard of them. Just wondering what you ... |
| 03:32 |
hemebond |
Oh, you work for Cisco. |
| 03:32 |
shef |
yes |
| 03:32 |
hemebond |
Your switches are okay. |
| 03:32 |
shef |
yep, they are |
| 03:33 |
hemebond |
https://github.com/saltstack/salt/issues/39052 |
| 03:33 |
saltstackbot |
[#39052][MERGED] Minion restart very slow since 2016.11.2 | Minion restart is slow since 2016.11.2... |
| 03:35 |
shef |
Thanks, I haven't noticed as much a problem with CentOS 7. |
| 03:36 |
shef |
or very little, haven't timed it yet, but it seemed reasonable |
| 03:37 |
shef |
Also, I saw an issue when updated the salt-minion RPMs. It didn't seem to restart well, even though the RPM post script was a condtional restart. |
| 03:37 |
hemebond |
Didn't restart well? |
| 03:37 |
hemebond |
What happened? |
| 03:38 |
shef |
One second I can try it on another node. I did this the other day and I forget exactly what it said. |
| 03:42 |
|
evle joined #salt |
| 03:47 |
shef |
I'm updating a node from salt-minion-2016.11.1-1.el6 -> 2016.11.2-1.el6. It's talking it's sweet time. |
| 03:48 |
shef |
after about a minute it finished |
| 03:48 |
hemebond |
Sounds okay. |
| 03:49 |
shef |
[root vcos-2 ~]# rpm -Uhv salt-2016.11.2-1.el6.noarch.rpm salt-minion-2016.11.2-1.el6.noarch.rpm warning: salt-2016.11.2-1.el6.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID de57bfbe: NOKEY Preparing... ########################################### [100%] 1:salt warning: /etc/salt/minion created as /etc/salt/minion.rpmnew ########################################### [ 50%] 2:salt-minion |
| 03:49 |
|
onlyanegg joined #salt |
| 03:49 |
shef |
I'm testing to see the status of the minion. It's been thinking about it for 30 seconds or so now |
| 03:49 |
shef |
still thinking about it |
| 03:50 |
shef |
it's running now |
| 03:50 |
shef |
I thought I saw something about a pid file before |
| 03:50 |
shef |
if I see it again I'll post an issue on the git hub |
| 03:50 |
shef |
[rootvcos-2 ~]# rpm -qa |grep salt salt-2016.11.1-1.el6.noarch salt-minion-2016.11.1-1.el6.noarch [rootvcos-2 ~]# time service salt-minion start Starting salt-minion daemon: [ OK ] real0m0.998s user0m0.392s sys0m0.086s |
| 03:51 |
shef |
before the update |
| 03:54 |
shef |
after update |
| 03:54 |
shef |
[rootvcos-2 ~]# time service salt-minion start Starting salt-minion:root:vcos-2 daemon: OK real1m44.996s user0m3.488s sys0m0.837s |
| 03:54 |
shef |
1 minute 44 seconds to start |
| 03:57 |
|
dxiri joined #salt |
| 03:58 |
|
AvengerMoJo joined #salt |
| 03:58 |
|
bbrelin3 joined #salt |
| 03:58 |
bbrelin3 |
Hello all. |
| 03:59 |
|
edrocks joined #salt |
| 03:59 |
bbrelin3 |
Does anyone have any examples of how to access elements of a list created in a pillar file in a state file using jinja? |
| 03:59 |
bbrelin3 |
For example if I have a pillar 'foo' |
| 03:59 |
bbrelin3 |
and I define inside 'foo' the following: |
| 03:59 |
bbrelin3 |
bar: |
| 03:59 |
bbrelin3 |
- baz |
| 03:59 |
bbrelin3 |
- blech |
| 04:00 |
bbrelin3 |
How can I access this inside a state file with jinja? |
| 04:00 |
bbrelin3 |
I've tried the following: |
| 04:00 |
|
ivanjaros joined #salt |
| 04:01 |
|
raspado joined #salt |
| 04:01 |
bbrelin3 |
(% for elem in salt['pillar.get'] ('foo:bar') %} |
| 04:02 |
hemebond |
bbrelin3: That should work. |
| 04:02 |
bbrelin3 |
{{ elem }}: state |
| 04:04 |
bbrelin3 |
I keep getting errors like: mapping values not allowed here |
| 04:04 |
hemebond |
You have an error in your pillar somewhere. |
| 04:05 |
bbrelin3 |
I can't find it. |
| 04:05 |
bbrelin3 |
My actual pillar looks like this: |
| 04:06 |
hemebond |
Don't paste in here. |
| 04:06 |
bbrelin3 |
oh, okay. |
| 04:06 |
bbrelin3 |
How do I show anyone what the data looks like? |
| 04:06 |
hemebond |
http://paste.debian.net/ |
| 04:08 |
|
CustosLimen joined #salt |
| 04:09 |
bbrelin3 |
This is what my pillar looks like: paste.debian.net/915959 |
| 04:10 |
hemebond |
That's all of it? Maybe your state then. Would need to see the full error. |
| 04:11 |
|
jas02 joined #salt |
| 04:11 |
bbrelin3 |
Here's the state file: paste.debian.net/915960 |
| 04:11 |
hemebond |
There's your problem. |
| 04:11 |
hemebond |
Your indentation is all over the place. |
| 04:11 |
hemebond |
Your Jinja code still has to create valid YAML. |
| 04:12 |
bbrelin3 |
Ah, So, i need to keep everything in YAML indentation style? |
| 04:12 |
|
shoemonkey joined #salt |
| 04:12 |
hemebond |
Yes. |
| 04:12 |
bbrelin3 |
Aha. Thanks. I'll try that. |
| 04:12 |
hemebond |
The indentation doesn't matter to Jinja, but the output has to be valid YAML. |
| 04:12 |
hemebond |
I usually keep the {% at the beginning of each line. |
| 04:13 |
hemebond |
And then indent within the {%- %} |
| 04:13 |
bbrelin3 |
I'll give it a go. Thanks |
| 04:13 |
hemebond |
And I use {%- so the jinja doesn't leave empty lines. |
| 04:13 |
|
fhh joined #salt |
| 04:15 |
shef |
Is there a current development version of salt-minion I can test ? |
| 04:17 |
hemebond |
shef: The develop branch of the Git repo. |
| 04:18 |
shef |
ok, thanks, I'll pull it |
| 04:21 |
bbrelin3 |
Hmmm....It's still not rendering correctly...paste.debian.net/915962 |
| 04:21 |
hemebond |
What is apache and postgres? |
| 04:21 |
hemebond |
Are they supposed to be list items? |
| 04:21 |
hemebond |
You're missing : or - |
| 04:22 |
bbrelin3 |
They're state id's |
| 04:22 |
hemebond |
Then they should be list items. |
| 04:22 |
bbrelin3 |
Aha. |
| 04:22 |
hemebond |
So you need - apache |
| 04:22 |
|
scsinutz joined #salt |
| 04:25 |
bbrelin3 |
Still no joy. paste.debian.net/915963 |
| 04:25 |
bbrelin3 |
No YAML gets rendered at all... |
| 04:25 |
hemebond |
You have a space in your _for_ line |
| 04:25 |
hemebond |
salt['pillar.get']('.... |
| 04:26 |
hemebond |
Should be no space between ] and ( |
| 04:27 |
bbrelin3 |
Still doesn't work... |
| 04:27 |
bbrelin3 |
No YAML output at all. |
| 04:27 |
hemebond |
What is your pillar.get actually fetching? |
| 04:27 |
hemebond |
It looks like you're trying to iterate over a list. |
| 04:27 |
|
nebuchadnezzar joined #salt |
| 04:27 |
hemebond |
But then you're using "in" |
| 04:28 |
bbrelin3 |
Yes. |
| 04:28 |
hemebond |
So `system` should be a string. |
| 04:28 |
hemebond |
So you can `in` it. |
| 04:28 |
hemebond |
*can't |
| 04:28 |
bbrelin3 |
Do I need to put the list elements in quotes in the pillar? |
| 04:28 |
hemebond |
Nope. |
| 04:28 |
hemebond |
You need to fix your loop tests. |
| 04:29 |
bbrelin3 |
How do I test if, for example my list element has the string 'web' in it? |
| 04:30 |
hemebond |
Should a server have both apache and postgres states applied if they're in the list? |
| 04:30 |
bbrelin3 |
No. If it's a db server then it does postgres, if it's a web server it does apache. |
| 04:30 |
bbrelin3 |
That's what I thought that I was testing. |
| 04:30 |
bbrelin3 |
I.e. checking the list element name |
| 04:31 |
hemebond |
Then you just want to fetch the list, not iterate over it. |
| 04:31 |
hemebond |
Then you can use the `in` test. |
| 04:31 |
bbrelin3 |
So, I do a jinja set command? |
| 04:31 |
hemebond |
Yeah |
| 04:35 |
bbrelin3 |
I'm still unsure how to then test the different elements. |
| 04:35 |
hemebond |
It's the same as Python. |
| 04:35 |
bbrelin3 |
Well, in Python I'd iterate over the list and do an 'in' test on each element. |
| 04:36 |
bbrelin3 |
Which is was I thought I was doing with the jinja code. |
| 04:36 |
hemebond |
{%- set states = salt['pillar.get']('blah:listname') %}{%- if 'item' in list %} do stuff .... |
| 04:36 |
hemebond |
Well I didn't think the `in` would work. Maybe it will. |
| 04:37 |
hemebond |
It would work in Python but Jinja is a little different. |
| 04:37 |
hemebond |
And has some restrictions. |
| 04:37 |
hemebond |
Paste your latest pillar and state. |
| 04:39 |
bbrelin3 |
paste.debian.net/915968 |
| 04:39 |
bbrelin3 |
Pillar is unchanged. |
| 04:42 |
bbrelin3 |
Is there any way to do debugging print statements so that I can actually see what's going on? |
| 04:42 |
bbrelin3 |
That, to me, is the frustrating bit. I can't actually see what's happening so that I can debug it. |
| 04:42 |
hemebond |
I'm testing now. |
| 04:43 |
hemebond |
Yes, you can debug by using the Jinja2 api. |
| 04:43 |
bbrelin3 |
Are there some examples somewhere? |
| 04:43 |
hemebond |
Google for "from jinja2 import Template" |
| 04:44 |
|
fhh joined #salt |
| 04:44 |
|
CustosLimen joined #salt |
| 04:49 |
hemebond |
Okay, the `in` tests do work. |
| 04:50 |
hemebond |
Show me your pillar top.sls |
| 04:51 |
bbrelin3 |
paste.debian.net/915969 |
| 04:52 |
hemebond |
What if you do salt minion pillar.items |
| 04:52 |
hemebond |
Does it show the pillar data correctly? |
| 04:53 |
hemebond |
Or even salt \* pillar.items |
| 04:53 |
hemebond |
(that indentation looks wrong, btw) |
| 04:54 |
hemebond |
(but might just be the pastebin) |
| 04:54 |
hemebond |
(might pay to double-check that last line. |
| 04:54 |
bbrelin3 |
This is the debug output from the salt master paste.debian.net/915970 |
| 04:54 |
hemebond |
Cool, looks fine. |
| 04:55 |
hemebond |
But what about pillar.items? |
| 04:56 |
bbrelin3 |
paste.debian.net/915971 |
| 04:56 |
hemebond |
Cool. Then the state should work. |
| 04:57 |
hemebond |
Oh wait. |
| 04:57 |
hemebond |
Sorry, you need to change your state back to a for loop. |
| 04:57 |
hemebond |
Then your `in` string comparison should work. |
| 04:57 |
hemebond |
Oh, I see the problem. |
| 04:58 |
hemebond |
salt['pillar.get']('dev_systems') |
| 04:58 |
hemebond |
There is no `system_envs` parent element. |
| 04:59 |
|
cyborg-one joined #salt |
| 04:59 |
bbrelin3 |
Sorry. That must have been an old version. paste.debian.net/915972 |
| 05:00 |
hemebond |
You need to change back to the for loop. |
| 05:00 |
hemebond |
I thought you were checking for `web` or `db` in a list, but you're actually doing substring comparisons. |
| 05:00 |
|
mavhq joined #salt |
| 05:00 |
hemebond |
And it will work if you fix your pillar.get path |
| 05:00 |
bbrelin3 |
Right. |
| 05:00 |
hemebond |
Removing the system_envs |
| 05:02 |
bbrelin3 |
At the moment, I have the systems_envs:dev_systems in the pillar.get path. Do I keep that? |
| 05:02 |
hemebond |
No |
| 05:02 |
hemebond |
Remove the system_envs: |
| 05:02 |
bbrelin3 |
How does salt know where to look for dev_systems? |
| 05:02 |
hemebond |
It's in the pillar. |
| 05:02 |
|
scsinutz joined #salt |
| 05:02 |
hemebond |
You've already applied via top.sls |
| 05:02 |
bbrelin3 |
Ah, okay. |
| 05:02 |
hemebond |
pillar.items shows you the structure of the compiled pillar data. |
| 05:05 |
bbrelin3 |
paste.debian.net/915973 |
| 05:06 |
hemebond |
That's the same. |
| 05:06 |
hemebond |
You need a FOR loop. |
| 05:06 |
hemebond |
{%- for system in salt['pillar.get']('dev_systems') %} |
| 05:06 |
hemebond |
Replace the `{% set` line with that. |
| 05:08 |
bbrelin3 |
That's it!!! |
| 05:08 |
bbrelin3 |
:-) |
| 05:08 |
bbrelin3 |
:-) |
| 05:08 |
bbrelin3 |
Thank you so much for your help!!! |
| 05:08 |
bbrelin3 |
This has been driving me nuts |
| 05:09 |
hemebond |
ðŸâ |
| 05:10 |
hemebond |
Would have been sooner if I'd read the pillar properly. |
| 05:12 |
bbrelin3 |
Dude, you're a rockstar...:-) |
| 05:12 |
hemebond |
â˺ |
| 05:12 |
|
jas02 joined #salt |
| 05:19 |
bbrelin3 |
homebond: Just out of curiosity, my top.sls file in my base directory and the one in my dev directory are identical. (dev is a separate environment). How would I set up my base/top.sls file so that I only put the jinja code into the dev/top.sls? |
| 05:20 |
bbrelin3 |
Or can I do that? |
| 05:20 |
hemebond |
Just move the dev: entry to dev/top.sls |
| 05:20 |
hemebond |
All top.sls files get merged together. |
| 05:21 |
hemebond |
Each of my top.sls files only have an entry for that environment. |
| 05:21 |
bbrelin3 |
So, do I even need a dev: entry in the base/top.sls? |
| 05:21 |
bbrelin3 |
I'm assuming not/ |
| 05:21 |
bbrelin3 |
? |
| 05:22 |
hemebond |
Nope. |
| 05:23 |
bbrelin3 |
got it. Thanks. |
| 05:25 |
flawi |
to continue from yesterday, has anyone here managed to use the orchestrate runner to reboot a set of nodes using grains targeting, and then using wait_for_events to wait for the nodes to reboot? example SLS at https://gist.github.com/Flaw/ad4ce011244c6eb4dc62a61c183e1b05 |
| 05:27 |
flawi |
yesterday we came up with a workaround using salt-mine, but it seems wrong that I'd have to configure the minions to publish information that the master already surely knows |
| 05:31 |
__number5__ |
flawi: why do you need to wait for reboot? |
| 05:31 |
flawi |
I need to install a piece of software that requires a reboot to start working, and I'd like to use that software later on in the orchestration run |
| 05:33 |
|
DEger joined #salt |
| 05:34 |
flawi |
(such is life with windows boxes) |
| 05:34 |
__number5__ |
maybe using reactor will be better? |
| 05:35 |
flawi |
I'll have to read about it, thanks |
| 05:36 |
__number5__ |
so you can do things like: when minion start, ask them if they have the software installed, if not install and reboot, and yes, continue with your rest of states |
| 05:36 |
flawi |
yeah, that sounds like it would work |
| 05:37 |
__number5__ |
and check out custom event too https://docs.saltstack.com/en/getstarted/event/custom.html |
| 05:39 |
flawi |
I will, thanks for the tips |
| 05:42 |
|
baffle joined #salt |
| 05:52 |
|
onlyanegg joined #salt |
| 05:54 |
|
preludedrew joined #salt |
| 06:02 |
iggy |
yeah, we use a mix of reactors and some custom code to do something similar |
| 06:04 |
|
scsinutz joined #salt |
| 06:12 |
|
icebal joined #salt |
| 06:15 |
|
g3cko joined #salt |
| 06:25 |
|
jas02 joined #salt |
| 06:26 |
|
Straphka joined #salt |
| 06:32 |
|
gladia2r joined #salt |
| 06:37 |
|
zulutango joined #salt |
| 06:43 |
|
candyman88 joined #salt |
| 06:50 |
ravi_ |
Hi guys, I'm trying to generate yaml from sls using this command `salt '*' cp.get_template salt://path/to/template /dev/stdout`. But its throwing this error, "Passed invalid arguments: coercing to Unicode: need string or buffer, bool found." Why its giving error. I'm using salt 2016.11.2 in ubuntu:14.04. Thanks |
| 06:52 |
|
jimklo joined #salt |
| 06:56 |
|
scristian joined #salt |
| 07:01 |
|
jas02 joined #salt |
| 07:05 |
|
scsinutz joined #salt |
| 07:13 |
|
fracklen joined #salt |
| 07:23 |
Straphka |
maybe you need to quote a True or False somewhere in your template? |
| 07:41 |
|
Inveracity joined #salt |
| 07:47 |
|
fracklen joined #salt |
| 07:48 |
|
ashokrajar joined #salt |
| 07:58 |
iggy |
ravi_: don't think that's going to work... what are you actually trying to do? |
| 07:59 |
|
ReV013 joined #salt |
| 07:59 |
|
fracklen joined #salt |
| 08:00 |
|
edrocks joined #salt |
| 08:03 |
|
felskrone joined #salt |
| 08:04 |
ravi_ |
iggy: Actually I want lint my sls files. So I want to generate yaml from sls, so I can use yaml linter. |
| 08:04 |
|
ashokrajar joined #salt |
| 08:06 |
|
scsinutz joined #salt |
| 08:06 |
iggy |
the rendering will fail before you can lint the yaml |
| 08:08 |
ravi_ |
How Can we generate yaml and save it to file |
| 08:10 |
iggy |
I mean, the act of rendering it is your best bet as far as "linting" goes |
| 08:10 |
iggy |
do a show_highstate and it either renders or it doesn't |
| 08:11 |
|
samodid joined #salt |
| 08:12 |
ravi_ |
Ok, what's the best way to lint sls files? |
| 08:12 |
|
gmoro joined #salt |
| 08:13 |
iggy |
there is no way! |
| 08:13 |
iggy |
it sucks |
| 08:14 |
|
Hybrid joined #salt |
| 08:18 |
ravi_ |
Ok. Thanks |
| 08:19 |
|
o1e9 joined #salt |
| 08:25 |
|
dariusjs joined #salt |
| 08:28 |
|
JohnnyRun joined #salt |
| 08:28 |
|
netcho_ joined #salt |
| 08:36 |
|
dariusjs joined #salt |
| 08:44 |
|
netcho_ joined #salt |
| 08:56 |
|
krymzon joined #salt |
| 08:56 |
|
netcho_ joined #salt |
| 08:59 |
|
mavhq joined #salt |
| 09:00 |
Reverend |
i take it syncgrains only uses the _grains folder to sync up the custom stuff... and not read the entire highstate for grain changes ? |
| 09:01 |
|
dariusjs joined #salt |
| 09:01 |
|
ashokrajar joined #salt |
| 09:03 |
|
mikecmpbll joined #salt |
| 09:07 |
|
scsinutz joined #salt |
| 09:11 |
|
zulutango joined #salt |
| 09:13 |
|
s_kunk joined #salt |
| 09:17 |
|
zulutango joined #salt |
| 09:19 |
mage_ |
are external pillar loaded on the salt master? I mean if I'm writing an external_pillar should I propagate the file on all minions? |
| 09:22 |
|
Mattch joined #salt |
| 09:25 |
babilen |
mage_: Shouldn't be necessary |
| 09:25 |
babilen |
Is it not working if you don't do it? |
| 09:25 |
Neighbour |
mage_: Yes, No :) |
| 09:26 |
mage_ |
babilen: I'm reading documentation ATM :) |
| 09:26 |
babilen |
Neighbour: I was about to use the wonderful German "Jein" :) |
| 09:26 |
Neighbour |
babilen: but he asked two questions :) |
| 09:27 |
mage_ |
babilen: I want to do this in Saltstack: "take the output of cmd.run my.cmd from minion B and use it as pillar data for minion A" |
| 09:27 |
mage_ |
I'm busy to template the installation of Icinga and the PKI part |
| 09:27 |
Neighbour |
babilen: kudos for the colourful use of the German language though :) |
| 09:28 |
mage_ |
so all the clients should get a "token" from the icinga master, which is obtained by running icinga pki ticket --cn host.name |
| 09:28 |
Neighbour |
mage_: Then you'd either have to use the salt mine, or push a file from the minion back to the master |
| 09:29 |
mage_ |
Neighbour: push a file ? |
| 09:29 |
babilen |
mage_: Wouldn't the peer system allow you to do something like that? Look into the way the https://docs.saltstack.com/en/latest/ref/states/all/salt.states.x509.html is implemented |
| 09:30 |
mage_ |
Neighbour: I don't see how pushing a file would help me ..? |
| 09:30 |
|
achedeuzot joined #salt |
| 09:30 |
mage_ |
I was tlaking about something like: |
| 09:30 |
mage_ |
rooticinga:/usr/local/etc/icinga2 # icinga2 pki ticket --cn foo.lan |
| 09:30 |
mage_ |
3af5df87d6e87968a5ff512dd8c072f1e51f14f6 |
| 09:30 |
babilen |
In fact that module is a good example of how to use the mine for cert retrieval |
| 09:30 |
mage_ |
mmh I'll take a look |
| 09:30 |
babilen |
(or token or whatever) |
| 09:31 |
mage_ |
babilen: so an external pillar is wrong ? |
| 09:31 |
babilen |
I didn't say that |
| 09:31 |
mage_ |
I was thinking about make a call to the Icinga master (whic is also a minion) from the Salt master and populate the other minions that should be monitored |
| 09:32 |
mage_ |
but I'll take a look at the salt mine, maybe it's a better option |
| 09:32 |
babilen |
Read up on the x509 module and state - It was my first association when you mentioned your usecase and I guess that you can copy some of its ideas/infrastructure |
| 09:32 |
|
bbrelin3 joined #salt |
| 09:32 |
babilen |
But, as always with salt: There are various ways to do it :) |
| 09:32 |
bbrelin3 |
Hi all. |
| 09:33 |
mage_ |
ok :) |
| 09:33 |
bbrelin3 |
Quick question. If I want to create a custom grain (just a static yaml file) in /etc/salt/grains, does it need a .sls extension? |
| 09:34 |
mage_ |
babilen: https://github.com/saltstack/salt/blob/develop/salt/modules/x509.py this module ? |
| 09:34 |
babilen |
yeah |
| 09:35 |
|
jas02 joined #salt |
| 09:35 |
bbrelin3 |
So, If I have a grain that looks like this: paste.debian.net/915986, do I just store it as a file called 'roles' in /etc/salt/grains? |
| 09:35 |
bbrelin3 |
Assuming that 'roles' is what I want to call my grain? |
| 09:35 |
babilen |
Ah, grains and roles .. the unsolved bit in salt |
| 09:35 |
babilen |
I should have a look around and figure out the best way to do that these days |
| 09:36 |
bbrelin3 |
Well, I'm just using roles as an example... |
| 09:36 |
bbrelin3 |
Really, I want to make sure that I'm understanding the way to do this. |
| 09:36 |
bbrelin3 |
I've tried doing a saltutil.sync_all, and then a salt grains.ls but I'm not seeing the 'roles' grain in the list. |
| 09:37 |
babilen |
Yeah, sorry .. I didn't mean to derail your question. It's just that grains are, in my opinion, not a great choice for storing minion specific data and are only commonly used for "roles" (and similar use cases) as there is no proper alternative |
| 09:37 |
mage_ |
babilen: https://github.com/saltstack/salt/blob/develop/salt/states/x509.py#L87-L93 found it .. :) |
| 09:37 |
|
dariusjs joined #salt |
| 09:37 |
babilen |
mage_: Yeah |
| 09:38 |
bbrelin3 |
Well, I could call the data 'foo'. :-) |
| 09:38 |
bbrelin3 |
It's not that I'm using roles here. |
| 09:38 |
bbrelin3 |
But for some reason, salt isn't picking up the grain. |
| 09:39 |
|
jas02 joined #salt |
| 09:39 |
babilen |
bbrelin3: Sure, but that holds true for "datacentre" and whatnot .. If you use grains for that you are then facing the problem of managing grains and you are back at square one. Pillars would be perfect, but you obviously want to target pillar data based on those data also which rules out "normal" pillars |
| 09:39 |
|
darioleidi joined #salt |
| 09:40 |
mage_ |
"The Salt Mine is used to collect arbitrary data from Minions and store it on the Master." |
| 09:40 |
mage_ |
mmh I should do the opposite |
| 09:40 |
bbrelin3 |
babilen: It's not the grain data at this point that I care about, I just want to be able to create a grain in /etc/salt/grains and have it picked up when I do a sync_all. |
| 09:40 |
hemebond |
bbrelin3: Don't forget to update your thread on salt-users. |
| 09:40 |
bbrelin3 |
I just want to understand that I'm doing it the right way. |
| 09:41 |
bbrelin3 |
homebond: How do I do that? |
| 09:41 |
babilen |
bbrelin3: So you have a /etc/salt/grains file on the minion with the content you pasted, you restarted the minion (or synced grains) and it is not reporting that data? |
| 09:41 |
|
teclator joined #salt |
| 09:41 |
bbrelin3 |
babilen: That's right |
| 09:41 |
hemebond |
Just reply to say the issue was with your pillar. Maybe post the fixed state (if you pasted it in the thread). |
| 09:41 |
bbrelin3 |
homebond: Will do that today. |
| 09:41 |
bbrelin3 |
Thanks |
| 09:42 |
babilen |
bbrelin3: I'd say that you've done the right thing and that it shouldâ⢠work -- Anything in the (debug) logs about it when you start the minion? |
| 09:42 |
bbrelin3 |
I'll check. |
| 09:43 |
babilen |
So: What is a sensible (and secure!!!) way of assigning 'roles' to minions these days? Do we finally have a way to do this? |
| 09:43 |
hemebond |
top.sls |
| 09:44 |
babilen |
hemebond: I'm afraid I don't quite follow |
| 09:44 |
hemebond |
I just use top.sls to assign "roles" to minions. |
| 09:44 |
babilen |
How so? |
| 09:44 |
hemebond |
Just... put the states in that you want applied. |
| 09:45 |
|
redmage12 joined #salt |
| 09:45 |
hemebond |
Actually... I suppose my minion names are the roles. |
| 09:45 |
babilen |
Right - And target them based on the minion id, core grain value, ... |
| 09:45 |
hemebond |
I don't use grains for targeting. |
| 09:45 |
babilen |
And you exploit a naming scheme to group minions |
| 09:45 |
hemebond |
Yup. |
| 09:45 |
babilen |
Yeah |
| 09:46 |
babilen |
I do the same, but I like a more dynamic approach that doesn't rely on a specific naming scheme and am facing the old "grains are shite" dilemma again |
| 09:46 |
babilen |
Might look into external pillars like pillarstack again |
| 09:46 |
babilen |
(as I also want to target pillar data) |
| 09:48 |
babilen |
brb (ENOCOFFEE) |
| 09:48 |
hemebond |
There's really no secure way to target with grains so you kind of end up with a list of minions, each with a list of roles. |
| 09:48 |
babilen |
Exactly |
| 09:49 |
babilen |
I don't mind maintaining a role <-> id mapping somewhere, but grains are just the wrong place (insecure, distributed, ...) |
| 09:56 |
redmage12 |
Hmm...puzzling. Doing a grains.item roles just returns an empty grain. |
| 09:56 |
redmage12 |
There's no errors in the debug logs. |
| 09:59 |
mage_ |
any idea for [WARNING ] Key 'ext_pillar' with value {u'\u2014\u200aicinga_ticket_pillar': True} has an invalid type of dict, a list is required for this value |
| 09:59 |
mage_ |
? |
| 09:59 |
hemebond |
mage_: Is it a dict? |
| 09:59 |
mage_ |
yes, I have: |
| 09:59 |
mage_ |
641 ext_pillar: |
| 09:59 |
mage_ |
642 ââ¬âââ¬Å icinga_ticket_pillar: True |
| 10:00 |
|
DanyC joined #salt |
| 10:00 |
hemebond |
Well it wants a list. |
| 10:00 |
mage_ |
I followed the documentation https://docs.saltstack.com/en/latest/topics/development/external_pillars.html |
| 10:01 |
mage_ |
I just have a single return {'FOOOOOO' : minion_id} in my ext_pillar function (to test) |
| 10:01 |
hemebond |
Which part of the docs? |
| 10:01 |
|
xet7 joined #salt |
| 10:01 |
hemebond |
Your paste doesn't match the example at the top (under Configuration) |
| 10:02 |
mage_ |
mmh ? :) |
| 10:03 |
hemebond |
You are trying to use a list like `example_b` but also a dict like `example_c` |
| 10:03 |
hemebond |
You need to use one or the other. |
| 10:04 |
mage_ |
I don't get it, I have |
| 10:04 |
mage_ |
ext_pillar: |
| 10:04 |
mage_ |
ââ¬âââ¬Å icinga_ticket_pillar: True |
| 10:04 |
mage_ |
which is example_a, no ? |
| 10:04 |
hemebond |
Oh so it is. |
| 10:04 |
mage_ |
oh maybe it's the kwargs in my ext_pillar fucntion |
| 10:05 |
hemebond |
Well, that's the extent of my ext_pillar knowledge :-D |
| 10:07 |
|
scsinutz joined #salt |
| 10:08 |
AndreasLutro |
mage_: you have a non-breaking space or other weird character after you - |
| 10:08 |
AndreasLutro |
your* |
| 10:09 |
babilen |
The ââ¬â should be - |
| 10:10 |
mage_ |
argh.. that whas that (: |
| 10:10 |
mage_ |
thanks :) |
| 10:10 |
* hemebond |
assumed that was just a paste artifact |
| 10:10 |
Norrland |
(= |
| 10:10 |
mage_ |
ok it works :) sorry for the noise |
| 10:12 |
|
ruxu joined #salt |
| 10:17 |
|
TyrfingMjolnir joined #salt |
| 10:19 |
|
saintpablo joined #salt |
| 10:26 |
|
ashokrajar joined #salt |
| 10:26 |
|
N-Mi_ joined #salt |
| 10:27 |
|
ravenx joined #salt |
| 10:28 |
|
ivanjaros joined #salt |
| 10:29 |
mage_ |
ext_pillar is loaded at then end, right ? |
| 10:30 |
mage_ |
so any idea why in my ext_pillar() function I can't use __salt__['pillar.get']('some:key') ? |
| 10:30 |
|
tharkun joined #salt |
| 10:32 |
mage_ |
ah... I guess it's because it runs on the master |
| 10:32 |
babilen |
mage_: Take a look at https://docs.saltstack.com/en/latest/topics/development/dunder_dictionaries.html |
| 10:32 |
babilen |
And you also can't reference the normal pillar in there |
| 10:32 |
|
degorenko joined #salt |
| 10:32 |
mage_ |
mmh |
| 10:33 |
|
madboxs joined #salt |
| 10:33 |
mage_ |
ok so https://gist.github.com/silenius/41732347bc4fd73bdfe95c2ee255b9dd will never work |
| 10:38 |
|
DanyC_ joined #salt |
| 10:39 |
|
redmage1 joined #salt |
| 10:39 |
babilen |
Indeed |
| 10:40 |
mage_ |
complicated :) |
| 10:41 |
mage_ |
so maybe I should populate the Mine with the icinga master host (on each minion), and retrieve it in my ext_pillar |
| 10:42 |
|
bbrelin3 joined #salt |
| 10:45 |
|
degorenko joined #salt |
| 10:46 |
|
NV joined #salt |
| 10:51 |
mage_ |
so I've added this on my minion https://gist.github.com/silenius/e61a05483cc8cf8b30cd04678dc33a1a |
| 10:52 |
mage_ |
does it looks ok ? |
| 10:53 |
hemebond |
Why would you do that? |
| 10:54 |
hemebond |
You can already access the pillars whenever you want. Why do you want to use the Mine to get it? |
| 10:54 |
|
madboxs joined #salt |
| 10:54 |
mage_ |
hemebond: because I'd like to use it in an ext_pillar |
| 10:55 |
mage_ |
__salt__['pillar.get'] in an ext_pillar is run on the master, so I can't access any minion pillar data |
| 10:57 |
mage_ |
does it sounds weird? |
| 10:57 |
hemebond |
It does. But I don't use ext_pillar so I don't know what you're doing. |
| 11:00 |
mage_ |
for each minion I'm trying to retrieve the icinga master node (from pillar icinga:client:master) to be able to use it in an ext_pillar |
| 11:01 |
mage_ |
so that in my ext_pillar I can run a command "icinga2 pki ticket --cn minion_id" on this icinga master node and retrieve a token |
| 11:02 |
|
edrocks joined #salt |
| 11:03 |
hlub |
what is that "range cluster" mentioned the docs of compound matchers? |
| 11:03 |
mage_ |
mmh but maybe I could simple use a mine function on the icinga master with all the minion |
| 11:03 |
hlub |
cant find any explanation for that. |
| 11:04 |
mage_ |
is the Salt mine "secure"? I mean is there a way to say "only minion foo and bar are able to access it" ? |
| 11:06 |
hlub |
mage_: no, afaik |
| 11:06 |
hlub |
mage_: but when using public/private keys, you can use mine to distributre public keys efficiently. |
| 11:08 |
ravenx |
after launching the job and using --show-jid |
| 11:08 |
ravenx |
is there anyway of using salt, or salt-run command to check the current status |
| 11:08 |
ravenx |
like what it's currently executing? |
| 11:08 |
|
scsinutz joined #salt |
| 11:09 |
hlub |
ravenx: I think that id does not automatically fire events for any intermediate states of a job. |
| 11:09 |
hlub |
and that would be necessary to retrieve such info. |
| 11:10 |
ravenx |
ah i see |
| 11:10 |
ravenx |
so from what i notice it's either an all or nothing for salt |
| 11:10 |
ravenx |
either it goes (with the jid) all the steps in my formula at once |
| 11:10 |
ravenx |
and it finishes, and returns a yes/no |
| 11:10 |
|
evle1 joined #salt |
| 11:10 |
ravenx |
is my understandign correct? |
| 11:11 |
|
inad922 joined #salt |
| 11:11 |
|
dps joined #salt |
| 11:12 |
hlub |
if you run highstate for instance, it returns a lot of information about the run states but that data is available only after the whole highstate is executed. |
| 11:13 |
ravenx |
i see |
| 11:13 |
ravenx |
i am running it via state.apply tho |
| 11:14 |
hlub |
ravenx: have you read this: https://docs.saltstack.com/en/latest/ref/runners/all/salt.runners.jobs.html |
| 11:15 |
ravenx |
of course i haven't :D |
| 11:15 |
|
madboxs joined #salt |
| 11:15 |
|
fracklen joined #salt |
| 11:16 |
ravenx |
well okay, it does list jobs |
| 11:16 |
ravenx |
but i suppose what i'm looking for is incremental output @ each stage |
| 11:16 |
ravenx |
i would like to know where in my formula it is at a given time. |
| 11:17 |
hlub |
that is implicitly impossible as I pointed out earlier. of course you can fire your own events within your formula to inform about some specific points of exectuion. |
| 11:17 |
ravenx |
oh, i can? |
| 11:18 |
hlub |
https://docs.saltstack.com/en/latest/ref/states/all/salt.states.event.html |
| 11:21 |
ravenx |
WHOA |
| 11:21 |
ravenx |
this. may. be. game. changing. |
| 11:21 |
|
redmage12 joined #salt |
| 11:24 |
|
fracklen joined #salt |
| 11:25 |
ravenx |
wait, this doesn't print on stdout |
| 11:25 |
ravenx |
i'm trying to understand this, it gets sent to the master |
| 11:25 |
ravenx |
....and then i imagine i have to poll something? |
| 11:30 |
|
Xk joined #salt |
| 11:32 |
|
toanju joined #salt |
| 11:33 |
mage_ |
in fact I could also use the cache.pillar runner in my ext_pillar function, rather than the mine |
| 11:34 |
hlub |
ravenx: if you wish to execute something on master when an event fires, then use reactors. If you just want to see what events are being fired, use salt-run state.event pretty=True |
| 11:35 |
ravenx |
aaah i see |
| 11:35 |
ravenx |
beautiful. i am now writing a reactor :) |
| 11:36 |
|
madboxs joined #salt |
| 11:38 |
mage_ |
is there a runner to run a function on a minion ? |
| 11:39 |
|
mritchie joined #salt |
| 11:41 |
ravenx |
FROM the minion? |
| 11:41 |
mage_ |
no, I'd like to execute a cmd.run on minion "foo" from an ext_pillar function, so it's run on the master |
| 11:42 |
mage_ |
found it, saltutil.cmd :p |
| 11:47 |
ravenx |
hmmm reactor is not picking up my events. |
| 11:47 |
ravenx |
i will deal with it after lunch |
| 11:52 |
|
X-K joined #salt |
| 11:56 |
|
andris987654321 joined #salt |
| 11:57 |
andris987654321 |
hey |
| 11:57 |
andris987654321 |
join #13A pasw 123 |
| 11:57 |
andris987654321 |
lets troll |
| 11:57 |
|
andris987654321 left #salt |
| 11:57 |
|
mritchie joined #salt |
| 12:01 |
mage_ |
babilen: following work perfectly https://gist.github.com/silenius/b551d9f94f601be1a425282eed80ac7f |
| 12:01 |
mage_ |
what do you think ? |
| 12:04 |
|
fracklen joined #salt |
| 12:06 |
mage_ |
and maybe I could skip the mine.get part with the cache.pillar runner |
| 12:08 |
|
_JZ_ joined #salt |
| 12:09 |
|
scsinutz joined #salt |
| 12:09 |
|
mikecmpbll joined #salt |
| 12:12 |
|
lasseknudsen joined #salt |
| 12:12 |
|
Guest23454 joined #salt |
| 12:15 |
|
onlyanegg joined #salt |
| 12:15 |
|
delpanto93 joined #salt |
| 12:17 |
|
Guest23454 left #salt |
| 12:17 |
|
sagerdearia joined #salt |
| 12:20 |
|
netcho_ joined #salt |
| 12:30 |
|
Kelsar joined #salt |
| 12:36 |
|
Kelsar joined #salt |
| 12:39 |
|
fracklen joined #salt |
| 12:40 |
|
cryptolukas joined #salt |
| 12:41 |
cryptolukas |
Why don't work this if clause in my state.sls? https://gist.github.com/LukasDoe/f7df65e950d30845eb4b1e72c0ab4883 |
| 12:42 |
cryptolukas |
How can I fix it :D |
| 12:43 |
|
Rumbles joined #salt |
| 12:46 |
babilen |
cryptolukas: Probably because if grains['virtual'] == 'kvm' is false |
| 12:47 |
babilen |
(in which case you want an empty list) |
| 12:47 |
babilen |
In fact, why don't you wrap the entire state ? |
| 12:47 |
cryptolukas |
why empty list? |
| 12:49 |
cryptolukas |
My Goal.. I use only virtualized servers. lxc and kvm. This state doesn't work on lxc because, containers haven't a system locale. So I want that this state will only executed with a kvm system. |
| 12:49 |
babilen |
Because you end in a colon |
| 12:49 |
babilen |
You could target this state by 'virtual' grain rather than to all boxes |
| 12:50 |
babilen |
(or wrap the entire state in the conditional) |
| 12:50 |
babilen |
I'd probably just go for the targeting approach in top.sls |
| 12:51 |
|
redmage1 joined #salt |
| 12:51 |
cryptolukas |
its only one def. |
| 12:52 |
cryptolukas |
Which colon it's critical for salt? |
| 12:52 |
babilen |
Line 4, end |
| 12:53 |
babilen |
How many states do you require before a SLS qualifies for inclusion in top.sls ? |
| 12:53 |
babilen |
How do you target State.sls now? |
| 12:54 |
cryptolukas |
fill minion_id and spefici states no wildcards atm |
| 12:54 |
|
sfxandy joined #salt |
| 12:55 |
cryptolukas |
ahh yes i understand. i am so stupid. |
| 12:55 |
cryptolukas |
i wraped the state in the whole condition. surprise. it works xD |
| 12:56 |
babilen |
You only want it on minions with grains['virtual'] == 'kvm' .. I'd really just solve that with targeting |
| 12:56 |
babilen |
(rather than targeting it to every minion and including logic if it should really have been targeted) |
| 12:57 |
cryptolukas |
how would you target this? |
| 12:57 |
|
madboxs joined #salt |
| 12:57 |
babilen |
"'Gvirtual:kvm': - match: compound" for example |
| 12:58 |
babilen |
https://docs.saltstack.com/en/latest/topics/targeting/compound.html |
| 12:58 |
|
mritchie joined #salt |
| 12:59 |
cryptolukas |
its a good idea to change it! |
| 13:00 |
babilen |
Yes, that's why I suggested it |
| 13:00 |
sfxandy |
hi everyone. question regarding Salt (and I guess Python in general) and what SSL key/trust stores it uses by default. does anyone know by default where Salt will look for its key and trust stores. my first stab was at /etc/ssl/certs/ca-bundle.trust.crt but not certain thats the right place |
| 13:02 |
sfxandy |
am getting an error...[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed |
| 13:02 |
sfxandy |
before anyone says, skipping verirication isnt an option |
| 13:10 |
|
scsinutz joined #salt |
| 13:13 |
ravenx |
i can send an event to myself, but for some reason, reactor is not running my file.sls |
| 13:14 |
ravenx |
do i need to include its path in the file_roots |
| 13:14 |
ravenx |
i have passed the absolute path in the config file though. |
| 13:18 |
|
edrocks joined #salt |
| 13:18 |
|
numkem joined #salt |
| 13:18 |
|
Tanta joined #salt |
| 13:21 |
|
netcho_ joined #salt |
| 13:26 |
|
numkem joined #salt |
| 13:30 |
|
netcho_ joined #salt |
| 13:34 |
ravenx |
oh so reactor.state.sls files are slightly different. |
| 13:34 |
ravenx |
now i see. |
| 13:38 |
|
dendazen joined #salt |
| 13:39 |
|
mritchie joined #salt |
| 13:39 |
|
madboxs joined #salt |
| 13:44 |
|
entil joined #salt |
| 13:44 |
entil |
hi guys! I'd need to have HOME set when running states on minions, that is, currently the minion's salt process doesn't have a $HOME |
| 13:44 |
entil |
how would I go about enabling that? |
| 13:45 |
entil |
or hacking something together to make it work |
| 13:45 |
|
ssplatt joined #salt |
| 13:53 |
XenophonF |
entil: which operating system are you using that you need this? |
| 13:53 |
XenophonF |
and what operations are you performing that need this? |
| 13:54 |
entil |
XenophonF: pkg.installed with etckeeper installed; without $HOME, etckeeper's git backend can't find the user.name and user.email settings, causing an invalid exit |
| 13:54 |
entil |
XenophonF: the installation is ubuntu 14.04lts |
| 13:54 |
XenophonF |
well, damn, i was hoping for something easy ;) |
| 13:55 |
XenophonF |
does ubuntu 14.04 use upstart or systemd? i can't remember |
| 13:55 |
entil |
it's been a while since I last used salt, but I'm sure I had this working years ago |
| 13:55 |
rylnd |
i am trying to use "client.cmd('Grole:dc and Gpod:podname', 'test.ping', timeout=5, expr_form='compound')" in a custom runner, but i always get 'no minions matched the target'. it works fine when i run salt -C on the command line. can anyone point me into the right direction? |
| 13:55 |
entil |
XenophonF: a bit of both, upstart and systemd-services is installed, is that relevant? |
| 13:56 |
XenophonF |
might be - maybe we can tell the init program to set up the user's environment ahead of running salt-minion |
| 13:56 |
Dev0n |
hey, any know if it's possible to pass in logdriver params to the dockerng state? |
| 13:56 |
Dev0n |
doesn't seem to be listed here: https://docs.saltstack.com/en/2016.3/ref/states/all/salt.states.dockerng.html#salt.states.dockerng.running |
| 13:57 |
entil |
XenophonF: ok, I was thinking of an approach that pkg.installed would know about the environment or something |
| 13:57 |
|
LondonAppDev joined #salt |
| 13:58 |
entil |
I actually have no idea how to pull any of this off, though |
| 13:59 |
XenophonF |
well it's a kludge but I'd start with modifying the systemd unit file for salt-minion |
| 13:59 |
XenophonF |
add something like `Environment="HOME=/root"` |
| 13:59 |
XenophonF |
https://www.freedesktop.org/software/systemd/man/systemd.exec.html |
| 14:00 |
XenophonF |
i'm not a systemd expert but that's where i'd start |
| 14:00 |
XenophonF |
but let's take a look at the etckeeper code in salt |
| 14:00 |
XenophonF |
maybe this is a bug? |
| 14:01 |
izibi |
are there any tools for distributing and renewing shared secrets between services? |
| 14:01 |
entil |
there actually isn't any etckeeper code in salt, it's installed in the bootstrap phase, when the vm is provisioned |
| 14:02 |
|
brousch__ joined #salt |
| 14:03 |
XenophonF |
so how does this all work, entil? |
| 14:03 |
XenophonF |
walk me through it |
| 14:03 |
entil |
XenophonF: when the vm is provisioned, cloud-init installs git and etckeeper, does mojo to have etckeeper use git (instead of bazaar) and configure a username and email for root |
| 14:03 |
entil |
XenophonF: this ties into dpkg so when packages are installed, the confs are automatically commited |
| 14:04 |
XenophonF |
that's pretty cool |
| 14:04 |
entil |
XenophonF: when salt applies pkg.installed, it calls dpkg, but the environment doesn't have $HOME so no git config is found -> BOOM |
| 14:04 |
XenophonF |
so when apt/dpkg get called later... |
| 14:04 |
entil |
but! |
| 14:04 |
entil |
<3 |
| 14:04 |
entil |
I just realized if I add /etc/.git/config |
| 14:04 |
entil |
then it can find the user, there's no real reason for it to be global |
| 14:05 |
XenophonF |
oh well that sounds a lot better than anything i've told you to try! |
| 14:05 |
entil |
and I ran a preliminary experiment here on the side and it appears to work :> |
| 14:05 |
|
raspado joined #salt |
| 14:05 |
XenophonF |
brb |
| 14:05 |
entil |
yeah, I forget about this stuff, I haven't done devops-y things in almost five years |
| 14:05 |
entil |
hell, I can't even apply a highstate, the whole thing is entirely broken unless I name the state I want to apply |
| 14:05 |
entil |
though that's literally tutorial part 1 |
| 14:11 |
|
scsinutz joined #salt |
| 14:12 |
|
dxiri joined #salt |
| 14:14 |
XenophonF |
is .git/config saved in the repo, so that cloning it later restores it? |
| 14:17 |
XenophonF |
izibi: i generate shared secrets myself and distribute them to minions via pillar data |
| 14:18 |
XenophonF |
in theory you could use some combo of orchestration + salt mine to generate them on a minion and re-distribute them to other minions |
| 14:19 |
XenophonF |
i don't (yet) use orchestration or salt mine, myself |
| 14:19 |
XenophonF |
it's on my list of things to learn in my Copious Free Time(tm) |
| 14:20 |
|
fracklen joined #salt |
| 14:22 |
|
inre joined #salt |
| 14:23 |
|
mbologna joined #salt |
| 14:23 |
entil |
XenophonF: the config itself is not tracked in the repo, as it's repo configuration |
| 14:23 |
entil |
XenophonF: but this is ok, I started working on the highstate thing, and I got the config done just fine |
| 14:28 |
|
sgo_ joined #salt |
| 14:29 |
entil |
XenophonF: the main thing is to ensure that top.sls places the config in there before any pkg.installed can be applied |
| 14:29 |
izibi |
XenophonF: yeah, I use pillars at the moment, but I'd like to have fully automatic rollover of these secrets |
| 14:30 |
XenophonF |
izibi: i've considered something like that, but using sdb or vault for secret storage, plus a separate secret manager |
| 14:31 |
XenophonF |
the manager handles key rollover events, updates sdb/vault, and then signals the master via the salt message bus |
| 14:31 |
XenophonF |
with reactor handling the response |
| 14:31 |
XenophonF |
or at least that's the design |
| 14:31 |
XenophonF |
i don't trust my minions enough to let them do it |
| 14:31 |
XenophonF |
what if one gets hacked? |
| 14:32 |
izibi |
trust them to do what exactly? |
| 14:33 |
XenophonF |
to manage keymat |
| 14:33 |
|
fracklen joined #salt |
| 14:33 |
XenophonF |
maybe it's my paranoia talking but i don't trust on minion to generate keying material that will be used by another |
| 14:34 |
XenophonF |
s/on minion/one minion/ |
| 14:36 |
|
inre joined #salt |
| 14:36 |
|
netcho joined #salt |
| 14:36 |
|
fracklen_ joined #salt |
| 14:49 |
|
abednarik joined #salt |
| 14:49 |
|
abednarik joined #salt |
| 14:53 |
|
redmage12 joined #salt |
| 14:53 |
|
nickabbey joined #salt |
| 14:54 |
|
LondonAppDev joined #salt |
| 14:55 |
mage_ |
any comment on this https://gist.github.com/silenius/b0982076c21931ded660f12e5d033dfb ? |
| 14:56 |
mage_ |
can I use __salt__['saltutil.cmd']( ... ) in an external pillar like I did ? |
| 14:56 |
|
numkem joined #salt |
| 14:56 |
cmarzullo |
I dunno. Pillar being compiled on the master makes me think you'll get the master's grains. |
| 14:56 |
cmarzullo |
but I dunno |
| 14:57 |
|
fracklen joined #salt |
| 14:57 |
mage_ |
__salt__['saltutil.cmd'](..., 'pillar.get') != __salt__['pillar.get'] |
| 14:57 |
|
ponyofdeath joined #salt |
| 15:00 |
|
mpanetta joined #salt |
| 15:04 |
|
mpanetta joined #salt |
| 15:04 |
Reverend |
where are ext pillars added for minions? |
| 15:05 |
Reverend |
my master is going bonkers about something but i canneh see it |
| 15:10 |
|
dxiri joined #salt |
| 15:10 |
mage_ |
I don't understand the "Assuming this minion is a master, execute a salt command" for the saltutil.cmd |
| 15:11 |
|
scsinutz joined #salt |
| 15:12 |
cmarzullo |
Reverend: external pillar is done on the master. |
| 15:12 |
Reverend |
i found it :D turns out it was ebcause I renamed my minion |
| 15:12 |
Reverend |
derp |
| 15:12 |
Reverend |
thanks anyway cmarzullo |
| 15:12 |
cmarzullo |
hehe |
| 15:14 |
|
jas02 joined #salt |
| 15:25 |
|
LondonAppDev joined #salt |
| 15:30 |
mage_ |
I love Salt but the documentation is really poor sometimes ... :( |
| 15:32 |
|
impi joined #salt |
| 15:33 |
ravenx |
?! |
| 15:34 |
ravenx |
i found salt to be one of the better ones |
| 15:34 |
babilen |
"better" doesn't necessarily mean "good", but I agree .. comprehensive documentation |
| 15:36 |
mage_ |
I don't understand why this doesn't work https://gist.github.com/silenius/b0982076c21931ded660f12e5d033dfb |
| 15:36 |
mage_ |
it looks like the problem is line 22-26 |
| 15:37 |
mage_ |
should I clear some cache when I update an ext_pillar function ? |
| 15:38 |
mage_ |
refresh_pillar works, but then pillar.items just "hangs" |
| 15:42 |
|
sarcasticadmin joined #salt |
| 15:44 |
|
dps_ joined #salt |
| 15:45 |
|
madboxs joined #salt |
| 15:46 |
mage_ |
any idea how to debug this 2017-02-21 16:45:41,832 [salt.pillar ][CRITICAL][67594] Pillar render error: Failed to load ext_pillar icinga_ticket_pillar: 'backup.lan' |
| 15:50 |
|
tiwula joined #salt |
| 15:56 |
|
candyman88 joined #salt |
| 15:57 |
mage_ |
ok I'll forget ext_pillar.. it doesn't work at all |
| 15:57 |
|
muxdaemon joined #salt |
| 16:00 |
|
fracklen joined #salt |
| 16:01 |
|
madboxs joined #salt |
| 16:04 |
|
debian112 joined #salt |
| 16:04 |
|
racooper joined #salt |
| 16:05 |
|
CrummyGummy joined #salt |
| 16:08 |
|
armyriad joined #salt |
| 16:08 |
|
kojiro joined #salt |
| 16:11 |
|
nickabbey joined #salt |
| 16:12 |
|
scsinutz joined #salt |
| 16:13 |
|
WesleyTech_ joined #salt |
| 16:14 |
cmarzullo |
mage_: to backup. |
| 16:15 |
cmarzullo |
you are trying to query incinga for stuf ya? why not just query it directly? |
| 16:15 |
cmarzullo |
from your external pillar |
| 16:15 |
cmarzullo |
lemme look at your gist again. |
| 16:15 |
|
jimklo joined #salt |
| 16:15 |
cmarzullo |
In a nut shell what is that gist supposed to do? |
| 16:16 |
cmarzullo |
give you a token? |
| 16:17 |
hexa- |
I want to expose prometheus exporters through grains and the mine as a list, however I don't quite understand how to handle a list in grains |
| 16:17 |
|
madboxs joined #salt |
| 16:17 |
cmarzullo |
you should just be able to query the icinga api directly and get your pki token. |
| 16:17 |
hexa- |
if I want to add an element to the list it must already exist, where would be the place to create the list? |
| 16:17 |
|
wnkz joined #salt |
| 16:24 |
cmarzullo |
dunno hexa- I usally avoid grains. |
| 16:24 |
cmarzullo |
and I'm scared of the mine. |
| 16:24 |
hexa- |
hehe |
| 16:24 |
hexa- |
it's the only sane way to share host information between hosts |
| 16:25 |
cmarzullo |
I've been more comfortable using external pillar |
| 16:25 |
hexa- |
each host exposes what it needs to have monitored and the monitoring can properly iterate over all these things and reconfigure itself |
| 16:25 |
cmarzullo |
with the mine if you lose themessage bus. you lose all the values in the mine. Which may take some time to repopulate |
| 16:26 |
cmarzullo |
(as I understand it) |
| 16:26 |
cmarzullo |
In your case, if you lose the mine. your montiring system will drop all the things. and you'll be monitoring nothing until the mine repopulates. |
| 16:26 |
|
nickabbey joined #salt |
| 16:26 |
cmarzullo |
that's too scary for me. |
| 16:27 |
cmarzullo |
I have systems check into an inventory system. Then the monitoring system checks the inventory system. |
| 16:31 |
|
WesleyTech__ joined #salt |
| 16:31 |
cmarzullo |
Better yet would be to have the systems being monitored contact your monitoring api and enroll themselves directly. |
| 16:32 |
|
swills joined #salt |
| 16:33 |
|
Rumbles joined #salt |
| 16:35 |
|
Heartsbane joined #salt |
| 16:35 |
|
Heartsbane joined #salt |
| 16:35 |
|
hasues joined #salt |
| 16:37 |
brd |
with Jinja is it possible to nest variables? |
| 16:40 |
X-K |
Hi, quick question about doc : https://docs.saltstack.com/en/latest/topics/eauth/index.html#usage. It is not clear if you can do the same using CLI for runner/job/wheel or if the @runner (for example) in external_auth make it available only in salt-api |
| 16:41 |
|
seanz joined #salt |
| 16:43 |
|
cyborg-one joined #salt |
| 16:45 |
|
Cottser joined #salt |
| 16:47 |
kojiro |
Hi, I'm trying to get to the bottom of a weirdness. When I run any salt-ssh command, it takes about 10 seconds just to get started. time salt-ssh --help > /dev/null outputs "real 0m10.412s". If I create a new virtualenv and install salt-ssh in it, it takes 0m0.309s. |
| 16:47 |
kojiro |
I tried deleting Saltfile and config, but it didn't change anything |
| 16:47 |
cmarzullo |
DNS? |
| 16:47 |
kojiro |
for --help? |
| 16:47 |
cmarzullo |
ok you got me there :) |
| 16:48 |
cmarzullo |
real 0m0.881s |
| 16:48 |
cmarzullo |
on my prod box |
| 16:48 |
brd |
still might be doing a dns lookup |
| 16:49 |
kojiro |
brd: can you suggest a syscall to look for, in particular? |
| 16:49 |
kojiro |
this is on os x and I'm trying to learn how to use dtruss, but it isn't the strace I'm used to |
| 16:49 |
brd |
hmm, it might be gethostbyname, but not sure |
| 16:50 |
cmarzullo |
was about to suggest strace. |
| 16:50 |
brd |
kojiro: tcpdump might be better.. |
| 16:50 |
honestly |
will almost certainly do a dns-lookup if run under sudo |
| 16:50 |
kojiro |
a dns lookup for what? |
| 16:51 |
cmarzullo |
#macoslyfe |
| 16:51 |
cmarzullo |
I've only run salt in a virtual env on mac. |
| 16:55 |
|
djgerm joined #salt |
| 16:55 |
kojiro |
dtruss only records about 497ms of stuff happening, total |
| 16:56 |
kojiro |
but the operation (sudo dtruss salt-ssh --help) took 16 real seconds |
| 16:57 |
|
samodid joined #salt |
| 16:59 |
cmarzullo |
have your tried running as root. and not through sudo? |
| 17:03 |
honestly |
Definitely sounds like a dns lookup |
| 17:03 |
honestly |
Sudo looks up the machine's hostname |
| 17:04 |
honestly |
Because sudo can be configured based on hostname |
| 17:04 |
|
scsinutz joined #salt |
| 17:04 |
honestly |
If that times out you'll see delays |
| 17:10 |
|
mikecmpbll joined #salt |
| 17:12 |
|
ivanjaros joined #salt |
| 17:13 |
|
sgo_ joined #salt |
| 17:18 |
|
relidy joined #salt |
| 17:18 |
|
jrklein joined #salt |
| 17:19 |
|
hasues left #salt |
| 17:23 |
|
abednarik joined #salt |
| 17:29 |
|
edrocks joined #salt |
| 17:33 |
|
kojiro joined #salt |
| 17:41 |
|
NeoXiD joined #salt |
| 17:44 |
|
swills joined #salt |
| 17:47 |
|
gmoro joined #salt |
| 17:48 |
|
gmoro joined #salt |
| 17:55 |
|
raspado joined #salt |
| 17:59 |
|
nickabbey joined #salt |
| 18:05 |
|
mikecmpbll joined #salt |
| 18:08 |
|
Praematura joined #salt |
| 18:11 |
|
sdemura joined #salt |
| 18:11 |
sdemura |
I've been using salt-cloud w/ vmware for months, but today I'm getting this message. Any ideas?: "The vCenter Server is unable to decrypt passwords stored in the customization specification" |
| 18:11 |
sdemura |
^ no configuration changes in salt or vsphere |
| 18:17 |
|
cryptolukas joined #salt |
| 18:18 |
|
SaucyElf joined #salt |
| 18:22 |
|
dyasny joined #salt |
| 18:23 |
|
muxdaemon joined #salt |
| 18:26 |
djgerm |
did you vcenter user password expire? |
| 18:27 |
|
juntalis joined #salt |
| 18:27 |
|
Patrick_ joined #salt |
| 18:27 |
Patrick_ |
Hey, I am new to SaltStack and I need help with a state. |
| 18:28 |
|
Aleks3Y joined #salt |
| 18:28 |
sdemura |
@djgerm -- figured out my problem. Password didn't change but apparently I need "plain_text: true" in my windows profiles. Haven't needed it before. Docs don't say when the feature was added. though |
| 18:30 |
|
mavhq joined #salt |
| 18:31 |
|
nl joined #salt |
| 18:31 |
djgerm |
Well that sounds scary. Glad you found it! |
| 18:33 |
|
madboxs joined #salt |
| 18:35 |
cmarzullo |
Patrick_: just ask |
| 18:38 |
|
nickabbey joined #salt |
| 18:38 |
|
jas02 joined #salt |
| 18:43 |
|
jas02 joined #salt |
| 18:44 |
|
systeem joined #salt |
| 18:46 |
|
madboxs joined #salt |
| 18:47 |
|
SaucyElf joined #salt |
| 18:48 |
|
DammitJim joined #salt |
| 18:51 |
|
Rumbles joined #salt |
| 18:58 |
DammitJim |
silly question |
| 18:58 |
|
madboxs joined #salt |
| 18:58 |
DammitJim |
how do I use a regular expression to find a line like this: /dev/fd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0 |
| 18:58 |
DammitJim |
I'm trying to comment it out using file.comment |
| 19:01 |
|
SaucyElf joined #salt |
| 19:03 |
|
edrocks joined #salt |
| 19:05 |
|
DammitJim joined #salt |
| 19:07 |
|
s_kunk joined #salt |
| 19:11 |
|
madboxs joined #salt |
| 19:13 |
honestly |
DammitJim: well how specific does it need to be? |
| 19:14 |
DammitJim |
not very.... probably just fd0 |
| 19:14 |
cmarzullo |
he gone |
| 19:14 |
honestly |
cmarzullo: you wrong |
| 19:14 |
honestly |
DammitJim: how familiar are you with regular expressions? |
| 19:14 |
cmarzullo |
doh! saw the quit but not the rejoin |
| 19:14 |
DammitJim |
some |
| 19:15 |
honestly |
well so |
| 19:15 |
|
st8less joined #salt |
| 19:15 |
DammitJim |
just confused about how salt needs it specified in the regex line of the state |
| 19:15 |
honestly |
I'd just put '^/dev/fd0' |
| 19:15 |
brd |
the leading ^ is not needed |
| 19:15 |
whiteinge_ |
X-K: salt-run has a `-a` flag to use eauth at the CLI |
| 19:16 |
honestly |
brd: the documentation disagrees with you |
| 19:16 |
honestly |
brd: https://docs.saltstack.com/en/latest/ref/states/all/salt.states.file.html#salt.states.file.comment |
| 19:17 |
brd |
honestly: oh, for uncomment it is removed |
| 19:18 |
DammitJim |
WHAT???? |
| 19:18 |
cscf |
To make it easier to flip between comment and uncomment |
| 19:19 |
cscf |
you wouldn't normally want to uncomment the line starting with a non-comment character, that wouldn't really make sense |
| 19:20 |
DammitJim |
so, if I wanted to match /dev/fd0 <more stuff> |
| 19:20 |
DammitJim |
regex: ^\/dev\/fd0.+ |
| 19:21 |
DammitJim |
would that do it? |
| 19:21 |
cscf |
not sure about .+ there |
| 19:21 |
DammitJim |
what is the equivalent of * wildcard for as many characters |
| 19:22 |
|
cacasmacas joined #salt |
| 19:23 |
cscf |
I think it will match the substring if you just leave it out, but not sure in this case |
| 19:23 |
|
oaken_chris joined #salt |
| 19:23 |
honestly |
you don't need that DammitJim |
| 19:23 |
|
madboxs joined #salt |
| 19:23 |
DammitJim |
ugh |
| 19:24 |
honestly |
also I don't think you need to escape the / |
| 19:24 |
DammitJim |
I need the $ for the end? |
| 19:24 |
honestly |
you don't |
| 19:25 |
DammitJim |
TypeError: unsupported operand type(s) for +: 'NoneType' and 'str' |
| 19:25 |
DammitJim |
regex: ^/dev |
| 19:26 |
cscf |
DammitJim, put the regex in quotes ' ' |
| 19:26 |
|
tapoxi joined #salt |
| 19:26 |
cscf |
Always quote strings, especially with special characters |
| 19:26 |
|
cyborg-one joined #salt |
| 19:27 |
honestly |
what's wrong with what I originally suggested? xD |
| 19:27 |
honestly |
'^/dev/fd0' |
| 19:27 |
|
scsinutz joined #salt |
| 19:30 |
DammitJim |
- regex: '^/dev' |
| 19:30 |
DammitJim |
gives me that error: TypeError: unsupported operand type(s) for +: 'NoneType' and 'str' |
| 19:31 |
honestly |
either you did something else very wrong, or this is salt wonkiness |
| 19:31 |
tapoxi |
possible to set ip via salt-cloud ec2? |
| 19:32 |
DammitJim |
honestly, like what? |
| 19:32 |
honestly |
show the whole state |
| 19:33 |
DammitJim |
http://pastebin.com/9XE312QL |
| 19:34 |
honestly |
get rid of the char |
| 19:34 |
honestly |
yeah |
| 19:34 |
honestly |
that's the problem here |
| 19:34 |
DammitJim |
what??? |
| 19:34 |
honestly |
line four in the paste. |
| 19:34 |
honestly |
get rid of it. |
| 19:34 |
DammitJim |
are you serious? it says it in the docs! |
| 19:34 |
DammitJim |
I though... |
| 19:34 |
honestly |
the char is already # by default |
| 19:35 |
honestly |
but # is also the comment character for yaml |
| 19:35 |
honestly |
so what you did was specify null for char |
| 19:35 |
honestly |
leading to the error |
| 19:35 |
DammitJim |
oh |
| 19:35 |
DammitJim |
dammit |
| 19:35 |
DammitJim |
thanks! |
| 19:35 |
DammitJim |
brb |
| 19:36 |
|
sjorge joined #salt |
| 19:36 |
|
sjorge joined #salt |
| 19:37 |
|
onlyanegg joined #salt |
| 19:41 |
|
Renich joined #salt |
| 19:49 |
|
edrocks joined #salt |
| 19:50 |
|
gableroux joined #salt |
| 19:51 |
|
Guest79771 joined #salt |
| 19:52 |
|
gableroux joined #salt |
| 19:56 |
|
oida joined #salt |
| 19:56 |
|
inad922 joined #salt |
| 19:59 |
|
tkojames joined #salt |
| 20:04 |
|
icebal_ joined #salt |
| 20:09 |
|
DammitJim joined #salt |
| 20:11 |
|
Guest79771 joined #salt |
| 20:16 |
|
Guest79771 joined #salt |
| 20:17 |
|
Trauma joined #salt |
| 20:21 |
|
Guest79771 joined #salt |
| 20:26 |
|
Guest79771 joined #salt |
| 20:27 |
|
scsinutz joined #salt |
| 20:30 |
|
ChubYann joined #salt |
| 20:31 |
|
abednarik joined #salt |
| 20:37 |
|
madboxs joined #salt |
| 20:39 |
|
snergster joined #salt |
| 20:47 |
|
jhauser joined #salt |
| 20:50 |
|
_JZ_ joined #salt |
| 21:03 |
|
tkojames_ joined #salt |
| 21:04 |
|
dxiri joined #salt |
| 21:09 |
|
nZac joined #salt |
| 21:14 |
|
seanz joined #salt |
| 21:19 |
|
debian_ joined #salt |
| 21:23 |
|
TheoSLC joined #salt |
| 21:24 |
|
debian_ joined #salt |
| 21:27 |
|
fracklen joined #salt |
| 21:27 |
|
sagerdearia joined #salt |
| 21:30 |
|
tkojames_ joined #salt |
| 21:32 |
|
joe__ joined #salt |
| 21:37 |
|
nZac_ joined #salt |
| 21:38 |
|
madboxs joined #salt |
| 21:38 |
|
Edgan joined #salt |
| 21:48 |
|
madboxs joined #salt |
| 21:52 |
|
oaken_chris joined #salt |
| 21:56 |
|
noob_ joined #salt |
| 21:57 |
|
shalkie joined #salt |
| 21:58 |
|
raspado joined #salt |
| 21:58 |
|
madboxs joined #salt |
| 22:02 |
|
mikecmpbll joined #salt |
| 22:04 |
|
aarontc joined #salt |
| 22:04 |
|
Kelsar joined #salt |
| 22:05 |
|
mswart joined #salt |
| 22:05 |
|
fracklen joined #salt |
| 22:05 |
|
swa_work joined #salt |
| 22:06 |
DammitJim |
what is the best way to pass mysql credentials to do something in mysql on a minion? |
| 22:07 |
DammitJim |
for example, I need to create a user |
| 22:08 |
whytewolf |
well if it is a quick thing the module supports just passing in creds. other wise i perfer pillar settings |
| 22:08 |
manji |
DammitJim, if you are on debian |
| 22:08 |
|
madboxs joined #salt |
| 22:09 |
manji |
create /etc/salt/minion.d/mysql.conf |
| 22:09 |
manji |
and put mysql.default_file: /etc/mysql/debian.cnf |
| 22:09 |
DammitJim |
whytewolf, set the stuff on pillar to pass that through the state, right? |
| 22:09 |
manji |
it will use the debian maintenance user to create users and stuff |
| 22:09 |
whytewolf |
manji: don't need to edit minion config files for mysql settings. |
| 22:09 |
DammitJim |
interesting |
| 22:09 |
whytewolf |
mysql module uses config.get |
| 22:10 |
whytewolf |
mysql.default_file: /etc/mysql/debian.cnf in a pillar on the minion does the same thing and saves the minion restart |
| 22:10 |
DammitJim |
mysql. state also, whytewolf ? |
| 22:10 |
whytewolf |
DammitJim: mysql state uses the mysql module |
| 22:10 |
manji |
whytewolf, that is interesting |
| 22:11 |
DammitJim |
duh for me |
| 22:11 |
DammitJim |
so, the credentials go in pillar... plain text, right? |
| 22:11 |
whytewolf |
yes |
| 22:12 |
manji |
DammitJim, well if you can have this mysql.default_file: /etc/mysql/debian.cnf |
| 22:12 |
manji |
as pillar data |
| 22:12 |
manji |
you save yourself from that |
| 22:12 |
DammitJim |
manji, mysql-server 5.7 screwed up some stuff |
| 22:12 |
DammitJim |
I don't know if I can go that route |
| 22:12 |
whytewolf |
yeah if your debian defintly use the debian mant creds [which is what that file is] |
| 22:12 |
DammitJim |
looking into pillar with creds |
| 22:13 |
DammitJim |
it's Ubuntu... same as Debian in this case? |
| 22:13 |
whytewolf |
yes |
| 22:13 |
manji |
yes |
| 22:13 |
|
fracklen joined #salt |
| 22:13 |
manji |
unless cannonical decided to rediscover the wheel or something |
| 22:13 |
DammitJim |
hold on |
| 22:13 |
DammitJim |
so, I need to do a file.managed of /etc/salt/minion.d/mysql.conf |
| 22:14 |
whytewolf |
DammitJim: no |
| 22:14 |
DammitJim |
push that file to the minion? |
| 22:14 |
manji |
DammitJim, as whytewolf said, it will require a minion restart |
| 22:14 |
DammitJim |
I'm fine with the minion restart |
| 22:14 |
DammitJim |
but how do I manage this from salt? |
| 22:14 |
DammitJim |
do I push something to the minion? |
| 22:14 |
manji |
file.managed: |
| 22:15 |
manji |
- name: /etc/salt/minion.d/mysql.conf |
| 22:15 |
manji |
- contents: | |
| 22:15 |
manji |
mysql.default_file: /etc/mysql/debian.cnf |
| 22:15 |
manji |
that is my config |
| 22:15 |
DammitJim |
whoa |
| 22:15 |
whytewolf |
trying to find the gist i used to use for this on ubuntu |
| 22:15 |
DammitJim |
and then in my states for doing stuff like creating or granting a user, I don't have to do anything? |
| 22:16 |
manji |
yes |
| 22:16 |
manji |
but I'd go with the way whytewolf said |
| 22:16 |
DammitJim |
manji, you are confusing me now |
| 22:16 |
manji |
I will try it, because you can't restart the minion service during a state |
| 22:16 |
DammitJim |
I was going to use your state |
| 22:16 |
manji |
DammitJim, do that for starters, and then try what whytewolf said, as it sounds better :p |
| 22:16 |
whytewolf |
basicly the pillar way is faster and avoids a restart which in a highstate can be disrupting |
| 22:17 |
manji |
both ways work :p |
| 22:17 |
whytewolf |
but other wise yeah either way works |
| 22:17 |
DammitJim |
oh crap, I'm doing the pillar (which is what I wanted to do originally) |
| 22:17 |
manji |
whytewolf, I as scratching my head over this btw |
| 22:18 |
|
madboxs joined #salt |
| 22:18 |
whytewolf |
DammitJim: thought i had a better example but this is the short and skinny of what i used to do when i was on ubuntu https://gist.github.com/whytewolf/1e942a1b982000b9d315 |
| 22:19 |
|
abednarik joined #salt |
| 22:20 |
DammitJim |
whytewolf, dude, stop confusing me |
| 22:20 |
DammitJim |
I'm just going to do the pillar ;) |
| 22:20 |
whytewolf |
ohhhhhh, what i have a better example of is the debconf stuff for first installing mysql |
| 22:20 |
whytewolf |
lol DammitJim that is what the gist is :P |
| 22:20 |
DammitJim |
lol... I already got that |
| 22:20 |
DammitJim |
it's a mess, btw |
| 22:21 |
whytewolf |
that example? |
| 22:22 |
whytewolf |
well look at the bright side. ubuntu/debian is WAY easier then centos for installing mysql |
| 22:22 |
manji |
whytewolf, have you found a way to set the root pass with debconf |
| 22:22 |
whytewolf |
manji: https://gist.github.com/whytewolf/ad31700f4ebd2b9a5b05 |
| 22:22 |
manji |
without having it plaintext ? |
| 22:23 |
whytewolf |
oh.. well you could use gpg rendering with pillar |
| 22:23 |
manji |
hm right, |
| 22:23 |
manji |
damn I will have to do that at some point for certificate keys etc |
| 22:26 |
manji |
whytewolf, lol you dead with java crap too mate? :p |
| 22:26 |
whytewolf |
lol |
| 22:27 |
whytewolf |
needed it for elasticsearch |
| 22:27 |
manji |
we all need it for something :p |
| 22:27 |
|
mswart left #salt |
| 22:27 |
DammitJim |
I don't get it... I don't see an option to have salt pass a connection_user or password for a grant :( |
| 22:28 |
|
shalkie joined #salt |
| 22:28 |
DammitJim |
or are those defaults? |
| 22:28 |
|
madboxs joined #salt |
| 22:29 |
whytewolf |
DammitJim: the /etc/mysql/debian.cnf file in ubuntu/debian is a connection file used by the operating system for maintaince tasks it has all the username and password stuff |
| 22:29 |
DammitJim |
whytewolf, I'm using pillar |
| 22:29 |
DammitJim |
nothing with debian.cnf |
| 22:29 |
whytewolf |
... |
| 22:29 |
whytewolf |
/etc/mysql/debian.cnf has nothing to do with salt it is in mysql |
| 22:29 |
DammitJim |
oh, but why are you telling me about that? ;) |
| 22:30 |
whytewolf |
your pillar tells salt to use that file for it's connection info |
| 22:30 |
whytewolf |
mysql.default_file: /etc/mysql/debian.cnf |
| 22:30 |
whytewolf |
thats the whole pillar |
| 22:31 |
whytewolf |
no muss no fuss |
| 22:31 |
DammitJim |
oh, what? |
| 22:31 |
DammitJim |
so, you are NOT passing connection_user info from pillar |
| 22:31 |
whytewolf |
no |
| 22:32 |
DammitJim |
we are just managing that file and then salt will just run everything with that info from that file? |
| 22:32 |
whytewolf |
connection_user is an override |
| 22:32 |
whytewolf |
you are not even manageing the file |
| 22:32 |
whytewolf |
mysql puts it there |
| 22:32 |
DammitJim |
ok, so, one more time |
| 22:32 |
DammitJim |
first step... go to the minion? |
| 22:33 |
* whytewolf |
sighs |
| 22:33 |
whytewolf |
is mysql installed? |
| 22:33 |
DammitJim |
yes |
| 22:33 |
whytewolf |
okay. go to the minion |
| 22:33 |
DammitJim |
I see a debian-sys-maint user |
| 22:33 |
DammitJim |
and a password for it |
| 22:33 |
DammitJim |
in /etc/mysql/debian.cnf |
| 22:33 |
whytewolf |
exactly |
| 22:33 |
DammitJim |
what's next? |
| 22:34 |
whytewolf |
on the master set up a pillar for the minion that is 'mysql.default_file: /etc/mysql/debian.cnf' |
| 22:34 |
manji |
DammitJim, do you have something like: pillars/mysql/init.sls ? |
| 22:34 |
DammitJim |
yes |
| 22:34 |
manji |
greate |
| 22:35 |
manji |
great* |
| 22:35 |
DammitJim |
so, I go to /srv/pillar/mysql/init.sls |
| 22:35 |
DammitJim |
edit the file and do what? |
| 22:35 |
manji |
go to the beginning of the file |
| 22:35 |
DammitJim |
got it |
| 22:35 |
manji |
and add mysql.default_file: /etc/mysql/debian.cnf |
| 22:35 |
manji |
(you are doing that in a staging environment, yes?) |
| 22:35 |
DammitJim |
yes |
| 22:35 |
DammitJim |
OMG, that's it? |
| 22:36 |
DammitJim |
I just added that long string to the beginning of the line |
| 22:36 |
DammitJim |
now? |
| 22:37 |
whytewolf |
push the pillar and enjoy connectivity |
| 22:37 |
whytewolf |
[well as long as no one has done something stupid like remove the maintence user not knowing what it was] |
| 22:38 |
DammitJim |
salt <server> saltutil.refresh_pillar |
| 22:38 |
DammitJim |
? |
| 22:38 |
whytewolf |
yeap |
| 22:38 |
manji |
that would help yes |
| 22:38 |
DammitJim |
now, you are saying, I should be able to just create a user? |
| 22:38 |
|
madboxs joined #salt |
| 22:39 |
whytewolf |
yeap, without connection user stuff. to double check you can salt 'server' config.get mysql.default_file |
| 22:40 |
* whytewolf |
wishes some of the internal stuff used config.get |
| 22:40 |
DammitJim |
woot? |
| 22:41 |
DammitJim |
thanks guys |
| 22:41 |
DammitJim |
I'll have to test this tonight |
| 22:41 |
DammitJim |
I've been breaking my head trying to figure out how to pass credentials for creating users and managing databases |
| 22:41 |
DammitJim |
blah |
| 22:41 |
DammitJim |
*sigh*thanks thanks thanks |
| 22:41 |
whytewolf |
no problem. and i get it sometimes when something sounds too easy i give it a what reaction also |
| 22:42 |
whytewolf |
also like i said be glad you are on ubuntu for this. centos is a pain in the ass to fix the root password for |
| 22:44 |
DammitJim |
I'm about to start working with centos servers *sigh* |
| 22:44 |
|
onlyanegg joined #salt |
| 22:44 |
DammitJim |
and that's only because I don't have the money for red hat |
| 22:44 |
|
dxiri joined #salt |
| 22:44 |
whytewolf |
same issue with redhat anyway |
| 22:44 |
DammitJim |
oh man |
| 22:44 |
DammitJim |
Access denied |
| 22:45 |
DammitJim |
someone has been messingw ith debian-sys-maint |
| 22:45 |
whytewolf |
ugh |
| 22:45 |
|
jerrcs joined #salt |
| 22:45 |
DammitJim |
oh.... there isn't such user if I look in mysql with: select * from mysql.user; |
| 22:46 |
whytewolf |
then someone removed it... |
| 22:46 |
whytewolf |
debian puts it there by default |
| 22:46 |
DammitJim |
I take that back... it's right there |
| 22:46 |
DammitJim |
| localhost | debian-sys-maint | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| 22:46 |
DammitJim |
| Y | N | | | | | 0 | 0 | 0 | 0 | mysql_native_password | |
| 22:46 |
DammitJim |
blah, sorry |
| 22:47 |
DammitJim |
weird, the password doesn't work |
| 22:47 |
DammitJim |
that's weird |
| 22:48 |
whytewolf |
you are trying to get in by localhost right? |
| 22:48 |
whytewolf |
[it is a localhost only account] |
| 22:48 |
DammitJim |
yeah, I mean, I logged on to the server via ssh |
| 22:48 |
DammitJim |
then used the debian user for mysql like: mysql -u debian... -p |
| 22:48 |
|
madboxs joined #salt |
| 22:49 |
whytewolf |
okay, then maybe someone changed it for "reasons" |
| 22:49 |
DammitJim |
hhhmmmm... the password is different when I look at the hash |
| 22:49 |
DammitJim |
should I update the password? |
| 22:50 |
whytewolf |
i would. |
| 22:50 |
DammitJim |
it sounds like it's not doing anything anyways |
| 22:50 |
DammitJim |
ok, gotta run |
| 22:50 |
DammitJim |
baseball |
| 22:50 |
DammitJim |
good evening, I'll let you know how it goes... |
| 22:54 |
|
st8less_ joined #salt |
| 22:56 |
|
st8less_ joined #salt |
| 23:01 |
|
dendazen joined #salt |
| 23:04 |
|
madboxs joined #salt |
| 23:10 |
|
nidr0x joined #salt |
| 23:11 |
|
Aleks3Y joined #salt |
| 23:21 |
|
hasues joined #salt |
| 23:26 |
pcn |
has anyone tried the dockerng sttes with AWS's ECS? |
| 23:43 |
|
raspado joined #salt |
| 23:55 |
|
scsinutz1 joined #salt |
