IRC log for #salt, 2017-03-03

All times shown according to UTC.

Time Nick Message
00:04 mosen joined #salt
00:05 SaucyElf joined #salt
00:13 shoemonkey joined #salt
00:23 dendazen joined #salt
00:48 shoemonkey joined #salt
00:54 justanotheruser joined #salt
00:58 orionx joined #salt
01:09 Salander27 joined #salt
01:09 saintaquinas[m] joined #salt
01:11 aphor joined #salt
01:15 jerrykan[m] joined #salt
01:16 freelock joined #salt
01:17 ThomasJ|m joined #salt
01:20 leonkatz i'm having an issue running module boto_secgroup, its not recognizing the vpc_id or the vpc_name
01:20 madboxs joined #salt
01:21 leonkatz https://gist.github.com/leonkatz/996d13993ad198be3c350816e1bab73d
01:22 hemebond1 Does it work from the command line?
01:22 leonkatz i haven't tried because i have to pass the auth
01:22 hemebond1 That looks wrong.
01:22 leonkatz do you have an example?
01:23 hemebond1 Why are the args and kwargs not under an args or kwargs parameter?
01:23 hemebond1 Do it from the command line first.
01:23 hemebond1 Then look at how module.run works.
01:23 leonkatz which are the args and which are the kwargs
01:23 leonkatz from the command line
01:23 hemebond1 Depends on the function you're calling.
01:24 hemebond1 Right now you're passing am_name and vpc_name to module.run, and that seems wrong.
01:24 hemebond1 Maybe it's correct. I'll have a quick look.
01:25 hemebond1 Compare yours to the cloud.create example on https://docs.saltstack.com/en/latest/ref/states/all/salt.states.module.html#module-salt.states.module
01:26 leonkatz i tried putting everything under the kwargs and that just failed
01:27 leonkatz but i didn't json for mat it
01:27 leonkatz format
01:27 hemebond1 Even your top-level module.run parameters look wrong.
01:28 leonkatz wrong how?
01:30 jas02 joined #salt
01:30 avalarion_ joined #salt
01:33 hemebond1 I think it'll be fine if most is just moved to sub-parameters.
01:37 leonkatz i tried to move everything to kwargs
01:37 leonkatz and it complained about no authentication, so i moved the profiles out
01:37 hemebond1 Pasted up?
01:37 leonkatz sorry?
01:37 hemebond1 Tried from the command line?
01:39 leonkatz nope not from the command line
01:39 hemebond1 Try that first
01:43 XenophonF joined #salt
01:44 edrocks joined #salt
01:50 leonkatz i'm getting the same error from the command line the The security group 'test-sg' does not exist in default VPC 'vpc-XXXXXXX'
01:50 hemebond1 There we go.
01:50 leonkatz but the vpc its giving is not the one i'm passing
01:51 leonkatz i also tried vpc_name and that gave the same error
01:51 hemebond1 What version of salt-minion?
01:52 hemebond1 Have you tried vpc_id?
01:52 leonkatz yes both
01:53 leonkatz Salt: 2016.11.3
01:55 mc3520 joined #salt
01:56 mc3520 ..
01:56 hemebond1 I'll see if I can use it.
01:57 leonkatz thanks
01:57 leonkatz any chance where in the order the vpc_id is put makes any difference?
01:58 hemebond1 ugh, I have to configure a minion to use this...
02:00 mc3520 hi
02:01 nafg joined #salt
02:02 nickabbey joined #salt
02:03 hemebond1 leonkatz: Not if you use vpc_id=blah
02:03 nafg I'm getting an error from that I didn't get before: https://gist.github.com/nafg/5fc7150c52d661d91b56ae68323947ec
02:03 nafg in short, it's a cmd.run and it's saying TypeError: run_all() got multiple values for keyword argument 'python_shell'
02:03 leonkatz sorry
02:04 nafg Come to think of it, maybe this state was never triggered before
02:04 hemebond1 leonkatz: You're using a profile configured on the minion, correct?
02:05 leonkatz right now i am
02:05 leonkatz https://gist.github.com/leonkatz/996d13993ad198be3c350816e1bab73d
02:05 leonkatz just pasted my salt-call
02:05 leonkatz YYYY out the vpc num
02:06 hemebond1 And the error every time is about the secgroup not in the VPC?
02:06 leonkatz yes
02:06 leonkatz same error
02:07 leonkatz does it use boto or boto3?
02:07 hemebond1 uh
02:07 hemebond1 boto I think.
02:08 hemebond1 I can't remember where I had this stuff setup before.
02:10 leonkatz also does it matter if i do apt-get or pip install
02:10 leonkatz ?
02:10 hemebond1 I would use pip
02:10 leonkatz i used pip to get the latest
02:10 leonkatz apt-get was like 2.20 and pip was 2.46
02:11 leonkatz oh i have both
02:11 leonkatz let me remove the apt-get one
02:12 nafg Now I'm really confused
02:12 nafg https://docs.saltstack.com/en/latest/faq.html#linux-unix shows using cmd.run state with python_shell: True
02:12 leonkatz yes
02:12 nafg but https://groups.google.com/d/msg/salt-users/BU0YcxPibDI/h97mj1vJCQAJ says,
02:13 nafg IIRC, `python_shell` is a parameter only on the execution modules, not the state. That's why you get the traceback when you pass that param to the cmd.run state. The state accepts **kwargs and passes them through to the execution module, resulting in multiple values for the same parameter.
02:13 leonkatz no difference
02:13 nafg > And no, there is no `cmd.shell` state. Just use `cmd.run`.
02:13 nafg leonkatz: then how do you explain my error?
02:14 leonkatz nafg sorry i was responding to something else
02:14 zenchike1 joined #salt
02:15 nafg leonkatz: both times?
02:15 nafg Can someone help?
02:15 hemebond1 "Failed to add rule to security group." that's all I get.
02:15 nafg If only salt was implemented with a typesafe language, I wouldn't keep getting stuck every five minutes...
02:16 leonkatz i'm using salt-call so i can see the error returned by aws
02:16 hemebond1 I'm using salt-call too.
02:16 leonkatz do you have multiple vpc's in your account?
02:16 hemebond1 Yes
02:17 leonkatz and you're not adding to the default?
02:17 hemebond1 [DEBUG   ] getting group for sg-ad2e7ad7 in vpc_id vpc-0ff4dd68
02:17 hemebond1 [ERROR   ] Failed to add rule to security group.
02:18 leonkatz i pasted the whole thing into the gist
02:18 leonkatz command and output
02:25 Nahual joined #salt
02:28 keltim joined #salt
02:31 leonkatz https://gist.github.com/leonkatz/996d13993ad198be3c350816e1bab73d
02:31 cyborg-one joined #salt
02:31 leonkatz that is even stranger the debug has the right vpc, but the response is wrong
02:32 leonkatz like its not passing the vpc at all
02:33 gnomethrower joined #salt
02:34 nafg I added a git ext_pillar and salt-master logs:
02:35 nafg Exception ''Error when fetching: fatal: Could not read from remote repository. ' returned with exit code 2' caught while fetching git_pillar remote 'master git@git.[XXX].com:internal/salt-pillar.git'
02:36 icebal_ joined #salt
02:36 sp0097 joined #salt
02:36 jas02 joined #salt
02:36 nafg here's the config in /etc/salt/master:
02:36 nafg ext_pillar:
02:36 nafg - git:
02:36 nafg - master git@git.bitbean.com:internal/salt-pillar.git
02:39 nafg It sounds like it thinks 'master ' is part of the repo name?
02:39 evle joined #salt
02:39 nafg Are the docs wrong again, for the umpteenth time?
02:40 leonkatz hemebond1 i'm looking at the module its not passing a vpc_id when not egress line 457
02:40 leonkatz or am i reading that wrong
02:40 catpiggest joined #salt
02:46 hemebond1 _get_group is where it fetches the security group.
02:46 leonkatz but its failing on add rule
02:46 hemebond1 Oh shit
02:46 hemebond1 I got it.
02:46 leonkatz i'm excited
02:46 hemebond1 eeek, delete delete
02:46 hemebond1 You're passing the group ID as the name. You want group_id
02:46 hemebond1 salt-call boto_secgroup.authorize group_id=sg-
02:46 hemebond1 etc, etc, etc
02:46 leonkatz data_pipeline-project-sg thats my group name?
02:47 hemebond1 I guess so.
02:47 leonkatz and thats what i'm passing
02:47 hemebond1 oh
02:47 fracklen joined #salt
02:47 hemebond1 Ah, I don't know what source_group_name is.
02:47 hemebond1 That's where you're passing that name.
02:48 hemebond1 You've got qa-mgmt-master-sg as the group name.
02:48 leonkatz yes
02:48 leonkatz i'm adding one group to another
02:48 hemebond1 Ooooh.
02:48 hemebond1 Dang, okay. So you have the name of the group. You can't use the ID?
02:49 leonkatz i create the group in the state right above this
02:49 leonkatz if i had it would use it i could try to see if that works
02:49 leonkatz but that won't fix where i'm at
02:49 hemebond1 https://github.com/boto/boto/issues/2651
02:49 saltstackbot [#2651][OPEN] get_all_security_groups does not grab sg from non-default VPC when using groupnames | get_all_security_groups() does not grab security group from non-default VPC when specifying the list of groupnames...
02:50 hemebond1 That function is what Salt uses to find groups by name.
02:51 leonkatz been an issue since 2014, and there is a work around?
02:51 leonkatz is there a way for me to pass a value from one state to another?
02:51 leonkatz or just store it as a pillar
02:51 djgerm is there a way to merge pillar values together for disparate keys, rather than the work around.
02:51 djgerm that was badly phrased….
02:51 hemebond1 leonkatz: To be honest I'd probably use a script to do this as a workaround.
02:52 leonkatz if i can get the id when i create it i can use it
02:52 hemebond1 There is a workaround in that issue but that would need to go into the Salt source.
02:52 hemebond1 It actually looks like Salt is moving to boto3.
02:53 hemebond1 There are ways of capturing the output of some states but.... it can be messy.
02:56 nafg Why is "No states found for this minion" an error?
02:56 nafg I just added a minion, I haven't given it any states yet, and I'm trying to update states for another minion (the master)
02:56 nafg No need to make my build red :(
02:57 nafg Ok *now* what's the problem
02:57 leonkatz if i could pass states i could use get_group_id
02:57 nafg The master isn't logging errors but my pillar data isn't showing up
02:57 leonkatz i mean if i could store as pillar
02:58 nafg nothing in sudo salt '*' pillar.items
02:58 hemebond1 leonkatz: pillar data is "static" data you push out from the master.
02:59 hemebond1 Oh... I suppose if you're standalone it's on the minion.
02:59 hemebond1 I'm not sure what the best way forward is here. I suspect this was one of the reasons I stopped trying to use the boto states to do things.
03:00 nafg How can I inspect the state of salt ext_pillars?
03:01 nafg oh now I'm getting errors
03:01 nafg first,
03:01 nafg [WARNING ] git_pillar_global_lock is enabled and checkout lockfile /var/cache/salt/master/git_pillar/bbf64119345b0a3f9e51fdabb0d061c545a9b8b9ba028cb4baf2bf5f91e51166/.git/checkout.lk is present for git_pillar remote 'git@git.[XXX].com:internal/salt-pillar.git'. Process 9661 obtained the lock
03:01 nafg then,
03:01 nafg [ERROR   ] Received bad data when setting the match from the top file
03:02 leonkatz thanks for your help hemebond1, at least i'm not going crazy :)
03:02 nafg repeated every few seconds
03:03 nafg ok that could be my fault...
03:27 mc3520 ..
03:30 leonkatz joined #salt
03:34 mc3520 hi Answers plase..  Salt Version:            Salt: 2016.3.3   Dependency Versions:            cffi: 1.7.0        cherrypy: 3.2.2        dateutil: 2.5.3           gitdb: 0.5.4       gitpython: 0.3.2 RC1           ioflo: Not Installed          Jinja2: 2.8         libgit2: Not Installed         libnacl: Not Installed        M2Crypto: Not Installed            Mako: 0.9.1    msgpack-pure: Not Installed  msgpack-python: 0.4.6    mysql-python
03:34 mc3520 my salt architecture info
03:34 mc3520 salt master : cpu 16 core   /   memory 16G  / HDD SSD 500G
03:35 mc3520 salt minion : windows hyper-v VMs  (windows 2008 Enterprise) -> 12000 minions
03:35 mc3520 configuration :  timeout: 180s
03:35 mc3520 worker_threads: 300   max_open_files: 100000   zmq_backlog: 2000   pub_hwm: 2000   salt_event_pub_hwm: 128000                   event_publisher_pub_hwm: 64000   event_publisher_pub_hwm: 10000
03:35 mc3520 issue : 1. Sometimes -> Minion did not return. [No response]
03:35 mc3520 2. How to Reduce result Time?
03:35 mc3520 solution ?? or Better way??
03:36 mc3520 Answers please..
03:38 jas02 joined #salt
03:38 DEger joined #salt
03:40 DEger_ joined #salt
03:46 edrocks joined #salt
03:54 cyborg-one joined #salt
04:00 ivanjaros joined #salt
04:00 hemebond1 mc3520: It's the minions that compile and apply the states.
04:00 hemebond1 Make them faster and they will return faster.
04:01 hemebond1 You have 12 thousand minions?
04:21 onlyanegg joined #salt
04:27 mc3520 ok minions 12000
04:27 hemebond1 Wow.
04:27 mc3520 large scale
04:27 hemebond1 Salt working well for you?
04:28 mc3520 no
04:28 hemebond1 Oh :-(
04:28 mc3520 sometimes Salt request timed out. The master is not responding. If this error persists after verifying the master is up, worker_threads may need to be increased.
04:28 mc3520 current worker_threads: 300
04:29 mc3520 total minions 12000   /  linux 10%  / windows 90%
04:30 hemebond1 I wonder if Saltstack ever looked at using something like RabbitMQ for publishing jobs.
04:32 mc3520 no we did not use any public solution.
04:32 hemebond1 Public solution?
04:33 mc3520 like RabbitMQ
04:33 hemebond1 Oh, no I meant the Saltstack team using RabbitMQ instead of writing their own publishing/event system.
04:34 mc3520 we are using ZMQ
04:34 hemebond1 What version of Salt are you using?
04:35 fgimian joined #salt
04:35 mc3520 master  Salt: 2016.11.2    minions is too
04:35 hemebond1 Have you tried out the TCP transport?
04:36 mc3520 yes
04:36 mc3520 we are trying TCP transport.
04:37 mc3520 ZMQ: 4.1.4
04:37 mc3520 we referred the large section of  master configure
04:38 hemebond1 No, not ZMQ, the new TCP/Tornado transport.
04:39 mc3520 Tornado: 4.2.1
04:39 hemebond1 So you're using both 0MQ and TCP transport?
04:40 Sammichmaker joined #salt
04:40 mc3520 yes
04:40 mc3520 both is using now
04:40 hemebond1 Problem is the same on both transports?
04:41 mc3520 i think that both is not problem
04:42 mc3520 is the master resource expand?
04:43 mc3520 our service is SaaS
04:44 preludedrew joined #salt
04:44 mc3520 has a problem of single master ?
04:44 jas02 joined #salt
04:44 hemebond1 Maybe. If you're updating all 12k minions at once.
04:44 mc3520 i think that this point has a problem (single master)
04:45 hemebond1 Have you tried adjusting the worker_threads?
04:45 mc3520 yes
04:45 mc3520 master thread was updated to 300
04:46 hemebond1 Did it help at all?
04:47 utsysadmin joined #salt
04:47 mc3520 yes. thanks a lot
04:47 mc3520 we try to more
04:54 utsysadmin joined #salt
04:57 onlyanegg joined #salt
05:00 rdas joined #salt
05:05 justanotheruser joined #salt
05:22 nickabbey joined #salt
05:34 cachedout mc3520: Do you get this problem when targeting a smaller set of minions, like only 1,000?
05:34 inad922 joined #salt
05:35 cachedout And when you get this response, have you determined if the missing minions received the publication by examining their logs?
05:36 cachedout Typically when you get that sort of issue, the problem is not with the transport but with the fact that large numbers of minions are attempting to contact the master at once.
05:55 scristian joined #salt
06:11 samodid joined #salt
06:16 ivanjaros3916 joined #salt
06:23 nickabbey joined #salt
06:26 Deliant joined #salt
06:36 mc3520 thanks
06:36 mc3520 I think so too
06:39 mc3520 do you have a good idea?
06:39 mc3520 for solve the not response problem
06:40 mc3520 master logs ->   [salt.utils.verify][CRITICAL][44533] The number of accepted minion keys(8324) should be lower than 1/4 of the max open files soft setting(16384). Please consider raising this value
06:41 mc3520 we see the log sometimes.
06:41 hemebond1 Have you done that?
06:41 miao9611 joined #salt
06:43 mc3520 salt master configuration -> #max_open_files: 100000   disabled
06:43 mc3520 OS ulimit -> 20000
06:43 mc3520 root hard nofile 20000   /  root soft nofile 20000
06:44 mc3520 limits.conf  ubuntu 16.04
06:44 hemebond1 If you run a command in batches, do you get the timeouts?
06:45 mc3520 timeout:180
06:46 mc3520 we get the time out and no response sometimes
06:46 mc3520 almost 100%
06:46 hemebond1 What if you use "--batch-size 10"?
06:46 hemebond1 Or some other number.
06:47 hemebond1 Maybe --batch-size 300
06:47 mc3520 we did not run this option
06:47 hemebond1 salt '*' -b 300 test.ping
06:47 mc3520 i will try now
06:48 mc3520 ][ERROR   ][48458] Error in function _return: Traceback (most recent call last):   File "/usr/lib/python2.7/dist-packages/salt/master.py", line 1591, in run_func     ret = getattr(self, func)(load)   File "/usr/lib/python2.7/dist-packages/salt/master.py", line 1404, in _return     self.opts, load, event=self.event, mminion=self.mminion)   File "/usr/lib/python2.7/dist-packages/salt/utils/job.py", line 67, in store_job     salt.utils.e
06:48 edrocks joined #salt
06:48 mc3520 upper is master log
06:49 hemebond1 oooo
06:49 mc3520 i am trying. plz wait.
06:52 mc3520 below is result
06:52 mc3520 root@SALT-APP:/etc/salt# time salt '*' -b 300 test.ping  real 3m42.121s  user 0m17.496s  sys 0m0.228s
06:52 hemebond1 That was faster than I thought. Did all the minions return?
06:52 Miouge joined #salt
06:53 mc3520 no.... time is similar before
06:54 mc3520 thanks a lot
06:54 mc3520 i will be back
06:55 jas02 joined #salt
06:57 hemebond1 Faster than I expected I mean.
07:05 orionx joined #salt
07:06 lasseknudsen joined #salt
07:08 Lionel_Debroux_ joined #salt
07:10 Lionel_Debroux_ joined #salt
07:10 hemebond joined #salt
07:12 lasseknudsen2 joined #salt
07:22 DEger joined #salt
07:23 jas02 joined #salt
07:23 onlyanegg joined #salt
07:24 jas02 joined #salt
07:28 aldevar joined #salt
07:32 darioleidi joined #salt
07:39 Inveracity joined #salt
07:45 leonkatz joined #salt
07:48 XenophonF joined #salt
07:48 lasseknudsen joined #salt
07:53 duncanmv joined #salt
08:01 gnomethrower joined #salt
08:07 samodid joined #salt
08:08 mc3520 12,000 minions  Usually this time???
08:08 hemebond ?
08:08 mc3520 real3m42.  times
08:09 mc3520 Is it normal?
08:13 o1e9 joined #salt
08:19 Daemonik joined #salt
08:23 hemebond Depends on how many states you're running and how slow your minions are.
08:24 hemebond Are all your minions returning properly?
08:24 hemebond When you use the batch-size parameter?
08:25 nickabbey joined #salt
08:25 AndreasLutro 12000/300 = 40, assuming each batch takes 5 seconds (not unreasonable) that's 200 seconds, or just over 3 minutes... so yes that seems normal
08:26 mc3520 times normal but no response minions
08:27 Daemonik Is RAET used in production yet?
08:27 nafg In the top file, if I specify a state X, where does salt look. Does it have to be a file named X.sls in the same directory?
08:28 nafg (at least the salt virtual filesystem directory)
08:28 AndreasLutro nafg: by default, /srv/salt/X.sls or /srv/salt/X/init.sls
08:29 nafg AndreasLutro: ok I saw that in formulas, didn't know direct states could do that
08:29 AndreasLutro formulas and "regular" states work exactly the same
08:32 nafg AndreasLutro: so is there actually such a "thing" as a formula, or are they just a set of states files that are written in a generic way and that happen to be typically loaded via gitfs that points to that specific set of states files?
08:33 freelock joined #salt
08:33 mc3520 anyway thanks a lot
08:33 mc3520 i will be back b
08:33 AndreasLutro nafg: yeah exactly
08:33 nafg ok that's good to know
08:34 nafg Some things in salt are designed very well
08:34 nafg (I wish the rest of them were too ;) )
08:34 nafg AndreasLutro: can pillar also use the name/init.sls pattern?
08:36 nafg Can one key in the pillar reference another one?
08:37 nafg e.g.
08:37 nafg registry: XXX
08:37 nafg image: {{ registry }} /chesednow/disp:refuah311-prod
08:37 AndreasLutro nafg: yes and no, respectively
08:37 nafg :D
08:37 AndreasLutro you can set jinja variables in pillar .sls files though
08:37 nafg oh that's a good idea
08:38 nafg that works
08:39 nafg actually it doesn't serve my needs, but I can just put the burden of composing the pieces on the states
08:39 nafg or templates
08:40 xet7 joined #salt
08:41 AndreasLutro yeah that's what you should usually do, but it's a long-standing feature request to be able to re-use pillar variables in pillars
08:41 AndreasLutro https://github.com/saltstack/salt/issues/23910
08:41 saltstackbot [#23910][OPEN] Please implement static pillars | Hi,...
08:41 ronnix joined #salt
08:42 Salander27 joined #salt
08:42 saintaquinas[m] joined #salt
08:42 jerrykan[m] joined #salt
08:42 ThomasJ|m joined #salt
08:46 Rumbles joined #salt
08:50 teclator joined #salt
08:52 nafg In states and templates, why can't there just be a variable 'pillar' that I could use from jinja?
08:53 nafg writing salt['pillar.get']('docker_image.credentials') is ridiculous
08:53 nafg it's probably the most common thing jinja is used for
08:53 AndreasLutro you can
08:53 AndreasLutro {{ pillar.docker_image.credentials }}
08:53 nafg So how come I never see that?
08:54 AndreasLutro but that will hard-fail if that pillar value doesn't exist
08:54 AndreasLutro whereas salt['pillar.get'] will just return None if the key doesn't exist
08:54 nafg I guess python has no null coalesce operator etc.?
08:55 AndreasLutro indeed
08:55 nafg Also what does hard-fail mean, I assume it means the state using it will be marked failed?
08:55 honestly Use .get()
08:55 AndreasLutro no, the SLS will fail rendering, which will cause the whole highstate to never be run in the first place
08:55 nafg Also is that only if docker_image doesn't exist or even if credentials doesn't exist?
08:55 AndreasLutro both
08:55 nafg honestly: what do you mean
08:56 nafg AndreasLutro: does that hold even if the jinja is in a template?
08:56 nafg Like for a file.managed
08:57 honestly nafg: .get('key', {}) on dictionaries
08:57 AndreasLutro no
08:57 honestly nafg: You can chain that
08:58 nafg good point. To tell the truth at this point in time (just starting out with very little salt config and 1 minion other than master) I don't mind the hard fail
08:58 samodid joined #salt
08:58 nafg AndreasLutro: does python have a method missing mechanism?
08:58 nafg like ruby's, or scala.Dynamic
08:59 geomacy joined #salt
08:59 AndreasLutro not sure what you mean by that
08:59 nafg cuz theoretically they could make pillar behave like salt['pillar.get']
08:59 AndreasLutro in python, if you do mydict['foo'] and 'foo' doesn't exist in the dict, you get a KeyError
08:59 AndreasLutro not without significant black magic
09:00 nafg AndreasLutro: yeah they could use __getattr__ from what it looks like
09:00 DEger joined #salt
09:01 AndreasLutro the problem is, how do you know if __getattr__ should return None or an empty dict (to allow nested attribute getting)?
09:01 AndreasLutro __getattr__ has no way of knowing if you're doing pillar.foo or pillar.foo.bar
09:01 nafg actually first I have to ask how jinja renders an object, is there like a standard toString method like java and javascript?
09:01 nafg in python
09:01 AndreasLutro {{ foo }} just does print(foo)
09:01 lasseknudsen joined #salt
09:01 AndreasLutro which calls foo.__str__() usually
09:02 nafg ok perfect
09:03 nafg AndreasLutro: Basically you have an empty class that has two methods, __str__ and __getattr__, and a private field that represents the current path, a string. __getattr__ returns a new instance of the same class with '.' and the attribute name appended in its field, and __str__ returns the path field
09:03 nafg unless the parent path is empty, in which case skip the '.'
09:04 nafg Ahem correction,
09:04 honestly https://docs.python.org/3/howto/descriptor.html#descriptor-protocol
09:04 honestly this is not very relevant for salt though
09:04 nafg __str__ would call pillar.get
09:05 AndreasLutro {% for name, db in pillar.databases.items() %} doesn't work with that idea
09:05 AndreasLutro nor does {{ pillar.get('whatever', {}) | json }}
09:05 mikecmpbll joined #salt
09:06 AndreasLutro salt has enough black magic already, I want less, not more of that stuff
09:07 nafg AndreasLutro: you could either implement those in the class, or you could implement .get which calls pillar.get, and __str__ calls .get, then you could do that with just an added .get
09:07 nafg maybe call it safe_pillar
09:07 honestly uh
09:07 orionx joined #salt
09:07 honestly did someone mention salt['pillar.get']('foo:bar:baz')?
09:10 s_kunk joined #salt
09:17 nafg what does that do?
09:17 nafg the :
09:17 Rumbles nested items
09:17 nafg also couldn't it be salt.pillar.get?
09:17 nafg Rumbles: how is it different than . ?
09:17 Reverend joined #salt
09:17 toanju joined #salt
09:18 toanju joined #salt
09:19 toanju joined #salt
09:19 fredvd joined #salt
09:19 honestly https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.pillar.html#salt.modules.pillar.get
09:20 honestly nafg: you can write salt states in pure python
09:20 honestly then you can do whatever python can do
09:21 honestly but typically states are written as yaml dicts, containing jinja templating code
09:21 honestly jinja template code is not python, although it looks superficially similar and can call into python functions provided to its environment
09:22 nafg I'm not sure what or how you're answering
09:22 babilen Read the explanation in the link
09:22 nafg so far i've seen ., :, and ::
09:22 nafg which explanation? I looked at the link
09:22 babilen pillar.get is, essentially, a convenience function that supports nested lookups
09:22 nafg I get that
09:22 nafg that wasn't the question
09:23 babilen What was the question again?
09:23 nafg what's the difference between salt['pillar.get']('a.b'), salt['pillar.get']('a:b'), and salt['pillar.get']('a::b')
09:23 nafg that was one question
09:24 babilen Did you see/use salt['pillar.get']('a.b') / salt['pillar.get']('a::b') somewhere?
09:25 nafg babilen: @honestly just used the : syntax, and that link has ::
09:25 CeBe joined #salt
09:26 nickabbey joined #salt
09:26 AndreasLutro : isn't syntax
09:26 AndreasLutro it's just an arbitrary delimiter
09:26 babilen nafg: The latter uses "delimiter='|'" as delimiter to show that you can use a different one (which makes :: part of a single key)
09:27 nafg AndreasLutro: not sure which definition of syntax you're using ;)
09:27 nafg babilen: ahh the :: is part of the key's name, thanks
09:27 colegatron joined #salt
09:27 nafg AndreasLutro: so when is : the delimiter and when is . ?
09:27 AndreasLutro : is the delimiter in salt['pillar.get']
09:27 babilen . is never a delimiter unless you specify it to be
09:28 AndreasLutro . is never a delimiter, it's just the python syntax to access an object's attributes
09:28 babilen Please do not conflate the two
09:28 AndreasLutro or properties rather
09:28 babilen salt['pillar.get'] is a function that was specifically written because Python's .get() still doesn't support nested lookups
09:29 colegatron Hi guys. I need to set the JAVA_HOME for the tomcat7 user and I've thought to just update the value in the /etc/default/tomcat but that means to hardcode the value, do you know a more elegant way to achieve this?
09:30 nafg babilen: funny, I thought I saw '.' used in salt['pillar.get'] calls
09:30 babilen nafg: I haven't, which is why I asked where you've seen it
09:30 nafg I could be wrong
09:31 nafg Does grains.get also default to
09:31 nafg ':' ?
09:31 babilen It does
09:32 nafg then maybe I'm just misremembering
09:32 nafg It would be nice if they provided a shorthand for salt['pillar.get'] though
09:33 nafg question: in file.managed, it says dir_mode - If directories are to be created, passing this option specifies the permissions for those directories. If this is not set, directories will be assigned permissions by adding the execute bit to the mode of the files.
09:33 nafg What does the last part mean? How does adding the execute bit to the file change the permissions of the parent directory?
09:33 nafg state
09:34 AndreasLutro if your file.managed has "mode: 640"
09:34 AndreasLutro any directories will be created with 640 +x (which is 753? or 750 depending on how smart the implementation is)
09:37 nafg AndreasLutro: ah, the wording is confusing. I guess "by" describes the algorithm, not the vehicle
09:42 colegatron there is anyway to take the output of a "module.run alternatives.show_current java" and use it in a jinja template ? the idea is update /etc/default/tomcat JAVA_HOME with the right value instead to hardcode an absolute path
09:43 colegatron (any other more elegant recommendation is welcome) :)
09:45 AndreasLutro {{ salt['alternatives.show_current']('java') }}
09:46 colegatron omg. you're right. how I did not think on this before? :)
09:46 colegatron thank so much AndreasLutro  :)
09:51 edrocks joined #salt
09:57 Praematura joined #salt
10:03 colegatron AndreasLutro, do you know if there is any module to handle files from /etc/default similar to state.ini_manage ? I tried but it forcibly uses sections and adds spaces between key/values and separator(=)
10:04 AndreasLutro no, I'd just use file.replace or file.line
10:04 AndreasLutro or file.blockreplace if you need a lot
10:05 colegatron I usually do that, but seems not so elegant.
10:05 colegatron tnx :)
10:08 AndreasLutro /etc/default files aren't elegant in the first place
10:09 colegatron I agree. any alternative suggestion? :)
10:10 AndreasLutro add environment variables in the systemd unit file(s)
10:11 colegatron what is the difference? (just to know)
10:12 AndreasLutro systemd unit files can be split up and extended, and you don't rely on the application you're running to know about and read the /etc/default file
10:13 colegatron well, good one. I'll take this approach. thank you!
10:14 jwerak joined #salt
10:28 ChubYann joined #salt
10:47 mikecmpb_ joined #salt
10:55 mikecmpbll joined #salt
11:04 yomilk joined #salt
11:05 yomilk joined #salt
11:09 orionx joined #salt
11:18 inad922 joined #salt
11:22 Rumbles joined #salt
11:27 nickabbey joined #salt
11:32 nfahldieck joined #salt
11:41 oms101_ joined #salt
11:43 evle1 joined #salt
11:54 jas02 joined #salt
12:11 jhauser joined #salt
12:21 impi joined #salt
12:30 gladia2r joined #salt
12:45 candyman88 joined #salt
12:50 dendazen joined #salt
12:53 edrocks joined #salt
13:01 DEger joined #salt
13:05 numkem joined #salt
13:12 orionx joined #salt
13:16 darvon joined #salt
13:23 jwerak` joined #salt
13:28 nickabbey joined #salt
13:30 gladia2r heya, under a file.blockreplace is it possible adding indentation via ' - content' , for a single line ? (and no pillar)
13:31 ronnix joined #salt
13:37 edrocks joined #salt
13:42 Nahual joined #salt
13:47 shoemonkey joined #salt
13:48 candyman88 joined #salt
13:55 ChubYann joined #salt
14:06 varesa left #salt
14:12 Praematura joined #salt
14:17 jdipierro joined #salt
14:20 candyman88 joined #salt
14:24 ssplatt joined #salt
14:27 CrummyGummy joined #salt
14:30 nickabbey joined #salt
14:41 jwerak`` joined #salt
14:42 cyteen joined #salt
14:50 cyborg-one joined #salt
14:59 masber joined #salt
15:00 scoates joined #salt
15:05 rem5 joined #salt
15:06 cachedout joined #salt
15:08 brousch__ joined #salt
15:19 tapoxi joined #salt
15:20 Rumbles joined #salt
15:21 gableroux joined #salt
15:25 onlyanegg joined #salt
15:38 PatrolDoom joined #salt
15:51 dps joined #salt
15:52 icksa joined #salt
15:53 Tanta joined #salt
15:53 _JZ_ joined #salt
15:59 zenchike1 joined #salt
16:02 onlyanegg joined #salt
16:10 impi joined #salt
16:10 onlyanegg joined #salt
16:11 keltim_ joined #salt
16:13 racooper joined #salt
16:14 Praematura joined #salt
16:15 orionx joined #salt
16:24 Bryson joined #salt
16:25 Pluggi joined #salt
16:25 Pluggi Hi, I've got a problem with service.running, it raises Reason: 'service' __virtual__ returned False: No service execution module loaded: check support for service management on Arch
16:26 Pluggi I found the error message here https://fossies.org/linux/salt/salt/states/service.py, but I don't really know how to fix it
16:26 Pluggi and I am up to date
16:29 sp0097 joined #salt
16:29 brousch__ Pluggi: Here's a little info on service modules. https://docs.saltstack.com/en/latest/ref/states/all/salt.states.service.html
16:30 shoemonkey joined #salt
16:30 babilen Pluggi: Which distribution are you targeting?
16:30 Pluggi Arch Linux
16:32 babilen sysvinit/systemd/upstart/... ?
16:34 Pluggi systemd
16:35 babilen In which case the systemd service module should have been loaded .. Do you get any interesting output when you start salt-minion in debug mode (salt-minion -ldebug)
16:35 babilen What does "salt-call grains.get kernel" give you on the minion?
16:35 Pluggi I'll try in 2 minutes
16:35 Pluggi because I first generate it using a chroot
16:36 Pluggi and then boot it using PXE
16:36 babilen So the system has not actually been booted with systemd when you apply the state?
16:36 Pluggi nope
16:37 babilen But?
16:37 Pluggi wait
16:37 Pluggi I think I failed
16:37 * babilen waits
16:37 Pluggi yeah that's the problem
16:37 Pluggi my bad
16:38 Pluggi yeah, forget about it, I'm just stupid
16:38 babilen You might want to create a minimal installation, boot that with PXE and register with the salt master then. You could kick off a highstate either from reactors or startup_states
16:39 Pluggi that's my minimal installation :P
16:43 kjsaihs joined #salt
16:45 kjsaihs is there a way to have two separate include statement inside one sls file?
16:48 Pluggi left #salt
16:50 PeterO joined #salt
16:52 samodid joined #salt
16:54 leonkatz joined #salt
17:01 Reverend I take it I can just get a minion to run an SLS from a reactor?
17:01 Reverend like, just run a fucking state? I'm getting tired of trying to write these git-deps in reactors -_-
17:03 aldevar left #salt
17:05 mbologna joined #salt
17:08 Reverend meh, lets try it ang asee.
17:08 Reverend and see*
17:11 KingOfFools joined #salt
17:16 CampusD joined #salt
17:24 Reverend okay so apparently the kwargs thing is fucked
17:29 kjsaihs joined #salt
17:30 megamaced joined #salt
17:37 Hazelesque_ joined #salt
17:38 daxroc_ joined #salt
17:38 hillna_ joined #salt
17:38 fhh_ joined #salt
17:38 CheckYourSix_ joined #salt
17:38 phtes_ joined #salt
17:38 jrklein_ joined #salt
17:38 seb-solon_ joined #salt
17:38 n1x0n_ joined #salt
17:39 Antiarc_ joined #salt
17:39 ivanjaros joined #salt
17:39 cswang_ joined #salt
17:39 jgelens_ joined #salt
17:39 armin_ joined #salt
17:40 wybczu_ joined #salt
17:40 Kelsar_ joined #salt
17:40 Shirkdog_ joined #salt
17:40 khorben_ joined #salt
17:41 pezus joined #salt
17:41 klippo_ joined #salt
17:41 coldbrew- joined #salt
17:41 iter_ joined #salt
17:41 ThomasJ|d joined #salt
17:41 KingOfFools Sup guys. I'm trying to use salt['mine.get'] in orch state, but getting empty result. Where should I look?
17:41 vaelen_ joined #salt
17:42 swills_ joined #salt
17:42 MeltedLux_ joined #salt
17:42 cb_ joined #salt
17:42 whytewolf KingOfFools: use the runner
17:42 frew- joined #salt
17:42 bofhit joined #salt
17:42 quarcu joined #salt
17:42 UForgotten_ joined #salt
17:42 riftman1 joined #salt
17:42 error_ joined #salt
17:42 whytewolf orchestrations are done on the master so the mine state needs to be run from mine runner
17:42 Salander271 joined #salt
17:42 skr0bul joined #salt
17:43 nixjdm_ joined #salt
17:43 jor_ joined #salt
17:43 relidy_ joined #salt
17:43 McNinja_ joined #salt
17:43 ecdhe joined #salt
17:43 ecdhe joined #salt
17:43 saltstackbot joined #salt
17:43 whytewolf KingOfFools: see the see also here https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.mine.html#salt.modules.mine.get
17:43 kbaikov joined #salt
17:43 KingOfFools whytewolf: I'm running salt-run state.orch statefile. There I have file.managed with template jinja. And in jinja file salt['mine.get'] function
17:43 cscf joined #salt
17:43 NeoXiD joined #salt
17:43 tbrb joined #salt
17:44 frygor joined #salt
17:44 peters-tx joined #salt
17:44 nahkiss joined #salt
17:44 llua joined #salt
17:44 whytewolf KingOfFools: yes. i mean your mine should be run through the runner version of mine
17:45 whytewolf salt['mine.get'] tries using the execution module version
17:45 dlloyd joined #salt
17:46 TooLmaN joined #salt
17:46 Ryan_Lane joined #salt
17:47 KingOfFools whytewolf: hm, i dont really get what does mean to use runner version of mine and how do that
17:47 whytewolf {% set minion_ips = salt.saltutil.runner('mine.get', tgt='*', fun='network.ip_addrs', tgt_type='glob') %}
17:47 zifnab joined #salt
17:47 ahrs joined #salt
17:48 whytewolf there is a link about this at the bottom of the execution module function for mine.get
17:49 OliverMT joined #salt
17:49 s_kunk joined #salt
17:50 jdipierro joined #salt
17:51 jdipierro joined #salt
17:51 KingOfFools whytewolf: oh, ok, thanks! didn't see that
17:52 s_kunk joined #salt
17:53 whytewolf it's alright, a lot of people miss it. i think it needs to be added to the generic mine documentation/tutorial.
17:55 KingOfFools whytewolf: is it normal that I get some extra information in result? like fun_args, jid, return, success etc
17:55 nazz joined #salt
17:57 jhauser joined #salt
17:57 whytewolf yes, the return is what you want. the rest is status info about how the runner function ran the module
17:57 Reverend it works. Apparently you need 4 spaces after the `- kwarg:` entry, like this:
17:57 Reverend - kwarg:
17:57 Reverend pillar:
17:57 Reverend which is silly cus it's yaml
17:57 Reverend >_<
17:58 djgerm joined #salt
17:58 sjorge joined #salt
17:58 sjorge joined #salt
17:59 KingOfFools whytewolf: So, example in documentation is kinda inaccurate then :)
18:00 whytewolf it is old
18:00 whytewolf needs updated
18:00 tom29739 joined #salt
18:06 feliks joined #salt
18:07 Reverend "comment": "State 'git.fetch' was not found in SLS 'repo_update'\nReason: 'git.fetch' is not available.\n",
18:07 Reverend any clues? :D hahahaha
18:08 whytewolf does the module git work on that minion?
18:09 Reverend yeah...
18:09 Reverend i'll check anyway
18:09 Reverend yeah we do git stuff every 10 minutes on those minions :/
18:10 whytewolf okay, let me check the __virtual__ for the state module then
18:10 Reverend say what
18:10 hvn joined #salt
18:10 hvn joined #salt
18:10 Reverend ohhhhhhhh wait a second whytewolf
18:11 Reverend let me fix the git.fetch state first -_-
18:11 Reverend `- name: #####codecommit######` <-- might want to fix that
18:11 hvn hi all, does anyone remember the site that collected all the popular saltstates repos back in the old days? (yes, it is old and they were called states, not formulas)
18:11 Reverend github? :P
18:11 whytewolf ...
18:12 hvn no, there was a site where people added their own links to their github collections of states
18:12 hvn maybe it is dead... so long ago
18:12 Reverend I dunno man :/ I've not been here that long.
18:12 Reverend you might be better just searching github for public repos of stuff
18:12 hvn I was here since 0.11.x :p
18:12 Reverend damn son
18:13 Reverend whytewolf - still broken with the fixed 'name' entry :/
18:14 hvn anyone here really used saltstack-formulas? I skimmed up to page 4, and those formulas seem abandoned (no updates since 2015)
18:14 hvn yes I meant this https://github.com/saltstack-formulas
18:14 PatrolDoom joined #salt
18:14 SaucyElf joined #salt
18:15 whytewolf hvn, I have never liked formulas. they tend to be bloated and not very well coded for resource sharing.
18:15 systeem joined #salt
18:16 Praematura joined #salt
18:16 hvn whytewolf: yes, I'm kind of looking for a solution to make those formulas ... usable
18:16 Reverend whytewolf: couldn't agree more. when you use too many it slows your highstates down SO much
18:16 Reverend we only use centos here, so I end up hacking them up to remove all the debian / etc stuff to make them quicker
18:17 whytewolf i just code my own state files
18:17 Reverend hvn: what we did here was just write them all from scratch mostly
18:17 hvn yes me too https://github.com/hvnsweeting/states
18:18 hvn we used built a business base on Salt. But not anymore
18:18 Reverend nice man :)
18:18 hvn so I find a way to reuse those things instead of throwing them away
18:18 ALLmightySPIFF joined #salt
18:20 nazz joined #salt
18:20 Reverend I'd just leave them on github in case you need them in future :)
18:22 hvn spm is something new but I heard it nowhere than in log change. Formulas get up slowly and hard to use. There is nothing that sharable like ansible galaxy (or at least it looks like that)
18:22 ronnix joined #salt
18:26 hvn well I will think more about it and will propose it on the mailing list to get some official attention
18:26 hvn thank you Reverend and whytewolf , good night :p
18:26 Reverend tataaaa
18:26 Reverend have a good one HVN
18:26 whytewolf have a good one
18:27 whytewolf personally shareable code almost never meets 50% of work cases, or if it does is too bloated to be useful.
18:28 whytewolf snippets are better. as they just give insight into the problems
18:28 wendall911 joined #salt
18:31 shoemonkey joined #salt
18:32 ssplatt whytewolf: you don’t like formulas or you don’t like the ones in github/saltstack-formulas?
18:33 Edgan joined #salt
18:33 ssplatt we extensively use formulas but never anything from the saltstack repo because they always seem to be a mess and not follow the style we’ve come up with
18:33 ekristen I tend to agree with whytewolf most of the time shareable code either doesn’t meet the use case you want or is so bloated that you are afraid to touch it to make it work.  I like having the saltstack-formulas, but generally I never ever use them, I might take portions of them to make my own.
18:34 ssplatt that’s definitely the case with saltstack-formulas repo
18:34 entil joined #salt
18:34 klaas joined #salt
18:35 klaas joined #salt
18:35 ssplatt some are ok and they definitely do “things” but not quite what we want and not in a format that we want
18:35 ssplatt we’ve found kitchen tests to be invaluable
18:36 Praematura joined #salt
18:36 ipmb joined #salt
18:38 juntalis joined #salt
18:39 jdipierro joined #salt
18:42 ipmb I'm looking at using peer_run to allow minion users to run state.orchestrate on the master. Is there a way I can limit the orchestration states they have access to?
18:43 aphor Anyone using Thorium for anything?
18:43 ipmb like - "state.orchestrate safestates.*"
18:44 whytewolf ssplatt: I don't like formulas in general.
18:45 aphor ipmb: why do you want minions to run orchestration on the master?
18:45 ipmb I want users that don't have ssh access to the master to be able to run a limited set of commands that have to run on the master
18:46 aphor ipmb: I think (but haven't tried it yet) the Salt Enterprise stuff has some delegation and policy rules around who can do what.
18:46 ipmb Need developers to be able to create/destroy test servers (which requires orchestration), but don't want them to do anything else
18:47 aphor ipmb: if the list of tasks you need to delegate to users is small enough, maybe give them wrappers that send events, and then use reactor to kick off the orchestration?
18:47 AndreasLutro ipmb: does it really require orchestration? we facilitated just that by allowing a few specific state.apply lines in /etc/sudoers
18:48 ipmb AndreasLutro I was considering that approach as well
18:48 zer0def joined #salt
18:48 AndreasLutro if that's not good enough you'll have to set up events and reactors I think
18:48 swills_ joined #salt
18:48 AndreasLutro or write some custom app to fire off the salt jobs you need
18:48 ipmb aphor I decided against that because I need the users to be able to see the process and know when it finishes
18:49 aphor ipmb: that's still possible if you are clever in your orchestration.
18:50 ipmb sounds like a lot of work ;)
18:50 keltim_ joined #salt
18:50 aphor ipmb: you want async stuff to work like it's sync, and you want to use the salt command job status polling to accomplish that, but you don't want to give full power of the salt command?
18:50 tapoxi hey guys, can I set ebs' provisioned iops in my salt-cloud map?
18:51 ipmb it's not async at the moment. it runs fine as a blocking command with salt-run
18:51 onlyanegg joined #salt
18:51 ipmb but if I start using the event system, then yes, I need to make async work like sync... that's why I decided against that approach
18:53 aphor can you even do salt-run on a minion to execute a runner on the master?
18:54 ipmb https://docs.saltstack.com/en/latest/ref/peer.html#peer-runner-communication
18:54 aphor I've been trying my hardest to stay in the async event style..
18:54 aphor <reading>
18:57 aphor ok peer_run already has policy to control which minions can peer_run which runners.
18:58 aphor You want to extend that to allow the policy to stipulate which users as well?
19:01 Cottser joined #salt
19:01 ipmb aphor no, which commands I pass to state.orchestrate
19:02 aphor ipmb: the problem I see is how to prevent users from spoofing uid to the master.
19:03 aphor salt doesn't have any facility to authenticate users, which is a prereq for authorizing users.
19:03 ipmb AndreasLutro looked into sudoers more. It's really close, but it looks like I can't specify some arguments to the command and allow the user to pass some
19:03 aphor I think that's a problem even if you were doing things async.
19:04 ipmb aphor at what point would a user be spoofing an ID?
19:04 aphor the master only knows what the minion tells it.
19:04 ipmb yes
19:04 numkem joined #salt
19:04 ipmb I can control access to the minion with ssh
19:04 aphor if you want to add some uid info to the payload, then the master can operate on it.
19:04 ipmb what payload?
19:05 aphor messages the minion sends to the master, either publish, or events.
19:06 ipmb I presume that peer_run and publish.runner do what they say in the docs
19:06 aphor so there needs to be some authentication by privileged process (either minion or otherwise) on the minion.
19:07 ipmb ssh/sudo
19:07 ipmb only root can run salt-call on minion. these users would have access to run salt-call as root on the minion
19:08 aphor ok.
19:08 AndreasLutro ipmb: maybe write a small wrapper script that does exactly what you need, chattr +i on it, and allow users to run that as sudo with any arguments
19:10 ipmb AndreasLutro but the script needs to run the other commands as sudo which will then fail
19:10 aphor if the authorization happens on the minion, you have to push code to do that (whether a wrapper script or magic sudoers command config) to the minion.
19:10 AndreasLutro ipmb: no they won't, because the script is running as root (because sudo)
19:11 aphor +1 on combo of wrapper script and sudoers command config.
19:13 ipmb excellent!
19:14 ipmb I had tested this approach and didn't get it working, turns out I was using sudo inside the script that was already run as sudo :/
19:14 ipmb thx for the help!
19:18 aldevar joined #salt
19:18 swa_work joined #salt
19:23 ipmb AndreasLutro if the file is mode 555, what does setting the immutable bit do for me?
19:23 hasues joined #salt
19:23 * ipmb is failing to see the attack vector there
19:24 aphor immutable means not even root can change it.
19:24 ipmb but root can remove immutability
19:24 aphor In certain secure boot modes, immutable bit cannot be cleared.
19:24 ipmb ah, ok
19:24 invalidexception joined #salt
19:25 aphor I'm not sure how linux enforces that. I learned it when it was only available on BSD.
19:25 aphor I expect it's selinux or something.
19:26 ipmb In this scenario, if a malicious user has root access, the contents of those scripts are the least of my worries :)
19:27 aphor Sometimes root access is not root shell access.
19:28 aphor Sometimes a file is opened with write mode and the attacker can only change the filename.
19:28 aphor .. in the root execution context.
19:28 aphor immutable bit protects against that.
19:29 ipmb makes sense
19:29 geomacy joined #salt
19:31 raspado joined #salt
19:32 DEger joined #salt
19:33 AndreasLutro replace or supplement chattr with selinux if you use that
19:35 Awesomecase joined #salt
19:40 whytewolf ahhh the evolving world of linux filesystem security. first there was chmod, then chattr was quickly introduced. followed by setfacl/getfacl, and then we have selinux, AppArmor and the like.
19:41 jdipierro joined #salt
19:43 fredvd joined #salt
19:46 djgerm1 joined #salt
19:53 viccuad joined #salt
19:54 viccuad Hi folks. So I tried to file.recurse a bunch of files, and I got an exception because salt cannot handle one of the files containing a "ü"
19:54 viccuad is there any workaround that I can use, that respects modes of the files and dirs, and is stateful and just not cmd.run?
19:57 manji viccuad, just out of curiosity, can you paste the error somewhere?
19:58 viccuad manji: https://paste.debian.net/917873/ (the file is Netzwerkschlüssel.gpg )
20:03 jdipierro joined #salt
20:07 djgerm1 this doesn't seem to be matching properly: {% if 'thingX' or 'thingY' in grains['fqdn'].lower() %}
20:07 djgerm1 it seems to be matching everything…. thoughts?
20:07 djgerm1 a similar statement, {% if 'thingX' in grains['fqdn'].lower() %}, works fine
20:09 sh123124213 joined #salt
20:10 jdipierro joined #salt
20:15 brousch__ if 'thingX' will always be true
20:17 brousch__ Your statement is like:
20:17 brousch__ {% if ('thingX') or ('thingY' in grains['fqdn'].lower()) %}
20:24 ipmb {% if 'thingX' in grains['fqdn'].lower() or 'thingY' in grains['fqdn'].lower() %}
20:25 Tanta joined #salt
20:28 jdipierro joined #salt
20:29 bgdnlp joined #salt
20:30 bgdnlp hi. question, should be simple, but I can't figure out what I'm doing wrong. I want to schedule the minion to pull config from master every 7 minutes.
20:31 bgdnlp one way to do it would be salt-call from cron, I understand that. But from what I'm reading the "new" way to do it is to schedule it in pillar or minion config
20:31 shoemonkey joined #salt
20:31 bgdnlp so I added the following to minion etc/salt/minion:
20:32 bgdnlp schedule:
20:32 bgdnlp highstate:
20:32 bgdnlp function: state.highstate
20:32 bgdnlp minutes: 7
20:33 bgdnlp should this work? because it doesn't. and I don't know why
20:38 tvinson bgdnlp: that looks syntactically correct if your indentation is correct. did you restart the minion after the config change?
20:39 bgdnlp yes
20:39 brousch__ Can you use minutes:? The examples only use seconds:
20:39 bgdnlp indentation is correct, missed a space there
20:39 tvinson I'm using minutes in my environment
20:40 bgdnlp doc says minutes is valid
20:41 _JZ_ joined #salt
20:41 bgdnlp should I see something in the log file when the minion runs highstate?
20:43 tvinson depends on what you've got in highstate and what your logging configuration is, but you should see a lot of somethings
20:48 twork_ joined #salt
20:49 numkem joined #salt
20:50 twork_ i'm baaaack... still trying to figure out how to account for users, while not treating them as users.  latest account of my efforts at: https://gist.github.com/twork/99e3a0a158fe5b485a80c4761c06349c
20:51 orionx joined #salt
20:52 twork_ i feel like i've made some progress, compared to past efforts, but then i'm not even sure i'm coming about this the right way.
20:55 ipmb why import/include instead of a standard {{ pillar.variable_name }}?
20:56 ipmb Put the values in as pillars and then use the top files to determine how you want them included on the minions
20:56 twork_ that might be the clue i need, dunno
20:56 ipmb if you need the same info treated differently on different minions, you could use another pillar variable
20:56 twork_ oh i see what you're asking
20:56 babilen There is no need to override "users", I'd say
20:56 tberc joined #salt
20:57 ipmb customers_are_not_real_users: True
20:58 twork_ ipmb: what's the context?  in each user account in the pillar?
20:58 ipmb then your state can do: {% if pillar.get('customers_are_not_real_users') %} do some stuff {% else %} create the users {% endif %}
20:58 twork_ ok, but:
20:58 twork_ what will the "users" state do?
20:59 ipmb whatever you need it to do
20:59 ipmb presumably run something like user.present
20:59 twork_ it'll still see that pillar, right?  and it isn't aware of "customers_are_not_real_users"
20:59 ipmb pillars are like variables you can apply to minions
21:00 twork_ it just eats the user account data and does what it always does
21:01 twork_ i guess i could add a test to 'users' that's aware of that element
21:01 ipmb I don't fully understand your problem, but it sounds like you could have 2 pillars defined: admins and customers
21:01 twork_ i do
21:01 ipmb they both contain your "user account data"
21:01 twork_ yes
21:01 ipmb spread that pillar to all your servers
21:01 twork_ yes
21:01 ipmb now you have a state that creates users
21:02 twork_ yep
21:02 ipmb it is also on all your servers
21:02 twork_ yep
21:02 ipmb inside that state test for another pillar "customers_are_not_real_users"
21:02 ipmb if that pillar is set, make your state skip the part where you create users from the customers pillar
21:03 twork_ ok, good idea.  the thing i don't like, though, is that i'm using the "users" formula, and i don't want to risk having my alteration lost when i (or someone) updates the formula from upstream
21:04 ipmb ok, don't use a pillar
21:04 twork_ that's why i'm trying to make different pillars (that look alike but have different names)
21:04 ipmb have two states
21:04 ipmb create_admin_users and create_customer_users
21:04 ipmb only include the second one where you want it
21:05 ipmb (via top)
21:05 twork_ and stop using the formula?
21:06 ipmb not sure what you're referring to as the formula, but I don't think you need it
21:06 ipmb if you mean the import/include part, it doesn't seem necessary
21:07 twork_ i map this formula to all my minions: https://github.com/saltstack-formulas/users-formula
21:08 twork_ i guess i could stop doing that on some of my minions but it'd add a lot of work that i'm trying to avoid
21:09 twork_ ...for starters, taking that formula out of '*' in top, and keeping track of where it is and isn't used.
21:09 ipmb do you really need to use that formula?
21:09 ipmb For the simple case, creating a user is like 10 lines of YAML
21:09 twork_ not to be flippant, but, do i need to use computers at all?  it saves me a lot of work in most circumstances.
21:10 ipmb in this scenario, it seems to be creating a lot more work for you
21:10 edrocks joined #salt
21:10 twork_ yes, but this is an isolated case.  across most of my network that isn't true.
21:10 twork_ this is an exception.
21:11 ipmb you could look into include as
21:12 twork_ i have been.  it's in my example, i thought.
21:12 twork_ i just don't get the syntax right, that was kind of my original question.
21:13 ipmb {% import 'accounts.yaml' as accounts %}
21:14 twork_ {% import 'account-base.yml' as accounts | replace(users,accounts,1) %}
21:14 twork_ ...draws:
21:14 twork_ Failed to load ext_pillar stack: expected token 'end of statement block', got 'as'
21:14 twork_ sorry for the multi-line.
21:14 ipmb I don't think replace works like that
21:14 twork_ indeed!
21:14 ipmb you don't have a string anymore, you have an object
21:15 ipmb {% set users = accounts %}
21:15 twork_ ahhhh.  that may be the clue i need.
21:16 ipmb but you probably need to do {% set users = accounts.accounts %} or something like that because iirc the import will add the namespace you import it as
21:16 ipmb gotta run... good luck
21:16 twork_ thanks
21:17 orionx joined #salt
21:17 ipmb joined #salt
21:17 ipmb twork_ this might be handy https://docs.saltstack.com/en/latest/topics/jinja/index.html
21:20 catpig joined #salt
21:23 austin_ joined #salt
21:23 austin_ is there any reason right now to transition from cherry to tornado ?
21:24 austin_ are there any real benefits of using tornado?
21:26 fartface joined #salt
21:26 twork_ ftr, that link is in the page i linked to, too.  see, i am trying...
21:27 fartface Hey!  I'm pretty new to SaltStack, but I'm wondering how I handle situations where stdin is expecting input?
21:27 fartface Hey!  I'm pretty new to SaltStack, but I'm wondering how I handle situations where stdin is expecting input?
21:27 fartface How do I handle running commands to minions where it would be expecting input?  If I ran `cmd.run 'apt-get install mariadb-server'`, generally the MariaDB installer will ask for a root password, but I can't pass that via salt in that command, so it just hangs there
21:27 fartface Sorry not sure why that posted twice
21:29 twork_ fartface: write a script and have cmd.run call that?
21:30 twork_ not exactly as simple as that, but that's the approach i'd take
21:31 mikecmpbll joined #salt
21:31 onlyaneg1 joined #salt
21:34 LotR wouldn't you answer the question with preseeding, and then run apt?
21:37 tvinson fartface: installation using the pkg execution module or state module would already have all the switches to run noninteractively.
21:37 tvinson fartface: and the salt-minion process runs as root by default
21:37 LotR http://terokarvinen.com/2015/preseed-mysql-server-password-with-salt-stack is specifically about this
21:40 utahcon_ joined #salt
21:41 fartface Ah wicked thank you, thats what I needed.  As I said, still very early on in this learning journey haha
21:44 orionx joined #salt
21:45 beardedeagle joined #salt
21:50 leonkatz Is there a reason not to use grains to target minions? I keep hearing that from some people.
21:51 Sketch it depends on how much you trust your minions
21:51 Sketch since grains can be set on the minion
21:52 whytewolf it is a discovery attack against pillars. since grains can be set on the minion. a compromised minion can change grains to discover pillars that are not meant for that minion
21:52 Sketch yeah, i think that advice is mostly WRT pillar targeting
21:52 Sketch not salt -G
21:53 Sketch though if you are really paranoid, i guess salt -G might be an issue too
22:01 relidy My Jinja foo is weak. Is it possible to pass a variable or two in an import statement? I have a repeated operation (building up a settings collection) that I'm trying to abstract, but it needs a few pieces of info, then should return said collection. Example case: https://gist.github.com/rhoths/fbf1466ee3374790cfab7117831a51c4
22:13 whytewolf relidy: sounds like you want a macro.
22:13 whytewolf http://jinja.pocoo.org/docs/2.9/templates/#macros
22:13 seb-solon_ left #salt
22:14 relidy whytewolf: My understanding is that a macro cannot return a variable, only output rendered text.
22:16 whytewolf oh you are correct.
22:17 relidy I'm probably just approaching this from a totally incorrect angle, I just don't know enough to step back and properly go, "You idiot"
22:17 whytewolf maybe extend. include doesn't work because it is for including "rendered" jinja which will fail since the variable isn't defined until after it is already rendered
22:19 relidy I thought about messing with template inheritance, but couldn't quite see my way through to a solution. I'll keep prodding at this; eventually something will click. Thanks for the thoughts.
22:22 whytewolf it would work if you went the other direction.
22:22 whytewolf settings including test.sls
22:23 relidy whytewolf: Yeah, but with the goal being centralizing some variable building that's used in 3 or 4 states, that doesn't seem all that flexible
22:26 whytewolf have you looked at how map.jinja is typically built?
22:27 whytewolf and defaults
22:30 relidy I have, and that's why I'm betting I'm ultimately just approaching this incorrectly, but I'm trying to flatten down a configuration array, basically, based on a few factors. I'm dealing with installing/configuring multiple versions of PHP on the same machine, so need to alter my configurations written out based on the version and if this is intended for FPM or CGI.
22:31 relidy I have stuff that applies regardless (global), stuff that's dependent on the version, and stuff that's dependent on FPM/CLI (I said CGI a moment ago).
22:32 shoemonkey joined #salt
22:44 Kelsar joined #salt
22:45 djgerm joined #salt
22:46 whytewolf relidy: https://gist.github.com/whytewolf/555176ffac904b6a18a596b10d8eab75
22:47 whytewolf macros DO work
22:48 relidy whytewolf: That ... looks very promising! Thank you so much.
22:49 whytewolf no problem :) just had to fiddle around with it a little
22:49 Kelsar joined #salt
22:52 SaucyElf joined #salt
23:01 nickabbey joined #salt
23:01 raspado joined #salt
23:08 amcorreia joined #salt
23:10 Kelsar joined #salt
23:14 hrumph joined #salt
23:16 twork_ macros do not work.  no no no.  lies lies lies.
23:24 Kelsar joined #salt
23:27 barajasfab joined #salt
23:32 whytewolf twork_: I posted using them :P
23:35 Kelsar joined #salt
23:38 * twork_ plugs ears, shuts eyes, sings
23:43 CmndrSp0ck joined #salt
23:47 CmndrSp0ck joined #salt
23:47 onlyanegg joined #salt
23:48 CmndrSp0ck joined #salt
23:53 DryBreadAddict joined #salt
23:55 shoemonkey joined #salt
23:57 felskrone joined #salt
