IRC log for #salt, 2017-09-07

All times shown according to UTC.

Time Nick Message
00:07 NV whytewolf: just got it out of the other guy that he might have accidentally installed the rhel6 repo first beforehand haha
00:08 whytewolf lol
00:08 whytewolf that would do it
00:08 noraatepernos joined #salt
00:13 NV yup...
00:13 zerocoolback joined #salt
00:22 ninjada joined #salt
00:45 dxiri joined #salt
00:51 GMAzrael joined #salt
00:55 doggity223 joined #salt
00:55 doggity223 left #salt
01:10 phileus joined #salt
01:33 Bock joined #salt
01:53 Church- joined #salt
01:54 ilbot3 joined #salt
01:54 Topic for #salt is now Welcome to #salt! <+> Latest Versions: 2016.11.7, 2017.7.1 <+> Support: https://www.saltstack.com/support/ <+> Logs: http://irclog.perlgeek.de/salt/ <+> Paste: https://gist.github.com/ <+> See also: #salt-devel, #salt-offtopic <+> We are volunteers and may not have immediate answers
02:07 Shirkdog joined #salt
02:16 oida joined #salt
02:20 zerocoolback joined #salt
02:21 zerocool_ joined #salt
02:23 zerocoolback joined #salt
02:25 vexati0n ugh. i have to deploy salt to all of our solaris 10 machines. got started today and all i know is that logging into Solaris is like taking a time machine to 1994. what garbage.
02:29 * whytewolf used to enjoy solaris back when i worked at the paper. years ago
02:39 vexati0n So I've been messing around with syndic/multi-master and shared minion data cache. After applying some PRs locally that are in line for 2017.7.2, i got cache sharing working (more or less). But there's a problem where targeting a subset of minions returns correctly for those minions, but every other minion returns "false" which causes false positives if you're calling salt through something that monitors the exit code (like Bamboo)
02:39 vexati0n is that expected? because it really shouldn't behave that way.
02:40 whytewolf no, they shouldn't return false.
02:43 dxiri joined #salt
02:47 vexati0n that's what I thought. anyway, issue submitted
02:47 spuder joined #salt
02:47 vexati0n I'm lighting up this github thing lately, i feel bad
02:52 pppingme joined #salt
02:52 whytewolf well, putting in issues helps find the issues so they can be worked on
02:52 armyriad joined #salt
02:55 pcn joined #salt
02:56 tiwula joined #salt
03:17 michelangelo joined #salt
03:24 doubletwist So I can see how to do it as one off for a given specific package but is there a graceful way to handle a longer list of 'common' packages to be installed while handling some package name differences between OS families?
03:25 doubletwist And would that be something to do in pillar or in a state?
03:41 Uni imo you would put the grain based logic (osnames etc) in a pillar, and define a list of packages there
03:42 Uni using a loop in the state you can iterate through the list
03:42 gmoro joined #salt
03:43 Uni https://docs.saltstack.com/en/latest/topics/tutorials/states_pt3.html
03:43 Uni has some examples of for loops jic
03:48 Bad joined #salt
03:58 dxiri joined #salt
04:04 WesleyTech_ joined #salt
04:05 marcaurele joined #salt
04:18 ecdhe joined #salt
04:19 Angleton joined #salt
04:20 ninjada_ joined #salt
04:20 dh joined #salt
04:20 Angleton joined #salt
04:20 Lionel_Debroux_ joined #salt
04:21 chadhs joined #salt
04:21 armyriad joined #salt
04:22 cliluw joined #salt
04:22 coldbrewedbrew_ joined #salt
04:22 gareth_ joined #salt
04:22 swa_work joined #salt
04:23 carmony joined #salt
04:25 hammer065 joined #salt
04:25 gtmanfred joined #salt
04:26 ekkelett joined #salt
04:26 v0rtex joined #salt
04:27 omie888777 joined #salt
04:29 flebel joined #salt
04:31 wryfi joined #salt
04:35 brent joined #salt
04:36 johnj joined #salt
04:41 renaissancedev[m joined #salt
04:41 evle joined #salt
04:41 gomerus[m] joined #salt
04:42 benjiale[m] joined #salt
04:42 psychi[m] joined #salt
04:48 Diaoul joined #salt
04:51 spuder joined #salt
04:55 monokrome joined #salt
04:57 doubletwist I feel like I'm missing something stupidly obvious - but this doesn't seem to be working:
04:57 doubletwist {% if grains['os_family'] == 'Debian' and grains['osmajorrelease'] == '8' %}
05:00 sh123124213 joined #salt
05:00 doubletwist for that matter even just {% if grains['os_family'] == 'Debian' %} isn't working. In a state file
05:04 berto- joined #salt
05:04 honestly doubletwist: can you see if the state listed as an example here works? https://docs.saltstack.com/en/latest/topics/tutorials/states_pt3.html#using-grains-in-sls-modules
05:04 honestly also use -l debug to see the rendered sls in the output
05:05 doubletwist hrm, targeting if os = Debian worked though
05:05 doubletwist lemme look
05:09 oida_ joined #salt
05:34 tellendil joined #salt
05:38 tellendil joined #salt
05:54 Church- joined #salt
06:11 GMAzrael joined #salt
06:23 felskrone joined #salt
06:25 felskrone joined #salt
06:26 msn joined #salt
06:29 ninjada joined #salt
06:37 impi joined #salt
06:42 oida joined #salt
06:50 oida_ joined #salt
06:51 aldevar joined #salt
07:06 Ricardo1000 joined #salt
07:18 jas02 joined #salt
07:20 Hybrid joined #salt
07:21 jas02_ joined #salt
07:29 jas02 joined #salt
07:44 vb29 joined #salt
07:45 pbandark joined #salt
07:47 pualj joined #salt
07:48 oida joined #salt
07:48 jas02 joined #salt
07:51 johnj joined #salt
07:51 pbandark joined #salt
08:02 mbologna joined #salt
08:03 pbandark joined #salt
08:04 mbologna joined #salt
08:05 _KaszpiR_ joined #salt
08:10 mikecmpbll joined #salt
08:12 Ricardo1000 joined #salt
08:12 GMAzrael joined #salt
08:13 RDV_ joined #salt
08:14 vb29 left #salt
08:14 nku um. i use peer communication, but i have a setup with syndics, and the peer communication seems to stop at the syndic master? how do i communicate with minions connected to a different syndic?
08:15 ereslibre left #salt
08:15 Ricardo1000 joined #salt
08:16 preludedrew joined #salt
08:17 RDV_ Hello! I've a minion in a really strict network, where I cannot even reach the master at the port 4505. Is there any workaround I can use?
08:17 Rumbles joined #salt
08:18 nku RDV_: masterless salt?
08:18 RDV_ with master
08:18 nku well, obviously you need to communicate with the master
08:18 nku but you can tunnel the traffic or do whatever else you like
08:18 RDV_ How can I do that? I'm not an expert on networking topics
08:18 coredumb A syndic setup could help you as well
08:19 nku syndics bring more problems than benefits..
08:19 nku RDV_: man ssh, see -R or -L
08:20 RDV_ and what ports do I forward? 80 to 4505 and 4506?
08:21 nku you could forward 4505 to 4505, and 4506 to 4506, and just tell the minion localhost is the master
08:22 RDV_ but how does that work when I cannot reach the 4405 of the master? I do a nc and no answer
08:22 RDV_ (only from that machine, I've some other minions connected to the master and it's working fine)
08:22 nku RDV_: for an ssh tunnel, you need an ssh connection from one machine to another
08:23 nku or, i guess you could forward the port to any other machine that minion can reach
08:23 nku or just talk to the networking guys?
08:24 RDV_ would it work to forward in the master from 80 to 4505 and 80 to 4506 and tell the minion to connect to 80?
08:26 nku i don't think so
08:27 pualj_ joined #salt
08:32 Mattch joined #salt
08:32 _KaszpiR_ joined #salt
08:38 RDV_ well this machine doesn't reach anything else. seems it only reaches port 80
08:43 Naresh joined #salt
08:44 chowmein__ joined #salt
08:46 michelangelo joined #salt
08:48 zerocoolback joined #salt
08:48 schasi joined #salt
08:59 ibro joined #salt
09:10 johnj joined #salt
09:24 zerocoolback joined #salt
09:40 ChubYann joined #salt
09:55 zerocoolback joined #salt
09:58 jas02 joined #salt
09:58 RDV_ joined #salt
10:05 RDV_ Hello! I've a minion in a really strict network, where I cannot even reach the master at the port 4505. Is there any workaround I can use?
10:08 zerocoolback joined #salt
10:14 GMAzrael joined #salt
10:16 marcaurele joined #salt
10:25 impi joined #salt
10:35 johnj joined #salt
10:38 marcaurele joined #salt
10:48 babilen RDV_: You could change the port the master listens on, create tunnels/VPNs, change your firewall configuration to suit your needs (https://docs.saltstack.com/en/latest/topics/tutorials/firewall.html), configure port mapping/forwarding, ...
10:49 Ricardo1000 joined #salt
10:52 RDV_ I think I can only reach port 80. Can I replace 4505 and 4506 by port 80?
10:53 babilen You could, not sure if that's a great idea ..
10:53 babilen So your network only allows traffic to port 80?
10:56 RDV_ I've machines all over different universities, which have the most strict network policies. I don't want to tailor-make a solution for each of them so. Pretty sure they all have port 80 open at least.
10:59 babilen So you can't even SSH to them?
11:00 Church- joined #salt
11:01 Church- joined #salt
11:03 RDV_ nope
11:03 RDV_ I enter thru teamviewer
11:03 RDV_ but it's a pain in the ass
11:03 RDV_ that's why I'm moving to salt
11:04 coredumb RDV_: you enter directly on the machine through teamviewer?
11:05 RDV_ yup
11:05 RDV_ which is horrible
11:06 jas02 joined #salt
11:07 coredumb seems like someone failed at "strictness" policy then >_<
11:10 RDV_ teamviewer uses port 80
11:13 Angleton joined #salt
11:15 Church- joined #salt
11:16 Angleton joined #salt
11:18 Church- joined #salt
11:23 GMAzrael joined #salt
11:31 Angleton joined #salt
11:32 Church- joined #salt
11:34 marcaurele joined #salt
11:36 johnj joined #salt
11:39 pualj joined #salt
11:39 ninjada joined #salt
11:40 ninjada_ joined #salt
11:41 Church- joined #salt
11:44 oida joined #salt
11:54 slugfish anyone ever have issues switching from a proxytype : junos to a proxytype: napalm ?
11:55 usernkey joined #salt
11:59 oida joined #salt
12:01 GMAzrael joined #salt
12:01 WKNiGHT joined #salt
12:02 evle joined #salt
12:03 jas02 joined #salt
12:07 jas02 joined #salt
12:11 jas02 joined #salt
12:16 oida joined #salt
12:18 slugfish maybe my yamal is borked.....
12:21 jas02 joined #salt
12:27 zerocoolback joined #salt
12:28 zerocoolback joined #salt
12:33 she joined #salt
12:37 johnj joined #salt
12:50 jas02 joined #salt
12:50 GMAzrael joined #salt
12:51 gh34 joined #salt
12:59 tada joined #salt
13:01 dxiri joined #salt
13:02 q1x joined #salt
13:04 jas02 joined #salt
13:09 tada left #salt
13:11 tata217 joined #salt
13:11 tata217 hi
13:11 tata217 hey guys, i try to write a python-script (use the api), to get all the minions and their grains! I finished to get all minions and print them out but i don't know how i get to the grains of each minion. my script: https://pastebin.com/XazeK3ai
13:15 ssplatt joined #salt
13:15 mchlumsky joined #salt
13:16 dunz0r tata217: You'll have to ask all the minions for their respective grains, not go via the salt-key interface
13:17 tata217 with salt.client.LocalClient() ?
13:19 dunz0r tata217: Like this: https://pastebin.com/myHamKxm
13:20 dunz0r That'll give you the output as json
13:20 dunz0r I want to set a grain in a state only if it isn't set yet, how can I do that?
13:20 dunz0r Just noticed that the way I originally did it didn't actually work, it sets it regardless
13:22 WesleyTech_ joined #salt
13:22 tata217 okay, thanks! i also tried this way :(
13:23 dunz0r tata217: That way works, I use it.
13:25 dunz0r {% if not salt['grains.get']('patch_group', None) %} doesn't work, it sets it regardless of it being set originally or not
13:25 dunz0r (where patch_group is what I want to set)
13:32 numkem joined #salt
13:33 racooper joined #salt
13:37 jas02 joined #salt
13:37 johnj joined #salt
13:45 bushelofsilicon joined #salt
13:46 jas02 joined #salt
13:47 bushelofsilicon any idea when 2017.7.2 is going to be released?
13:51 Yoda-BZH joined #salt
13:51 Yoda-BZH joined #salt
13:55 OliverUK joined #salt
13:56 OliverUK Hello all, how would I go about ordering how the states are applied?  For example I need to make sure the ssh_server package is installed before I make sure it is started or before it tries to change the config files?
13:56 mbologna joined #salt
14:06 dxiri joined #salt
14:07 coredumb OliverUK: check "require" in the documentation
14:14 cgiroua joined #salt
14:15 OliverUK coredumb: That is probably what I was looking for but couldn't hit the correct search term.  Thank you for your help :-)
14:18 _JZ_ joined #salt
14:20 coredumb you're welcome :)
14:22 daks joined #salt
14:26 promorphus joined #salt
14:32 daks joined #salt
14:33 daks joined #salt
14:34 pualj joined #salt
14:34 daks joined #salt
14:39 Rumbles joined #salt
14:39 johnj joined #salt
14:48 Church- joined #salt
14:55 marcaurele joined #salt
14:59 Brew joined #salt
15:01 tapoxi joined #salt
15:02 omie888777 joined #salt
15:06 Cottser joined #salt
15:06 gh34 joined #salt
15:07 fannet joined #salt
15:07 fannet hi everyone
15:07 fannet since upgrading to 2017.7.1 on my salt master + minions highstates now take about 10-20 times longer than before
15:27 bushelofsilicon I'm having an issue trying to send a long string from pillar into a managed file. I keep getting 'Rendering SLS failed: could not found expected ':' any tips?
15:28 marco_exoscale joined #salt
15:34 bushelofsilicon oh, I guess I should be using > instead of |
15:34 ikarpov_ joined #salt
15:39 johnj joined #salt
15:44 ssplatt has anyone reconstructed a dictionary/mapping in jinja before? for instance, i am looping through my pillar in a jinja template file {% for k,v in config|dictsort %}.  if k is a mapping, i need it to render at the very end of the file so i want to store that specific k,v in another var to use later. i’ve been trying {% do blockgroup.update({ {{ k }}: {{ v }} }) %)  which gives me an error expected token ':', got '}';
15:47 tiwula joined #salt
15:49 ssplatt even {% do blockgroup.update({'test': {{ v }} }) %} isn’t working but the internet says it should. anyone have a working example?
15:49 ssplatt i also put {%- set blockgroup = {} -%} at the top of the file.  i tried {%- set blockgroup = dict() -%} previously too
15:49 woodtablet joined #salt
15:50 zerocoolback joined #salt
15:51 astronouth7303 how do people deal with local deploy scripts?
15:52 astronouth7303 things like "IF this file has changed on the salt master, kill the service, wait for it to die, copy the file, bring the service back up"
15:52 ssplatt oh duh.  not {{ k }}.  just k.
15:56 bluenemo joined #salt
16:01 jas02 joined #salt
16:04 babilen astronouth7303: You'd use file.managed to manage the file and watch/listen to trigger the service restart when there are changes
16:06 spuder joined #salt
16:12 marcaurele joined #salt
16:15 ikarpov_ joined #salt
16:16 cyteen joined #salt
16:18 sarcasticadmin joined #salt
16:20 promorphus joined #salt
16:21 philip__ joined #salt
16:22 phileus0 joined #salt
16:24 impi joined #salt
16:25 numkem joined #salt
16:27 marcaurele joined #salt
16:28 numkem joined #salt
16:40 Lionel_Debroux_ joined #salt
16:40 johnj_ joined #salt
16:43 noraatepernos joined #salt
16:58 J0hnSteel joined #salt
17:00 phileus0 joined #salt
17:01 Reverend joined #salt
17:02 numkem joined #salt
17:02 phileus0 joined #salt
17:03 phileus0 joined #salt
17:04 Epx998 joined #salt
17:05 nledez joined #salt
17:09 phileus0 joined #salt
17:10 sh123124213 joined #salt
17:10 phileus0 Hi...I'm having a heck of a time setting up salt-api
17:10 phileus0 Please see the following: https://gist.github.com/anonymous/6f3431d0f5218c15b1aced2fdf73d68b
17:10 sh123124213 hmm, weird thing I noticed today. if there is not eth0 dev configured I get some connection error ( centos6 )
17:11 phileus0 https://gist.github.com/anonymous/e92564d9fa5cd3cea233d64bf7d1b204
17:12 schemanic joined #salt
17:13 phileus0 Here's my versions-report: https://gist.github.com/anonymous/108f335b66c26139fa5e3715c205c7e5
17:14 phileus0 Anyone out there...been banging my head on this for 2 days now..
17:14 whytewolf you have external_auth commented out ...
17:16 phileus0 whytewolf: Sorry this was one of my hacks to try to remove TLS from the equation.  I have uncommented, restarted, and still same issue.
17:16 whytewolf also, is svcuser a real user in the system?
17:17 phileus0 whytewolf: yes it is...I am able to log in over ssh.
17:18 whytewolf does salt -a pam '*' test.ping
17:18 whytewolf work
17:18 phileus0 whytewolf: https://gist.github.com/anonymous/e7d171f0c5972492006228ff17b2b6c5
17:18 phileus0 No..not working...
17:19 phileus0 whytewolf: I spent some time looking at the source code....an empty token is being returned in the source code.  I got lost at the async part.  Almost seems like it's not even getting talking to the PAM modules.
17:20 whytewolf humm, unfortunately i never ran salt-api on that old of a version
17:20 jbailey joined #salt
17:20 phileus0 whytewolf: Which version did it work on?  I upgraded to 2016.6 as well, and it still didn't work.
17:21 whytewolf when you made the changes you restarted the salt-master then salt-api [and honestly for the -a pam on the cli just the salt-master needs to be restarted]
17:21 whytewolf the 2 versions i have worked on salt-api were 2014.x and now 2017.7
17:21 whytewolf i know others have used it on other versions though
17:21 jbailey_ joined #salt
17:22 phileus0 whytewolf: yes to both...I am running salt-api and salt-master in debug mode manually.
17:23 phileus0 Anyone know any other debug steps I can take to see if PAM is actually being accessed.
17:24 whytewolf check the pam logs
17:25 nixjdm joined #salt
17:26 phileus0 whytewolf: Which one are those?  I checked /var/log/auth.log..I see nothing...
17:28 schemanic When pillars are set to merge, how are lists handled? I have three pillars each structured the same, each with a 1 item list. My understanding is that the pillar would render a 3 item list if the only things different are the list items
17:29 whytewolf phileus0: on ubuntu i am unsure. in centos they are in /var/log/security
17:29 whytewolf also check /var/log/syslog
17:32 GMAzrael joined #salt
17:37 phileus0 whytewolf: I'm looking at /var/log/auth.log..I see nothing for the user when issuing the commands from salt.
17:38 whytewolf then you most likely are not hitting pam like you suspect
17:39 phileus0 whytewolf: As I posted above, it just gives me a generic authentication failure...with no token returned in the source code.
17:39 whytewolf well. if it can't auth that is what it gives
17:41 marcaurele joined #salt
17:41 johnj_ joined #salt
17:42 whytewolf do you have any python libs that talk to pam?
17:43 whytewolf also, is salt-master being run as root?
17:44 phileus0 whytewolf: Yes salt-master is being run as root.
17:44 phileus0 whytewolf: Which PAM library does Salt use to talk to PAM?
17:45 phileus0 whytewolf: Perhaps that is what is off.
17:45 whytewolf oh, never mind. looking at the salt code it looks like it loads the clibs for talking to pam
17:46 phileus0 whytewolf: is that the problem?
17:46 whytewolf no, that should be fine
17:46 csmule joined #salt
17:48 csmule Is it good practice to be adding saltenv=blah to my salt commands, or should I configure this all in the top.sls?
17:49 phileus0 This code returns an empty token: https://gist.github.com/anonymous/cadda6992abdc477234f87ac45de02c4
17:49 whytewolf it should be configured in your top.sls [although cli commands that don't use top will still need saltenv]
17:50 whytewolf phileus0: ignore the cherry api. you are not even to that point until you get the eauth working
17:50 phileus0 whytewolf: What code should I start looking at to debug the eauth?
17:51 whytewolf https://github.com/saltstack/salt/blob/v2015.8.10/salt/auth/pam.py
17:51 phileus0 whytewolf: Thanks...I will start with that..and come back in a bit...
17:55 lbv joined #salt
17:56 lbv joined #salt
17:57 pbandark1 joined #salt
17:59 inetpro joined #salt
17:59 Rumbles joined #salt
18:05 Epx998- joined #salt
18:07 _KaszpiR_ joined #salt
18:10 sh123124213 joined #salt
18:13 jas02 joined #salt
18:16 sarlalian joined #salt
18:17 mikecmpbll joined #salt
18:21 pbandark1 joined #salt
18:23 wavded joined #salt
18:23 Epx998- left #salt
18:23 Epx998 joined #salt
18:31 oida_ joined #salt
18:31 Akkarin joined #salt
18:39 nixjdm joined #salt
18:41 Akkarin joined #salt
18:42 johnj_ joined #salt
18:45 schemanic joined #salt
18:45 schemanic Hello
18:46 schemanic Does anyone know how to merge pillars? I have several pillar files each containing parts of the same pillar dictionary, but only one is 'winning' and showing up on my minion
18:50 schemanic Anyone?
18:51 schemanic joined #salt
18:51 astronouth7303 check the pillar docs.
18:51 astronouth7303 there's things you can do to improve merging
18:54 schemanic I'm looking at it right now, but I'm not sure If I've done what it says can be merged or not
18:54 peterloron joined #salt
18:55 astronouth7303 i assume that you mean you have a dictionary under the pillar key `spam` and you want the dictionary to be merged from several places?
18:55 astronouth7303 honestly, i found it easier to move the various bits out into separate keys
18:56 marcaurele joined #salt
18:59 stewart311 joined #salt
18:59 peterloron joined #salt
19:01 peterloron Howdy. I'm having trouble getting the dockerng module to authenticate to a private dockerhub repo. Can any kind soul lend a hand?
19:01 stewart311 joined #salt
19:02 schemanic whats the best way to iterate through a dictionary that's been imported to your state file?
19:02 schemanic I'm seeing examples of .items()
19:03 astronouth7303 it's python-ish, so .items() is probably the simplest
19:05 stewart311 left #salt
19:06 marcaurele joined #salt
19:08 Hybrid joined #salt
19:11 sh123124213 joined #salt
19:14 numkem joined #salt
19:15 stewart379 joined #salt
19:16 schemanic Okay, so the lesson seems to be : Pillar can merge dictionaries, not lists.
19:16 schemanic So write states to iterate through key/value pairs in dictionaries
19:16 schemanic I guess
19:16 Eugene Yup.
19:17 schemanic Eugene, what are examples of where to use lists properly?
19:17 noraatepernos joined #salt
19:18 Eugene When that is the behaviour that you want?
19:19 Eugene I use them in my Pillar as such https://github.com/EugeneKay/srv-salt/blob/pepper/pillar/example.sls
19:19 ProT-0-TypE joined #salt
19:22 WildPikachu joined #salt
19:24 marcaurele joined #salt
19:25 edrocks joined #salt
19:26 schemanic mmm
19:26 schemanic Okay new question
19:26 schemanic I'm using the users formula from the main repo
19:26 Akkarin joined #salt
19:27 schemanic but I have other states/formulas I'm writing that set up per-user config files in user root directories
19:27 schemanic what's the *right* way to set this up? Should I adapt the users formula to create these config files for users, or should I make states that put those config files in user home directories
19:29 Epx998- joined #salt
19:29 Hybrid joined #salt
19:31 Epx998_ joined #salt
19:32 astronouth7303 is anyone else having problems with windows minions being inconsistent?
19:33 astronouth7303 like, i do manage.status and test.ping pretty regularly. my linux minions are always spot-on 100%, but the windows minions often go "down" for mysterious reasons.
19:41 skatz joined #salt
19:41 nixjdm joined #salt
19:41 cyborg-one joined #salt
19:41 high_fiver joined #salt
19:43 johnj_ joined #salt
19:45 skatz I'm using gitfs/git_pillar and setting "environment: production" in the minion conf file, and "top_file_merging_strategy: same" in the master conf file. For all of my minions except for one it works (i.e. it uses only the production branch on github as expected). On one minion however I get a bunch of errors about "Detected conflicting IDs, SLS IDs need to be globally unique." Here's top.sls: https://gist.github.com/phsteve/69dc4b60a25
19:45 WildPikachu joined #salt
19:46 skatz Any idea why only that particular minion is complaining about conflicting id's? Seems like the salt master is not using "top_file_merging_strategy: same" for that minion in particular.
19:46 astronouth7303 is its pillar environment set?
19:46 astronouth7303 (saltenv is not necessarily the same as pillar environment)
19:46 skatz yep pillar environment is base
19:47 skatz right yeah we're only using environments on the gitfs/saltenv side, not pillar
19:48 sjorge joined #salt
19:50 skatz It's not set in the minion conf file though if that's what you're asking. All the other minions (and presumably this one too) default to the 'base' pillarenv since it's not specified. We only list the master pillar branch in the master conf file
19:50 sjorge joined #salt
19:53 promorphus joined #salt
19:58 Hybrid joined #salt
20:00 mavhq joined #salt
20:06 doubletwist So other than https://github.com/saltstack-formulas/iptables-formula, which seems to be out of date/broken, are there any decent iptables formulas out there?
20:25 fatal_exception joined #salt
20:32 Eugene None that I have found. I have this. https://github.com/EugeneKay/srv-salt/blob/pepper/states/service/firewall/init.sls
20:34 noraatepernos joined #salt
20:36 sh123124213 joined #salt
20:38 oida joined #salt
20:40 nixjdm joined #salt
20:40 Rumbles joined #salt
20:41 Epx998 joined #salt
20:41 doubletwist Is this a reasonable way to set a list of 'base-packages' which should be installed on all systems, with slight difference in package names based on OS? This would be in a pillar ie pillar/packages/init.sls  http://paste.lopsa.org/204
20:41 doubletwist Or is there a better/cleaner way to do that
20:44 johnj_ joined #salt
20:47 michelangelo joined #salt
20:51 pbandark1 joined #salt
20:53 ProT-0-TypE joined #salt
20:53 Rumbles joined #salt
20:54 astronouth7303 anyone else seeing problems where the supervisord execution module doesn't work from orchestrate but does work when called manually?
20:56 smead joined #salt
20:56 astronouth7303 (2016.11)
20:57 omie888777 joined #salt
20:57 sh123124213 joined #salt
20:58 csmule joined #salt
20:58 csmule new to saltstack. So grains OK to use to "label" servers, and then use grain selectors or compound selectors in the top.sls file...?
20:58 csmule larry king: viable?
21:00 astronouth7303 csmule: i use grains to label servers with role/environment, but there's potential security implications to that
21:01 astronouth7303 lots of people use pillar for that
21:01 astronouth7303 or encode it in the minion id
21:02 csmule Meaning, use the minion-id so I can wildcard select etc...
21:02 astronouth7303 yup
21:03 csmule new question. Trying to use an include file, it seems I had to put it at the top level of my environment dir. That normal?
21:04 csmule Oh, nm, I just needed to fully qualify it.
21:05 csmule Do you guys commonly use a single salt master to manage prod/dev?
21:05 astronouth7303 This fails, but running `sudo salt -C "G@role:app and G@env:dev" supervisord.stop` succeeds. https://www.irccloud.com/pastebin/mbKZdDde/orch.sls
21:07 numkem joined #salt
21:11 aldevar joined #salt
21:16 Edgan schemanic: You can control merging in a map.jinja
21:18 Edgan schemanic: https://storage.cygnusx-1.org/formula.txt
21:18 fatal_exception joined #salt
21:24 ProT-0-TypE joined #salt
21:25 Edgan schemanic: https://storage.cygnusx-1.org/pillars.txt  This is a new idea I am working on for pillars. By using grains['id'] you can securely do grain-like matching in pillars/top.sls.
21:26 DanyC joined #salt
21:30 basepi joined #salt
21:30 Sarphram joined #salt
21:32 Edgan schemanic: Taking it to the next level I would add a new form of advanced minion matching that would let you directly match against jinja variables something like 'J@component':  .
21:33 Rumbles joined #salt
21:34 Epx998 left #salt
21:35 hatifnatt Hi. I have multiple hosts, each host needs its own certificate. I don't want to use a large pillar with multiple certificates and later select the certificate in a state (it's not secure, right?). But also I don't want to specify "host: pillar" pairs for each host in the top file. Is there a right way to accomplish this task?
21:35 aldevar left #salt
21:36 schemanic Heya Edgan. I *would* really like a secure way of doing grain matching without having to do an ext pillar
21:36 whytewolf grain matching is never secure
21:36 whytewolf and by nature could never be secure
21:36 Edgan whytewolf: Mine is only grain like, and they hard coded grains['id'] to salt-key name
21:37 Edgan whytewolf: So it is secure
21:37 whytewolf Edgan: grains['id'] is only hard coded on the master side not the minion side
21:37 Edgan whytewolf: exactly :)
21:38 csmule joined #salt
21:38 whytewolf i would still opt for opts.id over grains['id']
21:38 nixjdm joined #salt
21:38 Edgan whytewolf: That is a minor change, and I am pretty sure what I am doing works either way
21:38 Edgan whytewolf: have a look
21:40 Edgan schemanic: Grains are computed minion side, so they can't be trusted.
21:40 whytewolf yeap which is why i flinch any time says grains matching in pillar
21:41 Edgan schemanic: I normally turn the fqdn into grains and then use them in the formula top only. This way I turn them into jinja variables and then "match" them in the pillar top.sls.
21:41 whytewolf but that doesn't look too bad with the recent change to grains['id']
21:41 schemanic mm
21:41 schemanic how can i make file.managed create subdirs if they don't exist?
21:42 whytewolf you mean like the -p switch to mkdir?
21:42 whytewolf - makedirs: true
21:44 whytewolf hatifnatt: 2 options i can think of off the top of my head. both are ext_pillars
21:44 johnj_ joined #salt
21:45 whytewolf pillar stack and file_tree
21:45 tapoxi joined #salt
21:48 phileus0 joined #salt
21:50 hatifnatt whytewolf: never used any of that before, looks like it's time for new knowledge :)
21:50 csmule joined #salt
21:51 csmule If a tool is installed via curl/wget, is it possible to make it work with pkg.installed?
21:52 csmule or just want a way to ensure the app is installed.
21:52 whytewolf csmule: does it run a script or is it just an rpm [or deb]
21:53 csmule script, that does install a .deb
21:53 smead Hey all, I'm dealing with some cloud nodes that are really transient.  I'm setting them up, installing some packages, enforcing some configs and then expect them to get torn down in 24 hours or so.  It's kind of an auto-scale thing
21:54 csmule it's a monitoring agent. I'd like it installed on all my systems.
21:54 smead I'm using salt-cloud from a node that's behind a firewall, I'd like to be able to provision the node (salt-cloud) and have it run a state.  but, I don't want to create a salt master in the VPC that they can talk to
21:54 whytewolf csmule: ew. if it installs a deb it should just be a deb install. there shouldn't be hand wavyness.
21:55 smead Because, it's a bunch of overhead.  I'd really like to just have salt-ssh run the state for me.  Is it possible to do this automatically from salt-cloud, or, do I need to write some 'handoff' code that takes over after the salt-cloud run ?
21:55 csmule whytewolf: I think it tries to be clever and identify the OS, etc.. one of those secure curl | sh.
21:55 csmule So no clean way?  I just am doing a test for a file as the indicator if it's installed or not.
21:56 csmule if not salt['pkg.version']('chtcollectd')
21:56 csmule not a file, was using that^
21:56 whytewolf csmule: then pkg.installed is not what you want. you would need cmd.script most likely with a creates set to a file that the script or deb creates.
21:56 ProT-0-TypE joined #salt
21:57 whytewolf smead: what cloud system are you hitting [please say aws, please saw aws]
21:57 whytewolf s/saw/say
21:59 csmule thanks whytewolf
21:59 Edgan smead: Salt-cloud, as is, is a very incomplete tool. I wrote my own tool to do vpc creation, vpc peering, route53 zone files, security groups, instances, ELBs, and ALBs. For instances I have it use the salt api to pull a salt key securely. Then I feed it via user data to cloud-init to write it for the minion.
22:00 _KaszpiR_ joined #salt
22:00 Edgan smead: There is a working group working on rewriting salt-cloud to use the boto modules to do more.
22:00 whytewolf agreed. if it was aws i was going to suggest using the boto states/modules for creating the instances.
22:01 whytewolf not just the boto modules. but also create more modules like the boto modules. for say things like openstack GCE and the like.
22:01 smead aws
22:01 Edgan whytewolf: I am using straight boto3 in python3, not the boto modules. I know someone who wrote their own custom boto module wrapper salt stuff. That thing was going to be a work in progress for months or more.
22:01 smead whytewolf, AWS :)
22:02 whytewolf Edgan: I'm on that salt-cloud team. months is an understatement :P
22:02 Edgan smead: The problem with using boto modules to do all the things is it gets fairly opinionated fairly fast.
22:02 smead whytewolf, Edgan : Thank you.  That helps big time
22:04 smead So, it sounds like either custom user-data or a custom bootstrap script could deal with this.  Maybe a custom bootstrap that installs a minion, then dumps it into masterless mode, pulls the states from somewhere (github?) and runs them ?
22:04 whytewolf that would be what i would do. gitfs a masterless minion
22:05 Edgan smead: I think master mode is the way to go. I use salt-ssh for provisioning and deployment. I might be able to convert my style of deployment into master mode, but salt-ssh is definitely awesome for provisioning initial instances.
22:05 Edgan whytewolf: Wouldn't masterless gitfs pillars equal no pillar security?
22:07 _KaszpiR_ joined #salt
22:07 smead Edgan, In that case, I would have a salt-master running behind my firewall, run salt-cloud to setup the nodes.  Take the output from salt-cloud to build a roster, then run salt-ssh against those minions?
22:08 whytewolf kind of on edge about that. on one hand you could just shovel the pillar data into the minion through other means. so that it only gets its own pillar data. if only user-data wasn't so limited in the amount of space it holds.
22:08 Edgan smead: You could do that, but I like my tool written with boto3 way better than salt-cloud.
22:08 Edgan I also like master mode for reporting, and use foreman to have a salt master dashboard.
22:09 smead Edgan, with salt-ssh, the minions don't need to speak to the salt-master?
22:09 Edgan Mass automatic configuration management without a dashboard is insanity IMHO
22:09 smead +1
22:10 Edgan smead: salt-ssh runs from wherever you run it, like Ansible, no master. Salt-ssh is really an ssh into the instance, copy the salt code into a /tmp directory, and run salt-call script.
22:10 DoomPatrol indeed and somewhat slower
22:11 Edgan Mostly in the extra copying of the code. Execution once started should be the same.
22:11 smead Ahh, okay, so I just build my roster and go, as long as I have my states somewhere it can find them
22:11 smead on my local machine
22:12 Edgan That it is masterless might also enable you to do it from a distance, or across a VPN. It will be more latency sensitive. So if you are in California, but your region is us-east-1, you will feel the latency.
22:12 Edgan smead: Also the roster is the biggest pain
22:13 Edgan smead: You really want a dynamic EC2 roster. I looked into taking the dynamic Ansible roster and making it work with salt-ssh. It was going to take a Salt pull request to work.
22:13 Edgan smead: I got a working proof of concept working, once.
22:13 smead Edgan, sure... as long as my states are smallish and I don't have a ton of junk to sync up, I should be okay.  Most of the stuff I'm doing is actually native package installation anyway
22:15 hatifnatt whytewolf: looks like ext_pillar not very portable because I need to modify master config. Also I think it doesn't work with salt-ssh, am I wrong?
22:15 Edgan smead: You have no file server. So if you do any debs or anything outside an apt repo, it will slow you down. I was doing debs outside apt repos to avoid apt-get dist-upgrade from getting things out of sync with Salt with pkg.installed version locking.
22:16 whytewolf hatifnatt: ext_pillars should work with salt-ssh
22:17 whytewolf https://github.com/saltstack/salt/issues/16413
22:22 ProT-0-TypE joined #salt
22:30 mikecmpbll joined #salt
22:32 csmule Thanks whytewolf, I used cmd.script and the "unless" option. Better than how I was doing it.
22:33 ninjada joined #salt
22:34 NotBobDole joined #salt
22:35 NotBobDole Hey all. I'm trying to pass in a list of arguments to an orchestration through the pillar function of salt-run
22:36 NotBobDole salt-run state.orch orch.example pillar='{"args": "-C"}'
22:36 NotBobDole oh wait. It's working now.
22:36 NotBobDole What
22:37 NotBobDole It WAS erroring that "There is no such argument -C" and etc
22:37 NotBobDole Whatever. Thanks!
22:38 nixjdm joined #salt
22:45 johnj_ joined #salt
22:53 lionel joined #salt
23:07 ProT-0-TypE joined #salt
23:07 hatifnatt whytewolf: I can't find in docs, is it possible to specify multiple environments for ext_pillar file_tree?
23:08 whytewolf i don't know
23:08 hatifnatt ok, thanks
23:09 justanotheruser joined #salt
23:19 tellendil_ joined #salt
23:21 justanotheruser joined #salt
23:30 hatifnatt looks like ext_pillar file_tree doesn't support multiple environments :(
23:34 dstensnes this breaks some of my files: https://github.com/saltstack/salt/issues/33669
23:34 dstensnes anyone know if we can expect a fix?
23:35 fatal_exception joined #salt
23:44 ahrs joined #salt
23:46 johnj_ joined #salt
23:53 honestly dstensnes: it sounds like you're misusing it - ini files are not shell files
