
IRC log for #salt, 2017-10-26


All times shown according to UTC.

Time Nick Message
00:04 fallenour_ joined #salt
00:07 user-and-abuser joined #salt
00:07 fallenour_ left #salt
00:07 bhosmer joined #salt
00:07 fallenour joined #salt
00:07 fallenour o/
00:08 zulutango joined #salt
00:08 fallenour Is there a way to get a kvm instance to rejoin a salt minion to the salt master? I do believe it would be with virt rescue, but I'm not sure
00:10 Zachary_DuBois joined #salt
00:11 pppingme joined #salt
00:15 bhosmer joined #salt
00:28 bhosmer joined #salt
00:29 user-and-abuser joined #salt
00:38 fallenour Is there a way to get a kvm instance to rejoin a salt minion to the salt master? I do believe it would be with virt rescue, but I'm not sure
00:48 benhosmer joined #salt
00:48 iggy no
00:50 benhosmer joined #salt
00:54 fallenour_ joined #salt
01:22 nomeed joined #salt
01:29 teratoma joined #salt
01:35 jeffspeff joined #salt
01:56 ilbot3 joined #salt
01:56 Topic for #salt is now Welcome to #salt! <+> Latest Versions: 2016.11.8, 2017.7.2 <+> Support: https://www.saltstack.com/support/ <+> Logs: http://irclog.perlgeek.de/salt/ <+> Paste: https://gist.github.com/ <+> See also: #salt-devel, #salt-offtopic <+> We are volunteers and may not have immediate answers
02:17 pipps joined #salt
02:20 bryan joined #salt
02:39 tiwula joined #salt
02:43 evle2 joined #salt
02:49 justanotheruser joined #salt
02:55 masber joined #salt
02:57 masber joined #salt
03:00 ivanjaros joined #salt
03:37 XenophonF wouldn't it be nice if there was a |shell_squote filter?
03:39 XenophonF nothing in salt.utils.stringutils :(
03:40 XenophonF I tried grepping for "quote" and "escape"
03:41 XenophonF hm, shlex.quote in Python 3, backported to Python 2 as shellescape?
03:44 user-and-abuser joined #salt
03:55 LocaMocha joined #salt
03:58 user-and-abuser joined #salt
04:02 masber joined #salt
04:02 gnomethrower_ left #salt
04:03 aneeshusa joined #salt
04:04 ibro joined #salt
04:04 masber joined #salt
04:26 justanotheruser joined #salt
04:34 maestropandy joined #salt
04:34 maestropandy left #salt
04:38 SkyRocknRoll joined #salt
05:00 usernkey joined #salt
05:05 justanotheruser joined #salt
05:12 yuhl joined #salt
05:15 fracklen joined #salt
05:31 maestropandy joined #salt
05:31 maestropandy left #salt
06:07 ivanjaros joined #salt
06:12 gnomethrower joined #salt
06:17 Miouge joined #salt
06:18 gmoro joined #salt
06:28 maestropandy joined #salt
06:35 maestropandy left #salt
06:41 SkyRocknRoll joined #salt
06:44 do3meli joined #salt
06:44 do3meli left #salt
06:48 fracklen joined #salt
06:50 fracklen_ joined #salt
06:55 Ricardo1000 joined #salt
06:58 obitech joined #salt
07:11 Ricardo1000 joined #salt
07:19 aviau joined #salt
07:24 jas02 joined #salt
07:30 robman joined #salt
07:41 fracklen joined #salt
07:46 darioleidi joined #salt
07:52 DanyC joined #salt
07:58 pualj joined #salt
08:02 pbandark joined #salt
08:14 mikecmpbll joined #salt
08:19 XenophonF joined #salt
08:22 fracklen joined #salt
08:25 toanju joined #salt
08:36 Mattch joined #salt
08:40 Hybrid joined #salt
08:43 maestropandy joined #salt
08:44 absolutejam Guys, what's the standard way of returning an error from an execution module?
08:44 maestropandy left #salt
08:44 absolutejam Is something like: return { 'Error': msg } okay?
08:44 absolutejam I find some modules just spit a stack trace which is awful for the end-user
08:47 _KaszpiR_ joined #salt
08:48 fracklen joined #salt
08:48 exegesis joined #salt
08:48 omie888777 joined #salt
08:48 N-Mi joined #salt
08:48 N-Mi joined #salt
08:59 gmoro joined #salt
09:07 fracklen joined #salt
09:19 absolutejam or, say i wanted to return that a HTTP API had been successfully updated
09:23 darioleidi_ joined #salt
09:25 Johbe joined #salt
09:26 fracklen joined #salt
09:35 maestropandy joined #salt
09:48 Mogget joined #salt
09:58 Naresh joined #salt
10:00 lompik joined #salt
10:05 jhauser joined #salt
10:11 felskrone joined #salt
10:12 zer0def joined #salt
10:21 fracklen joined #salt
10:35 dxiri joined #salt
10:42 maestropandy left #salt
10:49 jas02_ joined #salt
10:50 fracklen joined #salt
10:58 dxiri joined #salt
10:59 jas02 joined #salt
11:02 jas02_ joined #salt
11:04 jas02_ joined #salt
11:12 jas02 joined #salt
11:19 jas02 joined #salt
11:22 zer0def joined #salt
11:22 masber joined #salt
11:23 fracklen joined #salt
11:25 stooj joined #salt
11:27 dxiri joined #salt
11:29 jas02_ joined #salt
11:32 exegesis joined #salt
11:33 Reverend joined #salt
11:33 Reverend afternoon, ladies and gents
11:34 robman hello
11:35 robman :)
11:36 obitech hey guys
11:37 dxiri joined #salt
11:37 obitech It might have been buried but I'm quite interested in absolute jam's question as well: is there a standard way or best practice to return error messages or codes from custom execution models?
11:45 dxiri joined #salt
11:49 babilen obitech: ret['result'] = True/False, ret['comment'] = "FUBAR", ret['changes'] = "World burned", ....
11:50 babilen absolutejam: ^
11:50 obitech thanks babilen!
11:50 babilen If only I could find where that's documented ...
11:57 Nirmal joined #salt
11:58 yuhl left #salt
12:00 cyborg-one joined #salt
12:04 Nageswar13 joined #salt
12:06 _aeris_ joined #salt
12:06 Nageswar joined #salt
12:06 major joined #salt
12:08 Nages joined #salt
12:09 jas02 joined #salt
12:09 dxiri joined #salt
12:10 Nages hello
12:10 Nages salt-call state.show_lowstate -l debug --retcode-passthrough
12:11 Nages is passing return code 0 even if state rendering fails
12:12 Nages can anyone advise?
12:12 Nahual joined #salt
12:15 maestropandy joined #salt
12:15 maestropandy left #salt
12:15 Nages left #salt
12:15 Nages joined #salt
12:24 jas02_ joined #salt
12:34 jas02 joined #salt
12:35 jas02 joined #salt
12:38 dxiri joined #salt
12:47 jas02 joined #salt
12:48 bryan joined #salt
12:53 dxiri joined #salt
12:55 dxiri joined #salt
12:59 exegesis joined #salt
13:01 pualj joined #salt
13:03 jas02 joined #salt
13:07 exegesis joined #salt
13:08 dxiri joined #salt
13:10 jas02 joined #salt
13:14 sploenix joined #salt
13:14 jas02 joined #salt
13:15 daemonkeeper joined #salt
13:19 jas02 joined #salt
13:22 dxiri joined #salt
13:29 jas02 joined #salt
13:29 edrocks joined #salt
13:30 Brew joined #salt
13:32 sjorge joined #salt
13:34 maestropandy joined #salt
13:37 user-and-abuser joined #salt
13:37 justanotheruser joined #salt
13:39 maestropandy left #salt
13:40 KingJ joined #salt
13:43 gh34 joined #salt
13:51 KingJ joined #salt
13:58 toanju joined #salt
13:59 racooper joined #salt
14:01 mchlumsky joined #salt
14:07 filthyG joined #salt
14:07 Reverend anyone had issues importing on 7.2?
14:07 Reverend 7.1 master, 7.2 minion and it's exploding :/
14:08 jas02 joined #salt
14:08 Reverend i think the if it matching, but the import_yaml isn't.
14:08 Reverend isn't working*
14:10 robman doesn't the master need to be a higher version than the minion?
14:11 yuhl joined #salt
14:12 dxiri joined #salt
14:13 tkharju joined #salt
14:14 Reverend not that I was aware... thought it was version agnostic. :S
14:15 robman from the FAQ: "Backwards compatibility for minions running newer versions of salt than their masters is not guaranteed."
14:16 babilen Master has to be at least as new as the newest master or b00m
14:16 babilen err
14:17 babilen newest minion naturally :)
14:17 threwahway joined #salt
14:18 wavded joined #salt
14:21 coredumb what are you guys using salt with to manage your cloud instances DNS ?
14:21 Reverend babilen robman - okay. thanks chaps. I'll downgrade it and try to get rid of the booms :P
14:22 babilen Why not upgrade the master?
14:26 fracklen joined #salt
14:28 beardedeagle joined #salt
14:30 Reverend this is in production. we'll do that when we have time to plan recoveries undoubtedly.
14:31 Reverend also - downgrading didn't fix :/
14:31 Reverend darn it
14:32 fracklen joined #salt
14:33 Rubin joined #salt
14:34 dxiri_ joined #salt
14:36 tapoxi joined #salt
14:36 tapoxi t
14:37 tapoxi any way to avoid waiting for a minion to return?
14:38 tapoxi e.g. not hanging waiting for the minion after performing salt 'minionname' system.reboot
14:40 Reverend ctrl+c :P
14:41 jas02 joined #salt
14:41 sjorge joined #salt
14:46 ivanjaros joined #salt
14:47 fracklen_ joined #salt
14:48 gmoro joined #salt
14:49 dxiri joined #salt
14:53 dxiri joined #salt
14:54 tapoxi Reverend: yeah I was hoping for a flag or something
14:54 tapoxi normally I use the python api but I need something for my little bash loops when doing stuff manually
14:55 whytewolf --async
14:55 tapoxi whytewolf: thanks!
14:56 whytewolf you won't get the output of course
14:57 tapoxi yeah doesn't matter can just lookup the jid later
14:57 tapoxi surprised that flag wasn't in the man page
14:57 whytewolf i see it in the man page
14:59 tapoxi hmm
14:59 tapoxi I need coffee
14:59 tapoxi :)
15:00 cgiroua joined #salt
15:07 ahrs joined #salt
15:07 vishvendra joined #salt
15:08 jas02 joined #salt
15:11 maestropandy joined #salt
15:12 maestropandy left #salt
15:17 Reverend okay, so here's the story. top.yml has `from blah/config.yml import config`. config.yml import_yaml's from another file... and as far as I can tell, it ONLY doesn't work on the 2017.7.1 box.
15:18 Reverend "rendering primary top file failed." if this was broken for every box, I'd expect that error for every box. right? I mean it's a top file... it's rendered for everything.
15:25 nixjdm joined #salt
15:31 lompik joined #salt
15:34 fracklen joined #salt
15:34 sarcasticadmin joined #salt
15:35 JoshL joined #salt
15:39 wonko21 joined #salt
15:40 XenophonF I'll do you one better.
15:41 XenophonF I have an selinux.boolean state that works on a bunch of CentOS Linux 7.4 servers but fails on another bunch of CentOS Linux 7.4 servers, because the selinux exec module fails to load on some but works fine on the others.
15:43 Neighbour XenophonF: Are they on the same version of libsemanage?
15:44 mntnman joined #salt
15:45 xet7 joined #salt
15:45 XenophonF yes, same libsemanage
15:46 XenophonF on the broken machines, I'm getting this error: AttributeError: 'module' object has no attribute 'which'
15:46 XenophonF that's when the __virtual__ function calls salt.utils.path.which() to see if various SELinux commands are available
15:47 bildz is anyone going to saltconf next week?
15:47 bildz Ill be there starting wednesday
15:47 Neighbour XenophonF: How about libselinux-python?
15:48 XenophonF yup that's the same too
15:48 tapoxi joined #salt
15:48 Neighbour hmm, odd
15:48 XenophonF haha yeah no kidding :)
15:49 XenophonF the difference is that the broken ones all seem to be installed from the AMI via salt-cloud
15:49 whytewolf XenophonF: corrupted installs. most likely broken salt-common
15:49 whytewolf bildz: I'll be there.
15:50 bildz o/ whytewolf
15:50 XenophonF salt-common isn't installed on either
15:50 whytewolf meeting time
15:50 bildz whytewolf: I can thank you in person for all your help
15:50 Neighbour XenophonF: so utils.path doesn't have a 'which'...can you check out what decorators are present there, and why they apparently cause path.which to not load?
15:51 XenophonF I'm going to rpm -ql salt\* on both systems, diff that, and then md5 the files on both ends and diff those
15:52 noobiedubie joined #salt
15:53 user-and-abuser joined #salt
15:56 XenophonF salt/modules/selinux.py is the same on both servers
15:56 XenophonF that's where the broken __virtual__ function is
15:57 Neighbour XenophonF: Except the virtual function isn't broken...there's a component it uses (utils.path.which) which isn't there (but should be)
15:58 XenophonF the code looks right - it's written as "if not salt.utils.which(cmd):"
15:58 XenophonF and the which function lives in salt/utils/__init__.py
15:59 XenophonF hang on let me paste the error
15:59 XenophonF http://ix.io/BMA
16:00 XenophonF this is the code it says it's executing, which doesn't match the .py file: `if not salt.utils.path.which(cmd):`
16:00 XenophonF so woah something's really screwed up
16:00 XenophonF lemme diff the .pyc/.pyo files
16:02 XenophonF nope - md5s for salt/modules/selinux.py* match on both the working and broken servers
16:02 noobiedubie joined #salt
16:03 XenophonF brb going to ask on #python
16:03 maestropandy joined #salt
16:04 xet7 joined #salt
16:05 gh34 joined #salt
16:12 tiwula joined #salt
16:20 XenophonF there are differences where things like pip and setuptools are installed (on the broken system) but not on the other (working system)
16:20 XenophonF that shouldn't amtter
16:20 XenophonF matter
16:29 frew Can anyone tell me if a bug exists in a newer version of salt than 2016.11?  I can't find it in the github issues
16:29 frew (specifically: salt-key never seems to error non-zero)
16:30 frew (ie run as non-root, or have /etc/salt/pki/master missing, or, as far as I can tell, any error)
16:31 Trauma joined #salt
16:32 evle joined #salt
16:34 XenophonF I think I'm going to have to build some test systems to track down this problem.
16:35 viq XenophonF: 'salt-call -l trace' on both to see what's going on?
16:36 XenophonF well according to the backtrace, the broken machine is executing code that doesn't exist on the file system
16:36 XenophonF I'll try it anyway :)
16:38 viq and/or time to read code to see what salt.utils.path.which does to determine whether it's available or not
16:39 tracphil joined #salt
16:39 XenophonF it isn't
16:40 tracphil join #nocbot
16:40 XenophonF the code in salt.modules.selinux.__virtual__() calls salt.utils.which()
16:40 XenophonF which does exist in salt/utils/__init__.py
16:40 nixjdm joined #salt
16:40 XenophonF but the error says it's trying to call salt.utils.path.which(), which doesn't exist
16:41 XenophonF trace logging bypasses I/O redirection??
16:41 * XenophonF beats head against desk
16:42 tracphil I do that a lot as well @XenophonF
16:42 XenophonF well the exception logged at the trace level is the same as what I'm getting
16:43 XenophonF OH
16:43 XenophonF God dammit.
16:43 XenophonF /var/cache/salt/minion/extmods/modules/selinux.py
16:43 XenophonF I am such a freaking idiot.
16:44 XenophonF thanks viq
16:45 XenophonF I monkey patched selinux.py a month ago to work around a bug in filetype_id_to_string.
16:45 vishvendra hey guys.. Is there any way to get the salt enterprise trial version?
16:50 XenophonF Now I remember.
16:50 XenophonF I hit https://github.com/saltstack/salt/issues/42505.
16:51 XenophonF And I backported the fix from https://github.com/saltstack/salt/pull/43068.
16:51 XenophonF Neighbour, viq, whytewolf: thank you all for your help
16:53 Lionel_Debroux joined #salt
16:54 reavon left #salt
16:54 _JZ_ joined #salt
16:57 reavon joined #salt
16:59 reavon left #salt
17:01 Miouge joined #salt
17:09 laertus i have a little server that i occasionally connect to that's hosted by a VPS provider
17:10 laertus i'd like to run salt on there, but can't decide whether to have a salt minion or run salt masterless on it
17:11 laertus the issue that gives me pause is that normally that machine can't contact my home laptop (on which the salt master runs.. .or will run once i set it up)
17:11 laertus i could set up some port forwarding on localhost on that remote machine, so it can contact my laptop... but those ports will only be open when i connect to the laptop, and closed otherwise
17:12 laertus so i'm wondering if that kind of setup will be problematic, or if i'm just better off running salt masterless on there
17:14 aldevar joined #salt
17:17 Edgan laertus: Your best bet is salt-ssh
17:18 laertus ah, ok, cool... that looks interesting
17:19 Edgan laertus: It is the easiest for development too. No having to git commit, push, pull untested code, or having to rsync code for masterless.
17:20 laertus right.. that makes sense
17:22 user-and-abuser joined #salt
17:26 sh123124213 joined #salt
17:26 ansleyp joined #salt
17:30 pipps joined #salt
17:30 ansleyp is it possible to specify multiple random minutes using salt.cron?
17:30 ansleyp for example
17:31 ansleyp cron.present:     - identifier: my_script     - user: root     - minute: random,random
17:34 Edgan ansleyp: is random a magic keyword, or is it a jinja variable like {{ random }}
17:34 ansleyp it's a keyword from salt.states.cron
17:34 Edgan ansleyp: If you used a jinja variable, then you can repeat it all you want
17:35 ansleyp minute: {{ random }}, {{ random }}
17:35 ansleyp like that?
17:37 DanyC joined #salt
17:38 DanyC_ joined #salt
17:39 Nahual joined #salt
17:39 ansleyp to be clear I want to run a cron job at 2 random minutes
17:39 ansleyp as a cron entry it would look like
17:40 ansleyp 3,5 * * * *
17:40 nixjdm joined #salt
17:44 _KaszpiR_ joined #salt
17:50 pipps joined #salt
17:52 lordcirth_work ansleyp, wouldn't you want a random time, but every 30 minutes?  2 randoms could get you 4,5
17:52 dxiri_ joined #salt
17:53 ansleyp that could work
17:53 ansleyp but I still need them to be random
17:54 ansleyp I can't have all my servers running this cron script at 12:00 and 12:30
17:55 lordcirth_work How about something like this: {% set x = random %} {{ random }}, {{ random + 30 % 60 }}
17:56 ansleyp where would I put that set statement?
17:56 viq laertus: why not run salt master on that VPS?
17:57 laertus i'd rather have the master on my laptop, so it can send out commands to other servers
17:57 laertus rather than relying on that one vps server
17:58 lordcirth_work ansleyp, anywhere above.  But that was more pseudocode than valid jinja, maybe
17:59 viq laertus: well, servers *listen* for commands, not "get sent" them
17:59 laertus viq: also, like i said before, that vps server won't always have access to my laptop, so the VPS server won't be able to control my laptop if i'm not connected to it and have port forwarding enabled
17:59 DanyC joined #salt
17:59 laertus viq: servers can certainly be salt minions.. that's part of the reason for using salt: to control/command other servers
17:59 viq laertus: that's why it would be your laptop connecting to master running on vps
18:00 laertus hmm
18:00 laertus yeah, i guess i could do it that way.. but then i'd need to give that VPS server access to other servers too.. like give it AWS creds.. and i just don't trust it enough
18:01 laertus i'd rather just have all that power kept on my laptop
18:02 ansleyp lordcirth_work why didn't you use the 'x' variable?
18:03 lordcirth_work ansleyp, er, because I'm multitasking too much :P
18:04 lordcirth_work {% set x = random %} {{ x }}, {{ x + 30 | modulo(60) }} ought to work
18:05 cyborg-one joined #salt
18:06 viq laertus: remember it's the minions connecting to master. so if you can run it somewhere where all can connect to, that would get you set
18:07 nomeed joined #salt
18:07 laertus yeah, that makes sense, but has the issue of if my laptop is the master then they might not be able to connect until/unless i connect to them
18:07 laertus which is why i like the salt-ssh solution.. at least for now
18:08 laertus and i just don't trust any of them to be masters with creds to the rest
18:08 laertus my laptop's really the only central authority i can trust right now
18:09 ansleyp lordcirth_work: getting syntax error, no filter named 'modulo'
18:10 ansleyp {% set r = random %}
18:10 ansleyp - minute: {{ r }}, {{ r + 30 | modulo(60) }}
18:10 ansleyp that's what my config looks like
18:11 lordcirth_work ansleyp, I guess that's not in Salt's jinja yet...
18:20 viq laertus: technically you can have credentials in pillars, and those you can provide on cli or via api
18:20 pipps joined #salt
18:21 ansleyp lordcirth_work: now getting Jinja variable 'random' is undefined when setting the variable
18:22 laertus viq: that's an interesting solution.. but now that i think more about it, i'd also have to trust the master with the data sent to the minions, and i can't trust any but my laptop with that either
18:24 viq laertus: I somewhat do understand, but please elaborate why is that the case?
18:25 laertus viq: for instance, if a VPS server was my salt master and it was hacked in to, the hacker could put a rootkit in to the salt fileserver and that rootkit would then be sent out to the minions when i do a salt run, or just alter salt states to pull a rootkit from some external server under his control
18:25 aviau joined #salt
18:26 viq laertus: "and how do you protect your laptop?"
18:26 laertus on the other hand, if the VPS server was just a minion (masterless or just a target of salt-ssh) its compromise would remain contained to itself
18:26 laertus viq: well, if my laptop is compromised, then it's game over
18:26 laertus and i trust my laptop much more than a VPS under the control of someone else
18:27 laertus the VPS owners have total control over their servers, and the VPS servers are also on shared hardware, which is vulnerable to attack by other people on the same hardware
18:27 viq laertus: and often laptop has much bigger attack surface - browser, email, documents, media files, etc
18:28 laertus viq: well, like i said, if my laptop is compromised, it's game over because all the creds to everything are on here.. there's just nothing i can do about that
18:28 laertus so why would i increase the attack surface to my laptop+some VPS?
18:28 viq laertus: and while I don't trust VPS servers myself, AFAIK you can get quite high level of protection on AWS, or do like I do and get a cheap dedicated server somewhere
18:28 laertus why not just limit it to my laptop alone?
18:28 nixjdm joined #salt
18:30 viq *shrug* it's about choices and compromises. I've made mine, seems you've made yours :) I'm just trying to provide questions that may help you refine your answers.
18:30 laertus yeah, i appreciate that
18:30 laertus it's good to hash all this out to find out what solutions are appropriate
18:31 laertus btw, another thing i just thought of that argues against using a VPS as the master is that i'd be dependent on the VPS provider
18:31 laertus if i ever lost access to it, i'd be screwed
18:31 viq For me, a dedicated server with limited ssh, FDE, and encrypted pillars in git on my box at home was a reasonable compromise.
18:32 whytewolf use a credentials vault. and stop putting things like creds on your laptop. anyone could steal it at any time
18:32 XenophonF what whytewolf said
18:32 laertus i could lose access to that
18:32 XenophonF that's what backups are for
18:33 XenophonF for me keeping states in github and gpg-encrypted pillars in codecommit seemed like a reasonable choice
18:33 XenophonF with keymat archived in 1password
18:33 XenophonF plus local offline backups
18:34 laertus yeah, backups are always good
18:34 laertus i personally don't like to put my data on external servers, even when that data is encrypted
18:35 Edgan laertus: If you don't trust encryption to do its job, then you have a pile of problems.
18:35 viq laertus: are you implying you can't lose access to your laptop, either due to hard drive failure or device loss?
18:35 laertus i do think those problems are there, and i don't need to add to them by also exposing my data to potential future compromise on some third-party system
18:35 SkyRocknRoll joined #salt
18:36 laertus viq: i can lose access to my laptop, but i also make backups... they're just local backups to physical media, not to the cloud
18:36 whytewolf laertus: you are more likely to lose access to your laptop than a service
18:36 whytewolf so no offsite?
18:36 laertus that's true, but then i have to put some trust in to the service and/or hope that the encryption won't be defeated in the future
18:37 laertus i mean, i don't think there's any perfect solution.. especially not for everyone
18:37 laertus it's all just a choice of compromises
18:37 whytewolf there are bad solutions and local only is a bad one
18:38 whytewolf esp. if local is mobile
18:38 laertus i don't agree.. as i said, putting encrypted data on some third party system has the potential of that data being compromised if/when the encryption gets defeated
18:38 whytewolf are you wire only to your laptop?
18:38 laertus sorry?
18:38 whytewolf do you use wireless
18:39 laertus no
18:39 laertus i have a traditional old ethernet cable blinking away in my laptop right now
18:40 laertus yes, i recognize that using wireless exposes oneself to wireless attacks
18:40 nixjdm_ joined #salt
18:40 whytewolf not really. if you know what to look for and are educated about how to deal with the attacks.
18:41 whytewolf like don't use wpa2 currently unless you are patched
18:41 whytewolf security is more about educating yourself about the risks and knowing what actually is a vector, rather than mindlessly putting your head down and ignoring what is possible.
18:42 Edgan whytewolf: Use wpa2(patched or not) or don't use wireless. The alternatives are WEP or no encryption.
18:43 DammitJim joined #salt
18:43 sjorge joined #salt
18:43 whytewolf Edgan: well, i was referring to KRACK... which it would almost be better to run WEP than an unpatched WPA2
18:44 Edgan whytewolf: yeah, no, WEP is even more trivial to hack
18:44 whytewolf true.
18:45 whytewolf also I recommend enterprise wpa2 over commercial wpa2 anyway
18:45 whytewolf but not everyone wants to set up pki keys
18:46 Edgan whytewolf: yes, in general. I don't know the exact details, but I have heard people say wpa2 enterprise has the same problem as wpa2
18:47 fracklen joined #salt
18:47 whytewolf it does, and doesn't. the attack vector is smaller than standard. and it gets rid of part of the issue with unpatched linux and android boxes
18:48 whytewolf but otherwise there is still a vector there
18:48 whytewolf unless you patch
18:49 babilen We've patched all our boxes and ubiquiti gear (luckily wasn't too much work)
18:50 whytewolf i have to hand it to ubiquiti they were on the ball with the patch
18:51 babilen But there'll be millions of unpatched ISP provided routers/APs around that are accessed via boxes/tablets/phones/... that haven't seen a single security update in years
18:51 babilen whytewolf: Yeah, it was awesome :)
18:53 toanju joined #salt
18:55 SkyRocknRoll joined #salt
18:55 whytewolf laertus: i used to work at a bank. i would have been fired a day in had i kept the practices you are wanting. and those laptops we had were VERY secure.
18:56 laertus i've worked at financial institutions myself my entire career
18:56 laertus so i'm not exactly ignorant of security practices at banks and elsewhere
18:56 whytewolf if you can't trust something in an external setup. then setup a local server
18:57 user-and-abuser joined #salt
18:57 laertus if i could afford one, i would
18:57 laertus right now my laptop's all i have, though
18:58 whytewolf ebay is your friend.
18:58 whytewolf also ewaste
18:59 laertus yeah, it's a good idea
18:59 laertus i hear you.. and i should really make more of an effort to get myself another machine.. as old and weak as it might be
18:59 laertus it'd still be better than just putting everything on my laptop.. you're right
19:00 whytewolf my personal salt server is an old dell 2950 III that i bought off amazon. i paid like $80 for it, of course i put a little more into it after i bought it. but it would have run salt fine.
19:01 laertus i appreciate the suggestion... it is a good one
19:11 Hybrid joined #salt
19:23 ChubYann joined #salt
19:28 Hybrid joined #salt
19:29 fracklen joined #salt
19:36 XenophonF and then you build the mirrored backup server running freenas
19:36 XenophonF and then you upgrade to a proper gigabit switch
19:36 XenophonF and then you add a UPS
19:36 XenophonF and then you upgrade to a proper firewall - opnsense, say
19:36 XenophonF and then you decide to put all the gear into one cabinet
19:36 XenophonF and then you expand the NAS
19:36 whytewolf and then you drop 10K on a personal openstack setup and wonder ... what am i doing with my life
19:37 XenophonF ^-- this guy!
19:38 XenophonF so glad to hear I'm not the only one
19:38 * MTecknology https://imgur.com/a/fjdoE
19:38 racooper joined #salt
19:39 whytewolf https://imgur.com/gallery/HgSk1
19:39 XenophonF that's beautiful
19:40 beardedeagle your cabling could be cleaner. I troll, I troll.
19:40 XenophonF I'm going to talk a buddy of mine into 3d-printing me some cable combs for home use
19:40 nixjdm_ joined #salt
19:40 MTecknology my cabling was done with the mindset that this stuff sometimes needs to move out of my way
19:41 whytewolf i didn't have cable combs and was being too lazy to make some. and didn't want to rejigger the power
19:41 XenophonF both are very nicely done
19:41 beardedeagle agreed
19:42 whytewolf you can hardly tell my rails are bent to hell cause i didn't have help mounting the hardware :P
19:43 beardedeagle I need to get a pic of my setup
19:45 XenophonF MTecknology: I like how paranoid you are.
19:45 XenophonF You need to check out Proconsul.
19:46 MTecknology paranoid? how so?
19:46 XenophonF everything's firewalled to hell and back, bastion hosts everywhere
19:46 XenophonF I'm getting ready to deploy Proconsul and take away domain admin access.
19:46 MTecknology ah, thanks :)
19:47 MTecknology I have a couple recent blog posts about being paranoid as well... https://michael.lustfield.net/
19:47 XenophonF You have to log into Proconsul using Shibboleth IdP (so domain login + TOTP MFA), and from there you go through novnc in a browser to backend servers
19:47 XenophonF using temporary credentials
19:47 XenophonF can't phish the domain admin password if you don't have one
19:47 MTecknology I suppose we're all very off topic at the moment and probably know where we should be, eh?..
19:48 whytewolf I use salt to manage it all... there we are back on topic :P
19:49 MTecknology I took a break, but I'm still trying to get to the point that I deploy a VM in any DC (VPS provider(s) or home) just by defining it in netbox.
19:49 beardedeagle MTecknology: XenophonF hasn't graced us with their presence in #salt-offtopic
19:49 XenophonF Yeah I need to finish the Hyper-V to OpenStack migration, and then I can start using Salt Cloud at home.
19:50 XenophonF LOL
19:50 XenophonF I kind of wish Salt supported Hyper-V :-/
19:51 beardedeagle https://github.com/saltstack/salt/issues/13449
19:51 beardedeagle open since 2014
19:53 XenophonF wow
19:56 beardedeagle sounds like you need to put in a pr
20:10 absolutejam hey guys, what's the best way of moving a folder on a minion to another location
20:10 absolutejam Rename /parent/child -> /parent/
20:11 absolutejam file.recurse requires salt:// path source
20:12 absolutejam file.managed requires a file
20:12 absolutejam file.directory has no source param
20:12 MTecknology For a one-off thing, I tend to just use cmd.run
20:18 absolutejam Makes sense, haha
20:18 absolutejam Easiest option
20:18 absolutejam Now my state isn't updating? O.o
20:19 absolutejam Changed it to cmd.run and it's still running the old state...
20:19 absolutejam Tried clearing minion cache, renaming and renaming back
20:19 absolutejam I'm using it with include:
20:19 pipps joined #salt
20:20 DanyC joined #salt
20:21 charims1 joined #salt
20:21 absolutejam I've even renamed the state and it's doing it......
20:21 absolutejam eh
20:22 choke joined #salt
20:23 absolutejam This is really weird.
20:24 charims1 left #salt
20:27 absolutejam sorted
20:28 charims1 joined #salt
20:38 Edgan absolutejam: I take a very different view. You don't just rename a file. Either you are placing it and you should rename it upstream, or Salt should own it and write it. If necessary delete the other one.
20:40 Edgan absolutejam: This is why I also don't append lines or edit lines into files. Which is even bigger than a rename, and can be more problematic.
20:40 nixjdm_ joined #salt
20:45 morissette joined #salt
20:45 Miouge joined #salt
20:48 threwahway joined #salt
20:54 sh123124213 joined #salt
20:57 major joined #salt
21:10 felskrone joined #salt
21:12 aldevar left #salt
21:17 DammitJim is it normal that when running a state, it'll take a long time to execute because there is an archive.extracted for a tar.gz file that is 1GB even though I have an if statement to check for the directory ?
21:18 fracklen joined #salt
21:23 tkharju joined #salt
21:24 iggy define if statement
21:25 whytewolf i stopped reading after 1gb
21:26 whytewolf which kind of reads like. how can i stop the pain from shooting myself in the foot
21:27 iggy I've done worse
21:27 whytewolf file.recurse on a directory with 10k items?
21:27 iggy and found bugs in salt that most people didn't consider because they were dealing with a very specific use case (theirs) when developing the feature
21:28 absolutejam what do you mean Edgan?
21:28 absolutejam anyone recommend Saltstack for DevOps https://leanpub.com/saltstackfordevops?
21:30 absolutejam Edgan: I'm copying configs into /etc/sensu/checks.d/_validate, running sensu-server --validate on the dir and if it passes, move contents to parent, otherwise remove _validate dir
21:30 absolutejam meaning no bad configs are sent to the server, as it would die upon restart
21:31 whytewolf absolutejam: sooo. you are taking over the functionality of cmd_check
21:31 DammitJim all I meant was: why does my state take so long? I'm assuming it's because the archive.extract is the problem
21:31 DammitJim but I have an if_exists, which shouldn't even attempt to copy the file over
21:32 DammitJim I mean, if_missing
21:32 absolutejam well TIL whytewolf, but I don't see it for file.recurse
21:33 whytewolf https://docs.saltstack.com/en/latest/ref/states/requisites.html#check-cmd
21:33 whytewolf it is global
21:35 fracklen joined #salt
21:37 iggy DammitJim: one of the last things checked is the if_missing bit... so yeah, it downloads and compares checksums, etc before that
21:37 iggy sounds like what you're hitting
21:41 nixjdm_ joined #salt
21:44 xet7 joined #salt
21:52 mechleg1 left #salt
21:56 absolutejam well it's good to know, but it's a bit more limited
21:56 absolutejam i'm using docker.run atm, guess I could just check_cmd: docker exec etc.
22:21 tkharju joined #salt
22:38 vishvendra joined #salt
22:40 XenophonF DammitJim: there's a caching setting for archive.extracted that you should set
22:40 XenophonF that way it won't repeatedly download the archive
22:40 XenophonF (i keep forgetting to set it on my archive.extracted states too)
22:41 nixjdm_ joined #salt
22:43 mikecmpbll joined #salt
22:44 jas02 joined #salt
22:52 pipps joined #salt
22:55 dfinn joined #salt
23:19 omie888777 joined #salt
23:27 jas02 joined #salt
23:32 pipps joined #salt
23:40 tiwula joined #salt
23:52 cgiroua joined #salt
