IRC log for #salt, 2018-02-18

All times shown according to UTC.

Time Nick Message
00:09 eseyman_ left #salt
00:10 eseyman joined #salt
00:43 exarkun joined #salt
00:44 edrocks joined #salt
01:23 jmedinar joined #salt
01:23 jmedinar Hi all. Question: Is it possible to run modules sequentially?
01:26 jmedinar if trying to run a module across multiple minions... can I have it wait until one has finished to start the next one?
01:30 hemebond jmedinar: batch?
01:35 jmedinar yeah... but that's outside saltstack
01:35 jmedinar wondering if there was a simpler way of just saying... run one by one.
01:36 jmedinar but yeah I guess I'll create a runner
01:41 hemebond What>
01:41 hemebond ?
01:42 hemebond salt \* test.ping -b 1
01:42 hemebond ^ run a module against one minion at a time
01:42 jmedinar ah... nice one... let me try
01:43 jmedinar thing is I am testing network speed... with a file transference (Throughput Test)... but since they all are transferring to the master they need to be separated
01:43 hemebond Sure. Batch. -b
01:44 jmedinar beautiful ... thanks! where was that documented?
01:45 swa_work joined #salt
01:45 hemebond https://docs.saltstack.com/en/latest/topics/targeting/batch.html
01:47 jmedinar thanks!
02:06 oida joined #salt
02:24 exarkun joined #salt
02:25 felixhummel hi! I generate a keypair with cmd.run resulting in /foo/pub.key and /foo/priv.key. what would be the best way to expose /foo/pub.key? pillar or grains? and how do I do this from an sls?
02:27 felixhummel my basic flow (for DKIM) is this: 1) run a state resulting in the keys. 2) use /foo/pub.key to set some DNS records and wait a bit. 3) state.apply dkim
02:32 XenophonF I generate keymat and distribute it via Pillar.
02:32 XenophonF I don't generate it on the fly.
02:33 XenophonF You could hack something together using Grains or Mine or Vault or whatever, but pregenerating the keymat is simpler.
02:35 felixhummel XenophonF: that's how I did it too, but that involved a lot of copy and pasting. basically: genkey, cat pubkey, copy, paste to pillar, cat privkey, copy, paste to pillar (and make sure you get multiline right)
02:35 justanotheruser joined #salt
02:36 felixhummel I don't need the priv keys in pillar. having the pub keys there would be nice though.
02:38 felixhummel it's a general thing. I like the idea of never seeing private keys - they are generated on the minion and stay on the minion, but I need their public keys... to do things. ;)
02:41 felixhummel and yeah, sure - I could hack something together using Grains or Mine, but I was hoping there was a simpler way to expose some file contents to pillar (or the minion's grains)...
02:41 justanotheruser joined #salt
02:42 nomeeed joined #salt
02:56 ilbot3 joined #salt
02:56 Topic for #salt is now Welcome to #salt! <+> Latest Versions: 2016.11.9, 2017.7.3 <+> Support: https://www.saltstack.com/support/ <+> Logs: http://irclog.perlgeek.de/salt/ <+> Paste: https://gist.github.com/ <+> See also: #salt-devel, #salt-offtopic, and https://saltstackcommunity.herokuapp.com (for slack) <+> We are volunteers and may not have immediate answers
03:18 MTecknology felixhummel: Why do you need that data in pillar?
03:19 felixhummel MTecknology: I do not necessarily... I just need a way to expose the public key (for me) to use it in another system.
03:20 MTecknology That's exactly what mine is for.
03:20 MTecknology Generate a key on the minion, drop the pub key into mine, tada.
03:22 * MTecknology does exactly that so that each root user on each node can push backup data to a hostname-based user on the backup server.
03:23 felixhummel So I could have a mine_function called "dkim_pubkey" with "file.read /foo/pub.key"... that sounds good :)
03:23 MTecknology no
03:23 felixhummel ?
03:23 MTecknology I mean, you could... but why?
03:23 felixhummel do you have something simpler on your mind?
03:23 MTecknology yup
03:23 MTecknology ...
03:24 MTecknology dot dot dot (working on it)  :)
03:32 MTecknology finally..
03:32 MTecknology https://gist.github.com/MTecknology/8bd278d7ab1ee751421553ab7d03f821
03:34 MTecknology felixhummel: There's a lot more there than you need for the task, but I figured context would help.  (the earlier 'no' was because mine already has a function for exporting ssh keys)
03:36 felixhummel MTecknology: thanks! Understood. You allow minions to run `ssh.user_keys`, so the bkupnode can allow their pub keys for their respective users.
03:38 felixhummel The mine sounds right. I'm not talking about ssh keys here, but openDKIM keys that live in /etc/opendkim/.../. I can use the mine though to allow file.read on /etc/opendkim/some_pub.key.
03:39 MTecknology OH! You even said dkim.
03:39 felixhummel And from there on use the approach you took. Thanks! :)
03:40 MTecknology You could also write a custom mine function. You could probably very easily copy/paste the existing ssh stuff, strip lots out, and mostly just find/replace something.
03:40 felixhummel The principle is the same though: generate on the minion. Never look at private keys. Expose the public keys via mine! \o/
03:40 MTecknology yup :)
03:40 felixhummel much simpler for my needs
03:40 felixhummel ...
03:41 Ivo joined #salt
03:42 felixhummel https://gist.github.com/felixhummel/467b466c8a85b935f3c38ab3b4a09f4d
03:42 felixhummel :)
03:44 MTecknology Oh.. I didn't realize that mine functions are just execution modules.
03:44 felixhummel yep. named if you want to.
03:44 MTecknology hm?
03:45 felixhummel in my gist, i created a named mine function "dkim_pubkey" that uses "file.read" with the argument "/etc/opendkim/foo/keys/bar.pub"
03:46 MTecknology I just didn't follow the meaning of "named if you want to"
03:46 MTecknology My brain isn't at full capacity this year.
03:47 felixhummel this way other minions can run "dkim_pubkey", e.g. salt 'another-minion' mine.get 'mail' 'dkim_pubkey'
03:48 MTecknology I'm curious what you end up with when the file doesn't exist.. might be worth checking.
03:50 felixhummel good question... if my DNS server was running on a minion, then I would investigate this, but I just need to know the pubkey *after* applying "opendkim-genkey", so salt 'mail' file.read ... it is ^^
03:52 MTecknology the better an admin, the more scenarios are accounted for before there's a chance of the issue existing. :)
03:53 felixhummel thanks for your time, MTecknology! talking about it really helped. My readme draft: https://gist.github.com/felixhummel/a5be5fc2181ed7644a0576aa17f81cd8
03:54 MTecknology something about that second half has me slightly confuzzled
03:54 MTecknology I like how Torvalds talks about coding with taste--taking the exception, and making it not the exception.
03:55 felixhummel that's just the public key. I need to paste its contents into my DNS config (web-frontend).
03:55 felixhummel a little context: this is for my private server, so DNS is managed by my provider
03:56 MTecknology Why are you saying "paste"?
03:56 MTecknology Why is this not managed by salt?
03:56 felixhummel no full-auto here - just using salt to document dependencies and configs - and a few manual steps in-between
03:56 felixhummel because salt cannot manage my provider's DNS
03:56 MTecknology I'll betcha it could..
03:56 felixhummel well, maybe it could (they have an API after all), but this would be overkill for a pet project ;)
03:57 MTecknology grrrr
03:57 MTecknology you keep disappointing me..
03:57 MTecknology It's PERFECT for a pet project. You don't have the business constraints to deal with!
03:59 MTecknology Managing my personal external DNS is a project I have planned ... at some point.
03:59 felixhummel LOL :D true, but also not true. setting up DKIM happens every N years. good docs and automation of simple things are enough. in a real project, I expect route53.
03:59 felixhummel automating route53 is trivial: https://docs.saltstack.com/en/latest/ref/states/all/salt.states.boto_route53.html
04:00 MTecknology I *hate* AWS
04:01 felixhummel overpriced api layer on xen? ^^
04:01 MTecknology Soooo much mucking and fiddling and magic sauce and sooooo much money and unless you totally buy into their ecosystem you're wasting even more money
04:01 MTecknology nickel & dollar you to death
04:02 MTecknology or for the sake of not managing things yourself
04:02 felixhummel yep. my analogy is Apple for "normal people". pay way too much for not having to fiddle around.
04:03 felixhummel but it's something I understand.
04:03 felixhummel I do the same with my car.
04:03 zerocoolback joined #salt
04:04 felixhummel it's interesting to know things about it and I do simple maintenance on it myself, but when things get complex, I let professionals handle it
04:04 felixhummel money for time. simple trade-off.
04:04 exarkun joined #salt
04:08 MTecknology I like to know everything about anything involving my trade. Salt was the driving force behind me learning salt.
04:08 MTecknology learning python.**
04:08 felixhummel other way around for me. knowing Python was the driving force behind me learning Salt. :)
04:09 felixhummel on topic though: https://github.com/saltstack-formulas/opendkim-formula/blob/master/pillar.example#L21
04:09 MTecknology You should hop into #salt-offtopic so I feel more comfortable rambling like this. :)
04:10 felixhummel the formula does not mention (or manage) the keys. one of the reasons I don't like formulas.
04:10 Miuku Hrm, I wonder how people manage their infra if they want to store everything in git and then name stuff based on hosts.
04:11 felixhummel Miuku: what do you mean? Storing what exactly in git?
04:12 MTecknology I tend to keep different projects in different repos. Each web application has its own repo, and pulls stuff from there.
04:12 Miuku felixhummel: Well I worked a while for a company that used puppet and they had an interesting setup where they had a tree structure; /hosts/domain/server.fqdn where they stored all the per-host instructions.
04:13 Miuku felixhummel: I wonder how this works with Salt as I have a rather pristine setup I'm trying to wrap my head around how to best implement :p
04:13 MTecknology Miuku: What's your definition of "per-host instructions."?
04:13 MTecknology What I hear is "every host has wildly different sets of states applied.
04:13 MTecknology "
04:13 Miuku MTecknology: Well they had a template where they stated which modules it pulls and then per host file where they included all changes to the host (f.ex. what to add to the apache template)
04:14 MTecknology yuck
04:14 MTecknology that's an extremely non-scalable design, ya?
04:14 Miuku Kinda, but it was really simple to wrap your head around :p
04:15 MTecknology sure... so is my old boss' concept of nodes/init... and now I have to spend a bunch of time destroying it.
04:16 MTecknology Miuku: You should try to make your states generic things that don't need much for magic logic (just loops and look-ups mostly). Then use pillar to define what data each minion has to shove into those states.  Same with state templates... keep them as generic as possible. Use .d/ directories when possible.
04:17 Miuku As you can understand, I'm trying to figure out what would be the best practice with salt, considering this background :-)
04:17 MTecknology demo!  https://github.com/MTecknology/saltstack-demo
04:17 MTecknology granted, I've revamped how pillar data is assigned so it's super-duper more magical now..
04:18 felixhummel Miuku: maybe move from hostnames to "role names"? sounds a lot like "here's a bunch of pets, please make them cattle."
04:18 MTecknology NO! NO ROLES!
04:19 MTecknology Skip that painful step! :D
04:19 Miuku MTecknology: Thanks, I'll take a peek at that repo.
04:20 Miuku (Just woke up and it's 6 in the morning so.. O_O all brain activity is not at full power :p )
04:20 MTecknology Remember that minion_id does not need to equal the hostname. Build meaningful minion IDs so that you can use that instead of often-broken roles logic. :)
04:26 felixhummel good point. never thought of that. nice!
04:26 felixhummel so basically: hostname=vm245982 minion_id=web1, hostname=vm48fa53 minion_id=web2?
04:29 MTecknology yup
04:30 Miuku I need to make the setup easy enough for the programmers to also be able to make modifications. Oh well, thanks guys - I'll try to conjure up something that will make everyone happy and at the same time wrap my head around the different concepts.
04:30 MTecknology the default minion_id is $hostname, but it's just a default.  "echo 'prd-pubweb-07.core.dom.sub' >/etc/salt/minion_id"
04:45 fxhp joined #salt
04:52 robawt joined #salt
05:13 lompik joined #salt
05:17 Vaelatern_ left #salt
05:18 Vaelatern joined #salt
05:43 exarkun joined #salt
06:15 hoonetorg joined #salt
06:34 pualj joined #salt
06:44 taylorbyte1 joined #salt
06:49 sh123124213 joined #salt
06:49 wongster80 joined #salt
07:06 masber joined #salt
07:11 pualj joined #salt
07:14 scoopex left #salt
07:24 exarkun joined #salt
08:22 pualj joined #salt
09:02 viq joined #salt
09:03 exarkun joined #salt
09:46 Trauma joined #salt
09:48 justanotheruser joined #salt
09:56 __number5__ joined #salt
09:58 __number5__ joined #salt
10:13 __number5__ joined #salt
10:36 __number5__ joined #salt
10:41 sh123124213 joined #salt
10:44 exarkun joined #salt
10:45 __number5__ joined #salt
10:46 aviau joined #salt
11:05 cyteen joined #salt
11:11 __number5__ joined #salt
11:53 yidhra joined #salt
12:01 rubenb left #salt
12:18 evle joined #salt
12:47 masber joined #salt
12:54 rockey quick question: if i define pki_dir and cache_dir to ${workdir}/salt/ in salt-ssh's Saltfile configuration, how come it still creates ${workdir}/etc and ${workdir}/var and uses it?
12:54 rockey ${workdir} isn't an actual variable, just definition on where in the tree i am
13:15 aldevar joined #salt
13:49 mTeK I'm trying to deploy a custom AMI with salt-cloud and I'm getting a Failed dependencies error because I can't add the epel-release. How can I ask it not to check this dependency because I have a repo that includes the rpms
13:57 XenophonF mTeK: since this is your own AMI, pre-install the Salt Minion and write a custom deploy script that only pushes the minion ID/keymat
13:57 XenophonF https://docs.saltstack.com/en/latest/topics/cloud/deploy.html
14:03 mTeK Thanks I think I can use the example the way that it is for fedora
14:04 mTeK That worked but installed a minion a lot older than I'm running on the master.
14:06 XenophonF it's your AMI, so either add the latest SaltStack packages to your "repo that includes the rpms" or add the SaltStack repo to your image
14:07 XenophonF or make your custom deploy script add the SaltStack repo
14:07 mTeK Yep still very new to salt as a whole so I appreciate the help looking for documentation as well as ideas
14:09 mTeK I think I have a state of requirements that brings the server up to par. I will have to look but I thought it installed the latest salt..  Well I know it does on the debian distros cause that's all I was targeting when I started with salt.
14:16 Miuku You have to administer RHEL/Fedora? I feel for you :P
14:18 mTeK Oh I hate it so much but changed jobs and want to use salt and simple things don't work like they do with ubuntu.
14:18 mTeK I may not have done them correct the first time but they worked but sure don't work on centos 7
14:18 Miuku I just got out of a job where I had to deal with RHEL and the obnoxious /opt/rh- packaging system.
14:19 mTeK This doesn't work in a state file but swear it works on ubuntu. pkg.installed:
14:19 mTeK - pkgs:
14:19 mTeK - zabbix-agent
14:28 NightMonkey joined #salt
14:39 XenophonF i feel bad for all of you, having to deal with linux ;)
14:39 pbandark joined #salt
14:40 XenophonF I like the SCL system, but then I've dealt with too many broken systems caused by third-party repos.
14:41 XenophonF mTeK: that works the same on anything that supports the pkg state
14:41 XenophonF I use it all the time on FreeBSD/CentOS/Debian/Ubuntu/Windows.
14:41 XenophonF what error are you getting?
14:44 mTeK XenophonF: I copied a state from my ubuntu salt deployments made some slight adjustments and it fails. I'm currently working on a custom repo to install a package so the state isn't going to compile as I have no clue what I can use with pkgrepo.managed with rhel
14:44 mTeK I'm like the blind mouse looking for the light switch... is it really going to help.
14:45 XenophonF so, first off, you can use pkgrepo states on RHEL/CentOS just like on Debian/Ubuntu
14:45 mTeK This is the first time I'
14:45 mTeK I've done this...
14:46 XenophonF mTeK: here's an example for both O/S families - https://github.com/irtnog/shibboleth-formula/blob/master/shibboleth/repo.sls
14:47 XenophonF mTeK: and here's an example of a pkg.installed/pkgs state that works across everything - https://github.com/irtnog/shibboleth-formula/blob/master/shibboleth/sp/init.sls#L5
14:47 mTeK That helps..
14:48 XenophonF only difference there is I'm using Jinja and the |yaml filter to serialize the list, instead of writing it out longhand
14:48 mTeK Over my head :)
14:48 XenophonF that's fine - if you're just starting out, you don't need most of the Jinja templating stuff
14:49 mTeK I'll have to dumb this down a bit but thanks it's a very good start.
14:53 XenophonF Have you looked at the SaltStack getting started tutorial?
14:53 XenophonF https://docs.saltstack.com/en/getstarted/
14:54 XenophonF if you're starting out, you should definitely go through the Salt Fundamentals tutorial
14:58 nielsk left #salt
14:59 pualj joined #salt
15:00 GrisKo joined #salt
15:00 mTeK Why on earth is the module not available? Reason: Module 'pkgrepo' is not available.
15:05 nielsk joined #salt
15:14 NightMonkey joined #salt
15:17 XenophonF what version of everything are you using?
15:17 XenophonF post the SLS and the full traceback to gist.github.com or ix.io or something
15:30 tiwula joined #salt
15:40 nielsk left #salt
16:15 EthPyth joined #salt
16:27 aldevar joined #salt
16:37 bowhunter joined #salt
16:37 evle1 joined #salt
16:53 rainbowtux joined #salt
16:54 rainbowtux Hi all, I am looking into salt-cloud for following use case: I have existing VMs in a VMWare cluster and need to update certain resources (adding vCPUs e.g.), can salt update VMs? I only see create/destroy in the docs...
16:54 EthPyth left #salt
16:56 pualj joined #salt
17:24 exarkun joined #salt
17:35 evle2 joined #salt
17:49 nielsk joined #salt
18:02 systeem[m]1 joined #salt
18:18 Miuku rainbowtux: Fancy seeing you here :P
18:21 wedgie what is the "oldest supported main release branch" per https://docs.saltstack.com/en/latest/topics/development/contributing.html#which-salt-branch right now? is it 2016.11?
18:29 sjorge joined #salt
18:39 MTecknology rainbowtux: salt-cloud is for deploying/destroying, not for tweaking.  If you added that sort of support, I'm sure a PR would be accepted.
18:40 LostSoul joined #salt
19:01 XenophonF rainbowtux: if you have existing VMs, you can push Salt to them using saltify
19:02 tiwula joined #salt
19:04 XenophonF once Salt's installed, you can control updates a variety of ways, e.g., the pkg.uptodate state (Linux), the wua state module (Windows)
19:04 XenophonF you can also use Salt to bootstrap a patch management solution, e.g., at work we deploy the P9 agent on our PCs and servers using Salt
19:07 MTecknology XenophonF: that's not what he was asking, though..
19:08 XenophonF oh - they meant update VM configs
19:09 XenophonF sorry, I misunderstood
19:18 aldevar joined #salt
19:28 mTeK XenophonF: I want to say thanks for your help. It's been at least a year since I've worked with salt so I was rusty.
19:29 mTeK I used your idea to make sure that my AMI deployments had the correct version of the minion. That's why my states were failing as the minion on centos was 2015.XXX
19:30 mTeK Using a custom salt-cloud script I was able to pin to the major release and then my states worked perfect.
19:42 yuhl joined #salt
20:14 Edgan joined #salt
20:31 inad922 joined #salt
21:08 swa_work joined #salt
21:19 tiwula joined #salt
21:36 masber joined #salt
21:37 tiwula joined #salt
21:41 aldevar left #salt
22:06 jab416171 joined #salt
22:40 jesusaur joined #salt
22:59 masber joined #salt
23:01 masuberu joined #salt
23:27 bowhunter joined #salt
23:29 mechleg left #salt
23:43 XenophonF mTeK: awesome glad it's working!
23:49 Whissi joined #salt
23:59 gmoro_ joined #salt