IRC log for #salt, 2018-03-07

All times shown according to UTC.

Time Nick Message
00:00 cyborg-one joined #salt
00:01 whytewolf fixing so many broken things that got left behind at $client?
00:01 MTecknology yup!
00:01 MTecknology I could complain about what a daunting task this is, but I'm excited to finally be able to do it.
00:02 whytewolf going to also fix the security issues that got left behind?
00:02 cyborg-one left #salt
00:02 whytewolf or did you already handle those?
00:03 MTecknology I've been able to fix some of the more extreme problems, but there's a lot of work to do.
00:05 MTecknology Lots to do... job security! :D
00:05 lkthomas MTecknology, who tell you that
00:05 lkthomas a lot to do != job security
00:05 MTecknology a lack of things to do means no job, so...?
00:06 whytewolf it is when MT was hired to fix a broken salt environment and it is really broken :P
00:06 lkthomas whytewolf, LOL
00:06 lkthomas how bad in exact
00:06 MTecknology how bad is $client env?
00:06 mk-fg joined #salt
00:06 lkthomas yeah
00:07 MTecknology I've discovered applications where the solution to a problem was to disable auth verification because the system couldn't handle that many requests.
00:07 lkthomas sounds right!
00:08 lkthomas give me the public IP and I will try to hack it, LOL
00:08 MTecknology there was nothing to hack... insert valid username, see user data
00:08 lkthomas heh
00:09 MTecknology not long ago, 98% of all pillar data was shared with 100% of the minions, via a >24,000 line sls file, for the minions to select their data from a dict.
00:11 MTecknology within the "hostname naming convention" doc, I was able to count 9 different naming conventions, and most systems don't quite follow any of them.
00:11 MTecknology the rest is too scary to admit it ever happened
00:37 masuberu joined #salt
00:48 zerocoolback joined #salt
00:51 ipsecguy joined #salt
00:55 zerocoolback joined #salt
00:58 lkthomas MTecknology, why is it somehow recall my memory of network engineer never unplug any used cable from patch panel and just keep on adding new cables until the trunk is full, LOL
00:58 lkthomas MTecknology, after you are done, you will get fired
00:58 lkthomas LOL
00:59 lkthomas some engineer create a mess on purpose, so that no replacement engineer know/willing to do any work
01:02 chesty joined #salt
01:11 MTecknology lkthomas: Fortunately, $client is not $employer. If $client cuts me because I ran out of things to fix or because the things being fixed aren't exciting enough, then it'll have been a successful contract.
01:17 fignew joined #salt
01:19 curio_casual joined #salt
01:23 lkthomas MTecknology, I see
01:23 justanotheruser joined #salt
01:33 Church- Sup folks
01:38 Church- So question when instantiating hosts with salt-cloud and a map file, is there a way to run all the commands using sudo and not a root account?
01:40 MTecknology My first response is- Why on earth would you want that? followed by... I'm not sure if it's possible to specify a different user to connect to the node.
01:43 Church- MTecknology: Because for whatever stupid reason I'm trying to debug, any ssh key I authorize for the root accounts isn't working, despite root logins being allowed.
01:43 Church- Driving me nuts trying to fix this, think I have a new idea however.
01:45 MTecknology I think you should keep trying to fix it, because the alternative sounds ... not good.
01:45 MTecknology what does the auth log tell you about the failure?
01:45 Church- That the ssh key doesn't match.
01:46 Church- Hmm, frick. I'd ssh-copy-id it over, but I don't know if I ever actually knew the root password.
01:46 dendazen joined #salt
01:47 MTecknology I'm not sure I've even seen an auth log clearly state that the ssh key is incorrect.
01:47 Church- Okay, that's fucking odd.
01:47 Church- Allowing password auth let me login with my key.
01:47 Church- The fuck...
01:48 MTecknology Are you /sure/ you were actually running on the config you thought you were?
01:48 Church- Yep, only have one config and I double checked it each time.
01:48 MTecknology If you change it back, do you have issues?
01:49 MTecknology if so- what's the actual value(s) you're changing?
01:58 * lkthomas wondering what is salt-cloud
02:12 Aikar left #salt
02:16 shiranaihito joined #salt
02:22 dendazen joined #salt
02:30 hemebond salt-cloud is a command-line tool for working with cloud providers.
02:36 zerocoolback joined #salt
02:39 lkthomas I see
02:39 dendazen joined #salt
02:54 dendazen_ joined #salt
02:54 smead joined #salt
02:56 ilbot3 joined #salt
02:56 Topic for #salt is now Welcome to #salt! <+> Latest Versions: 2016.11.9, 2017.7.4 <+> RC for 2018.3.0 is out, please test it! <+> Support: https://www.saltstack.com/support/ <+> Logs: http://irclog.perlgeek.de/salt/ <+> Paste: https://gist.github.com/ <+> See also: #salt-devel, #salt-offtopic, and https://saltstackcommunity.herokuapp.com (for slack) <+> We are volunteers and may not have immediate answers
03:01 zerocoolback joined #salt
03:02 masber joined #salt
03:19 mritchie joined #salt
03:27 amy joined #salt
03:43 mk-fg joined #salt
03:47 masber joined #salt
03:49 mrBen2k2k2k joined #salt
03:53 zerocoolback joined #salt
03:57 monokrome joined #salt
03:58 mk-fg joined #salt
03:59 cliluw joined #salt
04:00 tiwula joined #salt
04:02 ddg joined #salt
04:12 hax404 joined #salt
04:13 monokrome joined #salt
04:21 monokrome joined #salt
04:26 jacksontj joined #salt
04:26 XenophonF joined #salt
04:27 XenophonF my salt-master instance isn't running in EC2, yet it keeps querying the AWS metadata endpoint
04:27 XenophonF how do I turn that off?
04:27 Armageddon joined #salt
04:28 XenophonF maybe it's s3fs doing it despite the API creds I gave it
04:29 dendazen joined #salt
04:31 Xenophon1 joined #salt
04:32 tiwula joined #salt
04:36 masuberu joined #salt
04:40 masber joined #salt
04:46 XenophonF joined #salt
04:48 MTecknology XenophonF: I'd guess that you have something installed that's making a grain able to load
04:48 aldevar joined #salt
05:14 aldevar left #salt
05:32 masuberu joined #salt
05:35 heyimawesome joined #salt
06:05 Church- joined #salt
06:07 onlyanegg joined #salt
06:08 lompik joined #salt
06:22 zerocoolback joined #salt
06:26 LocaMocha joined #salt
06:29 zerocoolback joined #salt
06:30 amy joined #salt
06:31 Church- joined #salt
06:32 sh123124213 joined #salt
06:47 zerocoolback joined #salt
06:48 myt joined #salt
07:02 Hybrid joined #salt
07:02 zerocoolback joined #salt
07:15 tuxawy joined #salt
07:16 amy joined #salt
07:19 zerocoolback joined #salt
07:21 Hybrid joined #salt
07:25 tuxawy joined #salt
07:29 onlyanegg joined #salt
07:34 armyriad joined #salt
07:35 yuhl joined #salt
07:43 zerocoolback joined #salt
07:45 zerocoolback joined #salt
08:13 Tucky joined #salt
08:19 aviau joined #salt
08:20 zerocoolback joined #salt
08:27 amy joined #salt
08:31 zerocoolback joined #salt
08:46 Pjusur joined #salt
08:48 Ricardo1000 joined #salt
08:49 zulutango joined #salt
09:05 zerocoolback joined #salt
09:06 Pjusur joined #salt
09:08 cewood joined #salt
09:16 Mattch joined #salt
09:27 Hybrid joined #salt
09:30 onlyanegg joined #salt
09:36 rgrundstrom I'm debugging some pillar data... is there some way that I can see what pillar file the minion is getting its values from?
09:39 zerocoolback joined #salt
09:41 mattfoxxx joined #salt
09:46 babilen You can watch the master's debug log, but there is no direct way of figuring out which SLS a particular k/v came from in the pillar
09:48 zerocoolback joined #salt
09:56 xet7 joined #salt
10:05 amy joined #salt
10:18 rjc joined #salt
10:21 xet7 joined #salt
10:22 xet7_ joined #salt
10:29 chowmein__ joined #salt
10:34 __number5__ joined #salt
10:59 evle1 joined #salt
11:08 jhauser joined #salt
11:19 amy joined #salt
11:31 onlyanegg joined #salt
11:39 xet7 joined #salt
11:42 mattfoxxx Hi, I'm looking at a pillar like https://github.com/saltstack-formulas/samba-formula/blob/master/samba/defaults.yaml. Is there any way to pillar.get the vars using spaces?
11:43 zerocoolback joined #salt
11:47 zerocoolback joined #salt
12:02 zerocool_ joined #salt
12:03 carmony joined #salt
12:17 ecdhe joined #salt
12:17 syd_salt2 joined #salt
12:19 amy joined #salt
12:20 sybix joined #salt
12:20 Yamakaja joined #salt
12:20 fleaz joined #salt
12:20 jesk joined #salt
12:24 nledez joined #salt
13:00 pcn rgrundstrom: have you tried narrowing your targeting in the top file, then descending from there?
13:02 pcn mattfoxxx: have you tried pillar.get('some pillar with spaces')?  I'd expect that to work just fine
13:03 darioleidi joined #salt
13:05 smead joined #salt
13:09 zer0def oh hey, slack's deprecating their XMPP and IRC gateways mid-May, that's going to be disappointing
13:12 babilen Was just a matter of time
13:18 toastedpenguin joined #salt
13:31 J0hnSteel joined #salt
13:35 mattfoxxx pcn: thank you, I just tried with a minimal pillar and it works fine, seems like a different issue which went unnoticed since salt['pillar.get'] just returns an empty string.
13:47 pcn Yeah, that can provide surprises if you're e.g. expecting to get a dictionary and try a .items() or something on the result.  You need to provide a default of {} to the pillar.get('...', {})
13:51 mattfoxxx pcn: thanks again, that's a nice tip!
13:53 jose1711 joined #salt
13:59 gh34 joined #salt
14:00 Ricardo1000 joined #salt
14:06 nfahldieck joined #salt
14:07 nfahldieck Hi, is there any way to clear a directory except for filenames, that I have in a pillar list? So basically a 'file.directory -clean:True' with exceptions?
14:07 pcn Cool, enjoy.  It's a really nice feature from functional languages that python has so you don't get stuck using try/except after every .get
14:08 pcn And you can provide other types/values/etc as the default too.  I like to put strings in like salt['pillar.get']('something:here', "The pillar something:here didn't resolve, go figure out why")
14:11 pcn nfahldieck: I haven't used it myself, but I see an 'exclude_pat' option for clean.
14:12 pcn But it doesn't look like there's an analog that's a list
14:13 pcn How many files are you talking about?
14:13 edrocks joined #salt
14:28 nfahldieck I'm trying to manage my /etc/nginx/sites-* dirs with a list I provide via pillar. That way I can ensure, that nobody manually adds files with different names. The files' contents are managed by different states, though.
14:33 amy_ joined #salt
14:36 dendazen joined #salt
14:42 pcn Hm.  There's a subtle point in the include_pat/exclude_pat documentation here:
14:42 pcn https://docs.saltstack.com/en/latest/ref/states/all/salt.states.file.html
14:43 pcn It takes a matching style flag, similar to targeting.
14:44 pcn I wonder if that means that you can pass it a list match prefix of @L[list, of, stuff]
14:45 pcn actually the list match syntax is a comma-separated list IIRC
14:45 pcn I mean a comma-separated string that gets broken into a list
14:45 pcn https://docs.saltstack.com/en/latest/topics/targeting/globbing.html#lists
14:46 pcn Or maybe even by directly referencing your pillar? https://docs.saltstack.com/en/latest/topics/targeting/globbing.html#lists
14:46 pcn nfahldieck: do you have a test box where you could test out those possibilities?
14:47 pcn Because if it works, it'd be pretty cool - it'd probably be worth providing a PR to mention it in the documentation.
14:49 yuhl joined #salt
14:51 __peke__ joined #salt
14:57 thelocehiliosan joined #salt
14:58 cgiroua joined #salt
14:59 wryfi is there any way to namespace custom execution/state/etc modules in e.g. _modules?
14:59 kojiro joined #salt
14:59 wryfi i'd like my company's salt code to all be available as myco.module.function, for example.
15:00 wryfi i tried creating _modules/myco/function.py (didn't work) and i tried having a __virtual__ function return myco.module but no dice.
15:01 kojiro hi, how can I mask the output of environ.setenv as sensitive in salt logs?
15:06 nfahldieck pcn: I have a test box and I'm going to try this out. If it works I'll make sure to open an issue/pr with the github project
15:06 nfahldieck Thanks for pointing to some docu pages, though!
15:14 inetpro joined #salt
15:16 lkthomas joined #salt
15:19 mikecmpbll joined #salt
15:25 kojiro If there's no way to mask the output of sensitive info in environment variables, is there a way to create a temporary file that I can use in another state, such that salt will destroy the temporary file when the highstate is done?
15:25 kojiro My kingdom for a context manager here ;)
15:33 nixjdm joined #salt
15:58 amy_ joined #salt
16:00 nfahldieck pcn: this just works. The list can be empty. https://gist.github.com/Rabattkarte/3723c00aef94400cf44fa95a2836748f
16:06 DammitJim joined #salt
16:38 tiwula joined #salt
16:44 dendazen joined #salt
16:59 viq in service definition I can say that the service can be reloaded instead of restarted when watched items change. Any idea how I can say that if this particular thing changes I want a restart, not a reload?
17:01 theloceh1liosan joined #salt
17:03 viq Ah, apparently that would be a separate state with onchanges
17:08 onlyanegg joined #salt
17:16 MTecknology Why would you have sensitive info in an environment variable?
17:18 MTecknology kojiro: you /can/ do that, ya, but it's going to be ugly and prone to people breaking it.
17:19 viq MTecknology: I believe that's how docker and various other tools like to do it
17:20 MTecknology more reason to never use docker...
17:23 MTecknology wryfi: Why are you trying to make a module with a namespace outside of modules? Why is salt.my_stuff.foo() not enough?
17:28 MTecknology $client prefixes their own modules with tn_, I prefix mine with mt_  (mt_netbox, mt_zones, mt_utils, etc.)
17:31 edrocks joined #salt
17:42 noobiedubie joined #salt
17:45 amy_ joined #salt
17:57 alvinstarr joined #salt
18:03 thelocehiliosan joined #salt
18:03 heyimawesome joined #salt
18:15 noobiedubie joined #salt
18:15 noobiedubie Hi all, I'm trying to setup a git hook that sends a salt event from a minion to the master which has to run as the git user(not the normal minion user). Git hook works perfect when ran as normal minion user and I can manually run an event.send with salt-call with the git user, but when running the git hook script as the git user I get no errors and I see a salt/auth on the master event viewer but the actual event never gets sent
18:16 noobiedubie git user has permission to minion config minion pub and pem in pki dir
18:17 noobiedubie also tried giving git user permission to /var/cache/salt and /var/log/salt/minion
18:17 noobiedubie with no change in behavior
18:17 noobiedubie git hook script is in python and using caller.cmd
18:20 cewood joined #salt
18:21 dendazen joined #salt
18:27 dendazen joined #salt
18:32 thelocehiliosan joined #salt
18:33 MTecknology noobiedubie: what is "minion user"?
18:34 MTecknology You should most definitely almost never give arbitrary services access to locations that other services expect to manage themselves.
18:37 MTecknology Giving it access to read private data for those services is kind of a lot worse too..
18:38 MTecknology What is your actual goal?
18:41 kojiro We have a value set in a base pillar and the same value in a non-base environment, but the value in base is what's getting rendered. How can we debug why that is happening?
18:42 MTecknology state.show_top
18:42 MTecknology make sure you're matching in the env you think you are
18:43 noobiedubie MTecknology: just the user minion service runs as
18:43 MTecknology noobiedubie: which is?..
18:43 noobiedubie MTecknology: root
18:44 MTecknology You should undo all of the permission muckery you've done and say what your actual goal is.
18:44 MTecknology Do you just want git to be able to fire an event to the master?
18:45 noobiedubie MTecknology: I have literally have the git user able to send events to master using python caller module
18:45 noobiedubie the 'permission muckery
18:45 noobiedubie ' is to allow that
18:45 MTecknology I get taht...
18:45 MTecknology that*
18:45 MTecknology again- what's your actual goal?
18:46 noobiedubie MTecknology: ? what is unclear
18:46 MTecknology nevermind, good luck
18:46 noobiedubie MTecknology: lol thanks
18:48 whytewolf noobiedubie: sounds like your githook would be better served if it wasn't a part of the salt-minion and was just instead a webhook call.
18:49 flexd joined #salt
18:49 noobiedubie whytewolf: sorry webhook? from the minion to the master? you mean through api or something?
18:50 whytewolf yes
18:50 MTecknology api would work- I still use git hooks to tell the master that repos were pushed to and things need to update.
18:51 whytewolf well i wasn't saying don't use a githook was saying use a git hook that calls the api
18:51 whytewolf cause of the permission snafu that he has
18:51 MTecknology I apparently forgot to finish that thought... I still use salt-event via the git hook.
18:52 noobiedubie yea i don't have api set up and trying to limit available access to master
18:52 noobiedubie yea MT that's basically what I'm doing with mine
18:52 noobiedubie thanks to the help
18:53 noobiedubie just wondering if I was missing some documented permission with the current setup
18:53 MTecknology I think you're missing lots of things, but you don't seem interested in me helping you do the thing that I do myself..
18:54 noobiedubie ?ok
18:54 noobiedubie not sure what gave you that idea but sure
18:56 MTecknology kojiro: If you haven't seen it yet- https://docs.saltstack.com/en/latest/ref/states/top.html
19:00 kojiro I was looking at that, thanks
19:01 theloceh1liosan joined #salt
19:01 tuxawy joined #salt
19:03 ymasson joined #salt
19:05 DammitJim is this good form? /home/me:
19:05 DammitJim file.absent
19:05 DammitJim that state is supposed to remove the /home/me directory
19:05 kojiro awfully hard to type yaml into irc
19:05 whytewolf no, since you are posting directly to channel
19:05 kojiro Assuming that is indented correctly, it ought to work.
19:06 mianosm fpaste.org works really well
19:06 DammitJim /home/me:
19:06 DammitJim file.absent
19:06 MTecknology DammitJim: dpaste.com or similar..
19:06 DammitJim https://paste.fedoraproject.org/paste/ThdrWmO3UAbcxQBVjZoaiw
19:07 DammitJim thanks guys
19:07 DammitJim just looks weird
19:07 whytewolf that will "work" but you really want to use file.absent: [] instead
19:07 DammitJim but I'm probably the weird one
19:07 DammitJim file.absent: []
19:07 DammitJim all on the same line?
19:07 whytewolf https://docs.saltstack.com/en/latest/topics/troubleshooting/yaml_idiosyncrasies.html#yaml-does-not-like-double-short-decs
19:08 DammitJim that's the kinda stuff that I'm looking for. Thank you so much! That looks nice and clean
19:09 MTecknology whytewolf: heh... I've never actually run into that issue. Apparently I've managed to be an edge case where it's not a problem. :P
19:10 kojiro is it really such an edge case?
19:10 kojiro I've never run into it either, but I have done enough yaml suffering outside of salt that I probably wouldn't have anyway.
19:10 MTecknology nah, I just never had two in the same state so I never managed to break salt.
19:11 MTecknology or- break yaml?
19:11 kojiro My favorite form of self torture is parsing sls files with a standard yaml parser and then marching in protests when it fails to parse jinja ;)
19:11 whytewolf MTecknology: normally only happens to those who put multiple state functions into a single state. but it is still a decent habit to tell yaml explicitly "this is an empty list"
19:12 * MTecknology will do that from now on
19:12 sh123124213 joined #salt
19:12 MTecknology my least favorite form of self-torture is using windows and/or mac in any environment :)
19:12 MTecknology followed by using puppet or chef
19:13 kojiro do people do that? :P
19:13 whytewolf of the two i would rather have mac than windows in an environment
19:13 kojiro I ran out of mac jokes
19:14 MTecknology I'd actually prefer windows over mac, at least if you want to actually manage the systems.
19:14 whytewolf and yes. people do that. when i works for a paper we had everything. HP-UX, Linux both redhat and ubuntu [redhat 4 through to 7], solaris, mac, and windows servers
19:14 MTecknology AIX is a fun beast to hate
19:15 whytewolf s/works/worked
19:15 whytewolf we even had an old mac os 9 system that i forgot the purpose of
19:15 MTecknology I get annoyed with mac because everything works... only if you deploy/configure exactly as they tell you that you want.
19:15 kojiro Good for running starcraft 1
19:16 kojiro I have Gentoo running on an MBP here. (The last generation before they ruined the keyboard.)
19:16 MTecknology and then things change between releases. They take a feature away, claim nobody really wanted it, add it back, and claim it's innovative and amazing.
19:16 kojiro Well, and what FOSS they include they can't update because GPL-2
19:17 kojiro (that's why bash is still 3.x)
19:17 MTecknology mac just looks like a messy failure to me
19:17 MTecknology an expensive one*
19:19 Miuku It works, which is more than I can say for majority of other platforms.
19:19 kojiro heh.
19:20 MTecknology "it works" is kinda exactly what I was disagreeing with.
19:21 kojiro I'm at the point where I'm pretty sure no software really works. I have begun wondering if we really want it to.
19:21 Miuku Feel free to disagree, there's a lot of people who would not share your view.
19:21 whytewolf humm. I never have a problem with "it works" it works for me no matter the os.
19:21 MTecknology yes.. opinions are like asses
19:21 Miuku For example I spent several weeks migrating Exchange just a while back and I would say everyone at microsoft should be shot in the head.
19:21 kojiro MTecknology: "most people have them?"
19:21 MTecknology yup
19:22 * kojiro glances knowingly at his burro
19:22 Miuku If there's something shittier than windows server, I haven't seen it yet.
19:22 MTecknology mac server...
19:22 whytewolf plan 9?
19:22 whytewolf gnu hurd?
19:22 kojiro BeOS?
19:22 MTecknology hurd!!
19:22 kojiro It's time for GNU Hurd with Perd!
19:23 racooper joined #salt
19:23 Miuku Never used Mac server but Win2k16 is an incredible pile of shit. If I'm going to die of something, it's going to be because of a tumor caused by having to use it.
19:24 whytewolf Mac server was pretty bad. there is a reason apple stopped supporting it
19:24 Miuku Uargh, makes me feel ill just thinking about it. Let's talk about something nice like fluffy sheep.
19:24 kojiro If you get a tumor, I hope the hospital that treats you uses an EMR based on a good platform.
19:24 kojiro lol!
19:25 cliluw joined #salt
19:26 MTecknology my tumor is almost gone! :)
19:27 kojiro If we could figure out a way to store cryptocurrency in tumors, folks would be hard at work figuring out how to remove them.
19:28 Miuku Salt those miners.
19:28 whytewolf could just tell Congress that. they wouldn't know better
19:28 kojiro lol!
19:31 noobiedubie for anyone interested minimum permission needed to send events through python module caller: /etc/salt/pki/minion/minion.pub\pem, /etc/salt/minion, /etc/salt/grains, and read write to files in /run/salt/minion the rest just need read permissions
19:32 noobiedubie and if you have anything in minion.d/ will need read permissions to that as well
19:34 yuhl joined #salt
19:34 whytewolf noobiedubie: you mean this https://docs.saltstack.com/en/latest/ref/configuration/nonroot.html
19:35 noobiedubie yeah except on centos 7 at least it's not /var/run
19:39 MTecknology whytewolf: nah, they apparently have a git hook that needs access to secret salt files in order to do in python what could much more cleanly be done without python.
19:40 noobiedubie plus those instructions are to run the minion service as another user and I'm just trying to give another user the minimum permissions needed to send a salt event
19:41 noobiedubie MTecknology: clearly your understanding is unmatched
19:42 noobiedubie MTecknology: btw did you know salt is written in python? so if your cleaner way involves salt at all it involves python
19:43 MTecknology noobiedubie: enjoy your bliss
19:43 noobiedubie MTecknology: i am thanks for checking though
19:44 whytewolf noobiedubie: ... a. running minion as another user and sending an event as another user = the same thing. you are just creating a new front end.
19:45 noobiedubie ok...? how is using the python api creating a front end?
19:46 whytewolf how is writing python that calls the same methods as the salt commands like writing a front end?
19:47 noobiedubie it's not? it's following the documented way to firing events using python
19:47 noobiedubie https://docs.saltstack.com/en/latest/topics/event/events.html#from-custom-python-scripts
19:47 noobiedubie but yea i guess that's a front end...
19:48 whytewolf which is exactly how salt-call event.send does it.
19:48 noobiedubie yes not arguing that as the documents note as well
19:50 noobiedubie but can you wrap your head around a scenario where you don't want something to run as the minion user simply to send an event
19:51 MTecknology I can picture *all* scenarios where I don't want git getting more than the minimum level of access it needs.
19:51 whytewolf yes, i can which is why there is salt-api
19:51 whytewolf or even the webhook engine
19:52 noobiedubie that is an option and if we had a need for any other 'outside' users (not the minion user) to be able to access salt commands or modules I would probably set it up
19:58 DammitJim joined #salt
19:58 aldevar joined #salt
20:00 MTecknology I still need to start using the salt api over salt event commands, but "it already works sanely" makes finding that motivation hard.
20:09 thelocehiliosan joined #salt
20:17 xet7 joined #salt
20:20 rjc joined #salt
20:27 thelocehiliosan joined #salt
20:40 thelocehiliosan joined #salt
20:45 copec Hi, I just started seriously using salt a month ago and I have been manually putting in a pillar to convert grains['id'] (which is the same as fqdn) to a 'id-path' pillar, so like servar1.example.com -> com/example/servar1
20:45 copec Initially I just gathered all the configs to file.manage them
20:46 copec now I'm abstracting actual states, etc.
20:46 copec I wonder if there is a relatively easy way to manipulate the grains string into a path like that with jinja?
20:48 MTecknology copec: as long as you have standardized conventions, breaking that stuff out should be pretty easy.  You could have a utility module that you write to break id's into their appropriate parts, and then a grain that uses that module to assemble the path you want.
20:49 MTecknology or it might be trivial enough that the utility module is a bit silly, but I use one so I can re-use that block of code.
20:49 copec Like a python module?
20:50 MTecknology a module for salt, written in python
20:50 copec google -> http://intothesaltmine.readthedocs.io/en/latest/chapters/development/writing-modules.html
20:51 copec and https://docs.saltstack.com/en/latest/ref/states/writing.html
20:51 copec I guess I just need to read and dig into it
20:51 Edgan copec: I think I know what you mean
20:51 Edgan copec: yes, you can
20:51 MTecknology I was referring to execution modules, which are easier yet
20:52 MTecknology that first link is what you need
20:52 copec thanks~!
20:52 MTecknology gimme a minute to share a sample
20:53 Edgan copec: Do you mean something like this in relation to grains['id']? https://pastebin.com/SZfPmq4h
20:54 Hybrid joined #salt
20:55 copec This appears to be in the same vein as what I'm wanting to do
20:56 MTecknology copec: http://dpaste.com/3K2EZG4
20:56 copec thanks Edgan MTecknology
20:57 Edgan MTecknology: Your regex is not very readable
20:57 MTecknology Edgan: I'm far from a regex expert- care to help? :)
20:57 Edgan MTecknology: I more just wouldn't use a regex. I use split.
20:58 MTecknology I used split for my home setup, but that didn't really work for $client
20:58 Edgan MTecknology: My jinja above is basically python disguised as jinja
20:58 MTecknology ya.. I was gonna ask you why it wasn't just written in python :P
20:59 MTecknology fwiw- the <wiki_link> bit is a link that actually explains what each bit of that pattern does, why, and what it will/won't match.
20:59 Edgan MTecknology: More secure this way. To make it python I need a grain, and grains are client side. My old way was a grain.
21:00 MTecknology where are you using that? pillar?
21:00 Edgan MTecknology: I use it everywhere
21:00 MTecknology including minion?
21:00 Edgan MTecknology: state top.sls, pillar top.sls, pillars, and map.jinja of formulas
21:01 MTecknology How do you keep it off of minions?
21:01 MTecknology or did you just not want to use a grain?
21:02 Edgan As I said grains aren't secure, and all the data is compiled on the master.
21:02 MTecknology It sounds like you let minions see this, so "why not a module" still confuses me
21:02 MTecknology map.jinja, unless part of your pillar structure, is rendered minion side.
21:02 Edgan MTecknology: It could probably be a module too, but most people understand grains and pillars more
21:03 Edgan The map.jinja is just defaults and pulls in pillars as overrides
21:03 Edgan No, security issue there
21:03 MTecknology so then you don't actually use it there
21:03 MTecknology anyway... moving on
21:03 Edgan I do, let me show you
21:03 whytewolf Edgan: states are rendered on the minion. not the master.
21:04 whytewolf not all jinja is rendered on the master
21:05 Edgan MTecknology: https://cygnusx-1.org/formula.txt
21:05 MTecknology I need an adult!!
21:05 Edgan whytewolf: I will think about that more
21:05 Edgan MTecknology: ?
21:08 MTecknology man.. you /really/ like your jinja
21:09 copec giving me jinjavitis :-P
21:09 MTecknology lol
21:10 MTecknology copec: If you use a module like what I had, then you can have a grain that imports the module, runs something like:  n = salt.my_util.parse_id(grains['id'])  if not n: return {}  return {'grain_name': n}
21:11 MTecknology or.. n['tld']/n['domain']/..
21:12 Hybrid joined #salt
21:13 copec I'm reading/messing with modules now
21:14 MTecknology If you want to use it master-side, in pillar 'n such, then you might not need to create the grain at all- you could just have the master run that function within pillar and use the string as you see fit.  {% set n = ...
21:15 MTecknology </babble>
21:16 copec Right now I just have pillar with a bunch of if/elif's matching grains['id'] and setting id-path:
21:16 copec I figured if I wanted to change the id-path because something didn't follow id == fqdn
21:17 copec but it has become apparent that mapping id to an id-path pillar with a module function would be nice
21:18 * copec takes small steps
21:22 denstark_ joined #salt
21:22 MTecknology what's your end goal?
21:23 MTecknology Are you trying to build a clean way to have per-minion pillar configs with the sls files being dynamically loaded?
21:24 copec To transform everything into the most generic abstracted recipe, and then be able to pull from some datasource for allocation of various resources while provisioning new server instances
21:25 copec My goal right now was what you said
21:26 MTecknology something like this?  https://gist.github.com/MTecknology/082df07516ebc691722bd701da8a314f
21:27 MTecknology (just look at console & pillar before caring about the rest)
21:28 copec yeah, exactly like that
21:29 copec well, almost
21:29 copec heh
21:29 mikecmpbll joined #salt
21:29 sh123124213 joined #salt
21:29 MTecknology You can do the exact same thing with a different directory structure. You don't need to include defaults. You can do it with just node files..
21:30 onlyanegg joined #salt
21:34 babilen copec: http://paste.debian.net/1013668/ might serve as inspiration
21:34 MTecknology This is what I use at home- http://dpaste.com/17TWJ05
21:34 copec That's clean babilen
21:36 babilen copec: Can be done a little nicer with jinja filters |regex_search (cf. https://docs.saltstack.com/en/latest/topics/jinja/index.html#std:jinja_ref-regex_search) or a custom execution function for the id parsing, but I really like the power ignore_missing provides here
21:36 copec cool
21:37 MTecknology both of ours rely on that magic
21:38 copec thanks babilen MTecknology
21:38 copec All the examples are awesome
21:38 MTecknology No! Ur awesome!
21:40 babilen
21:41 MTecknology babilen: fwiw- mine is gitfs
21:41 cro joined #salt
21:42 aldevar left #salt
21:43 tuxawy joined #salt
21:46 MTecknology babilen: Are you sure yours won't also work as gitfs?
21:48 Edgan whytewolf: Thinking about it further, even if some of it is rendered minion side it doesn't matter. The key is are pillars and it's jinja rendered minion side, if it is all master side the most the minion can do is break themselves.
21:49 MTecknology that's my logic behind being okay with _modules/mt_netbox. without the access key in the master's config, the module is useless.
21:51 babilen MTecknology: It does
21:51 MTecknology ah, excellent! (there's a comment that says otherwise)
21:52 babilen Hmm .. I'll have something based on that original idea running at work on gitfs
21:52 whytewolf Edgan: yes. that is true. i was just correcting the "all jinja is rendered master side" not going against anything else.
21:52 babilen Ah .. that comment refers to an earlier version without ignore_missing
21:52 babilen Let me remove that right away
21:53 babilen ta
21:53 MTecknology $old_employer is still using that massive if/elif structure
21:54 whytewolf one of these days someone should document the existence of ignore_missing
21:55 MTecknology I nominate copec as tribute!
21:55 copec I choose to throw salt as my weapon
21:56 copec https://bugasalt.com/
21:57 copec Next con they should give some of those away rebranded with saltstack
21:57 copec heh
21:58 MTecknology utah might have a 2 milliliter per drink maximum... but that still sounds like a bad idea
21:58 MTecknology oh.. I read that as saltconf
21:59 Edgan whytewolf: I am surprised they render states minion side. Though it probably explains why the salt masters don't get overloaded.
21:59 MTecknology rendering master side is basically the entire reason pillar exists
21:59 copec I was under the impression that the only thing that wasn't was pillar data
22:00 whytewolf copec: there are a lot of things that are rendered masterside. reactors/pillars/orchestration that is run with salt-run. etc.
22:00 Edgan The state top and which states to ship across still has to be master side.
22:00 whytewolf nope
22:01 Edgan whytewolf: WTF, they ship the all git repo?
22:01 MTecknology copec: as far as a minion execution is concerned, I'm pretty sure that's correct; but yeah, lots of other things you haven't seen yet are master side
22:01 MTecknology Edgan: no..
22:01 whytewolf no, salt:// is a vertial filesystem
22:01 whytewolf virtual
22:01 MTecknology Edgan: top.sls is one of the files requested and retrieved
22:02 whytewolf anything that the minion thinks it needs it requests from the master in raw format
22:02 Kelsar joined #salt
22:02 copec whytewolf, I suppose that could also be classified as pillar data?
22:02 Kelsar joined #salt
22:02 copec oh, that's not a path
22:02 copec hah
22:03 copec / == or
22:03 whytewolf pillar is a dict that gets shipped over about every 60 seconds or so [whatever loop_interval is set to]
22:04 whytewolf Edgan: now, it is different for salt-ssh the master does try to determine what it needs to ship over and puts that into the thintar. but the thintar contains the raw files not anything that is rendered
22:04 copec Does salt have VRML interface so I can fly through all the states?
22:05 whytewolf thats one of the reasons the salt-ssh is such a pain when it comes to file dependencies sometimes
22:05 MTecknology copec: what's vrml? It looks like a thing for 3D modeling.
22:05 whytewolf I haven't heard VRML in YEARS!
22:06 Edgan whytewolf: I know that one very well. My intention is to rewrite salt-ssh to break up a master laptop side ad-hoc, and make the remote machine start up a minion that talks to the master across an ssh tunnel. It would solve my 5% problems with differences between salt-ssh and salt masters.
22:06 copec It's also a joke that I arbitrarily insert for the last two decades
22:06 copec heh
22:06 MTecknology wikipedia says it's loooong before my time
22:06 Edgan s/break/set/g
22:07 Edgan whytewolf: I tested the concept, and it worked.
22:07 whytewolf nice
22:07 Edgan whytewolf: Then you just ship across the minion code instead of the salt-call code.
22:08 MTecknology copec: you should come work for $client! :D  I have just the person for you to replace! :D
22:09 * copec is not sure if that's good or bad
22:09 Edgan whytewolf: I think such a salt-ssh mode would help Salt's adoption by providing a better and easier way to test Salt code.
22:09 MTecknology copec: it's one of the worst environments I've ever dealt with... and I've been thrown into some real messes.
22:10 MTecknology we're finally in clean-up mode, but it's a horribly painful process
22:12 whytewolf Edgan: I like it. although it would have to be an option. as I can still see the use of salt-call based configs as useful also
22:13 Edgan whytewolf: yes, the idea is a new mode
22:13 Edgan whytewolf: Can't break people already married to the existing model
22:13 copec I haven't read the salt-ssh documentation yet, can it bootstrap the minion too?
22:13 copec bootstrap [salt]
22:13 Edgan copec: bootstrapping is salt-cloud
22:13 Edgan copec: but I use salt-ssh to bootstrap new environments
22:14 whytewolf copec: yes. although saltify would be easier to use [salt-cloud like Edgan said]
22:14 Edgan copec: I bake the minion into the AMI
22:14 copec ah
22:14 Edgan copec: and use cloud-init to feed the minion the keys
22:14 copec Do you use pre-highstate'd container images of any kind?
22:14 Edgan copec: but I use salt-ssh to setup my apt repos, dns, and salt master
22:15 Edgan copec: In theory, I would use pre-baked AMIs or containers for auto-scaled things
22:16 Edgan copec: once the pre-reqs are set up, everything not auto-scaled is in master mode
22:16 MTecknology copec: If you want fast deployments, you can build a default image and then multiple images with extra packages installed from there, using things like packer.
22:17 Edgan yeah, packer is my pre-baked AMI solution. Though docker/kubernetes for containers.
22:17 MTecknology Anything I deploy is done using salt-cloud using only the default/base image, and my base image is just default debian with lots of stuff removed.
22:18 MTecknology Bootstrap!  https://gist.github.com/MTecknology/66ce7c7f148fc9da936bcf26cc572cd7
22:18 copec nice
22:18 whytewolf yeah, same here. an almost default image. although i do update the installed packages in the image now and then with packer
22:20 Edgan Mine is ubuntu with salt-minion added, and I update it every time I make a new salt package. I backport patches, and make my own bugfixes. Then roll my own packages based on the official latest ones.
22:21 whytewolf so many ways to bootstrap, so little time :P
22:21 MTecknology I have an internal apt repo for things I need to override/add, but I haven't used it since Debian 9.
22:22 Edgan There are way too many Salt bugs for my taste to not make my own packages.
22:23 MTecknology that's the reason I used to do it- but I don't really run into salt bugs anymore.
22:25 Edgan MTecknology: I currently have five patches. Some will probably go away with 2018.3.
22:26 Edgan MTecknology: Technically, more like four patches. One I have to patch Salt to make Salt cache properly when I patch Salt.
22:42 tuxawy joined #salt
22:42 woodtablet joined #salt
22:43 woodtablet hello everyone
22:48 woodtablet i was wondering if someone could point out what i am missing for  what i believe is a nodegroup problem, but it boggles me. i have a nodegroup.conf file that goes like this= nodegroups: saltminions: 'minion* or ss-*'. i have salt minion called ss-ibs-server1.fqdn, and calling the high state says : saltenv base is not available on the salt master or through a configured fileserver
22:49 woodtablet but i have a dozen machines that start with ss-XXX-server.fqdn that work fine
22:49 ecdhe MTecknology: what's your stack for the internal apt repo?
22:50 MTecknology ecdhe: just reprepro
22:50 hemebond woodtablet: Does highstate work on that minion?
22:52 woodtablet hemebond: No. but from -l debug, i get this: https://gist.github.com/gwaters/0d9dcc942954372282cf9d00daa36bfe
22:53 hemebond woodtablet: You have an error in your pillar for that minion.
22:53 woodtablet oh
22:53 woodtablet niceee, thanks!
22:53 ecdhe MTecknology: do you fully mirror upstream plus your own additions?  Or just your own additions?
22:53 woodtablet i'll go look around!
22:54 MTecknology ecdhe: I just add my own additions and set it as a higher preference than what's in upstream. I use apt-cacher-ng for the rest of it.
23:57 zerocoolback joined #salt
