IRC log for #salt, 2013-05-29

All times shown according to UTC.

Time Nick Message
00:00 raz https://github.com/saltstack/salt/commit/85e352e47f84c1f7ea0284e4386057b0e83d5ee5
00:00 joehh The 0.15.1 was built from the released tar.gz
00:01 raz hm, i'm totally lost between the tags and branches now
00:01 joehh me too
00:01 raz but i kinda need that patch ;)
00:01 adotbrown joined #salt
00:01 joehh where are you getting your debs from?
00:01 raz unless there's another way to have per-host configs
00:01 raz deb http://debian.saltstack.com/debian wheezy-saltstack main
00:02 raz per-host pillars i mean
00:02 joehh good
00:02 joehh have you built debian packages before?
00:03 raz yes, but i guess i'll rather install via pip
00:04 joehh any other patches you are missing?
00:05 raz uff
00:05 raz erm no, not at this time
00:05 mgw If anyone here happens to be looking for full time employment in the Seattle area, please take a look at http://www.wtiajobs.org/employers/post_window.php?post_id=3705
00:06 raz after looking at the "quick install script" i'm not so sure installing from pip is an option anymore ;)
00:08 joehh I would avoid mixing pip and deb installs, but that might just be my conservative nature
00:08 sarkis_ joined #salt
00:09 raz well, i don't have a deployment yet, i'm just exploring salt for the first time
00:09 raz looks like a dev install might be the way to go
00:09 raz i'm honestly not fond about the six dozen install methods and don't understand why so many projects go down that rabbit hole
00:09 raz i mean, it's python. why not roll a clean virtualenv that works on all platforms.
00:10 joehh interesting thought - I know rhodecode uses that install method - seems to work well enough
00:11 raz well, just my 2cents
00:11 raz it's especially irritating when a config management system does it (chef with their "omnibus" is the weirdest)
00:14 raz ah well, as long as this is the only patch.. i just monkeypatched the file :P
00:16 joehh nice
00:16 LyndsySimon joined #salt
00:17 raz are you a salt-dev?  happen to know why the patch was not released?
00:17 raz i've seen the discussion about it, but on the ticket it sounded like it's supposed to be merged
00:19 UtahDave which one, raz?
00:19 sarkis joined #salt
00:20 raz UtahDave: https://github.com/saltstack/salt/commit/f2780e85e149bb5639d96d60cdd5f181c5d72220
00:20 * UtahDave looking
00:22 UtahDave Hm.  Tom reverted that here: https://github.com/saltstack/salt/commit/4ec6722103d49e65c2c6ce675bab4688674a5545
00:22 raz oh :(
00:22 UtahDave but it looks like terminalmage was asking about it, too.
00:22 raz 2 months ago.. ;)
00:23 UtahDave We can probably get it in if we can figure out what it broke.
00:23 raz yea, but i'm also curious how other people structure their deployments
00:23 raz where do you put per-host pillar-data ("by hostname" or "by domain")?
00:24 joehh raz: me - no, I just look after the debian packaging
00:24 UtahDave raz:  you can put it in /srv/pillar or any of the external pillars
00:25 raz UtahDave: but the external pillars don't get the hostname to match on (which the patch is about). and static data in /srv/pillar is extremely limited (by jinja).
00:26 UtahDave raz: have you looked here?  http://docs.saltstack.com/topics/development/external_pillars.html
00:26 UtahDave you get __opts__ and __grains__ and __salt__ in your custom external pillar
00:26 santagada joined #salt
00:26 UtahDave You should be able to do almost anything you want there.
00:27 raz ah..  time to dust off my python skills ;)
00:28 UtahDave :)   external pillars are actually pretty easy and very powerful.
00:28 UtahDave I can help you tomorrow, but I have to head home.  Wife and kids are waiting for me for dinner.  :)
00:28 raz yea, i was just hoping not having to write python anymore :/
00:28 raz np, thanks, have a nice one :)
00:28 UtahDave you too!
00:51 fxhp State [mystate].[myfunction] found in sls [mystate] is unavailable
00:51 fxhp any clue what that means?
00:51 fxhp I dropped a .py file into states directory
00:51 fxhp for testing / learning
00:52 fxhp and when I try to use it, I get that message
00:52 fxhp do I need to register my state somewhere?
00:58 auser fxhp: that means that it can't run the state for some reason
00:58 fxhp hmmm
00:58 auser like git will be unavailable if git-core isn't installed
00:58 fxhp I figured
00:59 santagada joined #salt
00:59 jeddi joined #salt
00:59 fxhp auser: have any hints about tracking down the cause?
00:59 fxhp already using -l debug
00:59 auser how are you running it?
00:59 auser ah, yeah, find where it runs it
00:59 fxhp sudo salt-call -l debug state.highstate
01:00 auser yep, then I do an apple+f and find the function in the output logs above
01:00 fxhp [ERROR   ] No changes made for [name varible]
01:14 Nexpro joined #salt
01:20 fxhp auser: so I moved states/user.py out of the way, and got the same error message
01:20 auser oh, is this on a minion?
01:21 fxhp masterless minion
01:21 fxhp yeah (salty-vagrant)
01:21 auser salt-call saltutil.sync_all
01:21 fxhp I do my dev like that
01:21 auser make sure it's sync in there
01:21 auser sure, I do too
01:21 fxhp Oh...
01:21 auser I built this: https://github.com/auser/salt-cli
01:21 fxhp I bet it isn't "cached?"
01:21 auser vagrant + aws
01:24 fxhp didn't seem to work
01:24 fxhp let me retrace my steps
01:25 fxhp Ohhh
01:25 fxhp sync gave me a traceback
01:25 fxhp wot
01:25 fxhp woot
01:26 fxhp Thanks auser
01:31 santagada joined #salt
01:32 austin987 joined #salt
01:36 joehh joined #salt
01:41 auser sure
01:41 auser nice
01:42 cxz joined #salt
01:46 mikedawson joined #salt
01:47 kmwhite joined #salt
01:53 oz_akan joined #salt
01:57 itaifrenkel @UtahDave - hi. Could you provide a link to the openstack integration you mentioned earlier?
02:02 fxhp itaifrenkel: sorry he isn't here
02:03 santagada joined #salt
02:03 itaifrenkel fxhp: yeah. Got another Q. Can you tell me more about the status of salt-monitor project ?
02:04 fxhp don't know, I was looking at salmon earlier today because goodwill linked it
02:04 fxhp itaifrenkel
02:07 itaifrenkel I noticed a comment on ServerFault mentioning memory leaks.
02:07 itaifrenkel http://serverfault.com/questions/484004/can-salt-saltstack-gather-and-relay-data-for-graphite-ganglia-or-zenoss
02:07 itaifrenkel I wonder if this is relevant or not
02:15 dthom91 joined #salt
02:16 mgw joined #salt
02:20 auser joined #salt
02:36 jdaggett joined #salt
02:40 auser joined #salt
02:40 clintberry joined #salt
02:43 LyndsySimon joined #salt
02:54 dthom91 joined #salt
02:59 auser is 'unless' available on host.present?
03:00 auser or a test available for `host`?
03:18 techdragon joined #salt
03:26 melinath joined #salt
03:33 melinath joined #salt
03:35 auser anyone needed to only put "up" hosts in /etc/hosts
03:36 knapper_tech joined #salt
03:42 santagada joined #salt
03:43 auser joined #salt
03:45 cxz i think unless is available on everything
03:45 cxz (i think)
03:46 cxz wait that sounds wrong
03:46 cxz might just be for cmd
03:49 faldridge joined #salt
03:49 auser I think it's just for cmd cxz
03:49 auser which is a bummer
03:49 auser 'cause if I teardown a host and then put a new one up, I still have the dead machine in the hosts file
03:49 mgw joined #salt
03:50 cxz yeh
03:50 auser I feel like this isn't a unique edge case
03:50 cxz yes
03:50 cxz i agree
03:50 cxz Maybe you can use test.ping in some smart manner
03:50 auser hm, yeah
03:51 auser I can use `nc`
03:51 auser but only if I use cmd.run instead
03:51 cxz try something like
03:52 cxz {% if salt['test']['ping'] == True %}
03:52 cxz then your jinja directive
03:52 cxz obviously you need your host in there as well
03:52 auser ugh, that feels so hacky
03:53 cxz Yeh
03:53 cxz It's kind of what i do for a few things because i dont have a proper solution
03:54 cxz if you come up with one for your case i would like to hear it so i can implement it too
03:54 auser sounds good
03:54 auser the problem with that is that at one point, it will be pingable
03:54 auser by the way
03:54 auser and we don't have the ip of the old one anyway, so we can't pull it out with hosts.absent
03:59 raz joined #salt
04:03 sarkis joined #salt
04:03 cxz Indeed
04:03 cxz What an annoying problem
04:03 cxz Actually
04:03 cxz It might be possible to use the salt master cache?
04:03 cxz This wouldn't persist across salt-master restarts of course
04:06 th3sp00n joined #salt
04:06 th3sp00n So I've got this fun problem. I need to use the git module to not only checkout the master branch from github, but also a particular hash. Has anyone been able to do that? Or can anyone give me any guidance?
04:07 cxz So a hash in the master branch?
04:07 th3sp00n Yeah
04:07 cxz or master branch + another random hash?
04:08 th3sp00n Nope, master branch hash
04:08 cxz let me check ok
04:08 th3sp00n thanks
04:08 cxz ok just use git.latest with - rev
04:08 cxz http://docs.saltstack.com/ref/states/all/salt.states.git.html
04:08 koolhead17 joined #salt
04:08 th3sp00n tried that, let me grab the error
04:10 Katafalkas joined #salt
04:11 th3sp00n well damn. It just worked.
04:11 th3sp00n :)
04:11 cxz Lol
04:11 cxz weird
04:11 cxz Maybe an issue with ssh auth?
04:11 cxz possibly had to connect once to get the git/ssh key
04:12 cxz and then again to actually pull
04:12 th3sp00n I think the dev just gave me a bad hash, I grab one myself and then it worked.
04:12 cxz ah ok
04:12 cxz cool
04:12 th3sp00n Rock on
04:12 th3sp00n and to think, I'm on an airplane right now doing all this.
04:17 Furao day #6 with MBP in repairs :(
04:21 santagada joined #salt
04:25 th3sp00n MBP?
04:27 indymike joined #salt
04:28 wilywonka joined #salt
04:29 Corey Macbook Pro.
04:29 Corey Doh, missed him.
04:30 Furao joined #salt
04:35 efixit joined #salt
04:36 Furao and I'm leaving to malaysia in 1 week :(
04:38 jalbretsen joined #salt
04:39 Corey yay?
04:40 Furao yay but I need to have this computer repaired before leaving
04:45 [diecast1 joined #salt
04:45 [diecast1 joined #salt
04:45 Furao joined #salt
04:56 cxz joined #salt
05:06 dthom91 joined #salt
05:08 indymike joined #salt
05:20 bensix joined #salt
05:20 bensix joined #salt
05:22 cxz joined #salt
05:48 dthom91 joined #salt
05:50 azbarcea joined #salt
05:50 jkleckner joined #salt
05:58 Slipo joined #salt
06:14 auser joined #salt
06:17 pjs joined #salt
06:17 up_the_irons joined #salt
06:29 drdran joined #salt
06:33 clintber_ joined #salt
06:36 kermit joined #salt
06:50 Newt[cz] joined #salt
06:53 carlos_ joined #salt
06:54 berto- joined #salt
06:54 lesnail joined #salt
06:55 Newt[cz]1 joined #salt
06:55 sebgoa joined #salt
06:55 Furao I hate that when I run salt-call modname.funcname /path/to[THEN PRESS TAB] to autocomplete in bash
06:55 Furao and salt-call start
07:00 berto- joined #salt
07:07 dthom91 joined #salt
07:09 backjlack joined #salt
07:11 vaxholm joined #salt
07:12 balboah joined #salt
07:14 f4cl3y joined #salt
07:14 f4cl3y joined #salt
07:17 oliv_mc joined #salt
07:19 auser cxz: hey
07:19 auser I solved it using cmd
07:21 druonysus joined #salt
07:21 druonysus joined #salt
07:22 usillos joined #salt
07:25 Sc0rp1us joined #salt
07:31 it_dude joined #salt
07:34 clintberry joined #salt
07:35 berto- joined #salt
07:37 emilis_info joined #salt
07:38 tharkun joined #salt
07:38 tharkun joined #salt
07:43 usillos joined #salt
07:45 Furao joined #salt
07:45 scott_w joined #salt
07:53 agend joined #salt
07:54 agend joined #salt
08:01 d0ugal I've got this - http://dpaste.com/1203439/ but it seems to be running as root still. Any ideas?
08:06 Furao http://docs.saltstack.com/ref/states/all/salt.states.cmd.html#salt.states.cmd.run
08:06 Furao d0ugal: runas don't exists
08:15 felixhummel joined #salt
08:16 favadi joined #salt
08:18 krissaxton joined #salt
08:19 favadi I have trouble understanding how to pass variable to template while using salt.file.managed
08:19 taotetek joined #salt
08:19 favadi in the docs,
08:19 favadi context
08:19 favadi Overrides default context variables passed to the template.
08:19 favadi defaults
08:19 favadi Default context passed to the template.
08:20 favadi I do not understand the use of `context`, why anyone want to overrides the variable define in `defaults`?
08:21 itaifrenkel joined #salt
08:21 Gareth joined #salt
08:21 favadi Can someone show me an example?
08:21 Furao check my states https://github.com/bclermont/states
08:22 Furao https://github.com/bclermont/states/blob/master/states/elasticsearch/init.sls#L74
08:22 Furao https://github.com/bclermont/states/blob/master/states/elasticsearch/config.jinja2
08:23 Furao wait no that is too old
08:23 Furao well I used it in various places
08:24 Furao but this is very old and new version don't look like this anymore
08:24 favadi Furao: I do not see you use `defaults` in your files
08:24 Furao so I'm not sure where I should look, but you can just git clone and search into it
08:24 Furao ah yes, maybe back then
08:25 Furao I myself, don't see the point of using defaults, just need to use context
08:26 favadi Furao: I'm too
08:26 favadi so I think maybe I miss some thing about `defaults`
08:27 favadi and it can be useful somehow
08:27 Furao maybe if you just put some defaults value straight in the the .sls
08:27 Furao and have - context: {{ pillar['something'] }}
08:27 Furao so the pillar will only contains what changes in defaults
08:30 Radex joined #salt
08:33 krak3n` joined #salt
08:40 felixhummel joined #salt
08:40 adotbrown joined #salt
08:42 MrTango joined #salt
08:46 favadi joined #salt
08:53 d0ugal Furao: Oh, how do I run a command as another user then?
08:53 d0ugal Thought I seen it in the docs, but maybe I misread.
08:54 Furao d0ugal: http://docs.saltstack.com/ref/states/all/salt.states.cmd.html#salt.states.cmd.run
08:54 Furao you were probably look at salt.modules.cmd and not salt.states.cmd
08:55 Furao look += ing
08:55 aorist joined #salt
08:57 Radex joined #salt
09:06 emilis_info joined #salt
09:16 emilis_info joined #salt
09:20 d0ugal Furao: from that page “The interpretation of onlyif and unless arguments are identical to those of salt.states.cmd.run(), and all other arguments(cwd, runas, ...) allowed by cmd.run are allowed here, except that their effects apply only to the commands specified in onlyif and unless rather than to the function to be invoked.”
09:20 d0ugal Seems to suggest runas would work with cmd.run - copied from just under http://docs.saltstack.com/ref/states/all/salt.states.cmd.html#salt.states.cmd.call
09:21 tomeff joined #salt
09:23 lesnail joined #salt
09:24 krissaxton joined #salt
09:31 `3rdEden joined #salt
09:32 liuyq joined #salt
09:33 liuyq hi, where can I find the document about the syntax of salt?
09:34 liuyq want to know if  {% elif grains['id'] in ['fastmodel01', 'fastmodel02'] %}  will work, or how should I write for that?
09:37 felixhummel joined #salt
09:39 Madkinder joined #salt
09:41 f4cl3y joined #salt
09:45 Madkinder hi. how can I group a bunch of states so that I could declare a requisite declaration on it?
09:46 Madkinder for example I want to create an sls to bootstrap the system: configure the repo urls, put some public keys, etc
09:47 Madkinder then I want to make sure that all the rest of the states get synced strictly after this bootstraping, as some of the packages I'm going to install are within those repositories I want to configure during bootstrap
09:48 Katafalkas joined #salt
09:49 favadi I have five hosts with id testbox1, testbox2 .. testbox 5. How can I use set only a variable for those hosts using jinja in pillar file?
09:50 favadi I know about grains['id']
09:50 favadi but do not how to do that in jinja
09:51 Madkinder just write {{ grains['id'] }}
09:51 Madkinder I mean within your sls
09:51 aorist joined #salt
09:59 Madkinder does the order of entries in a top.sls file impose the order state synchronization?
10:00 fredvd joined #salt
10:01 Madkinder for example with this top.sls http://pastebin.com/f7p2cRUn can I be sure that all the states defined in bootstrap.sls would already be synced whilst processing webserver.sls without using any requisite declarations?
10:02 favadi Madkinder: For example, I want to set variable test1=123 for hosts with id begin with testbox, and test1=456 for all other hosts.
10:02 favadi I do not figure out how to do this
10:03 Madkinder oh, I see
10:04 Madkinder I'm not sure that partial matching by id is a good idea though
10:04 wilywonka joined #salt
10:05 favadi Madkinder: so what is the better idea?
10:07 sebgoa joined #salt
10:10 tharkun joined #salt
10:10 tharkun joined #salt
10:16 ronc joined #salt
10:18 __gotcha joined #salt
10:19 Katafalk_ joined #salt
10:24 krak3n` joined #salt
10:25 mnemonikk joined #salt
10:35 Madkinder favadi: not sure, sorry. I'm a newbie myself :(
10:35 Madkinder still trying to grasp salt
10:41 middleman_ joined #salt
10:41 techdragon Is there a convenient way to make a state optional ?
10:42 techdragon without failing due to requisites being incorrect.
10:44 ninkotech__ joined #salt
10:46 giantlock joined #salt
10:54 sebgoa joined #salt
10:59 backjlack joined #salt
11:04 Furao techdragon: create sub-state
11:04 Furao I mean split a single state into smaller one
11:05 Furao such as I separate, stats, monitoring and backup from the main state
11:05 Furao such as a database
11:11 Lucas_ joined #salt
11:13 andrewclegg joined #salt
11:15 munhitsu Hola! Is it possible/valid to extend include?
11:16 munhitsu I've started to use jinja macros to parametrize states templates
11:16 munhitsu works pretty nice
11:16 munhitsu and now I'm looking for a smart way of having include within template and still being able to set include within state file
11:18 tharkun joined #salt
11:18 tharkun joined #salt
11:33 lvicks joined #salt
11:33 jpadilla joined #salt
11:35 mikedawson joined #salt
11:42 Furao munhitsu: that is called {% extends "other template" %} in jinja2 and it's not possible yet in salt, I had open an issue for that
11:43 Furao https://github.com/saltstack/salt/issues/4357
11:43 Furao maybe someday I'll just implement it myself
11:48 Katafalkas joined #salt
11:51 f4cl3y joined #salt
11:54 schvin_ joined #salt
11:57 logix812 joined #salt
11:57 jgelb joined #salt
12:00 jgelb joined #salt
12:07 jkleckner joined #salt
12:10 lesnail joined #salt
12:11 jgelb joined #salt
12:11 longdays question about provisioning a machine with a specific state
12:12 longdays i have created a state for postgres. I only want to provision that state to the minion. No base, not highstate etc.
12:12 longdays Is that possible?
12:14 kadel joined #salt
12:17 Charatna joined #salt
12:17 Charatna left #salt
12:18 Madkinder longdays: yes, it is. exclude it from top.sls and call it directly
12:19 jslatts joined #salt
12:19 Madkinder i.e. you have desired states in salt://db/pg.sls, then you call it like this:
12:19 Madkinder salt 'minion-id' state.sls db.pg
12:20 krak3n` joined #salt
12:21 longdays great thank you for the example. I am going back through the states tutorial as I feel I am missing something. No examples in the tutorial seem to show specifiying the state. They all show salt '*' state.highstate. It feels like that is not what one would want to occur in a larger environment. Am I wrong?
12:21 krak3n` joined #salt
12:26 Furao longdays: state.sls postgresql
12:27 Furao like madkinder said
12:30 longdays Furao: yeah so I am running 'salt testpostgresbox state.sls postgresql'. I see that works, but with the constant reference to highstate I feel that the configuration of the top.sls file and and others must be tuned properly to the environment to make sure highstate work when addressing all minions with *. Is that somewhat correct?
12:32 Furao yes, and you should use roles
12:34 jeddi there is much satisfaction (and safety) in having state.highstate act sanely, idempotently, and predictably for any run, i think.
12:37 Furao jeddi: I wrote a testing tool to achieve that
12:37 Furao it run every of my states or combination of states
12:37 Furao and between each of it run all absent states
12:38 Furao and it check for rogue user, process, or configs
12:38 Furao and at the end it run the monitoring checks
12:38 Furao it takes 10 hours to run ~350 tests on a ec2 c1.medium
12:39 Furao each tests are executed on a VM that got the strict minimum of packages to run the salt minion
12:40 Furao and I can run it over and over again with different pillar data set, such as with SSL turned on or not
12:40 Furao it helped me find ~100 bugs in my states, mostly missing -require and -watch
12:53 napperjabber joined #salt
12:55 Slipo joined #salt
12:55 brutasse Furao: any chance to see that on your github account?
12:57 Furao I shared it with Thomas, look like salt already do some of it, I didn't processed his reply yet
12:57 Furao but I'm not sure salt already do that
12:57 Furao in term of testing
12:58 brutasse ah. In any case I'd be interested in resources about testing infrastructure code
13:00 longdays Cool. Moved to next situation that seems pretty critical to day-day functionality, pillars. So I have created a /srv/pillar/postgres folder. Under that a init.sls file with three lines pg.range: 0.0.0.0/0 pg.user: example
13:00 danielbachhuber joined #salt
13:01 Furao yes, my focus was testing my states and not salt itself
13:01 Furao but testing states test salt itself at the same time
13:01 Furao and I open few issues lately
13:01 longdays I want to create a jinja template to grab that pg.range variable. I am assuming that they are not globally unique, but I tried {{ pillar['pg.range'] }}
13:01 longdays that returned nothing so what is the correct syntax for getting to that value being it is stored under the /srv/pillar/postgres folder
13:02 brutasse Furao: currently I just push my states, hope they work and fix as I go
13:02 longdays pillar['postgres:pg.range'] ?
13:05 Furao longdays: pillar['pg.range'] you might need to run saltutil.refresh_pillar before, run pillar.data to see if the content is there
13:05 santagada_ joined #salt
13:05 longdays Furao: Thanks. Looking back to make sure I am assigning the pillars correctly
13:06 Furao brutasse: the thing is I'm not the only "consumer" of my states, I push to clients git servers that, they mix my states with their own, then they were failing and coming back at me with bugs. this testing tool helped me to somewhat guarantee that my states are ok. and I keep set of test pillar that somewhat match their requirements.
13:06 brutasse cool
13:06 Furao when salt 0.15.0 went out, it break some of my clients deployments, when we hit the bugs that cause file.managed - template: jinja file to ends un-rendered on the minion
13:07 Furao key = {{ pillar['value'] }}
13:07 Furao often break daemon :)
13:08 Furao my testing tool could detect those errors in salt itself, as the monitoring check will fail after state are applied (non-running daemon, closed port, or web app that return 500 internal error)
13:08 jeddi Furao: it certainly sounds pretty cool - i've been keeping an eye on your progress (within irc at least :) the past few weeks. unit testing for my statefiles is something i really should plan to do something about in the coming weeks.
13:09 Furao if it wasn't about my computer on repairs since last thursday, I would had enough time to work on something I was supposed to release this week
13:09 emilis_info joined #salt
13:09 Furao just got email from apple store to say my computer is ready. received 8 minutes after store close
13:10 LyndsySimon joined #salt
13:15 jeddi did they say what your computer was ready *for*?
13:17 Furao Your product is ready. Please arrange for pickup in the next 7 days or contact the Apple Store ifc mall at 3972 1500, if you need to make other arrangements.
13:17 Furao 6 days to replace screen, I/O board, keyboard and touchpad
13:17 Furao well, almost 7 as I can only pick it tomorrow
13:19 Furao at least, I'll got it for next week when I'll leave hong kong
13:19 LyndsySimon joined #salt
13:27 mikedawson joined #salt
13:30 Kholloway joined #salt
13:37 m_george|away joined #salt
13:38 santagada_ joined #salt
13:39 koolhead17 joined #salt
13:39 koolhead17 joined #salt
13:44 conan_the_destro joined #salt
13:44 m_george left #salt
13:49 sarkis joined #salt
13:51 lvicks joined #salt
13:53 whit joined #salt
13:56 whit joined #salt
13:56 longdays added the following two lines to a init.sls file
13:56 longdays - template: jinja - defaults:
13:56 longdays - ip_range: {{ pillar['pg.range'] }}
13:56 Furao that should be 3 lines
13:57 longdays it is
13:57 longdays I messed up the paste
13:57 Furao you said 2 :P
13:57 felixhummel joined #salt
13:57 longdays python is throwing an error
13:57 Furao longdays: added the following two lines to a init.sls file
13:57 longdays ha
13:57 longdays yeah I meant three
13:57 longdays sorry
13:57 Furao use a paste service, paste your state and the error
13:57 Furao throwing an error is not useful
14:00 kaptk2 joined #salt
14:01 longdays state is here http://pastebin.com/umyfZFaC
14:01 longdays that is the state
14:02 longdays still learning this tool. Please be gentle :)
14:02 Furao indentation is wrong
14:02 Furao line 5 and 6 don't match line 4
14:02 Furao in fact the problem is line 4
14:02 Furao miss a space
14:02 Furao need to match 5-6
14:02 longdays i just verified that and line 10
14:03 Furao line 10 same
14:03 longdays on the box it is running they match
14:03 longdays paste must have came in strangely
14:03 longdays double checking though
14:03 Furao and the error?
14:04 Furao https://github.com/bclermont/states/tree/master/states/postgresql/server
14:04 Furao outdated but it works
14:04 longdays error is coming
14:04 halfss joined #salt
14:05 longdays http://pastebin.com/kz0ZERN4
14:05 longdays I verified the indentation on the sls file lines they look good
14:06 williamthekid_ joined #salt
14:06 Furao oh yes
14:06 Furao line 36
14:06 Furao remove the -
14:06 Furao it's a dict not a list
14:06 Furao {}.update({})
14:08 longdays perfect! thanks
14:08 longdays I see in the docs now
14:09 longdays so in the yaml format for the sls files every indented "-" signifies a list element vs a dictionary?
14:09 Furao yes
14:14 felskrone joined #salt
14:15 jalbretsen joined #salt
14:25 krak3n` joined #salt
14:26 jdaggett joined #salt
14:28 wilywonka joined #salt
14:34 octarine joined #salt
14:38 mgw joined #salt
14:41 danielbachhuber joined #salt
14:41 mgw joined #salt
14:42 mannyt joined #salt
14:48 nliadm is there an example of using the 'module' state module?
14:50 Abukamel joined #salt
14:51 Abukamel hi there, i am writing a module for installing and configuring csf firewall, but my problem is i didn't get any output back to the master server, all output is on the minion server
14:52 Abukamel how can i get all the output on the minion server to be also on the master server ?
14:52 alekibango joined #salt
14:53 teskew joined #salt
14:58 kho joined #salt
14:58 LyndsySimon left #salt
14:58 juicer2 joined #salt
14:59 munhitsu thanks Furao
14:59 LyndsySimon joined #salt
15:00 munhitsu I still find it annoying to talk about states from template perspective while I'm thinking about objects, but one can get used to it
15:00 wilywonka joined #salt
15:04 kaptk2 I am having a trying to get the gitfs file system working. I am using git+ssh on salt 0.15.1
15:04 kaptk2 The error is: Exception len([]) != len(['Permission denied (publickey).', '']) occurred in file server update
15:06 m_george joined #salt
15:06 kaptk2 Any ideas on how to fix this?
15:06 Abukamel Can any body help me?
15:06 kaptk2 I have checked that the root user (which salt master runs as) can connect up just fine using ssh -T git@github.com
15:07 aat joined #salt
15:07 kevinbrolly joined #salt
15:09 itaifrenkel joined #salt
15:09 tempspace Is anybody aware of any bugs re: groups in 0.15.1? I'm not seeing anything in github, figured I'd ask here in case I missed it
15:09 itaifrenkel hello. I just bootstrapped salt for the first time (masterless). Where can I find the modules directory
15:11 tempspace nm, I just found it
15:11 tempspace would help if I sorted issues by date :)
15:14 longdays is there a way to remove a state from a minion?
15:15 itaifrenkel mm found this /usr/lib/pymodules/python2.7/salt/modules
15:19 whit joined #salt
15:22 joehh tempspace: which was the issue?
15:22 tempspace joehh:  https://github.com/saltstack/salt/issues/5019
15:23 nliadm can the 'source' argument to the file module take multiple sources?
15:23 jgelb joined #salt
15:23 Madkinder nliadm: yes, it can, afair
15:24 Madkinder the first one that gets found wins
15:25 joehh tempspace: thanks for that - I had seen it, but hadn't tracked down it if was a problem at our end or salts
15:26 fxhp So, do I need to do something special in my state (python module) to support watch?
15:26 joehh pleased to hear it should be fixed in 0.15.2
15:26 santagada_ joined #salt
15:26 joehh by it, I mean the error message, not the issue
15:26 unicoletti_ joined #salt
15:29 tempspace joehh: np!
15:30 nliadm thanks, Madkinder
15:30 nliadm worked like a charm
15:31 Madkinder nliadm: um... for what? :)
15:31 nliadm didn't know that worked
15:31 knapper_tech joined #salt
15:32 UtahDave joined #salt
15:38 emilis_info joined #salt
15:39 unicoletti_ joined #salt
15:41 drdran joined #salt
15:52 ahall left #salt
15:54 mgw1 joined #salt
15:55 Odd_Bloke I notice 0.15.2 was tagged today; when will that be pushed out?
15:58 conan_the_destro joined #salt
15:58 santagada_ joined #salt
15:59 wilywonka joined #salt
16:03 sebgoa joined #salt
16:03 jgelb joined #salt
16:05 UtahDave Odd_Bloke: our packagers are working their magic and then the announcement will be made
16:06 jgelb joined #salt
16:08 Furao kaptk2: root user need private key to reach git server
16:09 Furao Abukamel: state/modules run in minion only
16:09 kaptk2 Furao: yes, that key appears to be working as evidenced by the fact that ssh from the root user works
16:09 Furao tempspace: plenty of bugs
16:10 Furao try to checkout from master using the same url as in your config
16:11 Furao I use gitfs daily and I don't have any problems
16:11 Odd_Bloke UtahDave: Brilliant!
16:12 jeddi joined #salt
16:12 Ivo joined #salt
16:12 Furao kaptk2: don't forget that it's a list not a single string
16:17 ZenoTasedro joined #salt
16:20 kaptk2 Furao: not sure what you mean
16:22 kaptk2 Furao: I have just tested the URL that I have in my config and it works fine
16:22 Odd_Bloke Can ACLs be limited to particular minions?
16:23 Odd_Bloke I'd like to allow Jenkins to do more things on our integration env than our live env.
16:23 UtahDave Odd_Bloke: yes
16:23 kaptk2 Furao: just to confirm you are using git+ssh?
16:24 Odd_Bloke UtahDave: http://docs.saltstack.com/ref/clientacl.html doesn't give any examples.
16:24 Furao kaptk2: salt master run as root?
16:25 clintberry joined #salt
16:25 kaptk2 Furao: yes
16:25 Furao my URL are like git@bitbucket.org:XXX/salt-common.git
16:26 Furao and by list versus string
16:26 Furao it's not gitfs_remotes: $gitrepo
16:26 Furao it's gitfs_remotes:
16:26 Furao - $gitrepo
16:26 mgw joined #salt
16:27 kaptk2 Furao: okay, I see what you are saying now. Yes I do have it like that. My URL looks like this: - git+ssh://git@github.com/kaptk2/gitfs.git
16:31 Furao strip +ssh
16:31 santagada_ joined #salt
16:31 Furao well no
16:31 Furao remove git+ssh://
16:31 Furao this is not a pip requirement file
16:31 Furao oh no, pip use git+git://
16:32 UtahDave Odd_Bloke: look here: http://docs.saltstack.com/topics/eauth/access_control.html?highlight=peer
16:33 kaptk2 Furao: that continues to give me the Persmission denide (publickey). error
16:33 kaptk2 s/denide/denied
16:33 Furao run master at debug level
16:33 UtahDave Odd_Bloke: would you mind adding an example to the other docs you were looking at.
16:34 Furao nvm, there isn't much logging in gitfs.py
16:34 JasonSwindle joined #salt
16:34 kaptk2 Furao: yep, not much
16:34 Furao gitfs doesn't use /usr/bin/git
16:34 Odd_Bloke UtahDave: I assume they're generated from the main repo?
16:34 UtahDave Odd_Bloke: yeah, in the docs directory.
16:34 JasonSwindle UtahDave: You may want to update the MOTD..... tag v0.15.2 is out..... :)
16:35 JasonSwindle UtahDave: https://github.com/saltstack/salt/tree/v0.15.2
16:35 Odd_Bloke JasonSwindle: It's not packaged yet, I think.
16:35 JasonSwindle oh..... :)
16:35 UtahDave JasonSwindle: yeah, but we haven't announced the release yet. We're giving our package managers some time to get everything put together
16:35 JasonSwindle GIT FTW..... I gave up packages when I found the tags
16:36 vaxholm joined #salt
16:36 UtahDave :)
16:38 ghaering joined #salt
16:38 lvicks joined #salt
16:40 teskew joined #salt
16:40 JasonSwindle UtahDave: Are there change logs for every new release?  Like for example for v0.15.2?
16:40 UtahDave yep! Tom's working on them right now
16:40 ZenoTasedro JasonSwindle: http://docs.saltstack.com/topics/releases/index.html
16:41 JasonSwindle Neat!
16:43 krissaxton joined #salt
16:44 lvicks joined #salt
16:44 chuffpdx joined #salt
16:45 aberant joined #salt
16:54 JasonSwindle Anyone using v0.15.2 and Vagrant?
16:55 opapo joined #salt
16:56 JasonSwindle I am getting a failed (false) state, and it gives no warning..... I had to scroll up in my list to see it.
17:04 Nazca joined #salt
17:04 santagada_ joined #salt
17:07 Nazca Ok... I'm reading through bootstrap-salt.sh and I've just realized why it's nagging at me...
17:07 Nazca the code is peppered with "more_generic_function_call || return 1"
17:07 * reinsle doesn't love bootstrap-salt ... it's really ugly :-)
17:08 Nazca I could be missing something simple, but all the functions return 0 on success ... and 1 on failure
17:08 felixhummel_ joined #salt
17:09 UtahDave Isn't that how things work on the cli, Nazca?
17:09 kaptk2 Furao: what version of salt are you running?
17:10 Nazca UtahDave, sometimes ... but it's short circuit bool logic
17:11 Nazca my brain doesn't like it :p
17:13 Nazca let me rephrase: why do the || and && operators work backwards
17:14 kaptk2 Furao: I just tried with a public repo and am still getting the Permission Denied error. Seems really weird that it works for you and not for me
17:15 MrTango joined #salt
17:16 Nazca (yes, I know it's a shell question, but portage is giving me a headache)
17:19 ZenoTasedro Nazca: they don't work backward, it's just based on success or failure, and any non-zero exit code represents failure
17:23 Nazca ZenoTasedro: fair point ... really what shell does is more like "test function_call -eq 0 || return 1"
17:23 alekibango joined #salt
17:24 ZenoTasedro it reminds me a lot of code i see in php or perl where it's like mysql_connect or die("blargs!");
17:25 Nazca ZenoTasedro: right, but in those cases the return from the function evaluates to false
17:25 ZenoTasedro right, but in programming 0 is understood to be false, while in program execution the opposite is true and most of what acts like a function in bash is the execution of a program
17:26 ZenoTasedro bash ain't no programmin' language!
17:26 druonysus joined #salt
17:26 druonysus joined #salt
17:26 Nazca hmmm, yes, that is also a fair point :p
17:26 ZenoTasedro :P
17:26 Nazca this is why I avoid writing bash whenever possible ;)
17:27 Nazca I guess it just never really annoyed me enough to complain that it's really a "conceptual operation" and not a "logical operation"
17:27 ZenoTasedro i don't write many bash scripts, but use a lot of the syntax in oneliners
17:28 Nazca I don't want to count how many times I've written ./configure && make without processing that it was dumb :p
17:29 ZenoTasedro lol i do it all the time
17:29 ZenoTasedro ; can be helpful as well
17:29 ZenoTasedro so you bootstrapping a gentoo box over there?
17:30 Nazca yes :/
17:30 ZenoTasedro what kind of fuss is portage giving ya?
17:30 ZenoTasedro i've never used the bootstrap script myself, but i run salt on some
17:30 Nazca the non-existence of /etc/portage/package.accept_keywords
17:31 vaxholm joined #salt
17:31 Nazca and the assumption of what form the user might decide to have it in
17:31 auser joined #salt
17:32 LyndsySimon joined #salt
17:32 Nazca it's a file? awesome, append to it.  it's a directory? awesome, append to a file called salt within it.  it doesn't exist? uh .. what is the user going to want it to be?
17:32 it_dude joined #salt
17:33 Nazca using ACCEPT_KEYWORDS sidesteps that problem, but is too accepting compared to >= keywords
17:34 jkleckner joined #salt
17:34 Nazca --autounmask-write is a clean way of doing it, but is two step and calling dispatch-conf without knowing if there are other changes there is questionable
17:36 kermit joined #salt
17:37 santagada_ joined #salt
17:37 Furao_ joined #salt
17:39 DustD1 joined #salt
17:40 krissaxton joined #salt
17:43 m_george left #salt
17:45 berto- joined #salt
17:48 eculver joined #salt
17:51 mgw We are looking for a Salt-savvy sysadmin for a full-time position. Anybody here interested? (I work for the company, I'm not a recruiter.)
17:54 sgviking joined #salt
17:54 krissaxton joined #salt
18:01 justhamade joined #salt
18:06 tempspace Any salt-cloud users running dev and using the EC2 driver? Having an issue and wondering if I'm the only one: https://github.com/saltstack/salt-cloud/issues/600
18:08 LyndsySimon joined #salt
18:09 it_dude joined #salt
18:11 santagada_ joined #salt
18:15 Nazca okie, my gentoo install functions seem to work ... now to clean up this branch
18:15 ZenoTasedro sorry, had to jump away for a bit
18:17 ZenoTasedro Nazca: did you hack on the bootstrap script to get it working for you? i was curious about how it'd handle masking as well
18:18 ZenoTasedro i just made a base image with salt preinstalled to avoid using the bootstrap
18:24 Nazca ZenoTasedro: yup, wrote appropriate functions for bootstrap ... only needs keywords thankfully, I've set a "naive assumption" that if the user hasn't made a folder they won't later.  that should work acceptably
18:27 fxhp auser
18:27 fxhp oop
18:28 fxhp I was trying to search your name, to get this command salt-call saltutil.sync_all
18:29 Katafalkas joined #salt
18:31 EntropyWorks the salt.states.mysql_user doesn't really work like I was hoping. have given up on it and gone back to just running cmd.run  to add mysql users.
18:32 aberant joined #salt
18:34 sebgoa joined #salt
18:35 ZenoTasedro Nazca: are you working with openstack or aws or similar?
18:37 Nazca ZenoTasedro: urg, openstack ... there's some bad memories.  worst documentation ever
18:39 ZenoTasedro i've not setup my own deployment of openstack, just something of an end user
18:40 Nazca yeah, I tried to deploy it ... it's like their profit model is "make it so hard to install that they'll pay instead"
18:41 ZenoTasedro i've been wanting to tinker with salt more in gentoo as it's my preferred distro, but the openstack deployment i'm working with has no gentoo image so i'm rolling with debian
18:42 Nazca ah, yes ... that's pretty common.  I suspect the only reason we have gentoo templates on our system is cause I made them
18:42 ZenoTasedro I think UtahDave was mentioning some salt stuff for openstack, hopefully as that pans out it gets easier
18:44 ZenoTasedro i've never had an opportunity to work on a gentoo infrastructure, a lot of people seem to think it's a terrible idea
18:44 Nazca could be ... I might try it as an option to get my install working before I admit defeat and go back to xensource by hand
18:44 Nazca it is and isn't
18:45 ZenoTasedro mind that these are usually non-gentoo users
18:45 ZenoTasedro and they fixate on compiling packages
18:45 Nazca a gentoo based infrastructure has a couple of really annoying drawbacks
18:45 Nazca kernel compilation being one
18:45 Nazca system breaking changes being the other
18:46 Nazca the switch to udev-197 being a good example of the latter class
18:46 ZenoTasedro yeah i'm well aware of the udev thing :p
18:46 ZenoTasedro as i rekicked my laptop after that
18:47 Nazca if you have a dozen systems running gentoo and you have to do that udev update on all of them ... yeah, that's why I'm assigning some work time to salt :p
18:47 arctan_ left #salt
18:47 ZenoTasedro lol
18:48 Nazca if I can figure out a sane way to roll a kernel with salt I'll be set
18:48 ZenoTasedro that'd be interesting
18:48 ZenoTasedro not sure of how that could be done with my current knowledge of salt
18:48 mikedawson joined #salt
18:48 santagada_ joined #salt
18:49 Nazca I'm toying with the notion of a version specified atom to pull the right version, then file manage to push the config across
18:49 ZenoTasedro though i want to install redis from source instead of using debian packages, and wanted to find a way to get salt to manage that process
18:50 Nazca it /should/ be possible, though I may write a module to compile things if I have to lol
18:52 ZenoTasedro i've wanted a decent api to interface with emerge for a bit, finally salt comes around and offers something so nice
18:52 Nazca yea, the api makes it much nicer than trying to talk to portage directly
18:54 ZenoTasedro when i get to working on my personal project again, i want to get things setup so i can run distcc on low priority nodes and use a portage binhost to store all the compiled stuff on
18:55 krissaxton joined #salt
18:55 Corey ZenoTasedro: Bad practice, generally.
18:55 ZenoTasedro is it?
18:55 Corey ZenoTasedro: "building from source in production?" Yeah.
18:55 ZenoTasedro it won't be on prod boxes
18:55 Corey ZenoTasedro: Even in Gentoo shops there's usually a build farm that pushes packaged binaries.
18:55 Corey I build once by hand, add the package to a repo, then everything can grab it.
18:56 ZenoTasedro yeah that makes sense
18:56 Nazca my method is exporting everything under /usr/portage as ro nfs and using binpkg for anything common to multiple nodes
18:57 Corey ZenoTasedro: It's a crapton easier than trying to track down every weird build error that might possibly arise. :-)
18:57 Nazca requires a fiddle to use a local distfiles folder, but otherwise it's not too bad
18:57 ZenoTasedro I know where to pick some brains when I get tinkering with it again :p
19:08 giantlock joined #salt
19:11 it_dude joined #salt
19:11 mahimahi joined #salt
19:14 mahimahi Want to execute file.managed onlyif a directory exists.  cmd has onlyif, but file.sed or managed does not.   Does anyone know of another way to accomplish this task?
19:14 jdaggett joined #salt
19:21 santagada_ joined #salt
19:22 ZenoTasedro mahimahi: i'm not sure of the best way to handle that one, i know it'd be fairly easy to require the directory if you wanted to ensure it existed before managing a file in it
19:28 mahimahi ZenoTasedro: Yes, makedirs is easy.  Maybe a feature request to add onlyif feature to file module.  But in the meantime I'm stuck :(
19:28 wilywonka joined #salt
19:29 jeddi mahimahi: http://rn0.ru/show/FmuykcRM9ct0H2Enl5Bp/  .. not sure if i'm doing the same kind of thing that you're trying to do.
19:30 jeddi mahimahi: but that fragment lets me run an initial commit with etckeeper IFF the directory .git doesn't exist
19:31 justhamade joined #salt
19:38 maddestmen joined #salt
19:40 whit joined #salt
19:46 wilywonka joined #salt
19:48 lvicks joined #salt
19:49 jgelb_ joined #salt
19:50 necronian_ joined #salt
19:50 number_five joined #salt
19:50 cwright_ joined #salt
19:51 berto-_ joined #salt
19:52 indymike_ joined #salt
19:52 ninkotech_ joined #salt
19:54 santagada_ joined #salt
19:54 knapper_tech joined #salt
19:55 efixit joined #salt
19:56 santagada_ joined #salt
19:58 eculver joined #salt
20:15 whit joined #salt
20:16 UtahDave joined #salt
20:18 AviMarcus joined #salt
20:26 krissaxton joined #salt
20:29 aat joined #salt
20:31 santagada_ joined #salt
20:34 dave_den joined #salt
20:35 it_dude joined #salt
20:36 fxhp is it poor form to get pillar from a states/asdf.py file ?
20:36 fxhp check/get a value from pillar
20:39 spoktor ls
20:47 MrTango joined #salt
20:50 abe_music joined #salt
20:51 jdaggett joined #salt
20:51 abe_music is it possible to set the image size in a map file instead of hard coding it into a profile? i'd prefer not to have to produce multiple profiles just to set the image size
20:55 abyss42 joined #salt
20:56 berto- joined #salt
20:56 UtahDave fxhp: That's probably fine if that helps you
20:57 fxhp UtahDave: it would save passing a pillar variable to every state function in the file
20:57 UtahDave abe_music: Yeah, I believe you can indeed do that.  Most of those config items can exist in various locations.
20:58 ZenoTasedro do the jinja templates get rendered on the minion? i know i saw something about where they get rendered before but it's slipped my mind atm
20:59 abe_music UtahDave: thanks…i should've tried before asking. i think i see what i was missing now
20:59 mahimahi1 joined #salt
21:00 UtahDave abe_music: cool
21:00 UtahDave ZenoTasedro: jinja in state files get rendered on the minion
21:00 UtahDave jinja in pillar gets rendered on the master
21:01 ZenoTasedro okay okay, i knew something rendered on the master
21:01 ZenoTasedro but that makes sense, thanks
21:01 ZenoTasedro i could've probably helped more people today knowing that
21:01 ZenoTasedro didn't want to assume and was too damn lazy to test
21:02 smeagol joined #salt
21:04 santagada_ joined #salt
21:04 ZenoTasedro jinja is sandboxed right? so i wouldn't be able to do something like check for the existence of a file unless that was passed into the template scope the way pillar and grain stuff is
21:04 UtahDave he he.
21:04 ZenoTasedro while i believe mako would be happy to let me do this
21:05 UtahDave no, you can do almost anything you want within jinja.  you have access to __salt__  as well, which means you can run any salt command you want, too
21:05 ZenoTasedro oh, yes....
21:05 ZenoTasedro i already do that a little bit.. of course
21:08 ZenoTasedro i have another burning question; is there a way to dynamically update the salt acl's?
21:08 ZenoTasedro atm i edit my master config and bounce the master service
21:10 UtahDave ZenoTasedro: Hm. I think you'd have to use external authentication  (eauth) to do that dynamically.
21:11 ZenoTasedro yeah i'm setup to use pam auth atm
21:11 Newt[cz] joined #salt
21:11 UtahDave I wonder if you could put your acl's in the pillar?  I'm not sure.
21:11 ZenoTasedro tried using ldap but i was having a hard time getting it configured
21:11 ZenoTasedro or the auth/ldap module that is
21:12 UtahDave Interesting. I haven't had the opportunity to use it.
21:12 UtahDave I know someone reported getting it to work successfully with ActiveDirectory.
21:13 ZenoTasedro i'm not really savvy with ldap, but i've implemented my own simple function to validate credentials against it
21:14 UtahDave cool
21:14 ZenoTasedro i don't know enough about it to be sure, but i suspect my method may not work in most implementations
21:14 ZenoTasedro or not work in all, rather
21:14 Dekkers joined #salt
21:15 Nazzy joined #salt
21:15 UtahDave gotcha
21:16 aat_ joined #salt
21:17 ZenoTasedro so i'll stick with pam and have pam hit ldap! but currently i put each user in pam user list, can i use wildcards to refer to users?
21:18 ZenoTasedro Like shown on http://docs.saltstack.com/topics/eauth/index.html
21:19 ZenoTasedro to do acl by group or something would be handy, i just haven't found much about whats available in the external auth
21:28 UtahDave I think you might be able to use wildcards on users. I haven't used it extensively, though.
21:28 ZenoTasedro i'll give it a test shortly and we'll find out
21:28 UtahDave cool.
21:29 ZenoTasedro still just soaking up the glory of no longer using cher
21:29 ZenoTasedro chef*
21:29 UtahDave It would be awesome if you could update the docs with any tips or clarifications.  The docs aren't exhaustive
21:29 UtahDave :)
21:29 ZenoTasedro sure i'll try to document some things, that's all in github right?
21:30 UtahDave Yep.  all the docs are in the salt/docs directory in the salt repo.
21:33 John__ joined #salt
21:33 Nazzy well github, that's a cool trick ... I sent a comment backwards in time by 15 minutes apparently
21:34 Nazzy oh heck... what are you doing mixing pam and ldap? getting that to work was a massive headache
21:35 ZenoTasedro lol did you get ldap auth working?
21:35 Nazzy for system login? after a fashion, yes
21:36 Nazzy I still haven't gone back and cleaned up the ldap schema
21:36 ZenoTasedro i meant for the salt external_auth
21:36 John__ Hi everybody, haven't found any examples of using salt.modules.apt.mod_repo in SLS files. Does anybody know how to use it?
21:36 ZenoTasedro ldap schemas make me vomit
21:36 Nazzy welcome to the world of asn.1 :)
21:37 ZenoTasedro John__: http://docs.saltstack.com/ref/modules/all/salt.modules.apt.html#salt.modules.apt.mod_repo
21:37 Nazzy work with coding snmp requests in C everyday for a month and ldap will look appealing all of a sudden
21:38 ZenoTasedro you can look at the cli examples and apply the same general principles to the sls files
21:38 ZenoTasedro omg nvm, don't listen to me
21:38 John__ ZenoTasedro: Yeah, from CLI I can do it without any problems
21:38 ZenoTasedro yeah i'm giving you terrible advise, i will shush myself :x
21:38 ZenoTasedro advice* even
21:39 ZenoTasedro i think i know of something that might help though
21:39 John__ salt source code?
21:39 ZenoTasedro Nazzy: I love working with C actually, but snmp.....
21:40 ZenoTasedro plz no
21:40 Nazzy "sure, I can make this code update a few thousand snmp targets in a minute... C and threading, no problem" *a month passes* "it works.  it needs 30 threads.  you'll need rrdcached and a pci-e ssd to keep up with it.  please excuse me while I cry in the corner"
21:40 ZenoTasedro John__: http://docs.saltstack.com/topics/tutorials/states_pt3.html#calling-salt-modules-from-templates
21:40 ZenoTasedro maybe this will be of some help, it's at least an example of using a salt module in general from within a template
21:41 John__ Aha... thx very much, it should help
21:41 ZenoTasedro you're welcome
21:43 Nazzy hmmm....
21:43 Nazzy ZenoTasedro: what component is external_auth part of?
21:44 ZenoTasedro Nazzy: for opening up commands to users http://docs.saltstack.com/topics/eauth/index.html
21:44 ZenoTasedro the pam one is really simple
21:46 Nazzy ah ... interesting
21:47 wilywonka joined #salt
21:48 Nazzy I can tell you how I'd implement it in ldap, but if your response is similar to how my fellow devs in the office would reply, I shall save your sanity :p
21:50 danielbachhuber- joined #salt
21:54 danielbachhuber joined #salt
21:55 kho joined #salt
21:56 kho joined #salt
21:57 ZenoTasedro Nazzy: hmm, i'd want to pick your brain about how this works: https://github.com/saltstack/salt/blob/develop/salt/auth/ldap.py
21:57 sarkis joined #salt
21:57 ZenoTasedro because this does not work for me, but there are ways I can start to make it work
21:58 ZenoTasedro there's also a way i can hack on it to make it work for me, but i'd like to be able to make it work easily for others as well
21:58 ZenoTasedro lacking the requisite ldap experience :(
22:00 Nazzy looks like a standard dn bind authentication ... now how that fits with external_auth file I don't know
22:01 ZenoTasedro the options on the external_auth side are simple, it's just matching usernames to salt functionality from what i've seen so far
22:01 ZenoTasedro so when i've written my own ldap handler i'd just attempt to do a simple bind
22:01 ZenoTasedro format the passed username into a DN
22:01 ZenoTasedro and then attempt a bind with that dn and the passed in password
22:02 ZenoTasedro would such a simple auth be valid in most circumstances?
22:02 ZenoTasedro vs this which seems to bind, then search
22:02 Nazzy ah, no ... this is doing something a little more interesting
22:03 ZenoTasedro Nazzy: http://www.grotan.com/ldap/python-ldap-samples.html this is akin to what i've done in the past
22:03 Nazzy this uses base, scope, filter, bind
22:05 Nazzy it builds a filter out of the username as to where the user actually lives, connects with general creds, runs that filter within the given base, sets the creds to that user and the given password, then attempts to bind on that
22:05 Nazzy so you don't have to give the full dn, just a filter that will find it
22:05 jgelb joined #salt
22:06 ZenoTasedro i don't have general creds to work with the ldap server i'm referencing for this
22:07 Nazzy so line 110 is "find any users that match the filter" ... the two if's make sure you matched exactly one ... it grabs the dn of the only result and tries to bind with that
22:07 Nazzy that might be a problem
22:07 ZenoTasedro yeah, i got around it before by trying to simple bind with credentials passed in by the user
22:07 ZenoTasedro since i'm only using it for authentication and not access control
22:08 ZenoTasedro in general is that a bad practice?
22:08 Nazzy from what I remember, usually you set a policy on the system to allow anonymous users to search and bind
22:13 Nazzy my setup is firewalled and auth only, so I'm reasonably happy with anon permissions ... anon can search in the user subtree, auth against the password attribute, and read the fields usually found in /etc/passwd
22:13 fredvd joined #salt
22:14 Nazzy the handy thing about ldap is that you don't have to be able to read the password attribute to be able to authenticate against it
22:14 ZenoTasedro so when you're configuring an application to use an ldap backend, is this the typical way it would be handled by the application?
22:14 ZenoTasedro configuring general creds or using anonymous bind, and doing a search
22:15 Nazzy yeah ... most things give you the option to bind anonymously or with specific creds, then do a request for the filter and if they get a hit they bind to it
22:16 ZenoTasedro okay, so that helps me understand this auth module significantly more than before
22:16 mahimahi joined #salt
22:16 Nazzy lets you do really neat things ... I have pam_ldap configured to include the machine name in the filter so that centralised auth still only allows people where they should go
22:18 ZenoTasedro thanks a lot for helping me understand this stuff Nazzy
22:18 mahimahi2 joined #salt
22:19 Nazzy no problem :)
22:19 pcarrier_ joined #salt
22:20 justhamade joined #salt
22:20 ZenoTasedro i still want to learn how to work ldap some day, I usually do better when i understand the low level nature of what's going on so when i started trying to learn ldap i went through hell trying to get a server to even start then tried to figure out how to write a schema
22:22 ZenoTasedro i thought if i made my own data structures i'd learn that way
22:22 kermit joined #salt
22:23 Nazzy Abstract Syntax Notation... ldap and snmp both use this very clever way of formatting keys in a way that can be represented in binary or text
22:24 Nazzy essentially it describes exactly what an object is and assigns it a number that is consistent across every system that might refer to it ... old school uuid
22:26 ZenoTasedro hmmm
22:27 Nazzy since I can say with certainty that the path to get, say, the bytes received on port 3 of the dell switch is going to be the exact same set of numbers on my snmp client as it is on yours, I can reference the numbers and have a much shorter message
22:28 Nazzy in ldap it's a little trickier, but the principle is the same
22:30 Nazzy I can guarantee that 1.3.6.1.4.1.36712 maps to the value on your system as it does on mine ... though you won't have the schema file to get further
22:31 UtahDave joined #salt
22:32 Nazzy under that you define attributes, syntax and object classes ... syntax defines how the value is represented, attributes what the value means, objects are how they fit together in a structure
22:38 Nazzy so I have a structural object called "infraUser" that requires the attributes "username", "userPassword", "uid"... an auxiliary object called "serverAccess" that requires "homeDirectory" and "machine" ... I have the machine attribute that inherits "host" ... I've yet to need to define a syntax
22:38 Nazzy most things in ldap are just more complicated versions of the same type of layout
22:40 smeagol joined #salt
22:43 Nazzy also, the most awesome command you have for ldap is actually snmptranslate
22:46 Nazzy doesn't really help with ldap paths unless you can find a mib file for the PEN, but it does help get your head around OIDs
22:59 adotbrown joined #salt
23:02 nliadm joined #salt
23:04 maddestmen joined #salt
23:05 sephoreph joined #salt
23:07 austin987 joined #salt
23:08 sephoreph Howdy.  I'm just looking at Salt for the first time and I might be misunderstanding.. but is it possible to compile packages from source with it?  We use CentOS 6 and (for example) the latest nginx version in yum is 1.0.15, whereas we are using 1.4.1 currently in production.  How does Salt like to work regarding cutting edge packages like that?
23:08 maddestmen Does anyone have any ideas for disabling certain states/modules from running after a reboot? If an ISP reboots a machine and logs in as root, we don't want them to be able to run our state tree..
23:12 maddestmen @sephoreph, I would think you'd have a build service on the master that builds your packages for you, and then have pkg.install install the RPMS
23:14 auser joined #salt
23:14 maddestmen @sephoreph, see the "sources" argument here: http://docs.saltstack.com/ref/states/all/salt.states.pkg.html
23:14 Nazzy maddestmen: if your ISP does that without your say so, or you think your ISP might do that, chances are you have bigger problems.  Sorry.
23:15 sephoreph Awesome maddestmen, that's what I was thinking but wasn't sure how Salt preferred to approach it.  Thanks heaps!
23:17 maddestmen @Nazzy, LOL, I agree. But it could be someone else logging in maliciously (not the ISP).. I'm just curious if anyone has approached this yet. I guess I could have salt's cache_dir and keys and what not on an encrypted file system.
23:17 cxz joined #salt
23:17 maddestmen @sephoreph, you're welcome.
23:19 Nazzy maddestmen: gaining access to the minion via root isn't "too bad", they shouldn't be able to get anything from salt that the server doesn't already know and that box is hosed anyway
23:20 pcarrier_ joined #salt
23:20 Nazzy maddestmen: gaining access to the master via root is game over ... salt states are the least of your problems at that point.
23:22 Nazzy maddestmen: as far as I understand salt's design, your worst case from the minion side is going to be changing the config and hoping it gets pushed something more interesting
23:24 elbaschid joined #salt
23:27 danielbachhuber- joined #salt
23:27 maddestmen Nazzy, ok. I'll have to start this conversation again when I have a more specific case.
23:27 Nazzy maddestmen: one option, though I'm not certain it's entirely sane, would be to place the minion's private key and cache data in to a ramdisk/tmpfs/etc ... if it gets rebooted the cache is gone and so is its ability to talk to the master.  you just have to reaccept the key and run highstate from the master side after verification of the minion's setup
23:28 elbaschid joined #salt
23:29 drogoh when using gitfs, is file_roots still picked up?
23:29 Nazzy if you're concerned about physical security on the master... full drive encryption requesting key over serial console... you'll need a second device co-located in the same place, either a serial over ip console or a second master server, but it's the best you'd get
23:30 maddestmen Nazzy, I actually tried that.. It works..I changed my pki_dir to point to a directory on an encrypted file system that doesn't auto-mount on boot.. when the device is unmounted, salt-call fails to run modules..
23:31 aat joined #salt
23:32 Nazzy full drive encryption ... only thing that isn't encrypted is a separate mount for /boot ... password protected key and decryption module in initrd.  everything else under / is encrypted
23:33 Nazzy falls under the same level of paranoid design that has you passing request/response messages over serial to a box with no network connection ;)
23:34 Nazzy (imaginary cookie if you know which site published that trick in their security model description)
23:38 kermit joined #salt
23:39 jeffmendoza joined #salt
23:42 halfss joined #salt
23:43 adotbrown joined #salt
23:49 mgw joined #salt
23:50 drogoh it appears my question has answered itself: yes
23:54 mahimahi joined #salt
