Monday, 2008-05-19

[2008/05/19 00:19:58] @ Quit: johnf: Read error: 113 (No route to host)
[2008/05/19 00:26:50] @ andrewcshafer joined channel #puppet
[2008/05/19 00:42:14] @ a-priori_ joined channel #puppet
[2008/05/19 00:54:28] @ Quit: a-priori: Read error: 110 (Connection timed out)
[2008/05/19 01:03:55] @ lak joined channel #puppet
[2008/05/19 01:17:29] @ Quit: lak:
[2008/05/19 02:31:23] @ dysinger joined channel #puppet
[2008/05/19 02:50:34] @ Quit: failure: "My damn controlling terminal disappeared!"
[2008/05/19 03:13:06] @ lak joined channel #puppet
[2008/05/19 03:24:50] @ Quit: lak:
[2008/05/19 03:29:28] @ Quit: huangmingyou: Read error: 110 (Connection timed out)
[2008/05/19 03:33:48] @ a-priori joined channel #puppet
[2008/05/19 03:47:15] @ Quit: a-priori_: Read error: 110 (Connection timed out)
[2008/05/19 04:04:04] @ dysinger_ joined channel #puppet
[2008/05/19 04:20:41] @ jvanzyl joined channel #puppet
[2008/05/19 04:23:21] @ Quit: a-priori: Remote closed the connection
[2008/05/19 04:24:02] @ a-priori joined channel #puppet
[2008/05/19 04:29:12] @ Quit: dysinger: Connection timed out
[2008/05/19 04:29:46] @ lak joined channel #puppet
[2008/05/19 04:45:24] @ ^authentic joined channel #puppet
[2008/05/19 04:46:23] @ Quit: Volcane: Read error: 60 (Operation timed out)
[2008/05/19 04:46:35] @ Volcane joined channel #puppet
[2008/05/19 04:56:01] @ Quit: Volcane: Read error: 60 (Operation timed out)
[2008/05/19 04:57:16] @ Volcane joined channel #puppet
[2008/05/19 04:57:43] @ Quit: lak:
[2008/05/19 04:58:40] @ Quit: authentic: Read error: 110 (Connection timed out)
[2008/05/19 04:58:41] @ ^authentic is now known as authentic
[2008/05/19 05:08:12] @ pleemans joined channel #puppet
[2008/05/19 05:21:06] @ Quit: jmeeuwen: Read error: 110 (Connection timed out)
[2008/05/19 05:27:34] @ Quit: pleemans: "Ex-Chat"
[2008/05/19 05:30:50] @ thegcat_ joined channel #puppet
[2008/05/19 05:38:47] @ jmeeuwen joined channel #puppet
[2008/05/19 05:40:58] @ lak joined channel #puppet
[2008/05/19 05:46:20] @ Quit: mellen: Excess Flood
[2008/05/19 05:47:24] @ mellen joined channel #puppet
[2008/05/19 05:47:44] @ Quit: thegcat: Read error: 110 (Connection timed out)
[2008/05/19 05:49:48] @ thegcat joined channel #puppet
[2008/05/19 05:52:39] @ Quit: mellen: Excess Flood
[2008/05/19 05:53:49] @ mellen joined channel #puppet
[2008/05/19 05:59:02] @ Quit: mellen: Excess Flood
[2008/05/19 06:00:44] @ mellen joined channel #puppet
[2008/05/19 06:02:00] @ randybias joined channel #puppet
[2008/05/19 06:03:23] @ Quit: mellen: Remote closed the connection
[2008/05/19 06:04:46] @ mellen joined channel #puppet
[2008/05/19 06:07:13] @ thegcat__ joined channel #puppet
[2008/05/19 06:07:16] @ Quit: thegcat: Read error: 104 (Connection reset by peer)
[2008/05/19 06:07:48] @ Quit: thegcat_: Read error: 113 (No route to host)
[2008/05/19 06:09:08] @ Quit: lak:
[2008/05/19 06:15:21] @ Quit: mellen: Excess Flood
[2008/05/19 06:16:25] @ mellen joined channel #puppet
[2008/05/19 06:23:08] @ Quit: randybias:
[2008/05/19 06:33:21] @ Quit: Toad: Remote closed the connection
[2008/05/19 06:43:45] @ roald joined channel #puppet
[2008/05/19 06:51:36] @ lak joined channel #puppet
[2008/05/19 06:54:08] @ martha left channel #puppet ()
[2008/05/19 06:54:48] @ jmeeuwen`_ joined channel #puppet
[2008/05/19 06:55:20] @ Quit: jmeeuwen: Read error: 104 (Connection reset by peer)
[2008/05/19 06:58:22] @ jmeeuwen`_ is now known as jmeeuwen
[2008/05/19 07:04:21] @ Quit: lak:
[2008/05/19 07:13:51] @ Quit: happymcp`: Read error: 104 (Connection reset by peer)
[2008/05/19 07:20:15] @ a-priori_ joined channel #puppet
[2008/05/19 07:34:31] @ thegcat joined channel #puppet
[2008/05/19 07:35:58] @ Quit: a-priori: Read error: 113 (No route to host)
[2008/05/19 07:54:34] @ Quit: thegcat__: Read error: 113 (No route to host)
[2008/05/19 08:07:29] @ Quit: _lunix_: Read error: 113 (No route to host)
[2008/05/19 08:10:54] @ andrewcshafer_ joined channel #puppet
[2008/05/19 08:10:55] @ Quit: andrewcshafer: Read error: 104 (Connection reset by peer)
[2008/05/19 08:13:22] @ randybias joined channel #puppet
[2008/05/19 08:16:37] @ Quit: macbar: Read error: 110 (Connection timed out)
[2008/05/19 08:18:27] @ Quit: roald: Remote closed the connection
[2008/05/19 08:21:55] @ Quit: a-priori_:
[2008/05/19 08:29:39] @ andrewcshafer joined channel #puppet
[2008/05/19 08:29:39] @ Quit: andrewcshafer_: Read error: 104 (Connection reset by peer)
[2008/05/19 08:40:03] <plathrop> gepetto: seen lak
[2008/05/19 08:40:05] <gepetto> plathrop: lak was last seen 1 hour, 35 minutes and 42 seconds ago, quitting IRC ()
[2008/05/19 08:40:16] @ shadoi joined channel #puppet
[2008/05/19 08:42:48] @ shadoi_ joined channel #puppet
[2008/05/19 08:50:03] @ womble left channel #puppet ("Oooh! Shiny!")
[2008/05/19 08:50:37] <plathrop> Anyone around know RSpec well?
[2008/05/19 08:51:33] <fujin> picking up, not really though
[2008/05/19 08:51:33] <fujin> sup?
[2008/05/19 08:51:45] <plathrop> Trying to figure out how to test a module.
[2008/05/19 08:52:01] @ Quit: andrewcshafer: Read error: 104 (Connection reset by peer)
[2008/05/19 08:52:05] <fujin> extend an object with the module, then you can call its methods
[2008/05/19 08:52:24] @ andrewcshafer joined channel #puppet
[2008/05/19 08:52:31] <plathrop> As in foo=Object.new() and then Object.extend(SomeModule)?
[2008/05/19 08:52:46] <fujin> foo = Object.new.extend(Some::Module)
[2008/05/19 08:52:46] <plathrop> sorry, foo.extend ...
[2008/05/19 08:52:55] <fujin> but yeah, same
[2008/05/19 08:52:58] <plathrop> Ah, okay. Thanks
[2008/05/19 08:53:13] <fujin> take a look here
[2008/05/19 08:53:13] <fujin> http://github.com/fujin/puppet/tree/8a25261fdf564c5107274ce3458f7d34486b3642/spec/unit/reports/tagmail.rb
[2008/05/19 08:53:17] <fujin> what I have learnt so far
[2008/05/19 08:53:18] * plathrop hopes he can get a few more tests written this weekend.
[2008/05/19 08:53:34] <plathrop> okay, I'll take a look.
[2008/05/19 08:53:43] <fujin> they are a tricky concept to understand.. I still go cross-eyed sometimes
[2008/05/19 08:53:52] <fujin> good luck :
[2008/05/19 08:54:24] <plathrop> Thanks!
[2008/05/19 09:04:28] @ a-priori joined channel #puppet
[2008/05/19 09:04:39] @ Quit: andrewcshafer: Read error: 104 (Connection reset by peer)
[2008/05/19 09:04:46] <fujin> plathrop: let me know if you get any tests written
[2008/05/19 09:04:49] <fujin> be interested in seeing how you go
[2008/05/19 09:04:56] <fujin> you on github btw?
[2008/05/19 09:04:59] @ andrewcshafer joined channel #puppet
[2008/05/19 09:05:24] <plathrop> fujin: I will. I'm plathrop on github. I just finished writing tests for util/storage.rb on branch fix-1228
[2008/05/19 09:05:34] <plathrop> http://github.com/plathrop/puppet/tree/fix-1228/spec/unit/util/storage.rb
[2008/05/19 09:06:01] <plathrop> I thought I'd write some for util/warnings.rb next
[2008/05/19 09:06:50] <fujin> ah cool
[2008/05/19 09:07:24] <plathrop> Ugh. This module's methods are apparently "private" and can't be called... how do you test that?
[2008/05/19 09:08:04] <plathrop> mostly rhetorical, I'm sure I'll figure it out
[2008/05/19 09:08:12] <fujin> hrm, private methods
[2008/05/19 09:08:13] * plathrop considers bugging folks in #rspec
[2008/05/19 09:08:28] <fujin> test the non-private methods? :P
[2008/05/19 09:11:20] <plathrop> fujin: All joking aside, that actually seems to be The Right Way(tm) :-)
[2008/05/19 09:11:27] <plathrop> Guess this doesn't need tests
[2008/05/19 09:11:35] <fujin> yeah
[2008/05/19 09:11:39] <fujin> I ran into similar issues the other day
[2008/05/19 09:11:42] <fujin> namely i was patching puppetd
[2008/05/19 09:11:53] <fujin> cause you can't really instantiate it like an object
[2008/05/19 09:11:58] <fujin> it's more like a script.. untestable I think
[2008/05/19 09:12:05] <fujin> unless you shell out to it with options and test what it returns
[2008/05/19 09:12:24] @ randybias_ joined channel #puppet
[2008/05/19 09:16:01] @ Quit: randybias_: Client Quit
[2008/05/19 09:16:31] @ randybias_ joined channel #puppet
[2008/05/19 09:27:53] @ zobbo joined channel #puppet
[2008/05/19 09:29:56] @ Quit: randybias: Read error: 110 (Connection timed out)
[2008/05/19 09:31:59] @ johnf joined channel #puppet
[2008/05/19 09:32:34] <holoway> plathrop: I think you can get to that by using "call"
[2008/05/19 09:33:17] <plathrop> holoway: Reading a bit more it seems like you aren't supposed to test private methods...? What do you think?
[2008/05/19 09:33:21] <holoway> but yeah, in general, the answer is "don't test them"
[2008/05/19 09:33:50] <plathrop> Yeah, I thought so. I decided to move on. Looking at testing util/variables.rb next
[2008/05/19 09:35:00] @ fbe joined channel #puppet
[2008/05/19 09:38:50] @ Quit: plathrop: "ERC Version 5.2 (IRC client for Emacs)"
[2008/05/19 09:39:03] @ plathrop joined channel #puppet
[2008/05/19 09:44:33] <fujin> holoway: thoughts on testing "binaries"?
[2008/05/19 09:50:27] <holoway> fujin: as in "puppetd"?
[2008/05/19 09:51:07] <holoway> I think you probably would want to refactor as much logic out of them as possible
[2008/05/19 09:51:20] <holoway> otherwise, you might be able to do some fun with eval
[2008/05/19 09:51:26] <fujin> heh
[2008/05/19 09:51:27] <fujin> http://github.com/fujin/puppet/commit/a3fe56240e4a1ec49365ce0773ad40e3936f2a4e
[2008/05/19 09:51:33] <fujin> that's my 'fix' for #1200
[2008/05/19 09:51:36] <gepetto> fujin: #1200 is http://reductivelabs.com/trac/puppet/ticket/1200 "puppetd exits when dns resolution fails and client doesn't have a certificate yet"
[2008/05/19 09:51:36] <holoway> or even a creepy instance_eval thing
[2008/05/19 09:51:39] <fujin> and also inadvertently one other bug
[2008/05/19 09:51:45] <fujin> in the same while block
[2008/05/19 09:52:35] <fujin> holoway: james thought it'd need tests
[2008/05/19 09:52:43] <fujin> haven't managed to prod lak about it yet though
[2008/05/19 09:52:59] <fujin> there are only a few currently existing tests.. and they actually execute puppetd and check return code
[2008/05/19 09:58:59] <holoway> hrm
[2008/05/19 09:59:09] <holoway> I haven't looked a lot at the puppetd binary
[2008/05/19 09:59:39] <holoway> but a lot of that logic might be better refactored out of the binary
[2008/05/19 09:59:54] <holoway> but you would certainly need to to talk with lak
[2008/05/19 10:02:15] <fujin> mm. will prod him when he's around
[2008/05/19 10:02:18] @ Quit: fbe: Read error: 104 (Connection reset by peer)
[2008/05/19 10:05:39] <gepetto> ::puppet:: Ticket #1229 (refactor created): Clean up unused files @ http://reductivelabs.com/trac/puppet/ticket/1229 (by paul@tertiusfamily.net)
[2008/05/19 10:07:16] @ randybias joined channel #puppet
[2008/05/19 10:10:36] @ Quit: randybias: Client Quit
[2008/05/19 10:17:25] @ Quit: shake-n-bake:
[2008/05/19 10:17:44] <jamesturnbull> fujin: yeah I spoke to lak about the binaries
[2008/05/19 10:18:06] <jamesturnbull> fujin: he cited an older convo when he stated a preference to refactor all the logic out of them
[2008/05/19 10:18:41] <fujin> ah
[2008/05/19 10:18:43] <fujin> makes sense though
[2008/05/19 10:20:40] @ shake-n-bake joined channel #puppet
[2008/05/19 10:21:40] <holoway> fujin: fwiw, that would be an easy refactor
[2008/05/19 10:24:35] <fujin> holoway: where to?
[2008/05/19 10:24:46] @ Quit: randybias_: Read error: 113 (No route to host)
[2008/05/19 10:25:37] <holoway> fujin: I tend to put them in something like Foo::CLI::Binary
[2008/05/19 10:25:46] <holoway> where Binary == the name of the thing
[2008/05/19 10:26:07] <fujin> ah yep
[2008/05/19 10:26:12] <fujin> I'll have a look around when I get home
[2008/05/19 10:26:19] <fujin> got told off for working on puppet internals @ work
[2008/05/19 10:28:09] <shadoi_> bastids
[2008/05/19 10:33:55] <fujin> heh yeah
[2008/05/19 10:34:11] <fujin> "puppet is a tool we _use_, not write"
[2008/05/19 10:34:12] <fujin> cunts
[2008/05/19 10:34:23] <plathrop> fujin: That's bunk
[2008/05/19 10:34:33] <fujin> agree
[2008/05/19 10:34:36] <kolla> heh
[2008/05/19 10:34:54] <fujin> They refuse to hear any of my arguments for allowing me time to work on it as well
[2008/05/19 10:35:12] <plathrop> fujin: That really sucks. Improving the tools you use is a great investment.
[2008/05/19 10:35:19] <plathrop> Of course, that's preachin' to the choir.
[2008/05/19 10:35:20] <fujin> yeah..
[2008/05/19 10:35:40] <fujin> extending and fixing puppet bugs surely leads to a more stable environment here
[2008/05/19 10:35:44] <fujin> directly or indirectly
[2008/05/19 10:36:14] <shadoi_> fujin: they just don't want you to learn enough to find a better job. ;)
[2008/05/19 10:41:20] @ Laos18549 joined channel #puppet
[2008/05/19 10:41:21] <fujin> yeah.. I wouldn't be surprised actually
[2008/05/19 10:41:31] <fujin> I'm just going to shuffle my days around
[2008/05/19 10:53:26] <MrProper_> morning all
[2008/05/19 10:54:23] <fujin> howdy
[2008/05/19 10:55:00] @ Quit: shake-n-bake:
[2008/05/19 11:01:47] <MrProper_> fujin, lol just stick with a release that has a show stopping bug for your company
[2008/05/19 11:01:56] <MrProper_> fujin, then see how long it takes for them to realise
[2008/05/19 11:03:32] <fujin> haha
[2008/05/19 11:03:35] <fujin> did that for long enough
[2008/05/19 11:03:37] <fujin> didn't seem to help
[2008/05/19 11:03:44] <fujin> hell me and holoway had to fix it ourselves
[2008/05/19 11:04:51] @ randybias joined channel #puppet
[2008/05/19 11:05:21] @ kolla_ joined channel #puppet
[2008/05/19 11:05:24] @ Quit: kolla: Read error: 104 (Connection reset by peer)
[2008/05/19 11:07:45] <holoway> fujin: ah, the horrible memories
[2008/05/19 11:08:13] * fujin shudders
[2008/05/19 11:08:25] <fujin> heh, my PuTTY sessions had a 'holoway' entry in it the other day
[2008/05/19 11:08:29] <fujin> I cringed when I nearly clicked on it
[2008/05/19 11:08:50] <holoway> ha!
[2008/05/19 11:09:05] <holoway> I just had a big "ah-ha" moment, where I figured out how to test controllers in merb
[2008/05/19 11:09:11] <fujin> nice
[2008/05/19 11:09:23] <fujin> heard people talking about merb - what is it?
[2008/05/19 11:09:27] <fujin> another framework like rails?
[2008/05/19 11:09:41] <fujin> nm
[2008/05/19 11:09:42] * fujin reads
[2008/05/19 11:10:46] @ shake-n-bake joined channel #puppet
[2008/05/19 11:11:07] <fujin> wah, template language agnostic.. sounds pretty
[2008/05/19 11:11:16] <fujin> jam HAML in it or something
[2008/05/19 11:11:29] <fujin> threads too.. nice
[2008/05/19 11:11:34] <holoway> it's * agnostic
[2008/05/19 11:11:37] <fujin> holoway: written any merb apps?
[2008/05/19 11:11:41] <holoway> writing one now
[2008/05/19 11:11:48] <fujin> cool
[2008/05/19 11:11:53] <fujin> Show me
[2008/05/19 11:11:53] <holoway> probably going to move iclassify over to merb
[2008/05/19 11:11:55] * fujin waves hand
[2008/05/19 11:11:57] <holoway> so that packaging can not suck
[2008/05/19 11:12:00] <fujin> ha
[2008/05/19 11:12:01] <fujin> sweet
[2008/05/19 11:12:35] <fujin> pastie: hit me
[2008/05/19 11:12:36] <pastie> fujin: are you sure, it might hurt?
[2008/05/19 11:13:08] <fujin> smartass
[2008/05/19 11:13:11] <fujin> pastie: give
[2008/05/19 11:13:12] <fujin> me
[2008/05/19 11:13:13] <fujin> a url
[2008/05/19 11:13:48] <pastie> http://pastie.org/199265 by fujin.
[2008/05/19 11:13:50] <holoway> fujin: HAML, btw, kicks ass
[2008/05/19 11:13:55] <fujin> trying to make uh
[2008/05/19 11:14:03] <fujin> ruby my primary 'do things' language
[2008/05/19 11:14:14] <fujin> holoway: so I've heard
[2008/05/19 11:16:07] <shadoi_> holoway: what's the benefit other than slightly more terse?
[2008/05/19 11:16:59] <shadoi_> I like the syntax.. but if that's the only benefit... I'll just stick with HTML for less dependencies. :)
[2008/05/19 11:18:48] <fujin> %strong{:class => "code", :id => "message"} Hello, World!
[2008/05/19 11:18:50] <fujin> syntax looks nice
[2008/05/19 11:20:06] @ Quit: fujin: "Lost terminal"
[2008/05/19 11:20:37] <shadoi_> honestly I think it gets a little confusing when mixed with ruby.
[2008/05/19 11:21:38] <jamesturnbull> any ruby gurus know how to force ruby to use LANG=C?
[2008/05/19 11:23:14] @ fujin joined channel #puppet
[2008/05/19 11:23:34] <fujin> shit
[2008/05/19 11:23:43] <fujin> some chinese are owning the crap out of my box
[2008/05/19 11:23:48] <fujin> bruteforcing 22
[2008/05/19 11:23:52] <fujin> from a single address
[2008/05/19 11:23:52] <fujin> fail
[2008/05/19 11:24:20] <kolla_> that's common these days
[2008/05/19 11:24:27] @ kolla_ is now known as kolla
[2008/05/19 11:24:38] <jamesturnbull> fujin: I changed everything away from port 22
[2008/05/19 11:24:43] <jamesturnbull> fujin: problem went away
[2008/05/19 11:24:46] <kolla> :)
[2008/05/19 11:25:05] <holoway> shadoi_: it's a very concise way to express html markup
[2008/05/19 11:25:13] <kolla> we just use port 443 for everything :>
[2008/05/19 11:25:14] <jamesturnbull> fujin: failing that fail2ban, blocksshd, etc or iptables modules
[2008/05/19 11:25:29] <holoway> shadoi_: it encourages you to use helpers, too, which you should anyway
[2008/05/19 11:25:44] <holoway> mostly, I like never having to close a tag
[2008/05/19 11:25:55] <jamesturnbull> fujin: in fact here's one I prepared earlier - http://www.google.com.au/url?sa=t&ct=res&cd=3&url=http%3A%2F%2Fsearchenterpriselinux.techtarget.com%2Ftip%2F0%2C289483%2Csid39_gci1274148%2C00.html&ei=B9cwSP6ELIiYoQTa_4iaDQ&usg=AFQjCNEPFf-yS8EZjRrXPlW8gVoL1ZbvCw&sig2=wAvUFdp5gQF71EQMgW7BYw :)
[2008/05/19 11:26:20] <jamesturnbull> sorry all - stupid google links
[2008/05/19 11:26:21] <kolla> is that an url, or is it.. perl? :)
[2008/05/19 11:26:37] <jamesturnbull> fujin: http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1274148,00.html
[2008/05/19 11:26:45] <z00dax> or just use pam_shield
[2008/05/19 11:27:05] <z00dax> fail2ban / denyhosts etc are quite a waste of time for such stuff
[2008/05/19 11:27:10] <kolla> I just use tcpwrapper and maintain /etc/hosts.*
[2008/05/19 11:27:32] <z00dax> implement a reasonable tarpit and make it moderately expensive for them to try this, or pam_shield it off
[2008/05/19 11:27:57] <kolla> what does pam_shield do?
[2008/05/19 11:28:03] <kolla> (apart from being a pam module)
[2008/05/19 11:28:09] <jamesturnbull> z00dax: I like stopping it earlier
[2008/05/19 11:28:20] <jamesturnbull> z00dax: on the firewall
[2008/05/19 11:29:00] <z00dax> kolla: pam_shield will implement your policy of failure handling in either nullrouting or iptables
[2008/05/19 11:29:14] <kolla> I made my own denyssh script that just tailed the auth.log for 'Did not receive identification string from' and stuffed the IP-address into /etc/hosts.deny
[2008/05/19 11:29:16] <z00dax> jamesturnbull: umm... firewall on the same machine right ?
[2008/05/19 11:29:22] <fujin> jamesturnbull: yeah; fail2ban is a bit of a pain though
[2008/05/19 11:29:29] <fujin> I have an iptables script.. so fail2ban has to run after it
[2008/05/19 11:29:32] <kolla> right
[2008/05/19 11:29:35] <fujin> or it gays it all up
[2008/05/19 11:29:46] <plathrop> Heh. Our solution is OpenVPN.
[2008/05/19 11:29:57] <jamesturnbull> fujin: most of those are designed for home shop ops (I wrote blocksshd several years ago btw)
[2008/05/19 11:30:05] <jamesturnbull> z00dax: well both
[2008/05/19 11:30:05] <z00dax> plathrop: hope you updated your keys, if you use deb/derivatives
[2008/05/19 11:30:14] <shadoi_> kolla: TCP Wrappers are vulnerable to DoS though
[2008/05/19 11:30:16] <jamesturnbull> z00dax: firewall on Linux-based firewall and a local version
[2008/05/19 11:30:25] <plathrop> z00dax: We gen all our keys on an OpenBSD box
[2008/05/19 11:30:32] <kolla> shadoi_: sure, but I never had the problem really
[2008/05/19 11:30:44] <shadoi_> yeah, 80/20 in effect. :)
[2008/05/19 11:31:11] <z00dax> jamesturnbull: so how do you do signalling between ssh-attacked box and firewall-box ?
[2008/05/19 11:31:31] <kolla> hehe, spent entire last week generating new certificates, ordering, issuing, installing, replacing :)
[2008/05/19 11:32:15] <kolla> at least my ordinary "debian sucks" attitude wasn't ridiculed as much as they used to :)
[2008/05/19 11:32:49] <jamesturnbull> z00dax: don't - we route all incoming ssh through a recent chain
[2008/05/19 11:33:15] <jamesturnbull> z00dax: the local stuff is a 2nd layer defence against compromised perim./internal hosts
[2008/05/19 11:33:27] <z00dax> jamesturnbull: so it's all local on the machine, in which case, pam_shield will do the business with a much lower overhead than other apps that watch log files etc
[2008/05/19 11:33:55] <kolla> "recent chain"?
[2008/05/19 11:34:03] <jamesturnbull> z00dax: no - the vast majority of ssh attacks are stopped at the first firewall
[2008/05/19 11:34:03] <fujin> -m recent
[2008/05/19 11:34:21] <fujin> iptables -m recent --help
[2008/05/19 11:34:27] <kolla> aha
[2008/05/19 11:34:38] <kolla> I never bothered to play with iptables
[2008/05/19 11:34:42] <jamesturnbull> z00dax: the only attacks the local firewall stops are if something bad happens internally - never been triggered as far as I know
[2008/05/19 11:35:38] <kolla> firewalling tends to break all kinds of services in obscure ways :|
[2008/05/19 11:35:44] <z00dax> right, well if you have multiple layers, might as well use a vpn
[2008/05/19 11:36:50] <jamesturnbull> z00dax: depends on the service - we do have some open ssh for reasons that aren't worth going into because I'll rant
[2008/05/19 11:37:56] <z00dax> :D
[2008/05/19 11:38:05] <z00dax> btw, centos downloads went up like 6% in the last 4 days
[2008/05/19 11:38:17] <z00dax> I believe ubuntu was blamed
[2008/05/19 11:38:27] <jamesturnbull> kolla: depends on the firewall and the skills of the implementer - I actually did a study of this a while back - I went through every change record raised where "the firewall" was blamed for the issues. 85% of them were actually applications errors and the vast majority of the others were bad rules
[2008/05/19 11:38:31] <z00dax> how's that for a random stat / trivia ?
[2008/05/19 11:38:48] * fujin blows up centos
[2008/05/19 11:38:54] <z00dax> firewall-- netlabels++
[2008/05/19 11:39:58] <kolla> jamesturnbull: more than half of the time people call us about "network is down", it's their firewall that has broken down
[2008/05/19 11:40:19] <kolla> also - firewalls make it hopeless to do debugging
[2008/05/19 11:40:25] <z00dax> kolla: when you say firewall, do you imply iptables ?
[2008/05/19 11:40:28] <kolla> unless you have brains on location :)
[2008/05/19 11:40:33] <kolla> no
[2008/05/19 11:40:38] <kolla> any firewall
[2008/05/19 11:40:54] <kolla> blackboxes that people buy to make them sleep bettwe at nights
[2008/05/19 11:40:58] <kolla> better
[2008/05/19 11:41:03] <jamesturnbull> kolla: I have used PIX, Checkpoint, Netscreen, ipchains, pf, iptables over the years and I find it very much varies on what firewall you use
[2008/05/19 11:41:16] <z00dax> that's quite a generalisation .... surely, all firewalls can't be bad, unless you are contesting the very idea of a firewall.
[2008/05/19 11:41:19] <fujin> we've got a checkpoint cluster here, they're quite nice
[2008/05/19 11:41:24] <jamesturnbull> kolla: Checkpoint for example - in the right deployment - generally bulletproof
[2008/05/19 11:41:25] <z00dax> sometime now, we'd be OT for this channel
[2008/05/19 11:41:28] <kolla> z00dax: I kinda do :)
[2008/05/19 11:41:34] @ Quit: \ask:
[2008/05/19 11:41:58] <jamesturnbull> z00dax: yeah sorry - security topic - made my ears burn and ssh blocking - pet hobby :)
[2008/05/19 11:42:05] <kolla> :)
[2008/05/19 11:42:10] <z00dax> righto, you'll love netlabels then
[2008/05/19 11:43:06] <kolla> I won't even bother to mention what happens when people want multicast and IPv6 through their commercial firewalls
[2008/05/19 11:43:26] <kolla> and people confusing NAT and firewalls
[2008/05/19 11:43:45] <kolla> geh.. *spit* :)
[2008/05/19 11:44:02] <kolla> blocking icmp is so smart
[2008/05/19 11:44:09] <jamesturnbull> kolla: isn't NAT the same as a firewall....?
[2008/05/19 11:44:16] * jamesturnbull is kidding... :P
[2008/05/19 11:45:32] <kolla> breaking path mtu discovery, so that they experience all kinds of weird problems
[2008/05/19 11:45:41] <kolla> yeah.. I love firewalls :)
[2008/05/19 11:45:59] <plathrop> firewalls != packet filters, though.
[2008/05/19 11:46:03] <plathrop> Just to nitpick
[2008/05/19 11:46:21] <kolla> I prefer packet filters, on the router
[2008/05/19 11:46:49] <fujin> christ
[2008/05/19 11:46:49] <fujin> I don't
[2008/05/19 11:46:54] <fujin> ACLs on most ciscos slow the shit out of it
[2008/05/19 11:46:58] <fujin> especially with any sort of PAT involved
[2008/05/19 11:47:03] <fujin> mind you, those new ASA devices are pure sex
[2008/05/19 11:47:08] <jamesturnbull> fujin: yeah agreed - use security devices for security - routers for routing
[2008/05/19 11:47:09] <fujin> 12GB/s of filtered NAT
[2008/05/19 11:47:20] <fujin> jamesturnbull: aye - that's where the ASA model comes in
[2008/05/19 11:47:20] <plathrop> Packet filters are a component of firewalls, sure. I just hate when most people seem to assume setting up a packet filter is all they need to do.
[2008/05/19 11:47:25] <plathrop> "Now we have a firewall"
[2008/05/19 11:47:30] <fujin> they're like a PIX on arnie steroids
[2008/05/19 11:47:50] <plathrop> I've had to explain to far too many C-level execs that a firewall is not a fire-and-forget thing, and is not just a packet filter
[2008/05/19 11:48:31] <kolla> plathrop: it's more like "now we dont need a firewall" :)
[2008/05/19 11:48:33] <plathrop> And I'm not even slightly deluded that I'm a security guy :-)
[2008/05/19 11:49:08] <kolla> a firewall is just another system that needs babysitting
[2008/05/19 11:49:45] <kolla> fujin: PAT is also "evil" :)
[2008/05/19 11:50:03] * plathrop apparently can't stay away from the keyboard this evening.
[2008/05/19 11:50:48] @ Gwayne- joined channel #puppet
[2008/05/19 11:52:28] <fujin> kolla: yeah.. in some cases
[2008/05/19 11:52:36] <fujin> on hardware that can't handle it.. like a cisco 1800
[2008/05/19 11:52:38] * fujin cringes
[2008/05/19 11:53:37] <kolla> heh
[2008/05/19 11:59:47] @ Quit: johnf: Read error: 113 (No route to host)
[2008/05/19 12:06:22] @ huangmingyou joined channel #puppet
[2008/05/19 12:06:33] <holoway> plathrop: don't you have a blog post about that?
[2008/05/19 12:07:52] @ Quit: Gwayne-: "+++ OK ATH OK"
[2008/05/19 12:08:24] @ Quit: Gwayne: Connection reset by peer
[2008/05/19 12:26:52] @ johnf joined channel #puppet
[2008/05/19 12:45:37] @ Quit: zobbo: "Enough, no more. 'tis not as sweet as it was before."
[2008/05/19 12:46:04] @ zobbo joined channel #puppet
[2008/05/19 12:51:16] <plathrop> holoway: About not being able to stay away from the keyboard?
[2008/05/19 13:06:16] @ Quit: dysinger_:
[2008/05/19 13:08:24] @ dysinger joined channel #puppet
[2008/05/19 13:10:23] @ Quit: randybias:
[2008/05/19 13:11:09] @ maxquerry joined channel #puppet
[2008/05/19 13:14:06] @ Quit: huangmingyou: "Leaving."
[2008/05/19 13:14:14] @ huangmingyou joined channel #puppet
[2008/05/19 13:14:50] <kolla> pam_shield is ok, but it doesn't seem to work well with IPv6.. it just adds routes, but fails to remove them
[2008/05/19 13:16:00] @ Quit: dysinger:
[2008/05/19 13:16:21] <kolla> not that much of a problem though, hardly see any attacks over ipv6
[2008/05/19 13:18:07] @ shake-n-bake left channel #puppet ()
[2008/05/19 13:58:50] @ Quit: andrewcshafer:
[2008/05/19 13:59:59] @ andrewcshafer joined channel #puppet
[2008/05/19 14:06:13] @ nevyn joined channel #puppet
[2008/05/19 14:12:14] @ randybias joined channel #puppet
[2008/05/19 14:16:32] @ Quit: andrewcshafer: Read error: 110 (Connection timed out)
[2008/05/19 14:19:47] @ jsgotangco joined channel #puppet
[2008/05/19 14:26:18] @ a-priori_ joined channel #puppet
[2008/05/19 14:32:40] <fujin> kolla: your provider gives you ipv6?
[2008/05/19 14:32:50] <fujin> heh, we're one of the better data facilities in NZ
[2008/05/19 14:32:53] <fujin> not even thought about v6 yet
[2008/05/19 14:42:18] @ Quit: a-priori: Read error: 110 (Connection timed out)
[2008/05/19 14:50:24] @ andrewcshafer joined channel #puppet
[2008/05/19 15:00:27] <fujin> wee
[2008/05/19 15:00:34] * fujin just made a HTML template for the new tagmail template ERBiness
[2008/05/19 15:00:37] * fujin puffs some erb
[2008/05/19 15:04:01] @ Quit: thegcat:
[2008/05/19 15:10:35] @ roald joined channel #puppet
[2008/05/19 15:25:11] @ \ask joined channel #puppet
[2008/05/19 15:25:19] @ Quit: zobbo: Read error: 104 (Connection reset by peer)
[2008/05/19 15:25:44] @ zobbo joined channel #puppet
[2008/05/19 15:32:04] @ kombucha joined channel #puppet
[2008/05/19 15:32:06] @ Quit: shadoi_: Read error: 104 (Connection reset by peer)
[2008/05/19 15:32:07] @ Quit: shadoi: Connection reset by peer
[2008/05/19 15:32:29] <kombucha> can i have a hostname in my site.pp that has a "." in it, like foo.dev.com instead of just foo ?
[2008/05/19 15:32:50] @ shadoi joined channel #puppet
[2008/05/19 15:34:51] <f3ew> 'foo.example.com'
[2008/05/19 15:34:58] <f3ew> single quotes
[2008/05/19 15:44:14] @ thegcat joined channel #puppet
[2008/05/19 15:51:28] @ Quit: huangmingyou: "Leaving."
[2008/05/19 15:51:39] @ huangmingyou joined channel #puppet
[2008/05/19 15:55:16] <kombucha> I am running centos 5, i keep getting this error on my puppet client: Puppet (err): Could not retrieve configuration: Certificates were not trusted: hostname not match with the server certificate
[2008/05/19 16:01:50] <plathrop> kombucha: See topic
[2008/05/19 16:01:59] @ Quit: roald: Remote closed the connection
[2008/05/19 16:02:18] @ lak joined channel #puppet
[2008/05/19 16:03:29] @ Quit: thegcat:
[2008/05/19 16:07:39] @ thegcat joined channel #puppet
[2008/05/19 16:10:09] <_NiC> morning
[2008/05/19 16:12:17] @ Quit: Maliuta: Read error: 110 (Connection timed out)
[2008/05/19 16:13:02] @ chadh_ joined channel #puppet
[2008/05/19 16:15:49] @ g1 is now known as gh
[2008/05/19 16:18:54] @ Quit: chadh: Read error: 113 (No route to host)
[2008/05/19 16:22:13] @ Quit: kolla: Remote closed the connection
[2008/05/19 16:22:37] @ Quit: a-priori_:
[2008/05/19 16:49:26] @ Quit: gh: "Leaving."
[2008/05/19 16:59:40] @ Quit: randybias:
[2008/05/19 17:06:04] @ Maliuta joined channel #puppet
[2008/05/19 17:06:56] @ shake-n-bake joined channel #puppet
[2008/05/19 17:08:03] @ Quit: shake-n-bake: Client Quit
[2008/05/19 17:11:42] @ Quit: lak:
[2008/05/19 17:17:18] @ _newbie_ joined channel #puppet
[2008/05/19 17:18:06] @ kolla joined channel #puppet
[2008/05/19 17:18:40] @ tim|macbook joined channel #puppet
[2008/05/19 17:18:50] @ Quit: tim|macbook: Client Quit
[2008/05/19 17:19:23] @ tim|macbook joined channel #puppet
[2008/05/19 17:19:26] @ Quit: shadoi: Read error: 110 (Connection timed out)
[2008/05/19 17:26:33] @ shake-n-bake joined channel #puppet
[2008/05/19 17:29:41] @ roald joined channel #puppet
[2008/05/19 17:44:10] @ Quit: kolla: Remote closed the connection
[2008/05/19 17:44:37] @ kolla joined channel #puppet
[2008/05/19 17:47:28] @ Quit: shake-n-bake:
[2008/05/19 17:55:03] @ Quit: huangmingyou: "Leaving."
[2008/05/19 17:55:11] @ huangmingyou joined channel #puppet
[2008/05/19 18:26:41] <thegcat> hello
[2008/05/19 18:27:22] <thegcat> I have some difficulties grasping the whole class naming stuff
[2008/05/19 18:28:00] <thegcat> suppose I have a module called cypres, in which I have a manifests/init.pp with a "class cypres { }"
[2008/05/19 18:29:01] <thegcat> if I have a class cypres::users, and maybe even a cypres::users::modias, do I need to include them separately, or are they included automatically when I include cypres?
[2008/05/19 18:32:21] <tim|macbook> you need to include them separately
[2008/05/19 18:32:43] <tim|macbook> include cypres only includes the class cypres
[2008/05/19 18:32:50] <tim|macbook> wherever it's located
[2008/05/19 18:35:46] @ Quit: t0mm: Remote closed the connection
[2008/05/19 18:43:31] @ Quit: _newbie_: "KVIrc 3.2.5 Anomalies http://www.kvirc.net/"
[2008/05/19 18:48:51] @ Quit: Maliuta: Read error: 113 (No route to host)
[2008/05/19 18:53:37] @ Quit: huangmingyou: kubrick.freenode.net irc.freenode.net
[2008/05/19 18:53:38] @ Quit: andrewcshafer: kubrick.freenode.net irc.freenode.net
[2008/05/19 18:53:39] @ Quit: Laos18549: kubrick.freenode.net irc.freenode.net
[2008/05/19 18:53:40] @ Quit: authentic: kubrick.freenode.net irc.freenode.net
[2008/05/19 18:53:41] @ Quit: bch820: kubrick.freenode.net irc.freenode.net
[2008/05/19 18:54:00] @ huangmingyou joined channel #puppet
[2008/05/19 18:54:00] @ andrewcshafer joined channel #puppet
[2008/05/19 18:54:01] @ Laos18549 joined channel #puppet
[2008/05/19 18:54:02] @ authentic joined channel #puppet
[2008/05/19 18:54:03] @ bch820 joined channel #puppet
[2008/05/19 18:58:12] @ duritong_ joined channel #puppet
[2008/05/19 19:02:11] @ Quit: lassizci: Read error: 104 (Connection reset by peer)
[2008/05/19 19:02:18] @ lassizci joined channel #puppet
[2008/05/19 19:12:10] @ Quit: huangmingyou: kubrick.freenode.net irc.freenode.net
[2008/05/19 19:12:11] @ Quit: bch820: kubrick.freenode.net irc.freenode.net
[2008/05/19 19:12:12] @ Quit: andrewcshafer: kubrick.freenode.net irc.freenode.net
[2008/05/19 19:12:13] @ Quit: Laos18549: kubrick.freenode.net irc.freenode.net
[2008/05/19 19:12:15] @ Quit: authentic: kubrick.freenode.net irc.freenode.net
[2008/05/19 19:12:16] @ Quit: duritong: Read error: 110 (Connection timed out)
[2008/05/19 19:12:52] @ huangmingyou joined channel #puppet
[2008/05/19 19:12:53] @ andrewcshafer joined channel #puppet
[2008/05/19 19:12:53] @ Laos18549 joined channel #puppet
[2008/05/19 19:12:54] @ authentic joined channel #puppet
[2008/05/19 19:12:55] @ bch820 joined channel #puppet
[2008/05/19 19:25:22] @ sparanjape joined channel #puppet
[2008/05/19 19:28:52] @ Gwayne joined channel #puppet
[2008/05/19 19:29:28] @ Maliuta joined channel #puppet
[2008/05/19 19:39:19] @ Quit: andrewcshafer:
[2008/05/19 19:50:45] @ _newbie_ joined channel #puppet
[2008/05/19 19:52:44] <thegcat> tim|macbook: thanks
[2008/05/19 19:52:48] @ Quit: thegcat:
[2008/05/19 19:54:18] @ Quit: huangmingyou: kubrick.freenode.net irc.freenode.net
[2008/05/19 19:54:19] @ Quit: bch820: kubrick.freenode.net irc.freenode.net
[2008/05/19 19:54:20] @ Quit: Laos18549: kubrick.freenode.net irc.freenode.net
[2008/05/19 19:54:22] @ Quit: authentic: kubrick.freenode.net irc.freenode.net
[2008/05/19 19:54:40] @ huangmingyou joined channel #puppet
[2008/05/19 19:54:41] @ Laos18549 joined channel #puppet
[2008/05/19 19:54:42] @ authentic joined channel #puppet
[2008/05/19 19:54:43] @ bch820 joined channel #puppet
[2008/05/19 19:57:32] @ Quit: huangmingyou: kubrick.freenode.net irc.freenode.net
[2008/05/19 19:57:34] @ Quit: bch820: kubrick.freenode.net irc.freenode.net
[2008/05/19 19:57:36] @ Quit: Laos18549: kubrick.freenode.net irc.freenode.net
[2008/05/19 19:57:37] @ Quit: authentic: kubrick.freenode.net irc.freenode.net
[2008/05/19 19:58:20] @ huangmingyou joined channel #puppet
[2008/05/19 19:58:21] @ Laos18549 joined channel #puppet
[2008/05/19 19:58:22] @ authentic joined channel #puppet
[2008/05/19 19:58:22] @ bch820 joined channel #puppet
[2008/05/19 20:16:23] @ Quit: huangmingyou: kubrick.freenode.net irc.freenode.net
[2008/05/19 20:16:25] @ Quit: bch820: kubrick.freenode.net irc.freenode.net
[2008/05/19 20:16:27] @ Quit: Laos18549: kubrick.freenode.net irc.freenode.net
[2008/05/19 20:16:28] @ Quit: authentic: kubrick.freenode.net irc.freenode.net
[2008/05/19 20:16:42] @ huangmingyou joined channel #puppet
[2008/05/19 20:16:43] @ Laos18549 joined channel #puppet
[2008/05/19 20:16:43] @ authentic joined channel #puppet
[2008/05/19 20:16:44] @ bch820 joined channel #puppet
[2008/05/19 20:38:19] <Gwayne> puppet rules
[2008/05/19 20:38:36] <Gwayne> Well at least it made me happy today :)
[2008/05/19 20:47:43] @ _newbie_ is now known as f--z
[2008/05/19 21:07:24] @ huangmingyou left channel #puppet ()
[2008/05/19 21:29:49] @ andrewcshafer joined channel #puppet
[2008/05/19 21:30:10] @ Quit: maxquerry: "ChatZilla 0.9.82.1 [Firefox 2.0.0.14/2008040413]"
[2008/05/19 21:32:12] @ Quit: kenvandine: "Ex-Chat"
[2008/05/19 21:36:27] @ huangmingyou joined channel #puppet
[2008/05/19 21:38:49] @ Quit: jsgotangco: "Ciao"
[2008/05/19 21:45:24] @ Innocenti joined channel #puppet
[2008/05/19 21:51:53] @ jcollie joined channel #puppet
[2008/05/19 22:05:00] @ Quit: huangmingyou: "Leaving."
[2008/05/19 22:05:09] @ huangmingyou joined channel #puppet
[2008/05/19 22:09:42] @ thegcat joined channel #puppet
[2008/05/19 22:21:48] @ Quit: chillitom: "Ex-Chat"
[2008/05/19 22:22:20] @ chillitom joined channel #puppet
[2008/05/19 22:28:00] @ kenvandine joined channel #puppet
[2008/05/19 22:57:25] @ Quit: huangmingyou: "Leaving."
[2008/05/19 22:57:35] @ huangmingyou joined channel #puppet
[2008/05/19 22:57:40] @ kambiz joined channel #puppet
[2008/05/19 23:02:47] @ aiurea joined channel #puppet
[2008/05/19 23:03:01] <aiurea> hi
[2008/05/19 23:03:16] <aiurea> is there a way I can make sure a command gets run before any Package call? I want to add an apt-get update
[2008/05/19 23:03:51] <aiurea> I have an apt-setup which does apt-get update, and I would need it to run before installing packages
[2008/05/19 23:04:39] <thegcat> make an exec for apt-get update and put a "before => Package["something"]" in there
[2008/05/19 23:05:09] <aiurea> I have a number of Package calls
[2008/05/19 23:05:21] <aiurea> adding it to each of them would mean it gets run over and over again
[2008/05/19 23:05:44] <tim|macbook> give the Package calls a "require => Exec[apt-get-update]" :)
[2008/05/19 23:05:59] <tim|macbook> or make your own definition mypackage that adds that require
[2008/05/19 23:06:07] <aiurea> aha
[2008/05/19 23:06:41] <tim|macbook> however, in my experience, we only run apt-get update once a day from cron-apt (or apt-cron, whatever the name is)
[2008/05/19 23:06:44] <tim|macbook> more than enough for us
[2008/05/19 23:08:30] <thegcat> aiurea: or you can add something like "Package { require => Exec["apt-get-update"], }" so that every package { "something" } gets this require per default
[2008/05/19 23:09:22] <aiurea> aha that is great
[2008/05/19 23:10:06] <tim|macbook> ah yeah, didn't think about that
[2008/05/19 23:27:30] @ strerror_work joined channel #puppet
[2008/05/19 23:27:40] @ Quit: strerror_work: Remote closed the connection
[2008/05/19 23:30:12] @ strerror_work joined channel #puppet
[2008/05/19 23:30:39] @ shenson_not_here is now known as shenson
[2008/05/19 23:31:46] <thegcat> ah, now I remembered what I wanted to ask
[2008/05/19 23:32:23] <thegcat> do I have a way to iterate over hosts I have defined in some class?
[2008/05/19 23:36:53] <tim|macbook> please elaborate what you want to do exactly :)
[2008/05/19 23:37:18] * tim|macbook doesn't understand what you mean with "defining hosts in some class"
[2008/05/19 23:37:23] <tim|macbook> how does one define a host in a class?
[2008/05/19 23:44:10] <thegcat> mmh, forget about the class
[2008/05/19 23:45:14] <thegcat> I have my hosts defined in a host { "someserver": ip => "a.b.c.d"; "someotherserver": ip => "e.f.g.h"; }
[2008/05/19 23:45:57] <thegcat> and I'd need this list of hostnames and/or IPs in some templates and maybe other stuff
[2008/05/19 23:46:04] <Volcane> why not use an array?
[2008/05/19 23:46:16] <Volcane> or do you need to access the values individually too?
[2008/05/19 23:47:03] <thegcat> no, I don't think so
[2008/05/19 23:47:26] <thegcat> but how would I use an array with the host {} stuff?
[2008/05/19 23:48:17] <thegcat> my point would be to not have to write the same information (hostname, ip, ...) in several different places
[2008/05/19 23:48:39] <Volcane> ah
[2008/05/19 23:48:49] <Volcane> puppet needs multi dimensional arrays :P
[2008/05/19 23:51:30] <f3ew> that would be nice
[2008/05/19 23:52:08] <f3ew> or hashes

Generated by irclog2html.py 2.6 by Marius Gedminas - find it at mg.pov.lt!