Saturday, 2009-04-04

[2009/04/04 00:02:54] @ Log started by gepetto
[2009/04/04 00:02:54] @ Quit: benblack: "Leaving..."
[2009/04/04 00:13:38] @ rmiller4pi81 joined channel #puppet
[2009/04/04 00:13:41] @ Quit: rmiller4pi81: Read error: 104 (Connection reset by peer)
[2009/04/04 00:20:56] @ Quit: webx: "My damn controlling terminal disappeared!"
[2009/04/04 00:23:00] @ Quit: ethan_rowe: "Lack of interest wins out."
[2009/04/04 00:23:05] <johnw> hmm... if I use the rpm provider on a real .rpm, and ensure => latest, it tries to reinstall it on each run it seems
[2009/04/04 00:23:57] <johnw> how do I get it to update from the physical rpm only if it's an actual upgrade?
[2009/04/04 00:29:55] @ Quit: d3vilb0x:
[2009/04/04 00:31:21] @ Quit: rmiller4pi8: Read error: 110 (Connection timed out)
[2009/04/04 00:31:58] <eythian> johnw: because I don't yet have a custom repository system, I put package files into /var/local/packages/<module>, and have an exec subscribe to the file.
[2009/04/04 00:32:08] <eythian> (the exec doing the install)
[2009/04/04 00:41:18] <johnw> ah, i see
[2009/04/04 00:41:34] <johnw> funny, i just started coding that solution :)
[2009/04/04 00:42:41] <johnw> i'd like to still use the rpm provider though
[2009/04/04 00:42:54] <johnw> hmm.. i don't think package has refreshonly...
[2009/04/04 00:43:02] @ benblack joined channel #puppet
[2009/04/04 00:44:08] <johnw> i may need my own yum repository for this
[2009/04/04 00:44:14] <johnw> so that it can all be handled through yum update
[2009/04/04 00:48:22] <eythian> johnw: that's what I intend to do when I have time.
[2009/04/04 00:48:45] <johnw> seems to be extremely simple
[2009/04/04 00:48:54] <johnw> just have to run yum-arch whenever the directory contents have changed
[2009/04/04 00:48:58] <johnw> other than that, yum does the rest
[2009/04/04 00:49:11] <eythian> I also need to learn how to create packages, that's a bigger step :)
[2009/04/04 00:49:21] <johnw> ah, most of what i'm working with here is already rpm
[2009/04/04 00:49:30] <johnw> like, puppet 0.24.8
[2009/04/04 00:49:55] <eythian> yeah, I have a number of things that are already .debs, but a few that aren't that I do want to package.
[2009/04/04 00:50:32] <johnw> eythian: http://www.informit.com/articles/article.aspx?p=440160
[2009/04/04 00:52:30] <eythian> johnw: yeah, I have all the references bookmarked. I just need to put the time in, which I don't have at the moment (which is why I'm doing things like making puppet work with glassfish on a Saturday afternoon)
[2009/04/04 00:53:07] <johnw> what kind of stuff is in your glassfish type?
[2009/04/04 00:53:11] <johnw> i need to get it working with jboss next
[2009/04/04 00:53:59] <eythian> it's going to allow creation of jdbc pools and other assorted things. Nothing too fancy, as the glassfish API is a bit pants.
[2009/04/04 00:54:15] <eythian> But enough that it'll deploy the config for me.
[2009/04/04 00:55:03] <eythian> I'm just working through the command line interface, the other option is to work with the XML, but that's a bad idea.
[2009/04/04 01:00:27] <Djelibeybi> johnw: you want createrepo these days, not yum-arch
[2009/04/04 01:00:59] <Djelibeybi> yum-arch creates the header (.hdr) files for the old up2date. createrepo creates the xml.gz metadata for yum
[2009/04/04 01:01:03] <Djelibeybi> Oddly.
[2009/04/04 01:01:34] <johnw> thx, found that out the hard way
[2009/04/04 01:01:56] <Djelibeybi> johnw: Go Go Accurate Tool Names. :)
[2009/04/04 01:02:31] @ Quit: Flam5: Connection timed out
[2009/04/04 01:04:28] @ rmiller4pi8 joined channel #puppet
[2009/04/04 01:16:24] <eythian> It's very confusing to me that wiki:CreatingCustomTypes and wiki:PracticalTypes seem to say very different things about how custom types work.
[2009/04/04 01:16:25] <gepetto> eythian: wiki:CreatingCustomTypes is http://reductivelabs.com/trac/puppet/wiki/CreatingCustomTypes
[2009/04/04 01:16:26] <gepetto> eythian: wiki:PracticalTypes is http://reductivelabs.com/trac/puppet/wiki/PracticalTypes
[2009/04/04 01:27:14] <eythian> In the :ensure property def of my type, I'm creating the resource. What do I call the function to remove it if it's given ensure=>absent?
[2009/04/04 01:33:27] @ Quit: rmiller4pi8: "Leaving."
[2009/04/04 01:44:22] @ tessier joined channel #puppet
[2009/04/04 01:50:16] @ madrescher joined channel #puppet
[2009/04/04 01:58:18] @ Quit: madrescher: "Leaving."
[2009/04/04 02:01:15] <eythian> puppet seems to require a large amount of memory to move large files :(
[2009/04/04 02:05:40] @ mfoster joined channel #puppet
[2009/04/04 02:08:04] @ Quit: mfoster: Client Quit
[2009/04/04 02:08:07] @ mfoster joined channel #puppet
[2009/04/04 02:09:14] @ Quit: mfoster: Client Quit
[2009/04/04 02:11:47] @ Quit: johnw:
[2009/04/04 02:13:55] @ johnw joined channel #puppet
[2009/04/04 02:24:08] @ Quit: benblack: "Leaving..."
[2009/04/04 03:13:51] @ Quit: Djelibeybi: "Leaving"
[2009/04/04 03:31:06] @ fbe__ joined channel #puppet
[2009/04/04 03:31:07] @ Quit: fbe_: Read error: 104 (Connection reset by peer)
[2009/04/04 03:33:46] @ Quit: Dyson: "Client exiting"
[2009/04/04 03:53:37] @ Quit: fujin:
[2009/04/04 03:55:08] @ Quit: andrewcshafer:
[2009/04/04 04:14:40] @ ChoHag joined channel #puppet
[2009/04/04 04:14:59] <ChoHag> Is it possible to get puppet to run commands on the puppetmaster?
[2009/04/04 04:16:03] <ChoHag> Or in some way retrieve data which is restricted based on the client requesting it.
[2009/04/04 04:27:53] @ Quit: raphink: Remote closed the connection
[2009/04/04 04:29:08] @ raphink joined channel #puppet
[2009/04/04 04:45:14] @ Quit: alban2: Read error: 113 (No route to host)
[2009/04/04 05:20:54] @ mvn071 joined channel #puppet
[2009/04/04 05:23:55] @ ivoid joined channel #puppet
[2009/04/04 05:25:48] @ Quit: ivoid: Client Quit
[2009/04/04 05:32:07] @ fujin joined channel #puppet
[2009/04/04 05:55:43] @ briandquinn joined channel #puppet
[2009/04/04 06:21:54] @ ribo_ joined channel #puppet
[2009/04/04 06:34:18] @ Quit: ribo: Read error: 110 (Connection timed out)
[2009/04/04 06:40:29] @ alban2 joined channel #puppet
[2009/04/04 06:46:44] @ nakano_ is now known as nakano
[2009/04/04 07:09:42] @ d3vilb0x joined channel #puppet
[2009/04/04 07:18:20] @ Quit: alban2: Read error: 113 (No route to host)
[2009/04/04 07:28:23] <Volcane> ChoHag: not natively unless you mess around with generate, but you can easily extend puppet with functions
[2009/04/04 07:28:32] @ cirquitz joined channel #puppet
[2009/04/04 07:28:39] <Volcane> ChoHag: and these functions can query anything u can imagine...
[2009/04/04 07:32:10] <erikh> Volcane: do you sleep? :)
[2009/04/04 07:32:35] <erikh> I mean that lightheartedly; I just always see you in here answering questions :)
[2009/04/04 07:32:42] <Volcane> oi its lunch time :P
[2009/04/04 07:32:48] <erikh> ah, that explains it
[2009/04/04 07:32:52] <erikh> it's 4:30am here :)
[2009/04/04 07:33:57] <Volcane> heh, i dont sleep a lot though, my girlfriend and i work different times so i have way too much time on my hands
[2009/04/04 07:34:06] <Volcane> i work 11-7, she does 3-11
[2009/04/04 07:34:27] <Volcane> 3pm to 11pm
[2009/04/04 07:34:42] <erikh> ah yeah
[2009/04/04 07:34:59] <erikh> for years my wife and I would work different hours. she'd work days, I'd work graves
[2009/04/04 07:35:07] <erikh> made living hard.
[2009/04/04 07:35:14] <Volcane> so she gets home like 12ish, which means i get to bed by 1:30 if i am lucky
[2009/04/04 07:35:26] <erikh> I can dig it
[2009/04/04 07:35:49] <Volcane> i could technically change my times to match, but I'd be bored out my skull if i dont work in the day
[2009/04/04 07:36:17] <erikh> heh yeah, i'd just be playing a video game or something
[2009/04/04 07:38:37] <Volcane> and anyway, with 100s of machines all being managed by puppet what else do i have to do? :)
[2009/04/04 07:40:21] <ChoHag> So what about restricting access?
[2009/04/04 07:40:43] <ChoHag> Can you write a function to be executed on the server which will know which private key is being used in the client/server communication?
[2009/04/04 07:41:08] <Volcane> ChoHag: i just use the fqdn as set by puppet as a key in the lookup
[2009/04/04 07:41:20] <ChoHag> But that's set by the client.
[2009/04/04 07:41:50] <Volcane> ChoHag: sure, if u needed more you could no doubt write a fact to show the crypto fingerprint of the ssl cert on the client
[2009/04/04 07:41:51] <ChoHag> And if a client is hijacked, it can assume the identity of any other client and steal its files.
[2009/04/04 07:42:09] <Volcane> though even that can be faked of course
[2009/04/04 07:42:13] <Volcane> if they can copy the ssl keys
[2009/04/04 07:42:37] <Volcane> i dont believe theres a 100% certified proof of identity between client and server that cant be subverted by someone with access to the client
[2009/04/04 07:42:37] <ChoHag> Well if they have access to another client's ssl keys then you just need to pull the plug and start again.
[2009/04/04 07:43:28] <ChoHag> If you have access to all the clients, no.
[2009/04/04 07:43:50] <ChoHag> But if you can only read one client's private key, you can only impersonate that client.
[2009/04/04 07:44:04] <Volcane> yeah
[2009/04/04 07:44:10] <Volcane> so it wouldnt be hard to make such a fact
[2009/04/04 07:44:11] <ChoHag> Unless puppet breaks ssl somehow.
[2009/04/04 07:44:35] <ChoHag> What data is available to functions executed by the server?
[2009/04/04 07:44:46] <ChoHag> Apart from facts.
[2009/04/04 07:45:05] <Volcane> functions executed by the master used in compiling manifests?
[2009/04/04 07:45:10] <ChoHag> Yes.
[2009/04/04 07:45:14] <Volcane> just facts
[2009/04/04 07:45:58] <Volcane> so you could make a fact to fingerprint the ssl cert and send the fingerprint to the master as a fact
[2009/04/04 07:46:56] <ChoHag> Is puppet: file transfer performed separately to the manifest transfer?
[2009/04/04 07:47:24] <Volcane> yes
[2009/04/04 07:47:32] <ChoHag> What protocol does it use?
[2009/04/04 07:47:38] <Volcane> HTTPS
[2009/04/04 07:48:32] <ChoHag> Hmm that could be a better approach.
[2009/04/04 07:48:52] <Volcane> whats the problem you want to solve?
[2009/04/04 07:49:09] <ChoHag> Restricting data to a specific client only.
[2009/04/04 07:49:16] <Volcane> a file?
[2009/04/04 07:49:19] <ChoHag> Yes.
[2009/04/04 07:49:34] <Volcane> well i wouldnt say its awesomely impenetrable
[2009/04/04 07:49:41] <Volcane> but if you have a fact - say fqdn
[2009/04/04 07:49:57] <Volcane> source => "puppet://puppet/path/to/file.${fqdn}"
[2009/04/04 07:49:59] <Volcane> will do it
[2009/04/04 07:50:09] <ChoHag> But you don't have a fact, you have a dubious fact.
[2009/04/04 07:50:09] <Volcane> of course as you say, spoofable and what not
[2009/04/04 07:50:14] <Volcane> indeed
[2009/04/04 07:50:24] <Volcane> cos its on the client and controlled by it
[2009/04/04 07:50:48] <Volcane> its like any other client submitted data, but you could use a fingerprint of the ssl certs or something
[2009/04/04 07:50:51] <Volcane> thats a bit better
[2009/04/04 07:50:58] @ aymerick joined channel #puppet
[2009/04/04 07:51:02] <Volcane> but still not awesome, harder to fake though
[2009/04/04 07:51:16] <ChoHag> But it seems I could do that but intercept the call such that a cgi is used which verifies which client key is used.
[2009/04/04 07:51:34] <Volcane> you cant really intercept the calls between client and master
[2009/04/04 07:51:42] @ Quit: aymerick: Remote closed the connection
[2009/04/04 07:51:59] @ aymerick joined channel #puppet
[2009/04/04 07:52:11] <ChoHag> You can if you mess around with reverse proxies.
[2009/04/04 07:52:32] <ChoHag> Just have something else listen on port 8140 which provides its own fileserver and forwards anything else to the real puppet port.
[2009/04/04 07:52:42] <ChoHag> Of course they both need access to the server's private key.
[2009/04/04 07:53:06] <Volcane> the puppet file server isnt *just* a https server doling out files
[2009/04/04 07:53:35] <Volcane> it will become more like that in future versions, now though its a RPC server over HTTPS
[2009/04/04 07:54:17] @ keithlard joined channel #puppet
[2009/04/04 08:02:18] @ Quit: cirquitz: Read error: 113 (No route to host)
[2009/04/04 08:05:14] @ Djelibeybi joined channel #puppet
[2009/04/04 08:05:23] @ Djelibeybi left channel #puppet ("Leaving")
[2009/04/04 08:54:49] @ kolla joined channel #puppet
[2009/04/04 09:02:02] @ Bass10 joined channel #puppet
[2009/04/04 09:09:47] <briandquinn> what's the best way to monitor puppet's activity, i.e. what's changing and where?
[2009/04/04 09:16:43] @ Quit: ChoHag: Read error: 145 (Connection timed out)
[2009/04/04 09:17:25] <Volcane> briandquinn: puppet can send reports back to the master
[2009/04/04 09:19:29] <briandquinn> they just ship back the logs from each client right?
[2009/04/04 09:20:18] <Volcane> and some stats
[2009/04/04 09:22:02] <briandquinn> cool, I'll go that direction then. Thanks.
[2009/04/04 09:24:52] <Volcane> they're yaml files, so easy to parse or load into a db or whatever
[2009/04/04 09:28:36] @ ChoHag joined channel #puppet
[2009/04/04 09:58:16] @ mikepea joined channel #puppet
[2009/04/04 10:16:21] @ Quit: briandquinn: Read error: 110 (Connection timed out)
[2009/04/04 10:34:07] @ rmiller4pi8 joined channel #puppet
[2009/04/04 11:21:57] @ benblack joined channel #puppet
[2009/04/04 11:28:18] @ pleemans joined channel #puppet
[2009/04/04 11:38:01] @ mfoster joined channel #puppet
[2009/04/04 11:48:48] @ ethan_rowe joined channel #puppet
[2009/04/04 11:50:34] @ Quit: ethan_rowe: Client Quit
[2009/04/04 12:05:10] @ lak joined channel #puppet
[2009/04/04 12:17:17] @ thegcat joined channel #puppet
[2009/04/04 12:18:59] @ Quit: benblack: "Leaving..."
[2009/04/04 12:31:45] @ Quit: mfoster: Read error: 110 (Connection timed out)
[2009/04/04 12:41:07] @ ribo_ is now known as ribo
[2009/04/04 12:45:45] @ Quit: lak:
[2009/04/04 12:48:07] @ rmiller4pi81 joined channel #puppet
[2009/04/04 12:48:07] @ Quit: rmiller4pi8: Read error: 104 (Connection reset by peer)
[2009/04/04 13:17:04] @ Quit: raphink: Remote closed the connection
[2009/04/04 13:17:54] @ raphink joined channel #puppet
[2009/04/04 13:18:23] @ ezmob joined channel #puppet
[2009/04/04 13:18:35] @ cirquitz joined channel #puppet
[2009/04/04 13:19:51] @ benblack joined channel #puppet
[2009/04/04 13:23:59] @ alban2 joined channel #puppet
[2009/04/04 13:25:50] @ lak joined channel #puppet
[2009/04/04 13:33:29] @ verwilst joined channel #puppet
[2009/04/04 13:34:16] @ Quit: lak:
[2009/04/04 13:42:41] @ Shamgar_ is now known as Shamgar
[2009/04/04 13:44:42] @ nakano is now known as nakano_
[2009/04/04 13:46:45] @ nakano_ is now known as nakano
[2009/04/04 13:52:29] @ lak joined channel #puppet
[2009/04/04 13:59:20] @ Quit: verwilst: Remote closed the connection
[2009/04/04 14:16:05] @ Quit: lak:
[2009/04/04 14:17:30] @ Quit: mvn071: "Leaving"
[2009/04/04 14:18:35] @ Quit: pleemans: Read error: 110 (Connection timed out)
[2009/04/04 14:21:39] @ nakano is now known as nakano_
[2009/04/04 14:46:08] @ Quit: cirquitz: "Leaving"
[2009/04/04 14:54:46] @ Quit: alban2: Read error: 113 (No route to host)
[2009/04/04 15:07:26] @ Quit: rmiller4pi81: "Leaving."
[2009/04/04 15:19:42] @ Quit: tessier: "leaving"
[2009/04/04 15:23:57] @ aymerick_ joined channel #puppet
[2009/04/04 15:28:08] @ Quit: fujin:
[2009/04/04 15:35:23] @ Quit: fluxdude: Remote closed the connection
[2009/04/04 15:35:51] @ Quit: aymerick: Read error: 110 (Connection timed out)
[2009/04/04 15:39:48] @ andrewcshafer joined channel #puppet
[2009/04/04 15:40:18] @ Quit: tuf8_: Read error: 110 (Connection timed out)
[2009/04/04 15:40:37] @ Quit: johnw:
[2009/04/04 15:52:52] @ Quit: ezmob: "Bye!"
[2009/04/04 16:14:15] @ Quit: andrewcshafer:
[2009/04/04 16:15:31] @ Quit: mikepea:
[2009/04/04 16:16:01] @ alban2 joined channel #puppet
[2009/04/04 16:16:29] @ mfoster joined channel #puppet
[2009/04/04 16:21:35] <jmeeuwen> has anything changed in the way certificates are generated?
[2009/04/04 16:21:50] <jmeeuwen> 0.24.8 is what i'm talking about here btw ;-)
[2009/04/04 16:30:30] <hacim> nope
[2009/04/04 16:33:58] @ Quit: mfoster: Read error: 60 (Operation timed out)
[2009/04/04 16:43:40] @ glaw joined channel #puppet
[2009/04/04 16:50:47] @ nakano_ is now known as nakano
[2009/04/04 17:11:21] @ Quit: glaw: ""Remember, information is not knowledge, knowledge is not wisdom, wisdom is not truth, truth is not beauty, beauty is not lov
[2009/04/04 17:19:30] @ ezmob joined channel #puppet
[2009/04/04 17:24:13] @ Djelibeybi joined channel #puppet
[2009/04/04 17:26:47] @ Quit: aymerick_:
[2009/04/04 17:51:46] @ peiriannydd joined channel #puppet
[2009/04/04 17:51:56] @ peiriannydd left channel #puppet ()
[2009/04/04 17:53:23] @ peiriannydd joined channel #puppet
[2009/04/04 17:53:34] @ peiriannydd left channel #puppet ()
[2009/04/04 17:55:30] @ Quit: fbe__: Read error: 104 (Connection reset by peer)
[2009/04/04 17:55:35] @ peiriannydd joined channel #puppet
[2009/04/04 18:18:02] @ Quit: f3ew: Read error: 104 (Connection reset by peer)
[2009/04/04 18:18:56] @ Quit: teratoma: Remote closed the connection
[2009/04/04 18:19:11] @ f3ew joined channel #puppet
[2009/04/04 18:19:28] @ aaronl_ joined channel #puppet
[2009/04/04 18:21:20] @ PhabX joined channel #puppet
[2009/04/04 18:22:08] @ Quit: PhabX: Client Quit
[2009/04/04 18:22:36] @ Quit: aaronl_: Client Quit
[2009/04/04 18:23:07] @ Quit: thegcat: Read error: 113 (No route to host)
[2009/04/04 18:32:34] @ Quit: dsch04: "Leaving"
[2009/04/04 18:41:27] @ andrewcshafer joined channel #puppet
[2009/04/04 18:42:17] @ fbe joined channel #puppet
[2009/04/04 18:55:22] @ ezmob is now known as ezmob|away
[2009/04/04 18:59:10] @ ezmob|away is now known as ezmob
[2009/04/04 19:19:10] @ ezmob is now known as ezmob|away
[2009/04/04 19:23:57] @ ezmob|away is now known as ezmob
[2009/04/04 19:59:52] @ Quit: tmz: "leaving"
[2009/04/04 20:08:17] @ tmz joined channel #puppet
[2009/04/04 20:19:45] @ lak joined channel #puppet
[2009/04/04 20:23:39] @ PhabX joined channel #puppet
[2009/04/04 20:46:43] @ Quit: f3ew: Read error: 113 (No route to host)
[2009/04/04 20:47:50] @ f3ew joined channel #puppet
[2009/04/04 20:48:46] @ Quit: lak:
[2009/04/04 20:50:31] @ Quit: keithlard:
[2009/04/04 20:55:23] @ keithlard joined channel #puppet
[2009/04/04 21:43:04] @ johnw joined channel #puppet
[2009/04/04 21:43:07] @ mikepea joined channel #puppet
[2009/04/04 21:45:10] @ fujin joined channel #puppet
[2009/04/04 21:53:49] @ tessier joined channel #puppet
[2009/04/04 21:55:57] @ Quit: keithlard:
[2009/04/04 22:05:27] @ ezmob is now known as ezmob|away
[2009/04/04 22:30:37] @ ezmob|away is now known as ezmob
[2009/04/04 22:46:13] @ Quit: ezmob: "Bye!"
[2009/04/04 22:48:46] @ mfoster joined channel #puppet
[2009/04/04 22:49:24] @ Quit: mikepea:
[2009/04/04 23:01:33] @ Quit: mfoster: "Leaving."
[2009/04/04 23:06:40] @ ezmob joined channel #puppet
[2009/04/04 23:10:00] @ walrus joined channel #puppet
[2009/04/04 23:11:31] @ Quit: PhabX: "Leaving..."
[2009/04/04 23:32:38] @ Quit: walrus: "Leaving"
[2009/04/04 23:44:00] @ Quit: neh: Read error: 60 (Operation timed out)