#arpnetworks 2014-10-28,Tue


<brycec> In fact there are many comparisons out there, mercutio
I didn't need something as complex and all-managing as Chef or Puppet. I just needed a convenient way to do shit on multiple hosts (eg: apt-get upgrades) and ansible fulfills that role (with parallelisation, etc) and it was very simple to set up
[00:44]
<BryceBot> get on up
and DANCE
* BryceBot dances :D-<
* BryceBot dances :D|-<
* BryceBot dances :D/-<
[00:46]
<brycec> shutup BryceBot [00:46]
<BryceBot> NOYOUSHUTUP brycec [00:46]
<brycec> It's true that Ansible has a feature similar to Chef/Puppet recipes, the Ansible Playbook, but I don't have deployments large enough for that to be useful. (I'm 99% maintaining servers, ones and twos of various tasks - not exactly rolling out new deployments) [00:47]
....... (idle for 30mn)
<mercutio> brycec: maybe if you're looking for comparisons for that
brycec: i just thought it'd be nifty if some blog i could read every now and then informed me of such things :)
i'm a bit apprehensive about automation as it makes simple things complicated, and leaves complicated things complicated.
i can understand wanting to do it if needing to for number of servers though.
a friend was mentioning ubuntu's autoupdate thing before, and how he wanted to use it because he never gets around to doing updates.
i have no idea how safe/reliable it is though, as i've never touched it myself.
[01:17]
........ (idle for 37mn)
***JC_Denton has quit IRC (Ping timeout: 240 seconds)
JC_Denton has joined #arpnetworks
JC_Denton is now known as Guest61953
LT has joined #arpnetworks
[01:58]
<plett> We use puppet quite heavily at work. We've got something approaching 100 machines (both virtual and physical) under puppet control. For us it's the ability to, for example, go from the requirement to build a new customer-facing DNS resolver to it being live and hooked in to BGP in about 10 minutes time.
What we need to do next is make better use of packages, i.e. building our own for deployment of software onto machines in a repeatable way. At the moment we have puppet checking out some internal git and svn repos and building code.
Another thing we need is "lifecycle management" to keep machines up to date with packages. Just putting "apt-get update;apt-get upgrade" in cron is too blunt a tool, but 100 machines is too many for our team to be able to ssh in to each one and do things manually each time there is an openssl update.
[02:08]
<BryceBot> get on up
and DANCE
* BryceBot dances :D-<
* BryceBot dances :D|-<
* BryceBot dances :D/-<
[02:13]
<mercutio> plett: you can put apt-get update; apt-get -d upgrade in [02:21]
<BryceBot> get on up
and DANCE
* BryceBot dances :D-<
* BryceBot dances :D|-<
* BryceBot dances :D/-<
[02:21]
<mercutio> where -d is download only
then you can do apt-get install <package that got updated> split across all the machines.
i generally don't think 100 machines is too many to do manually because you still want to test it manually anyway.
also the ssl thing was more complicated because you have to edit apache config to disable ssl 3
but yeah, i can understand wanting to automate package updates on 100 servers. virtualisation tends to encourage more hosts.
[02:21]
<plett> mercutio: What I think we need is the ability to group servers, and update packages on one test member of that group and confirm that it all still works, then approve the same updates to other members of the same group [02:31]
<mercutio> sounds good [02:31]
<plett> I think RedHat's SpaceWalk project does that, but I've not had the time to look at it [02:31]
<mercutio> basically staging server.
i think the whole area could be improved radically
it seems things went backwards to a degree
like it used to be that people would often have /usr read only nfs mounted.
and shared between machines, then /usr/local with local changes.
i think in some ways if the "OS" can't even modify its basic self working stuff and it's all read only and externally controlled that could be good
[02:31]
<pyvpx> yeah [02:33]
<plett> Yeah. With all our servers, we might have 3 or 4 live members (say spamassassin boxes for email filtering) and one test box which we try out config changes on, we would just use that to test package updates on [02:33]
<pyvpx> rumpkernels that are readonly :) [02:33]
<plett> mercutio: It sounds like you are describing Docker [02:33]
<mercutio> ahh i haven't seen that.
see i need a blog to inform me of these things :)
[02:34]
<plett> Docker is interesting. Fundamentally, it's a chroot on steroids for Linux, kind of like FreeBSD jails [02:34]
<mercutio> interesting.
i played with chroots a while ago
it takes a bit of maintenance
[02:34]
<plett> As well as a chroot for file isolation, it can have its own IP addresses distinct from the host it is on, can be limited in disk/network/memory etc via cgroups and all that stuff [02:36]
<mercutio> i used to use linux vserver [02:36]
<plett> But that is just how it works (and most of that comes directly from Linux Containers), what Docker has built on top of that is layers of abstraction [02:37]
<mercutio> yeah i think linux itself got updated quite a lot
i haven't actually played with cgroups yet
but i think there's some automatic stuff
disk throttling is complicated.
[02:37]
<plett> Say you wanted to build a spamassassin server as a Docker app. You would take a base image of your chosen OS which had already been packaged as a docker app, spin up a VM, install whatever packages and generic config you need to make spamassassin work, then snapshot it and distribute it [02:38]
<mercutio> i haven't tried dedicated spamassassin VMs
i've always mixed postfix and spamassassin.
[02:39]
<plett> The clever bit is that your additional bits are stuck on top of the base image, kind of like unionfs [02:39]
<mercutio> the complicated bit was pushing user lists to other boxes
so it can drop mail for unknown users.
[02:40]
<plett> So when the base OS image gets an update, you pull down the new image and your spamassassin dock automatically has the new files in it [02:40]
<LT> the other neat thing about docker is it's all versioned - if an update breaks something you can just pull the previous version to roll back [02:41]
<mercutio> lt: now that is cool. [02:41]
<plett> Yes. That too [02:41]
<mercutio> unless spamassassin updates its database format or such [02:41]
<LT> the underlying chroot/container bit isn't that exciting, but the toolkit they've built on top of it is quite neat [02:42]
<mercutio> i so can't keep up with all of these things
maybe i should make a note of stuff to read up on :)
[02:43]
<plett> Same here. Docker is still on my list of things that look cool and which I should play with at some point [02:43]
<mercutio> docker, puppet, ansible
like 15 years ago (wow that long) i used to read freshmeat
and it'd tell me about all kinds of new software.
there was some other linux blog too that went away
[02:43]
<plett> I think Docker might be good enough for us to be able to kill off a load of single purpose VMs and turn them into bundled apps all running on one machine
Fewer things to administrate, etc
[02:45]
<mercutio> yeah
i actually started running more things on the same VMs again
cos it was getting hell, and there's better security nowadays generally
virus filtering is probably on the side of "less sure about" though.
err virus/spam
as there's so many different programs that can all look at mail
[02:45]
<plett> The Docker guys still don't recommend using it for where you need security isolation between docks, do they? [02:46]
<mercutio> i use spamassassin, dkim, razor, dcc, etc. [02:46]
some people say the same about virtualisation
because cpu bugs could allow breaking out or something
[02:54]
<pyvpx> well and there is a much larger attack surface, in general. interfaces/code/whathaveyou
well yeah* and there.
but I'm one of those nutty openbsd users who doesn't admin scale-sized stuff, or much at all in production.
[02:54]
<mercutio> i like openbsd [02:55]
<pyvpx> docker/lxc seems to be performant and popular
but after I read a thesis and ran a NetBSD kernel in my web browser, locally...I kinda got hooked on this anykernel idea.
[02:55]
<mercutio> anykernel? [02:56]
<pyvpx> rumpkernel.org [02:57]
<mercutio> cool, added to my to-read list :)
thanks.
[02:57]
<pyvpx> the :login; paper is a pretty neat read [02:57]
.... (idle for 17mn)
<LT> I would definitely say that docker isn't a security thing - seems to be very much driven by people who want ease of deployment for webapps with security as a relatively low priority. that said it can't be any worse security than running it all on a single host [03:14]
..... (idle for 22mn)
***staticsafe has quit IRC (Ping timeout: 265 seconds)
xales has quit IRC (Ping timeout: 272 seconds)
[03:36]
meingtsla has quit IRC (Ping timeout: 265 seconds)
meingtsla has joined #arpnetworks
[03:45]
staticsafe has joined #arpnetworks
xales has joined #arpnetworks
[04:02]
.................................. (idle for 2h48mn)
<pcn> Yeah [06:51]
................................ (idle for 2h38mn)
***vissborg has quit IRC (Max SendQ exceeded)
vissborg has joined #arpnetworks
[09:29]
........... (idle for 54mn)
LT has quit IRC (Quit: Leaving) [10:26]
......... (idle for 41mn)
forg0tten has quit IRC (Remote host closed the connection) [11:07]
....................... (idle for 1h54mn)
Guest61953 is now known as JC_Denton
Seju has quit IRC (Ping timeout: 255 seconds)
[13:01]
............... (idle for 1h12mn)
<mercutio> did you hear of flocker, LT?
oh he left
well plett was talking about it too
[14:16]
.... (idle for 15mn)
<plett> mercutio: flocker? No, I've not heard of that
Their website seems short on details though
It's a haproxy equivalent frontend to direct network connections to the right docker instance? And ZFS (on Linux?) for the image storage?
[14:32]
...... (idle for 27mn)
***Seji has joined #arpnetworks [15:02]
....... (idle for 31mn)
<mercutio> it seems they want to do database and stuff migration etc
i found it off zfs yes :)
https://clusterhq.com/
i was trying to find out about the new zfs on linux features first.
there have been a few recent zfs changes with things like faster zfs sends etc.
and bookmarks, where you don't have to keep old snapshots around and can do your snapshotting on a storage/backup server
[15:33]
***sga0_ has joined #arpnetworks [15:36]
<mercutio> snapshotting tends to lead to fragmentation, but now that ssds are getting so much cheaper/common etc you can have a hard-disk system with snapshots. [15:36]
***sga0_ has quit IRC (Read error: Connection reset by peer)
sga0__ has quit IRC (Ping timeout: 255 seconds)
[15:38]
....... (idle for 34mn)
sga0 has joined #arpnetworks [16:12]
<mercutio> apparently the word around the net is that facebook is down [16:14]
<brycec> Loads for me over curl
ipv6 even
[16:16]
<mercutio> heh [16:16]
<brycec> and in my browser [16:16]
<mercutio> you have no account? [16:16]
<staticsafe> up_the_irons: you around? [16:16]
<brycec> my browser wasn't convenient, mercutio [16:16]
<mercutio> weird, loads for me in curl
oh it's back now
[16:16]
<brycec> (I have an account, it loads fine) [16:17]
<up_the_irons> facebook is down? [16:17]
<mercutio> it seems to be back again
to a lot of people facebook is the net :)
facebook is using spdy apparently
[16:18]
<brycec> "OH GOD THE INTERNET IS DOWN!!!" [16:18]
<mercutio> it still goes slow for me though
oh up_the_irons are you using spdy yet?
now that you force https
may as well spdy
http://spdycheck.org/
[16:19]
<brycec> http://spdycheck.org/#facebook.com [16:19]
<up_the_irons> mercutio: not using spdy [16:19]
<mercutio> yeah spdycheck suggests not [16:20]
<brycec> There's much more to spdy than just being https though, it's all about ordering the load of resources and such [16:20]
<mercutio> brycec: yeh but it also goes over https
so if using https already it seems a logical step
[16:20]
<brycec> I know https is a requirement :p [16:20]
<mercutio> i mean if you need to get a cert and all
it's a lot more work
i've been reading about mod_pagespeed etc
[16:20]
***Guest8160 has quit IRC (Ping timeout: 244 seconds) [16:21]
<mercutio> apparently it can do mobile versions of sites automatically too [16:21]
<brycec> I looked into this before... basically implementing SPDY without actually optimising the site is completely pointless [16:21]
<mercutio> as well as doing a whole lot of google optimisations
oh
did you look into mod_pagespeed?
https://developers.google.com/speed/pagespeed/module
[16:21]
<brycec> I might have - it was a couple years ago [16:22]
<mercutio> apparently it's available as nginx and apache modules [16:22]
<brycec> http://nginx.org/en/docs/http/ngx_http_spdy_module.html [16:23]
<mercutio> it can do things like use webp versions of images
i don't have a proper web site or ssl cert
i just have directories and stuff with files
for linking etc.
[16:23]
<brycec> spdy enabled! that was easy...
free ssl certs ftw :)
(startcom being my preference)
[16:24]
<mercutio> i think chrome has changed something, because web sites in general all seem to load pretty quick now
i used to find https etc sites were slow
can you get a free wildcard
i'm using IPs atm hah
but i don't have to
and subdomains.
[16:26]
<brycec> free wildcard? I'm not aware of any, but I've heard of some dirt-cheap ones ($7 USD) [16:27]
<mercutio> $7US/year?
i suppose i could handle that.
to play with spdy.
[16:27]
<brycec> (I'd have to poke someone to get the name... something like dirtycheapssl or the like) [16:29]
<BryceBot> That's what she said!! [16:29]
<brycec> BryceBot: no [16:29]
<BryceBot> Oh, okay... I'm sorry. '(I'd have to poke someone to get the name... something like dirtycheapssl or the like)' [16:29]
<mercutio> haha
lowendtalk discussion
this should tell me
[16:29]
<staticsafe> $7 wildcard per year is not happening lol [16:30]
<mercutio> oh old discussion
i hate ssl tax
well cert tax
[16:30]
<staticsafe> i'm seeing $45 yearly for an AlphaSSL wildcard [16:30]
<mercutio> too much
i might just load a cert into my browser/hosts.
i suppose i could get lots of non wildcard
[16:31]
***Guest8160 has joined #arpnetworks [16:33]
<mercutio> i wish spdy could work without https [16:35]
***Seji has quit IRC (Ping timeout: 240 seconds)
Seji has joined #arpnetworks
[16:48]
.......... (idle for 46mn)
derjur has joined #arpnetworks [17:36]
................ (idle for 1h15mn)
<derjur> hmmm... is there a self-serve for PTR records? [18:51]
<mercutio> yeah
in the control panel
[18:55]
...... (idle for 25mn)
<m0unds> had a water line break above my pantry today. good stuff. [19:20]
<mercutio> ouch [19:22]
<derjur> mercutio: so it is! thank you [19:24]
<m0unds> yeah, can't get a plumber out til thursday [19:24]
<mercutio> ouch
so you turned water off?
[19:24]
<m0unds> yep [19:24]
<mercutio> damn that sucks
is it a holiday there or something
[19:25]
<m0unds> it's a slow-ish leak
nah, just busy
[19:25]
<mercutio> maybe try a diff one? [19:25]
<m0unds> this was the shortest
called 6 different ones
haha
[19:25]
<mercutio> oh :( [19:29]
<RandalSchwartz> need parallel plumbers! [19:37]
<brycec> And parallel plumbing! [19:40]
<m0unds> my plumbing isn't webscale :( [19:46]
<mercutio> heh
plumbing problems are pretty common really
[19:48]
<RandalSchwartz> EPIPE [19:54]
<m0unds> haha
i didn't notice the leak til i opened the pantry to feed my cats and their food had water in it
they were sulking til i was able to get the water shut off and poke holes in the ceiling so i could run to the store and get more food
[19:54]
<RandalSchwartz> the real problem there is "cats" :) [20:04]
.............. (idle for 1h7mn)
<m0unds> why's that a problem? [21:11]
.................. (idle for 1h29mn)
***dj_goku has quit IRC (Remote host closed the connection)
dj_goku has joined #arpnetworks
dj_goku has quit IRC (Changing host)
dj_goku has joined #arpnetworks
[22:40]
............ (idle for 56mn)
dj_goku has quit IRC (Ping timeout: 265 seconds) [23:37]
dj_goku has joined #arpnetworks [23:46]
