brycec: I didn't need something as complex and all-managing as Chef or Puppet. I just needed a convenient way to do shit on multiple hosts (e.g. apt-get upgrades) and ansible fulfills that role (with parallelisation, etc.) and it was very simple to set up
brycec: shut up BryceBot
BryceBot: NOYOUSHUTUP brycec
brycec: It's true that Ansible has a feature similar to Chef/Puppet recipes, the Ansible Playbook, but I don't have deployments large enough for that to be useful. (I'm 99% maintaining servers, ones and twos of various tasks - not exactly rolling out new deployments)
mercutio: brycec: maybe if you're looking for comparisons for that
brycec: i just thought it'd be nifty if some blog i could read every now and then informed me of such things :)
i'm a bit apprehensive about automation as it makes simple things complicated, and leaves complicated things complicated.
i can understand wanting to do it if needing to for number of servers though.
a friend was mentioning ubuntu's autoupdate thing before, and how he wanted to use it because he never gets around to doing updates.
i have no idea how safe/reliable it is though, as i've never touched it myself.
plett: We use puppet quite heavily at work. We've got something approaching 100 machines (both virtual and physical) under puppet control. For us it's the ability to, for example, go from the requirement to build a new customer-facing DNS resolver to it being live and hooked in to BGP in about 10 minutes' time.
What we need to do next is make better use of packages, i.e. building our own for deployment of software onto machines in a repeatable way. At the moment we have puppet checking out some internal git and svn repos and building code.
Another thing we need is "lifecycle management" to keep machines up to date with packages. Just putting "apt-get update; apt-get upgrade" in cron is too blunt a tool, but 100 machines is too many for our team to be able to ssh in to each one and do things manually each time there is an openssl update.
mercutio: plett: you can put apt-get update; apt-get -d upgrade in
where -d is download only
then you can do apt-get install <package that got updated> split across all the machines.
i generally don't think 100 machines is too many to do manually because you still want to test it manually anyway.
also the ssl thing was more complicated because you have to edit apache config to disable ssl 3
but yeah, i can understand wanting to automate package updates on 100 servers. virtualisation tends to encourage more hosts.
plett: mercutio: What I think we need is the ability to group servers, and update packages on one test member of that group and confirm that it all still works, then approve the same updates to other members of the same group
mercutio: sounds good
plett: I think RedHat's SpaceWalk project does that, but I've not had the time to look at it
mercutio: basically a staging server.
i think the whole area could be improved radically
it seems things went backwards to a degree
like it used to be that people would often have /usr read only nfs mounted.
and shared between machines, then /usr/local with local changes.
i think in some ways if the "OS" can't even modify its basic self-working stuff and it's all read only and externally controlled that could be good
pyvpx: yeah
plett: Yeah. With all our servers, we might have 3 or 4 live members (say spamassassin boxes for email filtering) and one test box which we try out config changes on, we would just use that to test package updates on
pyvpx: rumpkernels that are readonly :)
plett: mercutio: It sounds like you are describing Docker
mercutio: ahh i haven't seen that.
see i need a blog to inform me of these things :)
plett: Docker is interesting. Fundamentally, it's a chroot on steroids for Linux, kind of like FreeBSD jails
mercutio: interesting.
i played with chroots a while ago
it takes a bit of maintenance
plett: As well as a chroot for file isolation, it can have its own IP addresses distinct from the host it is on, can be limited in disk/network/memory etc. via cgroups and all that stuff
mercutio: i used to use linux vserver
plett: But that is just how it works (and most of that comes directly from Linux Containers), what Docker has built on top of that is layers of abstraction
mercutio: yeah i think linux itself got updated quite a lot
i haven't actually played with cgroups yet
but i think there's some automatic stuff
disk throttling is complicated.
plett: Say you wanted to build a spamassassin server as a Docker app. You would take a base image of your chosen OS which had already been packaged as a docker app, spin up a VM, install whatever packages and generic config you need to make spamassassin work, then snapshot it and distribute it
mercutio: i haven't tried dedicated spamassassin VMs
i've always mixed postfix and spamassassin.
plett: The clever bit is that your additional bits are stuck on top of the base image, kind of like unionfs
mercutio: the complicated bit was pushing user lists to other boxes
so it can drop mail for unknown users.
plett: So when the base OS image gets an update, you pull down the new image and your spamassassin dock automatically has the new files in it
LT: the other neat thing about docker is it's all versioned - if an update breaks something you can just pull the previous version to roll back
mercutio: lt: now that is cool.
plett: Yes. That too
mercutio: unless spamassassin updates its database format or such
LT: the underlying chroot/container bit isn't that exciting, but the toolkit they've built on top of it is quite neat
mercutio: i so can't keep up with all of these things
maybe i should make a note of stuff to read up on :)
plett: Same here. Docker is still on my list of things that look cool and which I should play with at some point
mercutio: docker, puppet, ansible
like 15 years ago (wow that long) i used to read freshmeat
and it'd tell me about all kinds of new software.
there was some other linux blog too that went away
plett: I think Docker might be good enough for us to be able to kill off a load of single purpose VMs and turn them into bundled apps all running on one machine
Fewer things to administrate, etc
mercutio: yeah
i actually started running more things on the same vm's again
cos it was getting hell, and there's better security now days generally
virus filtering is probably on the side of "less sure about" though.
err virus/spam
as there's so many different programs that can all look at mail
plett: The Docker guys still don't recommend using it for where you need security isolation between docks, do they?
mercutio: i use spamassassin, dkim, razor, dcc, etc.
some people say the same about virtualisation
because cpu bugs could allow breaking out or something
pyvpx: well and there is a much larger attack surface, in general. interfaces/code/whathaveyou
well yeah* and there.
but I'm one of those nutty openbsd users who doesn't admin scale-sized stuff, or much at all in production.
mercutio: i like openbsd
pyvpx: docker/lxc seems to be performant and popular
but after I read a thesis and ran a NetBSD kernel in my web browser, locally... I kinda got hooked on this anykernel idea.
mercutio: anykernel?
pyvpx: rumpkernel.org
mercutio: cool added to my to-read list :)
thanks.
pyvpx: the ;login: paper is a pretty neat read
LT: I would definitely say that docker isn't a security thing - seems to be very much driven by people who want ease of deployment for webapps with security as a relatively low priority. that said it can't be any worse security than running it all on a single host
pcn: Yeah
mercutio: did you hear of flocker LT?
oh he left
well plett was talking about it too
plett: mercutio: flocker? No, I've not heard of that
Their website seems short on details though
It's a haproxy equivalent frontend to direct network connections to the right docker instance? And ZFS (on Linux?) for the image storage?
mercutio: it seems they want to do database and stuff migration etc
i found it off zfs yes :)
https://clusterhq.com/
i was trying to find out about the new zfs on linux features first.
there have been a few recent zfs changes with things like faster zfs sends etc.
and bookmarks, where you don't have to keep old snapshots around and can do your snapshotting on a storage/backup server
mercutio: snapshotting tends to lead to fragmentation, but now that ssds are getting so much cheaper/common etc you can have a hard-disk system with snapshots.
mercutio: apparently the word around the net is that facebook is down
brycec: Loads for me over curl
ipv6 even
mercutio: heh
brycec: and in my browser
mercutio: you have no account?
staticsafe: up_the_irons: you around?
brycec: my browser wasn't convenient, mercutio
mercutio: weird loads for me in curl
oh it's back now
brycec: (I have an account, it loads fine)
up_the_irons: facebook is down?
mercutio: it seems to be back again
to a lot of people facebook is the net :)
facebook is using spdy apparently
brycec: "OH GOD THE INTERNET IS DOWN!!!"
mercutio: it still goes slow for me though
oh up_the_irons are you using spdy yet?
now that you force https
may as well spdy
http://spdycheck.org/
brycec: http://spdycheck.org/#facebook.com
up_the_irons: mercutio: not using spdy
mercutio: yeah spdycheck suggests not
brycec: There's much more to spdy than just being https though, it's all about ordering the load of resources and such
mercutio: brycec: yeah but it also goes over https
so if using https already it seems a logical step
brycec: I know https is a requirement :p
mercutio: i mean if you need to get a cert and all
it's a lot more work
i've been reading about mod_pagespeed etc
mercutio: apparently it can do mobile versions of sites automatically too
brycec: I looked into this before... basically implementing SPDY without actually optimising the site is completely pointless
mercutio: as well as doing a whole lot of google optimisations
oh
did you look into mod_pagespeed?
https://developers.google.com/speed/pagespeed/module
brycec: I might have - it was a couple years ago
mercutio: apparently it's available as nginx and apache modules
brycec: http://nginx.org/en/docs/http/ngx_http_spdy_module.html
mercutio: it can do things like use webp versions of images
i don't have a proper web site or ssl cert
i just have directories and stuff with files
for linking etc.
brycec: spdy enabled! that was easy...
free ssl certs ftw :)
(startcom being my preference)
mercutio: i think chrome has changed something, because web sites in general all seem to load pretty quick now
i used to find https etc sites were slow
can you get a free wildcard
i'm using IPs atm hah
but i don't have to
and subdomains.
brycec: free wildcard? I'm not aware of any, but I've heard of some dirt-cheap ones ($7 USD)
mercutio: $7US/year?
i suppose i could handle that.
to play with spdy.
brycec: (I'd have to poke someone to get the name... something like dirtycheapssl or the like)
BryceBot: That's what she said!!
brycec: BryceBot: no
BryceBot: Oh, okay... I'm sorry. '(I'd have to poke someone to get the name... something like dirtycheapssl or the like)'
mercutio: haha
lowendtalk discussion
this should tell me
staticsafe: $7 wildcard per year is not happening lol
mercutio: oh old discussion
i hate ssl tax
well cert tax
staticsafe: I'm seeing $45 yearly for an AlphaSSL wildcard
mercutio: too much
i might just load a cert into my browser/hosts.
i suppose i could get lots of non-wildcard
mercutio: i wish spdy could work without https
derjur: hmmm... is there a self-serve for PTR records?
mercutio: yeah
in the control panel
m0unds: had a water line break above my pantry today. good stuff.
mercutio: ouch
derjur: mercutio: so it is! thank you
m0unds: yeah, can't get a plumber out til thursday
mercutio: ouch
so you turned water off?
m0unds: yep
mercutio: damn that sucks
is it a holiday there or something
m0unds: it's a slow-ish leak
nah, just busy
mercutio: maybe try a diff one?
m0unds: this was the shortest
called 6 different ones
haha
mercutio: oh :(
RandalSchwartz: need parallel plumbers!
brycec: And parallel plumbing!
m0unds: my plumbing isn't webscale :(
mercutio: heh
plumbing problems are pretty common really
RandalSchwartz: EPIPE
m0unds: haha
i didn't notice the leak til i opened the pantry to feed my cats and their food had water in it
they were sulking til i was able to get the water shut off and poke holes in the ceiling so i could run to the store and get more food
RandalSchwartz: the real problem there is "cats" :)
m0unds: why's that a problem?