*** Bakey has quit IRC | 01:20 | |
ara-slack | graeme.danielson: hi ara people, we are testing out ara and are seeing immediate positive results in navigating playbook results! In our test environment web access is open, however before moving into our prod deployment pipeline we need to have an authenticated gate - our auth provider is AD/LDAPS. As ara is behind nginx we could investigate auth at that level, e.g. nginx-ldap-auth. | 01:23 |
---|---|---|
ara-slack | However would prefer to authenticate at the app layer. Appreciate if anyone has any pointers for LDAPS auth for ara if it's possible? | 01:23 |
*** Naphtime has quit IRC | 04:14 | |
*** Naphta has joined #ara | 04:15 | |
ara-slack | dmsimard: @graeme.danielson there are no authentication mechanisms in ARA right now. The web interface in the current stable release is passive (read only) and either you have access to it or you don't. | 04:38 |
ara-slack | dmsimard: ARA 1.0 ships a REST API which can be used over http, separate from the web application. There's no form of authentication or permissions there yet either but, again, a web server (or firewall) can be used to secure the components if required. | 04:40 |
ara-slack | dmsimard: 1.0 is rewritten from scratch with django/django-rest-framework which will make it easier to implement ACLs/RBACs if we really need them in the future. | 04:41 |
ara-slack | dmsimard: The current lack of security is "almost" by design. Since ARA doesn't really allow you to run anything, the one thing you want to control is whether people have access to the data or not. It helps manage user expectations of security, keeps things simpler to maintain with the limited development resources. I think using nginx or apache to control security is not a terrible compromise in the meantime. | 04:46 |
*** gvincent has quit IRC | 06:20 | |
*** gvincent has joined #ara | 07:03 | |
*** gvincent has quit IRC | 07:06 | |
*** gvincent has joined #ara | 07:06 | |
*** themroc has joined #ara | 08:18 | |
Xaroth | if it's DRF based, adding your own auth app wouldn't be that difficult to accomplish | 08:47 |
*** themroc has quit IRC | 13:10 | |
*** themroc has joined #ara | 13:12 | |
*** bcoca has joined #ara | 14:04 | |
*** bcoca has joined #ara | 14:04 | |
dmsimard | Xaroth: yeah, it's just not a priority for the initial 1.0 release because there are several other "not that difficult" things to do before I can actually release the thing :p | 14:48 |
Xaroth | of course | 14:48 |
Xaroth | but I was more suggesting for whoever needed ldap auth | 14:48 |
Xaroth | to add an auth-ldap module | 14:48 |
Xaroth | not for ARA to have it by itself. | 14:49 |
dmsimard | just in django you mean ? | 14:49 |
Xaroth | mhm | 14:49 |
dmsimard | that's not very granular, though | 14:49 |
dmsimard | right ? | 14:49 |
dmsimard | I mean, typically permissions in drf are set for every endpoint | 14:49 |
Xaroth | not very, no, but you have to start somewhere :P | 14:49 |
dmsimard | or at least I think they are | 14:49 |
dmsimard | right | 14:50 |
Xaroth | personally I use nginx' auth-request to shield all systems that don't have auth by themselves | 14:51 |
Xaroth | bit of a fiddle but I got it to work | 14:51 |
dmsimard | apollo13: what's your favorite runtime for django with wsgi ? gunicorn ? mod_wsgi ? | 14:57 |
Xaroth | I'm biased towards uwsgi and gunicorn, I try to avoid apache/mod_wsgi whenever I can | 14:59 |
dmsimard | ah, uwsgi is the one I was forgetting | 15:00 |
Xaroth | nginx unit is also an option | 15:00 |
Xaroth | but it's an oddball | 15:00 |
dmsimard | I tend to use nginx more as a reverse proxy (with something like gunicorn etc) | 15:00 |
Xaroth | same | 15:01 |
dmsimard | TIL there's a gunicorn ansible module https://docs.ansible.com/ansible/latest/modules/gunicorn_module.html | 15:04 |
Xaroth | I... why though.. don't you want to hook that to something so it actually runs as a service? | 15:05 |
dmsimard | oh, I wasn't saying I was going to use it | 15:06 |
dmsimard | it came up in a google search :p | 15:07 |
dmsimard | there's a django_manage module too! | 15:07 |
Xaroth | that's a useful one | 15:07 |
Xaroth | running your migrations as part of your ansible deploy | 15:07 |
ara-slack | smbambling: @smbambling has joined the channel | 15:50 |
ara-slack | smbambling: Is there a change log hosted anywhere, I don't see anything on github or RTD | 15:52 |
ara-slack | dmsimard: @smbambling the changelog is in the tagged versions in git -- you can see them on github: https://github.com/openstack/ara/releases, for example: https://github.com/openstack/ara/releases/tag/0.16.0 | 15:53 |
ara-slack | dmsimard: I hope we can pull them out of there to make them more obvious in the future | 15:54 |
ara-slack | smbambling: Is there any way to see the diff changeset of a file in the web UI | 15:57 |
ara-slack | dmsimard: as in, using --diff ? | 16:04 |
ara-slack | chris: I’ve installed ara, configured ara, and can bring up the web interface, but my ansible plays aren’t getting recorded. Additionally I don’t see the sqlite db. Is there a logging directory or somewhere to troubleshoot why? | 16:05 |
ara-slack | dmsimard: @chris if the ~/.ara directory of the user running ansible doesn't exist, it means Ansible hasn't loaded the callback | 16:05 |
ara-slack | chris: Ok so that directory is there, but the web interface still comes up with the The ARA database is empty or the web application is not configured properly to find your playbook data. | 16:07 |
ara-slack | chris: dev web interface on 9191 | 16:07 |
ara-slack | dmsimard: So what that means is that the web server and the ansible user do not "agree" on where the database is located -- are you running the web interface from the same user ? | 16:08 |
ara-slack | chris: i’m running the web interface as myself and then running ansible-playbook as myself but using sudo | 16:08 |
ara-slack | dmsimard: so there's probably a database in /root/.ara ? | 16:09 |
ara-slack | chris: i found the database in my home directory | 16:09 |
ara-slack | chris: i was searching for .db instead of ansible.sqlite | 16:10 |
ara-slack | dmsimard: the database location defaults to ~/.ara/ansible.sqlite -- if you run ansible as root, there'll be a database in /root/.ara/ansible.sqlite.. so if you try to run the webapp from your user, it'll try to use /home/chris/.ara/ansible.sqlite (or vice versa) | 16:11 |
ara-slack | chris: .ara doesn’t exist for root just for my user | 16:12 |
ara-slack | chris: I ran ansible as myself for testing and it populated the db. Thanks for the help! | 16:14 |
ara-slack | chris: @dmsimard If I want to make ARA available to everyone who runs playbooks, I would just need to setup [ara] section in the ansible.cfg config? Would I be able to just move the site-packages for ara to the python2.7 folder instead of my home directory? | 16:19 |
ara-slack | dmsimard: You can install ara globally so it's available to every user | 16:23 |
ara-slack | dmsimard: ARA has some dependencies so if you just copy that one directory, it won't find them | 16:23 |
ara-slack | dmsimard: And yes, you can use /etc/ansible/ansible.cfg | 16:24 |
ara-slack | dmsimard: @smbambling you might not have seen my reply, I asked if you meant the contents of "--diff" or something else ? | 16:25 |
ara-slack | smbambling: @dmsimard Yeah, we always use --diff in our run, but in the version we are running ( which is old 13.1 ) there doesn't seem to be a way to see the diff output of a changed resource. Is there a way in newer versions or some way in the current version we have | 16:27 |
ara-slack | smbambling: Also sorry so many slacks going I got pulled into another | 16:27 |
ara-slack | dmsimard: @smbambling --diff isn't supported yet but it's something I want to add and there's a bug for it: https://storyboard.openstack.org/#!/story/2000929 | 16:30 |
ara-slack | smbambling: cool thanks for the pointer ! | 16:30 |
ara-slack | chris: @dmsimard Thanks David, if I add [ara] to the ansible.cfg do I need to specify all of the variables or just ones that I want to change from the default? Can I just change the ara_dir? | 16:54 |
ara-slack | dmsimard: yup, you can change only the stuff that you need to change | 16:55 |
ara-slack | chris: :raised_hands: | 16:55 |
*** themroc has quit IRC | 16:57 | |
*** sshnaidm|afk is now known as sshnaidm | 17:08 | |
ara-slack | chris: Is there a way to skip PyYAML install to keep our distutils version? Cannot uninstall 'PyYAML'. It is a distutils installed project and thus we cannot accurately determine which files belong to it which would lead to only a partial uninstall. | 17:17 |
ara-slack | chris: It’s using version 3.10 and it wants to install 3.13 | 17:18 |
*** etienne has joined #ara | 17:18 | |
ara-slack | dmsimard: it's typically not a good idea to mix pip and distro packages... could you perhaps have a "global" virtualenv instead ? | 17:18 |
ara-slack | dmsimard: what I've seen before was something like /opt/ansible-venv with everything installed to it and then /usr/local/bin/ansible{-playbook} symlinked to /opt/ansible-venv/bin/ansible{-playbook} | 17:19 |
ara-slack | chris: You’re chatting with a guy who is learning ansible and python as he goes. I can certainly look into doing that | 17:20 |
ara-slack | dmsimard: a virtual environment is basically an isolated python interpreter with its own set of libraries and modules -- sort of like a container or a chroot | 17:21 |
ara-slack | dmsimard: there's usually a distro package for virtualenv | 17:21 |
ara-slack | dmsimard: so you do something like "virtualenv /opt/ansible-venv" which will set up a python interpreter at /opt/ansible-venv/bin/python and a pip binary at /opt/ansible-venv/bin/pip | 17:22 |
ara-slack | dmsimard: so you can do either "/opt/ansible-venv/bin/pip install ara" -- or activate the virtualenv so that you're set to use it first: "source /opt/ansible-venv/bin/activate; pip install ara" | 17:23 |
etienne | https://packaging.python.org/guides/installing-using-pip-and-virtualenv/#creating-a-virtualenv | 17:23 |
ara-slack | chris: does running ansible-playbook change at all with the virtualenv? | 17:24 |
dmsimard | well, if you currently have ansible installed globally, this means you already have an ansible-playbook command in /usr/bin/ or /usr/local/bin (in your shell $PATH) | 17:25 |
dmsimard | if you want to be able to type "ansible-playbook" and have it pick the one from the virtualenv instead of the /usr/local/bin/ one, you need to either adjust your PATH environment variable or remove the installed ansible and symlink them | 17:25 |
dmsimard | otherwise it doesn't change anything | 17:26 |
ara-slack | chris: Alternatively I could just remove the PyYAML dist package and install from pip, yes? Also thank you for all the virtualenv information. That’s really fascinating to know it’s available. I am trying to keep things straightforward for our sysadmin team to manage ansible. | 17:29 |
ara-slack | dmsimard: the distro might or might not let you do that | 17:32 |
ara-slack | dmsimard: for example, if you have a package that depends on PyYAML -- removing that package might lead to the uninstallation of the software that depends on it | 17:33 |
ara-slack | dmsimard: I can't recommend mixing distribution and pip packages | 17:33 |
ara-slack | dmsimard: What distribution are you using ? | 17:34 |
ara-slack | chris: Understood. I’m looking for the most straightforward approach. CentOS7.5 | 17:34 |
ara-slack | dmsimard: I've packaged ARA for Fedora but it's not in EPEL due to conflicting base OS dependencies unfortunately | 17:36 |
*** dougbtv has joined #ara | 17:36 | |
ara-slack | dmsimard: There is a third party repository that has packaged ARA for CentOS -- it's not "officially" supported but it's there and could be an option, perhaps | 17:36 |
ara-slack | dmsimard: hmmm | 17:38 |
ara-slack | chris: I can look into that as well. Your suggestion of the venv may be the best option. | 17:38 |
ara-slack | dmsimard: yeah, no matter how I look at it -- the venv is the best bet IMO | 17:39 |
ara-slack | chris: Perfect, an opportunity to learn something new. Thanks again for your time and patience! | 17:39 |
ara-slack | dmsimard: happy to help | 17:39 |
*** dougbtv has quit IRC | 18:00 | |
*** dougbtv has joined #ara | 18:03 | |
*** dougbtv has quit IRC | 18:36 | |
*** dougbtv has joined #ara | 18:48 | |
ara-slack | chris: Just to follow up I removed PyYAML with yum, installed ara with pip, then reinstalled PyYAML with yum and everything is working correctly. | 20:05 |
*** jrist has quit IRC | 20:22 | |
ara-slack | dmsimard: @chris lucky :p | 20:23 |
ara-slack | chris: No doubt! | 20:23 |
*** jrist has joined #ara | 21:15 |