Puppet users - Feb 2007 - Problem with iptables && ensure => running

I''ve been seeing this for a long time now...

Got a class like:

<snip>
class iptables
{
     package {
         iptables:
             ensure => latest
     }

     service {
         iptables:
             enable => true,
             ensure => running
     }

     remotefile {
         "/etc/sysconfig/iptables":
             mode => 400,
             source => "system/iptables",
             notify => Service[iptables]
     }
}
</snip>

And each time puppet runs, it *always* ends up changing it from  
''stopped'' to ''running''... when it is already
running, and no changes
have been made to the configuration file.

I just want to make sure that iptables is always enabled, always  
started, and only restart if the configuration file has changed.

Any idea what is going on?

Systems are all FC5, using puppet 0.22.1.

--jason

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 15 February 2007 01:28, Jason Dillon wrote:
> I''ve been seeing this for a long time now...
>
> Got a class like:
>
> <snip>
> class iptables
> {
>      package {
>          iptables:
>              ensure => latest
>      }
>
>      service {
>          iptables:
>              enable => true,
>              ensure => running
>      }
>
>      remotefile {
>          "/etc/sysconfig/iptables":
>              mode => 400,
>              source => "system/iptables",
>              notify => Service[iptables]
>      }
> }
> </snip>
>
> And each time puppet runs, it *always* ends up changing it from
> ''stopped'' to ''running''... when it is
already running, and no changes
> have been made to the configuration file.
>
> I just want to make sure that iptables is always enabled, always
> started, and only restart if the configuration file has changed.
>
> Any idea what is going on?
Has the iptables init script a sensible "status" implementation? If
yes, then
you can tell the Service type to check that before (re)starting the service. 
If not, then you can still implement some kind of manual check in the Service 
type.


Regards, David
- -- 
- - hallo... wie gehts heute?
- - *hust* gut *rotz* *keuch*
- - gott sei dank kommunizieren wir über ein septisches medium ;)
 -- Matthias Leeb, Uni f. angewandte Kunst, 2005-02-15
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF1Eg5/Pp1N6Uzh0URAtcEAJ9WWfamGUruRS2oUURSkRfg4+MZwwCfSX7Q
mZAky/7MlYWAN44Hg6+yWC4=SBSC
-----END PGP SIGNATURE-----

David,

You hit the nail on the head.  Iptables'' status command spits out the 
results of ''iptables -L'' not ''is running'' or
the like.

Trevor

David Schmitt wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Thursday 15 February 2007 01:28, Jason Dillon wrote:
>> I''ve been seeing this for a long time now...
>>
>> Got a class like:
>>
>> <snip>
>> class iptables
>> {
>>      package {
>>          iptables:
>>              ensure => latest
>>      }
>>
>>      service {
>>          iptables:
>>              enable => true,
>>              ensure => running
>>      }
>>
>>      remotefile {
>>          "/etc/sysconfig/iptables":
>>              mode => 400,
>>              source => "system/iptables",
>>              notify => Service[iptables]
>>      }
>> }
>> </snip>
>>
>> And each time puppet runs, it *always* ends up changing it from
>> ''stopped'' to ''running''... when it
is already running, and no changes
>> have been made to the configuration file.
>>
>> I just want to make sure that iptables is always enabled, always
>> started, and only restart if the configuration file has changed.
>>
>> Any idea what is going on?
> 
> Has the iptables init script a sensible "status" implementation?
If yes, then
> you can tell the Service type to check that before (re)starting the
service.
> If not, then you can still implement some kind of manual check in the
Service
> type.
> 
> 
> Regards, David
> - -- 
> - - hallo... wie gehts heute?
> - - *hust* gut *rotz* *keuch*
> - - gott sei dank kommunizieren wir über ein septisches medium ;)
>  -- Matthias Leeb, Uni f. angewandte Kunst, 2005-02-15
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> 
> iD8DBQFF1Eg5/Pp1N6Uzh0URAtcEAJ9WWfamGUruRS2oUURSkRfg4+MZwwCfSX7Q
> mZAky/7MlYWAN44Hg6+yWC4> =SBSC
> -----END PGP SIGNATURE-----
> _______________________________________________
> Puppet-users mailing list
> Puppet-users@madstop.com
> https://mail.madstop.com/mailman/listinfo/puppet-users
>

>> Has the iptables init script a sensible "status"
implementation?
>> If yes, then
>> you can tell the Service type to check that before (re)starting  
>> the service.
>> If not, then you can still implement some kind of manual check in  
>> the Service
>> type.
How can I implement some kind of manual check?  `/etc/init.d/iptables  
status` on FC5 spits out very `iptables -L`-like output.

--jason

Jason Dillon wrote:
>>> Has the iptables init script a sensible "status"
implementation?
>>> If yes, then
>>> you can tell the Service type to check that before (re)starting  
>>> the service.
>>> If not, then you can still implement some kind of manual check in  
>>> the Service
>>> type.
> 
> How can I implement some kind of manual check?  `/etc/init.d/iptables  
> status` on FC5 spits out very `iptables -L`-like output.
> 
> --jason
Gentoo keeps track of everything you''ve started in 
/var/lib/init.d/started. If your init scripts don''t keep track of 
service states, you''ll have to hack the script to touch a file when
it''s
started, and rm it when it''s stopped (preferably somewhere that
won''t
survive a reboot).

Alternatively, you could hack status (either in the script or in puppet) 
to grep iptables -L for something you know will be in there. That''s 
certainly easier, but less reliable.

There''s of course no iptables daemon, so it''s reasonable for
an iptables
init script not to respond with ''started'' or
''stopped''.

P

On 2/14/07, Jason Dillon <jason@planet57.com>
wrote:
> I''ve been seeing this for a long time now...
>
> Got a class like:
>
> <snip>
> class iptables
> {
>      package {
>          iptables:
>              ensure => latest
>      }
>
>      service {
>          iptables:
>              enable => true,
>              ensure => running
>      }
>
>      remotefile {
>          "/etc/sysconfig/iptables":
>              mode => 400,
>              source => "system/iptables",
>              notify => Service[iptables]
>      }
> }
> </snip>
>
> And each time puppet runs, it *always* ends up changing it from
> ''stopped'' to ''running''... when it is
already running, and no changes
> have been made to the configuration file.
>
> I just want to make sure that iptables is always enabled, always
> started, and only restart if the configuration file has changed.
This works for me:

class iptables {
    file { "/etc/sysconfig/iptables":
        owner  => root,
        group  => root,
        mode   => 600,
        source => "puppet://$server/firewall/iptables",
    }
    exec { "/etc/init.d/iptables stop && /etc/init.d/iptables
start":
        subscribe   => File["/etc/sysconfig/iptables"],
        refreshonly => true,
    }
    service { "iptables":
        status => "/root/bin/iptables_check",
        start  => "/etc/init.d/iptables start",
        ensure => running,
    }
}

/root/bin/iptables_check exists on the client, is executable and contains:

#!/bin/sh
if [ ! -f /proc/net/ip_tables_names ];then
    exit 1
fi

I''m running RHEL 4 and "/proc/net/ip_tables_names" only
exists if
iptables rules are live, so I used that for a check.

You could also do something like:

#!/bin/sh
/etc/init.d/iptables status | /bin/grep -i stopped
if [ $? != 1 ];then
    exit 1
fi

hth,
Kent

-- 
"It may be true that the law cannot make a man love me, but it can stop him
 from lynching me, and I think that''s pretty important." - Martin
Luther King Jr.