I've been seeing this for a long time now...

Got a class like:

<snip>
class iptables
{
    package {
        iptables:
            ensure => latest
    }

    service {
        iptables:
            enable => true,
            ensure => running
    }

    remotefile {
        "/etc/sysconfig/iptables":
            mode => 400,
            source => "system/iptables",
            notify => Service[iptables]
    }
}
</snip>

And each time puppet runs, it *always* ends up changing it from
'stopped' to 'running'... when it is already running, and no changes
have been made to the configuration file.

I just want to make sure that iptables is always enabled, always
started, and only restart if the configuration file has changed.

Any idea what is going on?

Systems are all FC5, using puppet 0.22.1.

--jason
On Thursday 15 February 2007 01:28, Jason Dillon wrote:
> I've been seeing this for a long time now...
>
> Got a class like:
>
> <snip>
> class iptables
> {
>     package {
>         iptables:
>             ensure => latest
>     }
>
>     service {
>         iptables:
>             enable => true,
>             ensure => running
>     }
>
>     remotefile {
>         "/etc/sysconfig/iptables":
>             mode => 400,
>             source => "system/iptables",
>             notify => Service[iptables]
>     }
> }
> </snip>
>
> And each time puppet runs, it *always* ends up changing it from
> 'stopped' to 'running'... when it is already running, and no changes
> have been made to the configuration file.
>
> I just want to make sure that iptables is always enabled, always
> started, and only restart if the configuration file has changed.
>
> Any idea what is going on?

Has the iptables init script a sensible "status" implementation? If yes, then
you can tell the Service type to check that before (re)starting the service.
If not, then you can still implement some kind of manual check in the Service
type.

Regards, David
-- 
- - hello... how are you doing today?
- - *cough* fine *sniff* *wheeze*
- - thank god we communicate over a septic medium ;)
-- Matthias Leeb, Uni f. angewandte Kunst, 2005-02-15
David,

You hit the nail on the head. Iptables' status command spits out the results
of 'iptables -L', not 'is running' or the like.

Trevor

David Schmitt wrote:
> Has the iptables init script a sensible "status" implementation? If yes, then
> you can tell the Service type to check that before (re)starting the service.
> If not, then you can still implement some kind of manual check in the Service
> type.
>
> Regards, David
>> Has the iptables init script a sensible "status" implementation?
>> If yes, then you can tell the Service type to check that before
>> (re)starting the service. If not, then you can still implement
>> some kind of manual check in the Service type.

How can I implement some kind of manual check? `/etc/init.d/iptables status`
on FC5 spits out very `iptables -L`-like output.

--jason
Jason Dillon wrote:
>>> Has the iptables init script a sensible "status" implementation?
>>> If yes, then you can tell the Service type to check that before
>>> (re)starting the service. If not, then you can still implement
>>> some kind of manual check in the Service type.
>
> How can I implement some kind of manual check? `/etc/init.d/iptables
> status` on FC5 spits out very `iptables -L`-like output.
>
> --jason

Gentoo keeps track of everything you've started in /var/lib/init.d/started.
If your init scripts don't keep track of service states, you'll have to hack
the script to touch a file when it's started, and rm it when it's stopped
(preferably somewhere that won't survive a reboot).

Alternatively, you could hack status (either in the script or in puppet) to
grep iptables -L for something you know will be in there. That's certainly
easier, but less reliable.

There's of course no iptables daemon, so it's reasonable for an iptables init
script not to respond with 'started' or 'stopped'.

P
On 2/14/07, Jason Dillon <jason@planet57.com> wrote:
> I've been seeing this for a long time now...
>
> Got a class like:
>
> <snip>
> class iptables
> {
>     package {
>         iptables:
>             ensure => latest
>     }
>
>     service {
>         iptables:
>             enable => true,
>             ensure => running
>     }
>
>     remotefile {
>         "/etc/sysconfig/iptables":
>             mode => 400,
>             source => "system/iptables",
>             notify => Service[iptables]
>     }
> }
> </snip>
>
> And each time puppet runs, it *always* ends up changing it from
> 'stopped' to 'running'... when it is already running, and no changes
> have been made to the configuration file.
>
> I just want to make sure that iptables is always enabled, always
> started, and only restart if the configuration file has changed.

This works for me:

class iptables {
    file { "/etc/sysconfig/iptables":
        owner  => root,
        group  => root,
        mode   => 600,
        source => "puppet://$server/firewall/iptables",
    }

    # Reload the rules only when the config file changes.
    exec { "/etc/init.d/iptables stop && /etc/init.d/iptables start":
        subscribe   => File["/etc/sysconfig/iptables"],
        refreshonly => true,
    }

    # Use our own status command, since the init script's "status"
    # does not report running/stopped via its exit code.
    service { "iptables":
        status => "/root/bin/iptables_check",
        start  => "/etc/init.d/iptables start",
        ensure => running,
    }
}

/root/bin/iptables_check exists on the client, is executable and contains:

#!/bin/sh
# Exit 0 (running) only when the kernel has iptables tables registered.
if [ ! -f /proc/net/ip_tables_names ]; then
    exit 1
fi

I'm running RHEL 4 and "/proc/net/ip_tables_names" only exists if iptables
rules are live, so I used that for a check.

You could also do something like:

#!/bin/sh
# grep exits 1 when "stopped" is absent from the status output; anything
# else (a match, or a grep error) is reported to Puppet as "not running".
/etc/init.d/iptables status | /bin/grep -i stopped
if [ $? != 1 ]; then
    exit 1
fi

hth,
Kent

-- 
"It may be true that the law cannot make a man love me, but it can stop him
from lynching me, and I think that's pretty important." - Martin Luther King Jr.
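A status command that reports the firewall state through its exit code, in the spirit of Kent's /root/bin/iptables_check, written here as an added example (not code from the thread). It assumes /proc/net/ip_tables_names lists one registered table per line; the path is a parameter so the check can be exercised against constructed files, and the self-test uses such files rather than a real kernel.

```shell
#!/bin/sh
# Added example, not from the original thread. Puppet's Service 'status'
# command is judged by exit code alone: 0 = running, non-zero = stopped.
# The stock FC5 init script prints 'iptables -L'-style output and exits 0
# regardless, so 'ensure => running' restarts the service on every run.

# Returns 0 when netfilter has the 'filter' table registered, 1 otherwise.
# /proc/net/ip_tables_names exists only while ip_tables is loaded and lists
# one table name per line (assumption for this example).
iptables_is_live() {
    proc_file="${1:-/proc/net/ip_tables_names}"
    [ -f "$proc_file" ] || return 1     # module not loaded: no rules possible
    [ -s "$proc_file" ] || return 1     # loaded, but no table registered
    grep -qx 'filter' "$proc_file"      # the table /etc/sysconfig/iptables fills
}

# Self-test against constructed fixture files (not real /proc entries).
# Returns 0 when every case behaves as expected.
selftest() {
    dir=$(mktemp -d) || return 1
    printf 'filter\nnat\n' > "$dir/live"
    : > "$dir/empty"
    printf 'raw\n' > "$dir/noflt"
    rc=0
    iptables_is_live "$dir/live"   || rc=1      # must report running
    iptables_is_live "$dir/empty"  && rc=1      # must report stopped
    iptables_is_live "$dir/noflt"  && rc=1      # must report stopped
    iptables_is_live "$dir/absent" && rc=1      # must report stopped
    rm -rf "$dir"
    return $rc
}

# When run by Puppet as the status command (status => "/path/to/script --status"),
# report this host's live state; otherwise only define the functions above.
if [ "${1:-}" = "--status" ]; then
    if iptables_is_live; then exit 0; else exit 1; fi
fi
```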