Hello fellow puppet masters,

We currently use winbind to allow our admins to log onto our Linux servers with their Windows AD accounts. Every now and then, a comms issue will drop AD out from under the server, which causes winbind to stop checking AD. The service is still technically running though, so puppet thinks everything is fine. I can run a "getent passwd <username>" to verify that winbind is or isn't working.

So I wanted to utilize that check and have my winbind service entry subscribe to this exec:

    service{ 'winbind':
      enable => true,
      ensure => running,
      subscribe => Exec['check-winbind'];
    }

    exec{ 'check-winbind':
      path => ['/usr/bin','/sbin','/bin'],
      command => ['getent passwd user | grep -c user'],
    }

So when the command failed, that would trigger puppet to restart the service. But when the check would return 0 (because it couldn't find user in AD), puppet gives me the following:

    Service[winbind]: Dependency Exec[check-winbind] has failures: true
    Service[winbind]: Skipping because of failed dependencies

Not what I wanted to see... though I do understand why it is saying it (just not how to change it). So what I ended up doing was turning the command into an "unless" statement, and set the "command" to be "service winbind restart", and remove the subscribe statement from my winbind service entry. Now, this works... but it just seems silly to me to have to restart the service via an exec statement when I am already monitoring the winbind service.

Any ideas on how to simplify this and get it back to my original goal of subscribing the service to this check? Thanks!

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/zuisMOF45xUJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Matthew Burgess
2012-Jul-18 14:59 UTC
Re: [Puppet Users] How to restart Winbind when hung?
On Wed, Jul 18, 2012 at 3:08 PM, Adam <carlson.adam.web@gmail.com> wrote:
> Hello fellow puppet masters,
>
> We currently use winbind to allow our admins to log onto our Linux servers
> with their Windows AD accounts. Every now and then, a comms issue will drop
> AD out from under the server, which causes winbind to stop checking AD. The
> service is still technically running though, so puppet thinks everything is
> fine. I can run a "getent passwd <username>" to verify that winbind is or
> isn't working.
>
> So I wanted to utilize that check and have my winbind service entry
> subscribe to this exec:
>
>     service{ 'winbind':
>       enable => true,
>       ensure => running,
>       subscribe => Exec['check-winbind'];
>     }
>
>     exec{ 'check-winbind':
>       path => ['/usr/bin','/sbin','/bin'],
>       command => ['getent passwd user | grep -c user'],
>     }
>
> So when the command failed, that would trigger puppet to restart the
> service. But when the check would return 0 (because it couldn't find user
> in AD), puppet gives me the following:
>
>     Service[winbind]: Dependency Exec[check-winbind] has failures: true
>     Service[winbind]: Skipping because of failed dependencies
>
> Not what I wanted to see... though I do understand why it is saying it (just
> not how to change it). So what I ended up doing was turning the command
> into an "unless" statement, and set the "command" to be "service winbind
> restart", and remove the subscribe statement from my winbind service entry.
> Now, this works... but it just seems silly to me to have to restart the
> service via an exec statement when I am already monitoring the winbind
> service.
>
> Any ideas on how to simplify this and get it back to my original goal of
> subscribing the service to this check? Thanks!

You could make use of the service type's 'status' parameter. Your example would then read:

    service{ 'winbind':
      enable => true,
      ensure => running,
      status => '/usr/bin/getent passwd user | /bin/grep -c user'
    }

I suspect this overrides the usual puppet behaviour of using 'service winbind status' to perform the status check, but that may not be an issue in your case.

Regards,

Matt.
Matt,

Good thinking, I hadn't thought of that! Even though it does override the usual puppet behavior, if winbind is stopped then that query will also fail; therefore, the functionality is all still there.

Thanks!
Adam
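Added example, not part of the thread and not code from either poster: a stand-alone check script that the 'status' parameter discussed above could call, bounding a hung lookup with a timeout and querying only the winbind NSS module. The install path /usr/local/sbin/check-winbind, the /sbin/service path, and the names PROBE_USER and PROBE_TIMEOUT are assumptions; it relies on glibc getent (-s) and GNU coreutils timeout.

```sh
#!/bin/sh
# Status check for winbind, for use as a Puppet service "status" command
# (exit 0 = running, non-zero = not running). Assumed names: the install
# path, PROBE_USER and PROBE_TIMEOUT. Sample resource using it:
#
#   service { 'winbind':
#     enable => true,
#     ensure => running,
#     status => '/usr/local/sbin/check-winbind',
#     # Puppet runs "start" when status is non-zero; a hung daemon is
#     # still running, so point start at a restart (assumed path).
#     start  => '/sbin/service winbind restart',
#   }

PROBE_USER="${PROBE_USER:-user}"      # an account that exists only in AD
PROBE_TIMEOUT="${PROBE_TIMEOUT:-10}"  # seconds before a lookup counts as hung

# Returns 0 if winbind resolves the account, 1 if it does not,
# 2 if the lookup hung and was killed by timeout(1).
winbind_status() {
    rc=0
    # -s winbind (glibc getent) queries only the winbind NSS module, so a
    # same-named local account in /etc/passwd cannot mask a dead AD link.
    entry=$(timeout "$PROBE_TIMEOUT" getent -s winbind passwd "$1") || rc=$?
    if [ "$rc" -eq 124 ]; then
        return 2                      # GNU timeout exits 124 on expiry
    elif [ "$rc" -ne 0 ] || [ -z "$entry" ]; then
        return 1                      # getent exits non-zero on a miss
    fi
    return 0
}

# Run the check only when invoked as the installed script.
case "${0##*/}" in
    check-winbind) winbind_status "$PROBE_USER"; exit $? ;;
esac
```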