Christopher Opena
2014-Feb-25 00:47 UTC
[Puppet Users] Hit and miss application of puppet modules
Howdy folks, well after successfully rebuilding my hosed puppet environment (puppet was removing /var/lib/yum and /var/lib/rpm), I finally have a sane and mostly functioning puppet environment. However, I'm having a strange issue with applying modules via roles. In some instances it works, and in others it doesn't.

To begin with, I'm using the puppetlabs firewall module (http://forge.puppetlabs.com/puppetlabs/firewall) to drive iptables on a number of my servers. Right now it's only attempting to drive two of them: a file server and the puppet master itself, and I'm doing this using a roles module. However, it seems quite happy to apply the defined module to the file server, but not to the puppetmaster. Config below:

## ../puppet/manifests/site.pp ##
node 'JUMPBOX' {
  include role::fs_server
}

node 'PUPPETMASTER' {
  include role::puppet_master
}

## ../puppet/modules/role/init.pp ##
class role {
  include profile::base
}

class role::fs_server inherits role {
  include profile::fs_server
}

class role::puppet_master inherits role {
  include profile::puppet_master
}

## ../puppet/modules/profile/init.pp ##
class profile::base {
  notify {"Applying profile::base":}
  include ntp
  include ssh_server
  include my_fw
}

class profile::fs_server {
  notify {"Applying profile::fs_server":}
  include ssh_server::jump_box
}

class profile::puppet_master {
  notify {"Applying profile::puppet_master":}
  include puppet_master
}

As you can see it's a very very basic, skeletal config that is handling role-based module application.

In the case of the 'ssh_server::jump_box' and 'puppet_master' modules, these are both firewall application rules:

## ../puppet/modules/ssh_server/manifests/init.pp ##
class ssh_server::jump_box {
  # Firewall logic (allow forwarding)
  firewall { '098 allow forwarding':
    chain  => 'FORWARD',
    proto  => 'tcp',
    action => 'accept',
  }

  # Firewall logic (allow ssh from all)
  firewall { '099 accept ssh from anywhere':
    chain  => 'INPUT',
    state  => ['NEW'],
    dport  => '22',
    proto  => 'tcp',
    action => 'accept',
  }
}

## ../puppet/modules/puppet_master/manifests/init.pp ##
class puppet_master {
  # Firewall Logic: Allow TCP/8140
  firewall { '200 allow puppetmaster port':
    chain  => 'INPUT',
    state  => ['NEW'],
    dport  => '8140',
    proto  => 'tcp',
    source => '<REDACTED>',
    action => 'accept',
  }
}

The JUMPBOX gets its 'ssh_server::jump_box' module just fine, but the 'puppet_master' module never gets applied to the PUPPETMASTER node. The notify code in the 'profile' module is logging the "Applying profile::fs_server" and "Applying profile::puppet_master" messages in both cases, but for some reason is skipping the 'puppet_master' module. If I perform a:

    puppet apply -e "include puppet_master"

on the PUPPETMASTER node, it runs the module just fine and modifies the firewall accordingly.

Is there something completely simple that I'm just missing above? I feel like I may just have a syntax error or something wrong with the include that I'm completely ignoring :/

TIA,
C