Hey everyone,
Over the past week I have been exploring puppet and had been ignoring
an oddity in its output that Luke helped me figure out today.
It all started with trying to configure puppet to configure iptables
using Red Hat's utility system-config-securitylevel-tui on RHEL4. I was
able to get it up and running using the following configuration:
node default {
  firewall { rhel4:
    ports => [ "22:tcp",   # ssh
               "8139:tcp", # puppetd
             ]
  }
}
define firewall($ports=["22:tcp"], $template="system-config-securitylevel.erb") {
  # Define variables for template
  $firewall_ports=$ports
  $firewall_template=$template
  include rhel4_firewall
}
class rhel4_firewall {
  # The tool that writes the iptables rules; installed via up2date on RHEL4.
  package {
    rhel4_firewall_system-config-securitylevel:
      name => "system-config-securitylevel-tui",
      provider => "up2date",
      ensure => "present",
  }
  # Only re-applies the firewall when notified by a change to the config file.
  exec {
    rhel4_firewall_system-config-securitylevel:
      command => "/usr/bin/system-config-securitylevel-tui -q",
      refreshonly => true;
  }
  # The config file rendered from the template; a content change notifies the exec.
  file {
    rhel4_firewall_system-config-securitylevel:
      path => "/etc/sysconfig/system-config-securitylevel",
      content => template($firewall_template),
      mode => 644,
      checksum => md5,
      ensure => present,
      require => Package[rhel4_firewall_system-config-securitylevel],
      notify => Exec[rhel4_firewall_system-config-securitylevel];
  }
}
###system-config-securitylevel.erb###
--enabled
<% firewall_ports.each do |port| -%>
--port=<%= port %>
<% end -%>
This worked perfectly except that on every run puppetd would tell me
that it was replacing /etc/sysconfig/system-config-securitylevel and
restarting the firewall, with the exact same messages every time:
May 1 19:17:25 test puppetd[21941]: (//default/firewall[rhel4]/rhel4_firewall/File[rhel4_firewall_system-config-securitylevel]/checksum) checksum changed '{md5}b5c161b466bf90e2c4892ce8334362cf' to '{md5}3030222f6c4f031229bca113f29fec17'
May 1 19:17:25 test puppetd[21941]: (//default/firewall[rhel4]/rhel4_firewall/File[rhel4_firewall_system-config-securitylevel]/content) changed file contents from {md5}3030222f6c4f031229bca113f29fec17 to {md5}b5c161b466bf90e2c4892ce8334362cf
May 1 19:17:25 test puppetd[21941]: (//default/firewall[rhel4]/rhel4_firewall/Exec[rhel4_firewall_system-config-securitylevel]) Triggering 'refresh' from 2 dependencies
So all day today Luke helped chase around the code to try and figure
out where puppet was either getting the wrong contents from or whether
puppet was somehow screwing up the md5 hash. We finally figured out
that the innocent `system-config-securitylevel-tui -q`, which I had
assumed doesn't modify anything, actually adds a comment to the top of
the file. Thus puppet fought with system-config-securitylevel-tui
about what the contents of the file should be every time it ran.
The solution: add system-config-securitylevel-tui's comment to the
template so that we have:
# Configuration file for system-config-securitylevel
--enabled
<% firewall_ports.each do |port| -%>
--port=<%= port %>
<% end -%>
The lesson: double-check that any commands you call from puppet do not
modify files that puppet manages with an md5.
If Luke ever finds himself in Seattle he'll have a beer waiting for
him.
Thanks
Brian
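An added example for the lesson above, not part of Brian's post and not
Puppet's own code: a small POSIX shell check that snapshots a managed
file's digest, runs the command you intend to trigger from a refreshonly
exec, and reports whether the file changed, printing the diff so you can
see what to fold into the template. The fake_securitylevel_tui function is
a constructed stand-in for `system-config-securitylevel-tui -q` that only
prepends the header comment described in the post; md5sum is assumed to
be present, with POSIX cksum as the fallback.

```shell
#!/bin/sh
# Added example, not from the original post: check that a command leaves a
# Puppet-managed file byte-for-byte unchanged, so a refreshonly exec cannot
# fight with the File resource that notifies it.

# Digest helper: md5sum where available (assumed), POSIX cksum otherwise.
file_digest() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1,2
    fi
}

# check_idempotent FILE CMD [ARGS...]
# Returns 0 if FILE is unchanged after CMD, 1 if CMD modified it (the diff
# goes to stderr so you can see what to fold into the template), 2 if CMD
# itself failed.
check_idempotent() {
    _file="$1"; shift
    _before=$(file_digest "$_file")
    _snap=$(mktemp)
    cp "$_file" "$_snap"
    if ! "$@"; then
        rm -f "$_snap"
        return 2
    fi
    _after=$(file_digest "$_file")
    if [ "$_before" = "$_after" ]; then
        rm -f "$_snap"
        return 0
    fi
    echo "$_file was modified by: $*" >&2
    diff -u "$_snap" "$_file" >&2 || :
    rm -f "$_snap"
    return 1
}

# Constructed stand-in for 'system-config-securitylevel-tui -q': it prepends
# the header comment the post says the real tool adds, and nothing else.
fake_securitylevel_tui() {
    _conf="$1"
    _hdr='# Configuration file for system-config-securitylevel'
    if [ "$(head -n 1 "$_conf")" != "$_hdr" ]; then
        _tmp=$(mktemp)
        { echo "$_hdr"; cat "$_conf"; } > "$_tmp"
        mv "$_tmp" "$_conf"
    fi
}

# Demo: the post's rendered template without, then with, the header comment.
demo() {
    _demo=$(mktemp)
    printf '%s\n' '--enabled' '--port=22:tcp' '--port=8139:tcp' > "$_demo"
    _rc1=0; check_idempotent "$_demo" fake_securitylevel_tui "$_demo" || _rc1=$?
    printf '%s\n' '# Configuration file for system-config-securitylevel' \
        '--enabled' '--port=22:tcp' '--port=8139:tcp' > "$_demo"
    _rc2=0; check_idempotent "$_demo" fake_securitylevel_tui "$_demo" || _rc2=$?
    rm -f "$_demo"
    echo "without header: rc=$_rc1 (fights with Puppet); with header: rc=$_rc2 (stable)"
}

demo
```

Against a real box you would run check_idempotent on a scratch copy of
/etc/sysconfig/system-config-securitylevel with the actual
`/usr/bin/system-config-securitylevel-tui -q` as the command, and adjust
the template until it returns 0; anything else means every Puppet run
rewrites the file, refreshes the exec, and restarts the firewall.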