Hello community!

I have posted here my shorewall recipe:

http://reductivelabs.com/trac/puppet/wiki/AqueosShorewall

If anyone is interested please test and comment to see if we can improve it! :)

I also updated my facter recipe for VERIO vps servers if anyone is interested... :)

http://reductivelabs.com/trac/puppet/wiki/AqueosFacterVps

Hope that helps!

--
Cordialement,
Ghislain

_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users
On 30 May, 2007, at 05:57, ADNET Ghislain wrote:

> I have posted here my shorewall recipe:

Thank you!
On 5/30/07, ADNET Ghislain <gadnet@aqueos.com> wrote:

> Hello community!
>
> I have posted here my shorewall recipe:
>
> http://reductivelabs.com/trac/puppet/wiki/AqueosShorewall
>
> If anyone is interested please test and comment to see if we can
> improve it! :)

Thanks for the recipe - here are the results of my first attempt.

My own recipe: the shorewall class is straight from the url and is the file /etc/puppet/manifests/classes/shorewall/shorewall.pp (errors below reference line numbers in this file)

class shorewall_default_rules inherits shorewall {
    shorewall::shorewall-rule {
        'ICMP':
            action => 'ACCEPT', source => 'net', destination => '$FW', protocol => 'icmp', order => '10000';
        'ssh':
            action => 'ACCEPT', source => 'net', destination => '$FW', protocol => 'tcp', destinationport => '22', order => '20001';
        'NetBackup':
            action => 'ACCEPT', source => 'net:10.10.2.11', destination => '$FW', protocol => 'tcp', destinationport => '13724,13782', order => '20002';
    }
}

Which throws the following errors:

err: Could not create shorewall-sort-rules: 'set +o noclobber; cat /etc/shorewall/puppet/rules/*|sort --numeric-sort --key=1 | cut -d# -f2- > /etc/shorewall/rules' is both unqualifed and specified no search path at /etc/puppet/manifests/classes/shorewall/shorewall.pp:13
err: 'set +o noclobber; cat /etc/shorewall/puppet/rules/*|sort --numeric-sort --key=1 | cut -d# -f2- > /etc/shorewall/rules' is both unqualifed and specified no search path at /etc/puppet/manifests/classes/shorewall/shorewall.pp:13
err: Could not create shorewall-sort-zones: 'set +o noclobber;cat /etc/shorewall/puppet/zones/* > /etc/shorewall/zones' is both unqualifed and specified no search path at /etc/puppet/manifests/classes/shorewall/shorewall.pp:27
err: 'set +o noclobber;cat /etc/shorewall/puppet/zones/* > /etc/shorewall/zones' is both unqualifed and specified no search path at /etc/puppet/manifests/classes/shorewall/shorewall.pp:27
err: Could not create shorewall-sort-conf: 'set +o noclobber; cat /etc/shorewall/puppet/conf/* > /etc/shorewall/shorewall.conf' is both unqualifed and specified no search path at /etc/puppet/manifests/classes/shorewall/shorewall.pp:20
err: 'set +o noclobber; cat /etc/shorewall/puppet/conf/* > /etc/shorewall/shorewall.conf' is both unqualifed and specified no search path at /etc/puppet/manifests/classes/shorewall/shorewall.pp:20
err: Could not create shorewall-sort-hosts: 'set +o noclobber;cat /etc/shorewall/puppet/hosts/* > /etc/shorewall/hosts' is both unqualifed and specified no search path at /etc/puppet/manifests/classes/shorewall/shorewall.pp:27
err: 'set +o noclobber;cat /etc/shorewall/puppet/hosts/* > /etc/shorewall/hosts' is both unqualifed and specified no search path at /etc/puppet/manifests/classes/shorewall/shorewall.pp:27
err: Could not create shorewall-sort-interfaces: 'set +o noclobber;cat /etc/shorewall/puppet/interfaces/* > /etc/shorewall/interfaces' is both unqualifed and specified no search path at /etc/puppet/manifests/classes/shorewall/shorewall.pp:27
err: 'set +o noclobber;cat /etc/shorewall/puppet/interfaces/* > /etc/shorewall/interfaces' is both unqualifed and specified no search path at /etc/puppet/manifests/classes/shorewall/shorewall.pp:27
err: Could not create shorewall-sort-routestopped: 'set +o noclobber;cat /etc/shorewall/puppet/routestopped/* > /etc/shorewall/routestopped' is both unqualifed and specified no search path at /etc/puppet/manifests/classes/shorewall/shorewall.pp:27
err: 'set +o noclobber;cat /etc/shorewall/puppet/routestopped/* > /etc/shorewall/routestopped' is both unqualifed and specified no search path at /etc/puppet/manifests/classes/shorewall/shorewall.pp:27
err: Could not create shorewall-sort-policy: 'set +o noclobber;cat /etc/shorewall/puppet/policy/* > /etc/shorewall/policy' is both unqualifed and specified no search path at /etc/puppet/manifests/classes/shorewall/shorewall.pp:27
err: 'set +o noclobber;cat /etc/shorewall/puppet/policy/* > /etc/shorewall/policy' is both unqualifed and specified no search path at /etc/puppet/manifests/classes/shorewall/shorewall.pp:27

I'm not sure what the "is both unqualifed and specified no search path at /etc/puppet/manifests/classes/shorewall/shorewall.pp:27" means. Here's line 27 and friends:

18            command => "set +o noclobber; cat /etc/shorewall/puppet/$name/* > /etc/shorewall/shorewall.conf",
19            notify => Service['shorewall']
20          }
21        }
22        default: {
23          exec { "shorewall-sort-$name":
24            refreshonly => true,
25            command => "set +o noclobber;cat /etc/shorewall/puppet/$name/* > /etc/shorewall/$name",
26            notify => Service['shorewall']
27          }
28        }
29      }
30    }
31
32    shorewall-realize { ['rules','zones','interfaces','routestopped','policy','hosts','conf']: }
33
34    service { shorewall:
35      ensure => running,
36      enable => true
37    }

When I run the first command in the error messages, it works fine:

[ 16:42:21 root@ilmnirm0dt1637(pts/0):/etc/shorewall ]
# set +o noclobber; cat /etc/shorewall/puppet/rules/*|sort --numeric-sort --key=1 | cut -d# -f2- > /etc/shorewall/rules
[ 17:21:28 root@ilmnirm0dt1637(pts/0):/etc/shorewall ]
# cat rules
ACCEPT net $FW icmp -
ACCEPT net $FW tcp 22
ACCEPT net:10.10.2.11 $FW tcp 13724,13782

Cheers,
Jeff
More info:

> err: Could not create shorewall-sort-rules: 'set +o noclobber; cat
> /etc/shorewall/puppet/rules/*|sort --numeric-sort --key=1 | cut -d#
> -f2- > /etc/shorewall/rules' is both unqualifed and specified no
> search path at /etc/puppet/manifests/classes/shorewall/shorewall.pp:13
> err: 'set +o noclobber; cat /etc/shorewall/puppet/rules/*|sort
> --numeric-sort --key=1 | cut -d# -f2- > /etc/shorewall/rules' is both
> unqualifed and specified no search path at
> /etc/puppet/manifests/classes/shorewall/shorewall.pp:13

Here's line 13 and friends of shorewall.pp

 3  class shorewall {
 4
 5    # build the configuration from the files containing the rules
 6    define shorewall-realize {
 7      case $name {
 8        'rules': {
 9          exec { 'shorewall-sort-rules':
10            refreshonly => true,
11            command => "set +o noclobber; cat /etc/shorewall/puppet/rules/*|sort --numeric-sort --key=1 | cut -d# -f2- > /etc/shorewall/rules",
12            notify => Service['shorewall']
13          }
14        }
15        'conf': {
16          exec { 'shorewall-sort-conf':
17            refreshonly => true,
18            command => "set +o noclobber; cat /etc/shorewall/puppet/$name/* > /etc/shorewall/shorewall.conf",
19            notify => Service['shorewall']
20          }
21        }
Jeff Falgout wrote:

> More info:
>
>> err: Could not create shorewall-sort-rules: 'set +o noclobber; cat
>> /etc/shorewall/puppet/rules/*|sort --numeric-sort --key=1 | cut -d#
>> -f2- > /etc/shorewall/rules' is both unqualifed and specified no
>> search path at /etc/puppet/manifests/classes/shorewall/shorewall.pp:13
>> err: 'set +o noclobber; cat /etc/shorewall/puppet/rules/*|sort
>> --numeric-sort --key=1 | cut -d# -f2- > /etc/shorewall/rules' is both
>> unqualifed and specified no search path at
>> /etc/puppet/manifests/classes/shorewall/shorewall.pp:13

Two things that can go wrong here are the PATH setting for the cat command and the shell you use. I use sh as I believe puppet uses sh to work, and I set noclobber to be sure I can overwrite the file. Could you try to put the complete path to cat/sort/cut in the define? So we can rule out this possibility. I will try to do some tests on another machine today. What is the target? Debian/Fedora, etch or sarge?

One other thing, you should not need to inherit the shorewall class I think. Can you try to include it instead? I wonder if it has any effect. I will test this also this afternoon to verify :)

--
Cordialement,
Ghislain
Thanks Ghislain,

On 6/5/07, ADNET Ghislain <gadnet@aqueos.com> wrote:

> Jeff Falgout wrote:
>> More info:
>>
>>> err: Could not create shorewall-sort-rules: 'set +o noclobber; cat
>>> /etc/shorewall/puppet/rules/*|sort --numeric-sort --key=1 | cut -d#
>>> -f2- > /etc/shorewall/rules' is both unqualifed and specified no
>>> search path at /etc/puppet/manifests/classes/shorewall/shorewall.pp:13
>>> err: 'set +o noclobber; cat /etc/shorewall/puppet/rules/*|sort
>>> --numeric-sort --key=1 | cut -d# -f2- > /etc/shorewall/rules' is both
>>> unqualifed and specified no search path at
>>> /etc/puppet/manifests/classes/shorewall/shorewall.pp:13
>
> Two things that can go wrong here are the PATH setting for the cat command
> and the shell you use. I use sh as I believe puppet uses sh to work, and
> I set noclobber to be sure I can overwrite the file. Could you try to
> put the complete path to cat/sort/cut in the define? So we can rule
> out this possibility. I will try to do some tests on another machine
> today. What is the target? Debian/Fedora, etch or sarge?

The target is sled10 (SuSE).

I put the absolute path for cat, cut, and sort (/bin/cat, /usr/bin/cut, and /usr/bin/sort) into the recipe and still the same errors.

The directory /etc/shorewall/puppet is created and the subdirectories (rules, interfaces, etc) are created. I also see the files 10000, 20001, 20002 created in the rules directory with the contents defined in the class default_shorewall_rules.

> One other thing, you should not need to inherit the shorewall class I
> think. Can you try to include it instead? I wonder if it has any
> effect. I will test this also this afternoon to verify :)

I also changed the node definition to use an include of the shorewall class and the shorewall_default_rules class. Same results. Should I be doing something different?

I'll continue troubleshooting also.

Cheers,
Jeff
>> Two things that can go wrong here are the PATH setting for the cat command
>> and the shell you use. I use sh as I believe puppet uses sh to work, and
>> I set noclobber to be sure I can overwrite the file. Could you try to
>> put the complete path to cat/sort/cut in the define? So we can rule
>> out this possibility. I will try to do some tests on another machine
>> today. What is the target? Debian/Fedora, etch or sarge?
>
> The target is sled10 (SuSE).
>
> I put the absolute path for cat, cut, and sort (/bin/cat,
> /usr/bin/cut, and /usr/bin/sort) into the recipe and still the same
> errors.
>
> The directory /etc/shorewall/puppet is created and the subdirectories
> (rules, interfaces, etc) are created. I also see the files 10000,
> 20001, 20002 created in the rules directory with the contents defined
> in the class default_shorewall_rules.
>
>> One other thing, you should not need to inherit the shorewall class I
>> think. Can you try to include it instead? I wonder if it has any
>> effect. I will test this also this afternoon to verify :)
>
> I also changed the node definition to use an include of the shorewall
> class and the shorewall_default_rules class. Same results. Should I be
> doing something different?

I've made some progress:

Setting the shell in the exec type didn't make a difference - I'm not sure I have the syntax correct:

'rules': {
    exec { 'shorewall-sort-rules':
        env => 'SHELL=/bin/bash',
        refreshonly => true,
        command => "set +o noclobber; /bin/cat /etc/shorewall/puppet/rules/*| /usr/bin/sort --numeric-sort --key=1 | /usr/bin/cut -d# -f2- > /etc/shorewall/rules",
        notify => Service['shorewall']
    }
}

(Did it for all three execs)

What did make a difference was to remove the "set +o noclobber" from the commands - and it overwrote the files in /etc/shorewall - good.

I'm not quite sure as to why you used "noclobber". How are updates to the files made if noclobber is in place? I think I'm missing something here.

(And yup - I broke shorewall on my test machine since I didn't have all the shorewall configs set.)

Cheers,
Jeff
> What did make a difference was to remove the "set +o noclobber" from
> the commands - and it overwrote the files in /etc/shorewall - good.

ok so no more errors? good!

> I'm not quite sure as to why you used "noclobber". How are updates to
> the files made if noclobber is in place? I think I'm missing something
> here. (And yup - I broke shorewall on my test machine since I didn't
> have all the shorewall configs set.)

the noclobber is an option of sh (and I bet bash also) that tells the shell to overwrite if the file already exists. Without this option it would fail telling the file already exists. You can also replace it by a rm -f of the file but in case of a failure the file would be empty and this is NOT good, so I chose the noclobber option in case the clobber option is set. From the man of sh:

  If the redirection operator is >, and the noclobber option to the set builtin has been enabled, the redirection will fail if the file whose name results from the expansion of word exists and is a regular file. If the redirection operator is >|, or the redirection operator is > and the noclobber option to the set builtin command is not enabled, the redirection is attempted even if the file named by word exists.

  If set, bash does not overwrite an existing file with the >, >&, and <> redirection operators. This may be overridden when creating output files by using the redirection operator >| instead of >.

so another solution seems to use >|, ok I learned a thing today! :)

tell me if this solves all the issues, if so I will update the recipe! :)

--
Cordialement,
Ghislain
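The noclobber question Jeff raised and Ghislain's `>|` answer, worked through as an added example that is not part of the thread or of the wiki recipe. The first function reproduces the failure mode: with noclobber enabled, `>` onto an existing file is refused while `>|` still writes. The second assembles a Shorewall table from numbered fragments the way the recipe's exec does (the `ORDER#RULE` fragment format and the sample rules are constructed here from the output Jeff pasted), but it writes to a temporary file and only renames that into place when the result is non-empty, so a failed run cannot leave an empty /etc/shorewall/rules behind (the "empty file is NOT good" case Ghislain mentions). The empty-result refusal and the temp-file rename are this example's own choices, not something the recipe does.

```shell
#!/bin/sh
# Added example (not the wiki recipe's code). Fragment format is constructed:
# one line per file in FRAGDIR, "ORDER#RULE", e.g. "20001#ACCEPT net $FW tcp 22".

# noclobber_demo FILE
# Return 0 if, with noclobber on, '>' refuses to overwrite an existing file
# while '>|' still succeeds; that is the behaviour the thread ran into.
noclobber_demo() {
    f=$1
    : > "$f"                       # create the target; noclobber still off
    set -o noclobber
    plain_ok=0
    ( echo plain > "$f" ) 2>/dev/null && plain_ok=1
    pipe_ok=0
    ( echo pipe >| "$f" ) 2>/dev/null && pipe_ok=1
    set +o noclobber
    if [ "$plain_ok" -eq 0 ] && [ "$pipe_ok" -eq 1 ]; then
        return 0
    fi
    return 1
}

# assemble_table FRAGDIR OUTFILE
# Concatenate FRAGDIR/*, order numerically on the part before '#', drop that
# prefix, and install the result as OUTFILE. The pipeline writes to a
# temporary file and only renames it into place when it is non-empty: a
# pipeline's exit status is that of its last stage, so a missing fragment
# directory (cat fails, cut still exits 0) would otherwise silently install
# an empty firewall table.
assemble_table() {
    fragdir=$1
    outfile=$2
    tmp="$outfile.tmp.$$"
    # '>|' so the write works whether or not the calling shell has noclobber set.
    if ! cat "$fragdir"/* 2>/dev/null | sort -t '#' -k1,1n | cut -d '#' -f2- >| "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"               # refuse to replace a working table with nothing
        return 1
    fi
    mv -f "$tmp" "$outfile"
}
```

The functions use bare `cat`, `sort` and `cut`, so if this were called from a Puppet exec it would still need either a `path` on the exec (or the `Exec { path => ... }` default Ghislain mentions later in the thread) or fully qualified names; the redirection fix alone does not address the "unqualified and specified no search path" error.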
On Wednesday 06 June 2007, Jeff Falgout wrote:

> What did make a difference was to remove the "set +o noclobber" from
> the commands - and it overwrote the files in /etc/shorewall - good.

"set" is not a fully qualified binary name and therefore exec needs to have the "path" set.

From http://reductivelabs.com/trac/puppet/wiki/TypeReference#exec :

| The search path used for command execution. Commands must be fully qualified
| if no path is specified. Paths can be specified as an array or as a
| colon-separated list.

Regards, David

--
- hello... how are you today?
- *cough* fine *snort* *wheeze*
- thank god we are communicating over a septic medium ;)
-- Matthias Leeb, Uni f. angewandte Kunst, 2005-02-15
set is supposed to be a sh builtin command so I think it should work anyway, no?

--
Cordialement,
Ghislain
I have updated the recipe, added some simpler logic and the >| change to the exec. I recall that puppet always uses sh as a shell for exec, is it needed to specify it somewhere?

--
Cordialement,
Ghislain
On 6/6/07, ADNET Ghislain <gadnet@aqueos.com> wrote:

> I have updated the recipe, added some simpler logic and the >| change to
> the exec. I recall that puppet always uses sh as a shell for exec, is it
> needed to specify it somewhere?

I've tested the new recipe and have most of it working. I just needed to add the full path to 'cat'.

The only outstanding issue is getting shorewall to actually restart after a file change. I've added a subscribe to the shorewall service:

service { shorewall:
    ensure => running,
    restart => '/sbin/shorewall restart',
    enable => true,
    subscribe => [ FILE['/etc/shorewall/zones'],
                   FILE['/etc/shorewall/routestopped'], FILE['/etc/shorewall/policy'],
                   FILE['/etc/shorewall/rules'], FILE['/etc/shorewall/interfaces'],
                   FILE['/etc/shorewall/hosts'], FILE['/etc/shorewall/shorewall.conf'] ]
}

I've messed around with 'hasrestart' with no luck. Added the 'restart' value with no luck. When I run puppetd -t --verbose, it shows that puppet is triggering a refresh of the shorewall service, but it doesn't actually happen:

info: //global/ilmnirm0dt1637/shorewall_default_config/shorewall-rule[ssh]/File[/etc/shorewall/puppet/rules/20001]: Filebucketed to puppet with sum bd19e2f6377efb9916bc85a249f41120
notice: //global/ilmnirm0dt1637/shorewall_default_config/shorewall-rule[ssh]/File[/etc/shorewall/puppet/rules/20001]/content: changed file contents from {md5}bd19e2f6377efb9916bc85a249f41120 to {md5}3df1dc3a06f06cba45557dc885991eeb
info: //global/ilmnirm0dt1637/shorewall_default_config/shorewall-rule[ssh]/File[/etc/shorewall/puppet/rules/20001]: Scheduling refresh of Exec[shorewall-sort-rules]
notice: //global/ilmnirm0dt1637/shorewall/shorewall-realize[rules]/Exec[shorewall-sort-rules]: Triggering 'refresh' from 1 dependencies
info: //global/ilmnirm0dt1637/shorewall/shorewall-realize[rules]/Exec[shorewall-sort-rules]: Scheduling refresh of Service[shorewall]
notice: //global/ilmnirm0dt1637/shorewall/Service[shorewall]/ensure: ensure changed 'stopped' to 'running'
notice: //global/ilmnirm0dt1637/shorewall/Service[shorewall]: Triggering 'refresh' from 1 dependencies
notice: Finished configuration run in 15.30 seconds

The new rules don't take effect until I manually restart shorewall.

Any ideas?

Jeff
Jeff Falgout wrote:

> On 6/6/07, ADNET Ghislain <gadnet@aqueos.com> wrote:
>
>> I have updated the recipe, added some simpler logic and the >| change to
>> the exec. I recall that puppet always uses sh as a shell for exec, is it
>> needed to specify it somewhere?
>
> I've tested the new recipe and have most of it working. I just needed
> to add the full path to 'cat'.
>
> The only outstanding issue is getting shorewall to actually restart
> after a file change. I've added a subscribe to the shorewall service:
>
> service { shorewall:
>     ensure => running,
>     restart => '/sbin/shorewall restart',
>     enable => true,
>     subscribe => [ FILE['/etc/shorewall/zones'],
>                    FILE['/etc/shorewall/routestopped'], FILE['/etc/shorewall/policy'],
>                    FILE['/etc/shorewall/rules'], FILE['/etc/shorewall/interfaces'],
>                    FILE['/etc/shorewall/hosts'], FILE['/etc/shorewall/shorewall.conf'] ]
> }

Humm, why use the shorewall command instead of letting puppet use the init.d script?

I use:

service { shorewall:
    ensure => running,
    enable => true,
    status => 'shorewall status'
}

and it works fine on debian sarge/etch and puppet .22.4. I have tested the addition of rules and removal of rules, both restarted shorewall fine on the two boxes I use for testing them.

I wonder what goes wrong as all works on my side and it seems to me that the logic of the recipe is okay. Could you run it in debug mode?

the shorewall-realize define should refresh the service and it seems it does from your output, so it means that the service[shorewall] is the issue on your side. Please try to run in --debug to see if it gives us more information about the restart of the service :)

one thing I added on my puppet recipe is in site.pp:

Exec { path => "/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin" }

this is why I do not need the full path for my execs.

--
Cordialement,
Ghislain
On 6/7/07, ADNET Ghislain <gadnet@aqueos.com> wrote:

> Humm, why use the shorewall command instead of letting puppet use the
> init.d script?
>
> i use:
>
> service { shorewall:
>     ensure => running,
>     enable => true,
>     status => 'shorewall status'
> }
>
> and it works fine on debian sarge/etch and puppet .22.4. I have tested
> the addition of rules and removal of rules, both restarted shorewall fine
> on the two boxes I use for testing them.
>
> I wonder what goes wrong as all works on my side and it seems to me that
> the logic of the recipe is okay. Could you run it in debug mode?

I was grasping at straws trying to get shorewall to restart - that's the reason for using the 'shorewall' command.

> the shorewall-realize define should refresh the service and it seems it
> does from your output, so it means that the service[shorewall] is the
> issue on your side. Please try to run in --debug to see if it gives us
> more information about the restart of the service :)

Amazing how a little sleep helps - running in debug mode (for the countless time) I noticed that puppet was trying to 'START' shorewall, not restart. The default method for puppet is to check the process table for that process name - since shorewall is just a front end for netfilter, there isn't going to be a process named 'shorewall'. Adding the 'hasstatus => true' line to the recipe for the shorewall service solves this problem.

Everything seems to be working now. I did remove the '|' (in the cat line where it was using >|) since noclobber was removed.

Thanks for all the work put into the shorewall recipe - it's a huge hurdle for us at $employer

Jeff
> Amazing how a little sleep helps - running in debug mode (for the
> countless time) I noticed that puppet was trying to 'START' shorewall,
> not restart. The default method for puppet is to check the process
> table for that process name - since shorewall is just a front end for
> netfilter, there isn't going to be a process named 'shorewall'. Adding
> the 'hasstatus => true' line to the recipe for the shorewall service
> solves this problem.

great news indeed!

> Everything seems to be working now. I did remove the '|' (in the cat
> line where it was using >|) since noclobber was removed.
>
> Thanks for all the work put into the shorewall recipe - it's a huge
> hurdle for us at $employer

thanks, it's a pleasure to have the possibility to give a little back to the puppet community! I try to track down a little more testing and I will remove the beta flag of the recipe if all works well :)

thanks for your help in debugging!

--
Cordialement,
Ghislain
On Wednesday 06 June 2007, ADNET Ghislain wrote:

> set is supposed to be a sh builtin command so I think it should work
> anyway, no?

AFAIK puppet checks the cmd-string for qualified-ness and requires a PATH otherwise.

Regards, David
On Jun 18, 2007, at 3:26 AM, David Schmitt wrote:

> AFAIK puppet checks the cmd-string for qualified-ness and requires
> a PATH otherwise.

Exactly.

--
The covers of this book are too far apart. -- Ambrose Bierce
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
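The check David and Luke describe (Puppet inspects the command string for an absolute first word, and without a `path` it refuses anything else, whether or not sh would treat that word as a builtin), re-stated as an added shell model so the "set is a builtin" objection can be tried against it. This is illustrative code written for this page, not Puppet's implementation; `check_exec`, `first_word` and the error wording are this example's own. The `/bin/sh -c '...'` form used in the test to make a builtin-led command qualified is also this example's suggestion, and the thread's own fix is the `Exec { path => ... }` default Ghislain gives above.

```shell
#!/bin/sh
# Added example: a shell re-statement of an "is the command qualified?" check,
# modelled on the exec behaviour described in the thread. Not Puppet's code.

# first_word CMD
# The first token of a command string, as such a check sees it:
# "set +o noclobber; cat x" yields "set". Run in a subshell with globbing
# off so a '*' in the command is never expanded against the local disk.
first_word() {
    ( set -f; set -- $1; printf '%s\n' "$1" )
}

# check_exec CMD [SEARCHPATH]
# Prints "qualified" when the first word is an absolute path, "found <path>"
# when an unqualified first word resolves to an executable in the
# colon-separated SEARCHPATH, and fails with an error otherwise. A shell
# builtin such as 'set' never exists on disk, so a command starting with it
# only passes when the shell itself is named with an absolute path.
check_exec() {
    cmd=$1
    search=$2
    w=$(first_word "$cmd")
    case $w in
        /*) echo qualified; return 0 ;;
    esac
    if [ -z "$search" ]; then
        echo "error: '$cmd' is both unqualified and specified no search path" >&2
        return 1
    fi
    old_ifs=$IFS
    IFS=:
    for dir in $search; do
        if [ -x "$dir/$w" ]; then
            IFS=$old_ifs
            echo "found $dir/$w"
            return 0
        fi
    done
    IFS=$old_ifs
    echo "error: could not find '$w' in search path '$search'" >&2
    return 1
}
```

Note that with a search path set, `set +o noclobber; cat ...` still fails this check, because the search is for a file named `set`; that is why the recipe needed both a `path` (or fully qualified names) and a command whose first word is a real executable.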