jrojas
2009-May-01 18:58 UTC
[Puppet Users] camptocamp puppet-iptables constantly applying changes?
In the pastie here: http://pastie.org/465261

The same set of rules are applied on each run. I used numbers as the names to sort the rules accordingly since iptables rules' order does matter. Has anyone been using this module/plugin? I haven't tried using a-z for the names of the rules, and there are no specified dependencies of each rule (requires,before,after).

Any suggestions or help are welcome :)

-Jason

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Marc Fournier
2009-May-04 08:03 UTC
[Puppet Users] Re: camptocamp puppet-iptables constantly applying changes?
Hi,

> The same set of rules are applied on each run. I used numbers as the
> names to sort the rules accordingly since iptables rules' order does
> matter. Has anyone been using this module/plugin? I haven't tried
> using a-z for the names of the rules, and there are no specified
> dependencies of each rule (requires,before,after).

It is an issue I am aware of, which is irritating me, and which I must investigate.

Using a-z names instead of numbers shouldn't solve the problem. I've only noticed this on hosts with a fair amount of iptable resources declared. So I believe one or several rules built by puppet don't match the output of iptables-save. This leads puppet to think something has changed.

I previously used regular require/before/after dependencies but I switched to alphabetical ordering because of another "always running" issue. Unless you declared strictly linear dependencies (first rule before 2nd rule, 2nd rule before 3rd rule, etc) you depended on puppet's random ordering of resources. And in this case, a different ordering might mean something completely different, maybe even the opposite of what is intended.

This wasn't too much of an issue when all resources were declared in the same file (for instance inside a node{}). But my idea was to include different iptable{} resources in different modules, which weren't all included on each node. And this led to loads of failed dependencies.

I'll try to have a look at this issue soon. Thanks for the feedback!

Marc
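
The mismatch Marc suspects can be narrowed down by comparing each declared rule with the `iptables-save` output twice, once literally and once after normalisation. The Ruby sketch below is an added example, not code from the thread or from the puppet-iptables module; the rule names, sample rules and the simplified normalisation (IPv4 `/32`, implicit `-m <proto>`, option order) are assumptions made for illustration.

```ruby
require 'shellwords'

# Constructed sample, modelled on how current iptables-save prints rules.
SAVED = <<~EOS
  *filter
  :INPUT ACCEPT [0:0]
  -A INPUT -s 10.0.0.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
  -A INPUT -p icmp -j ACCEPT
  COMMIT
EOS

# Rules as a manifest author might write them (constructed, hypothetical names).
DECLARED = {
  '001 ssh'  => '-A INPUT -p tcp --dport 22 -s 10.0.0.1 -j ACCEPT',
  '002 icmp' => '-A INPUT -p icmp -j ACCEPT',
  '003 http' => '-A INPUT -p tcp --dport 80 -j ACCEPT'
}.freeze

# Reduce a rule to a sorted list of [option, args...] groups so that two
# spellings of the same rule compare equal. Simplified: IPv4 only, no "!".
def canonical(rule)
  opts = []
  Shellwords.split(rule).each do |tok|
    opts << [] if opts.empty? && !tok.start_with?('-')
    tok.start_with?('-') ? opts << [tok] : opts.last << tok
  end
  proto = opts.find { |o| %w[-p --protocol].include?(o[0]) }&.at(1)
  # iptables-save adds "-m tcp" after "-p tcp" when port options are used.
  opts.reject! { |o| o[0] == '-m' && o[1] == proto }
  # A bare host address is printed back with an explicit /32 mask.
  opts.each { |o| o[1] += '/32' if %w[-s -d].include?(o[0]) && o[1] && !o[1].include?('/') }
  opts.sort
end

# name => :textual_only (same rule, different text, so a literal comparison
# reports a change on every run) or :missing (rule really is not loaded).
def drift(declared, saved_text)
  saved = saved_text.lines.map(&:strip).select { |l| l.start_with?('-A ') }
  saved_canon = saved.map { |l| canonical(l) }
  declared.each_with_object({}) do |(name, rule), out|
    next if saved.include?(rule)
    out[name] = saved_canon.include?(canonical(rule)) ? :textual_only : :missing
  end
end

drift(DECLARED, SAVED).each { |name, why| puts "#{name}: #{why}" }
```

Rules reported as `:textual_only` are the candidates for a resource that is re-applied on every run although the firewall already contains it.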