Puppet users - Oct 2011 - help with the firewall puppet forge module

Hi,

 I''m new to the puppet forge - I decided to give the puppetlabs
firewall module a try.  I ran:

cd /etc/puppet/modules  # yes - this is where my modules go
puppet-module install puppetlabs-firewall

and I modified my puppet.conf to include the "pluginsync = true" in
the [agent] section.  When I tried adding the following to my snmp
module:

firewall { "allow-snmp": action => ''accept'', }

I got:

err: Could not autoload firewall: no such file to load --
puppet/util/firewall at /etc/puppet/modules/snmp/manifests/config.pp:9
on node ns2.math.osu.edu

I tried "puppet describe firewall" and got:

Could not run: Could not autoload
/etc/puppet/modules/firewall/lib/puppet/type/firewall.rb: no such file
to load -- puppet/util/firewall

Help?

...dave

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Dave, you may have an older version of puppet-module tool that requires you
to do:

mv puppetlabs-firewall firewall

Newer versions strip the user prefix from the module name automatically.



On Tue, Oct 25, 2011 at 2:49 PM, David Alden <dave@alden.name> wrote:
> Hi,
>
>  I''m new to the puppet forge - I decided to give the puppetlabs
> firewall module a try.  I ran:
>
> cd /etc/puppet/modules  # yes - this is where my modules go
> puppet-module install puppetlabs-firewall
>
> and I modified my puppet.conf to include the "pluginsync = true"
in
> the [agent] section.  When I tried adding the following to my snmp
> module:
>
> firewall { "allow-snmp": action => ''accept'',
}
>
> I got:
>
> err: Could not autoload firewall: no such file to load --
> puppet/util/firewall at /etc/puppet/modules/snmp/manifests/config.pp:9
> on node ns2.math.osu.edu
>
> I tried "puppet describe firewall" and got:
>
> Could not run: Could not autoload
> /etc/puppet/modules/firewall/lib/puppet/type/firewall.rb: no such file
> to load -- puppet/util/firewall
>
> Help?
>
> ...dave
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
>

-- 
Nigel Kersten
Product Manager, Puppet Labs

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi,

On Oct 25, 2011, at Oct 25, 6:20 PM, Nigel Kersten
wrote:
> Dave, you may have an older version of puppet-module tool that requires you
to do:
> 
> mv puppetlabs-firewall firewall
> 
> Newer versions strip the user prefix from the module name automatically.
I''m running 0.3.4.  The module was installed in the firewall directory
(not puppetlabs-firewall).  Any other ideas?  :-)

...thnx,
...dave

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Try restarting your puppetmaster and trying again.

ken.

On Wed, Oct 26, 2011 at 2:29 AM, David Alden <dave@alden.name>
wrote:
> Hi,
>
> On Oct 25, 2011, at Oct 25, 6:20 PM, Nigel Kersten wrote:
>> Dave, you may have an older version of puppet-module tool that requires
you to do:
>>
>> mv puppetlabs-firewall firewall
>>
>> Newer versions strip the user prefix from the module name
automatically.
>
> I''m running 0.3.4.  The module was installed in the firewall
directory (not puppetlabs-firewall).  Any other ideas?  :-)
>
> ...thnx,
> ...dave
>
> --
> You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi,

On Oct 25, 2011, at Oct 25, 9:42 PM, Ken Barber wrote:
> Try restarting your puppetmaster and trying again.
Nope - same problem.  Thanks for the suggestion.

...dave

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Did you run puppet agent -t on your master?

Check your /var/lib/puppet/lib/puppet/util directory ... and let me
know if there is a copy of firewall.rb in there before and after
running puppet agent on your master.

ken.

On Wed, Oct 26, 2011 at 2:47 AM, David Alden <dave@alden.name>
wrote:
> Hi,
>
> On Oct 25, 2011, at Oct 25, 9:42 PM, Ken Barber wrote:
>> Try restarting your puppetmaster and trying again.
>
> Nope - same problem.  Thanks for the suggestion.
>
> ...dave
>
> --
> You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

FWIW, I use this as `puppetlabs-firewall'' and the resource name
`firewall''.

On Tue, Oct 25, 2011 at 6:54 PM, Ken Barber <ken@puppetlabs.com> wrote:
> Did you run puppet agent -t on your master?
>
> Check your /var/lib/puppet/lib/puppet/util directory ... and let me
> know if there is a copy of firewall.rb in there before and after
> running puppet agent on your master.
>
> ken.
>
> On Wed, Oct 26, 2011 at 2:47 AM, David Alden <dave@alden.name> wrote:
> > Hi,
> >
> > On Oct 25, 2011, at Oct 25, 9:42 PM, Ken Barber wrote:
> >> Try restarting your puppetmaster and trying again.
> >
> > Nope - same problem.  Thanks for the suggestion.
> >
> > ...dave
> >
> > --
> > You received this message because you are subscribed to the Google
Groups
> "Puppet Users" group.
> > To post to this group, send email to puppet-users@googlegroups.com.
> > To unsubscribe from this group, send email to
> puppet-users+unsubscribe@googlegroups.com.
> > For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
> >
> >
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi,

On Oct 25, 2011, at Oct 25, 9:54 PM, Ken Barber wrote:
> Did you run puppet agent -t on your master?
No, I hadn''t.  Is that mentioned in the instructions, or should I have
known that?  :-)

I''m setting up a new puppet server (sadly I''ve been running
the same old version since the guy who set it up left a few years ago - Hi Jeff
:-).  I haven''t set up any rules for the puppet server, so I
hadn''t run the agent on it yet.

> Check your /var/lib/puppet/lib/puppet/util directory ... and let me
> know if there is a copy of firewall.rb in there before and after
> running puppet agent on your master.
It wasn''t there before, but it''s there now.

...thnx,
...dave

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On 25 October 2011 22:49, David Alden <dave@alden.name> wrote:
> I got:
>
> err: Could not autoload firewall: no such file to load --
> puppet/util/firewall at /etc/puppet/modules/snmp/manifests/config.pp:9
> on node ns2.math.osu.edu
>
> I tried "puppet describe firewall" and got:
>
> Could not run: Could not autoload
> /etc/puppet/modules/firewall/lib/puppet/type/firewall.rb: no such file
> to load -- puppet/util/firewall
>
For the benefit of the archives, you''ll also see the same error if used
in
master-less setup with "puppet apply".

It''s related to this bug: https://projects.puppetlabs.com/issues/4248

A hacky workaround is to make all the requires relative to __FILE__ like
this: https://gist.github.com/1315760

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Thanks Dan - I''ve submitted a pull request and created a ticket around
this.

http://projects.puppetlabs.com/issues/10295

I''ve also updated the README to be more descriptive about restarting
and pluginsync if the workaround doesn''t do what we want.

I''ve tested this standalone - and it seems to work well. I''ve
also
tested it in a single environment and it works without pluginsync or
restart.

Multi-environments still require pluginsync it would seem. If you have
any ideas around this let me know - I believe this might be another
puppet related bug. Regardless the doc specifies what to do in this
case so I hope I''ve covered all possible angles now.

Thanks !

ken.

On Wed, Oct 26, 2011 at 9:14 AM, Dan Carley <dan.carley@gmail.com>
wrote:
> On 25 October 2011 22:49, David Alden <dave@alden.name> wrote:
>>
>> I got:
>>
>> err: Could not autoload firewall: no such file to load --
>> puppet/util/firewall at /etc/puppet/modules/snmp/manifests/config.pp:9
>> on node ns2.math.osu.edu
>>
>> I tried "puppet describe firewall" and got:
>>
>> Could not run: Could not autoload
>> /etc/puppet/modules/firewall/lib/puppet/type/firewall.rb: no such file
>> to load -- puppet/util/firewall
>
> For the benefit of the archives, you''ll also see the same error if
used in
> master-less setup with "puppet apply".
> It''s related to this
bug: https://projects.puppetlabs.com/issues/4248
> A hacky workaround is to make all the requires relative to __FILE__ like
> this: https://gist.github.com/1315760
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi,
  So now I''m not getting any errors when I put the following in one of
my classes:

      firewall { "allow-snmp":
        proto => ''all'',
        dport => ''161'',
        action => ''accept'',
      }

But I''m also not seeing any change in my iptables firewall (nor am I
seeing anything about the firewall module in the debug output).  Do I have to
include another command to get this to take affect?

...thnx,
...dave

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi Dave,

Is the class getting included properly? You should be getting:

err: Could not run Puppet configuration client: Parameter name failed:
Invalid value "allow-snmp".

Which is what I''m seeing when I use that rule. The rules need numbers
for ordering:

      firewall { "500 allow-snmp":
        proto => ''all'',
        dport => ''161'',
        action => ''accept'',
      }

And will generally reject any namevars that don''t have them.

ken.

On Wed, Oct 26, 2011 at 3:39 PM, Dave Alden <dave@alden.name>
wrote:
> Hi,
>  So now I''m not getting any errors when I put the following in one
of my classes:
>
>      firewall { "allow-snmp":
>        proto => ''all'',
>        dport => ''161'',
>        action => ''accept'',
>      }
>
> But I''m also not seeing any change in my iptables firewall (nor am
I seeing anything about the firewall module in the debug output).  Do I have to
include another command to get this to take affect?
>
> ...thnx,
> ...dave
>
> --
> You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi,

On Oct 26, 2011, at 10:55 AM, Ken Barber wrote:
> Is the class getting included properly? You should be getting:
> 
> err: Could not run Puppet configuration client: Parameter name failed:
> Invalid value "allow-snmp".
I believe it is.  I was not getting the error, but I''ve gone ahead and
added the number, so now I have the following in my snmp::config class:

      firewall { "500 allow-snmp":
        proto => ''all'',
        dport => ''162'',
        action => ''accept'',
      }

      notify{ "notify: after firewall statement":}

My node includes the snmp class, which includes the snmp::config class.  When I
run "puppet agent -t", I''m getting:

/usr/lib/ruby/site_ruby/1.8/puppet/provider/package/msi.rb:50: warning:
parenthesize argument(s) for future version
info: Caching catalog for ns2.math.osu.edu
info: Applying configuration version ''1319642997''
notice: notify: after firewall statement
notice: /Stage[main]/Snmp::Config/Notify[notify: after firewall
statement]/message: defined ''message'' as ''notify:
after firewall statement''
notice: Finished catalog run in 4.96 seconds


...dave

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Odd that you get no results.

I''m curious. What is the output of ''iptables-save'' on
your box?

Also ... can you do a:

puppet resource firewall

And does it return anything? Try inserting a rule and testing it as
well (rule needs a number - but we are fixing that now).

ken.

On Wed, Oct 26, 2011 at 4:33 PM, Dave Alden <dave@alden.name>
wrote:
> Hi,
>
> On Oct 26, 2011, at 10:55 AM, Ken Barber wrote:
>> Is the class getting included properly? You should be getting:
>>
>> err: Could not run Puppet configuration client: Parameter name failed:
>> Invalid value "allow-snmp".
>
> I believe it is.  I was not getting the error, but I''ve gone ahead
and added the number, so now I have the following in my snmp::config class:
>
>      firewall { "500 allow-snmp":
>        proto => ''all'',
>        dport => ''162'',
>        action => ''accept'',
>      }
>
>      notify{ "notify: after firewall statement":}
>
> My node includes the snmp class, which includes the snmp::config class.
 When I run "puppet agent -t", I''m getting:
>
> /usr/lib/ruby/site_ruby/1.8/puppet/provider/package/msi.rb:50: warning:
parenthesize argument(s) for future version
> info: Caching catalog for ns2.math.osu.edu
> info: Applying configuration version ''1319642997''
> notice: notify: after firewall statement
> notice: /Stage[main]/Snmp::Config/Notify[notify: after firewall
statement]/message: defined ''message'' as ''notify:
after firewall statement''
> notice: Finished catalog run in 4.96 seconds
>
>
> ...dave
>
> --
> You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi,

On Oct 26, 2011, at 11:50 AM, Ken Barber wrote:
> Odd that you get no results.
> 
> I''m curious. What is the output of
''iptables-save'' on your box?
> 
> Also ... can you do a:
> 
> puppet resource firewall
> 
> And does it return anything? Try inserting a rule and testing it as
> well (rule needs a number - but we are fixing that now).
I''m an idiot.  I had put the pluginsync = true on the server, not on
the client machine.  Once I added that, it worked as expected.  Sorry to waste
your time.  If there''s any way you can make puppet throw an error in
this situation - it might help future idiots like me.  :-)

...dave

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Lol. Yeah I''m surprised puppet didn''t break on that.

So we''ve pushed 0.0.2 with a fix for your puppet/util/firewall problem
- so thanks a lot for that :-). The next person might have an easier
time of it I hope.

ken.

On Wed, Oct 26, 2011 at 10:29 PM, Dave Alden <dave@alden.name>
wrote:
> Hi,
>
> On Oct 26, 2011, at 11:50 AM, Ken Barber wrote:
>> Odd that you get no results.
>>
>> I''m curious. What is the output of
''iptables-save'' on your box?
>>
>> Also ... can you do a:
>>
>> puppet resource firewall
>>
>> And does it return anything? Try inserting a rule and testing it as
>> well (rule needs a number - but we are fixing that now).
>
> I''m an idiot.  I had put the pluginsync = true on the server, not
on the client machine.  Once I added that, it worked as expected.  Sorry to
waste your time.  If there''s any way you can make puppet throw an error
in this situation - it might help future idiots like me.  :-)
>
> ...dave
>
> --
> You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.