Can I check if a port is open for DSL? I need to check if the box has an acl allowing the nagios server to connect via nrpe before writing nagios config. If the port is closed I would like to defer the checks to mcollective.

--
David Garvey

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Tue, Mar 27, 2012 at 11:05 AM, david.garvey@gmail.com <david.garvey@gmail.com> wrote:

> Can I check if a port is open for DSL? I need to check if the box has an
> acl allowing the nagios server to connect via nrpe before writing nagios
> config. If the port is closed I would like to defer the checks to
> mcollective.

This is possible, but it would traditionally be done by writing a custom fact to parse the output of netstat or iptables or something similar.

Really though, would it be better to just have Puppet manage the state of the port explicitly using something like the firewall module [1]?

[1] http://forge.puppetlabs.com/puppetlabs/firewall

-Jeff
Hi David,

On Tuesday, 27 March 2012 19:05:09 UTC+1, David Garvey wrote:

> Can I check if a port is open for DSL? I need to check if the box has an
> acl allowing the nagios server to connect via nrpe before writing nagios
> config.

[...]

Managing firewall using Puppet as well, as per what Jeff suggested, is of course the preferred way to solve this sort of problem, but if you need to check whether a port is open, then have a look:
https://github.com/kwilczynski/puppet-functions/blob/master/lib/puppet/parser/functions/is_port_open.rb

Jeff will probably not approve of that :-)

KW
On Tue, Mar 27, 2012 at 2:24 PM, Krzysztof Wilczynski <krzysztof.wilczynski@linux.com> wrote:

> Hi David,
>
> On Tuesday, 27 March 2012 19:05:09 UTC+1, David Garvey wrote:
>>
>> Can I check if a port is open for DSL? I need to check if the box has an
>> acl allowing the nagios server to connect via nrpe before writing nagios
>> config.
>
> [...]
>
> Managing firewall using Puppet as well, as per what Jeff suggested, is of
> course the preferred way to solve this sort of problem, but if you need to
> check whether a port is open, then have a look:
> https://github.com/kwilczynski/puppet-functions/blob/master/lib/puppet/parser/functions/is_port_open.rb
>
> Jeff will probably not approve of that :-)

Eh, I may surprise you... I don't think my approval matters much at all and I'm a fan of whatever works for the problem at hand given the tools we have today.

I can totally see the value of a function that automatically figures out if a remote port is _actually_ open and listening, rather than _should_ be open and listening, from the perspective of the Puppet master.

With that said, I'm more interested in the problem David is facing than I am in a specific solution because I'm pretty sure Puppet doesn't have the capability to solve this in an elegant, simple and easy way. We can solve it with a custom function or custom fact today, but I'd like to make this easier for everyone in the future.

-Jeff
david.garvey@gmail.com
2012-Mar-28 00:00 UTC
Re: [Puppet Users] Re: dsl check if port is open
Thanks Jeff and Krzysztof,

I think I will write a facter using netcat or something then and catch it in the manifests.

nc -z domain_name port

Cheers,
DGarvey
Krzysztof Wilczynski
2012-Mar-28 08:38 UTC
Re: [Puppet Users] Re: dsl check if port is open
Hi David,

No problem, although there are a few things to consider. For instance, I would avoid unneeded fork(), therefore no need to use netcat if you can achieve the same thing with pure Ruby (you can literally copy and paste code from the function I have created for you).

Remember that, in terms of having a fact there, you have to maintain details about the remote port in the fact code, whereas in the case of the functions you simply store this information inside a manifest.

But, to be quite honest, if you have to resort to such active checks in order to determine state of your systems and therefore make an elaborated decision in the code about what to do, then I would say that you are doing something not necessarily right.

Well, in the end "whatever works" as Woody Allen would say :)

KW
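Added example (not part of the thread, and not the code of the is_port_open function linked above): a pure-Ruby TCP probe with a bounded timeout, the kind of check the last message describes as an alternative to forking netcat. It separates a refused connection from a silent drop, which is what an ACL usually produces; `tcp_port_state` and `check_transport` are hypothetical names.

```ruby
require 'socket'

# Added example; tcp_port_state and check_transport are hypothetical names.
# The result describes reachability from the machine running the probe:
# the Puppet master for a parser function, the agent itself for a fact.
#
#   :open       - handshake completed, a service is listening
#   :closed     - connection refused (no listener, or a rule that rejects)
#   :filtered   - no answer within the timeout (typical of a rule that drops)
#   :unresolved - the host name could not be resolved
def tcp_port_state(host, port, timeout = 2)
  # The block value is returned and the socket is closed on exit.
  Socket.tcp(host, port, connect_timeout: timeout) { :open }
rescue Errno::ECONNREFUSED
  :closed
rescue SocketError
  :unresolved
rescue SystemCallError, IOError
  # ETIMEDOUT, EHOSTUNREACH, ENETUNREACH, or a timeout raised as an IOError subclass
  :filtered
end

# The decision from the original question: use NRPE only when the port
# really answers, otherwise defer the checks to MCollective.
def check_transport(state)
  state == :open ? :nrpe : :mcollective
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo: a throwaway listener on loopback stands in for nrpe.
  listener = TCPServer.new('127.0.0.1', 0)
  port = listener.addr[1]
  puts "listening:   #{tcp_port_state('127.0.0.1', port)}"
  listener.close
  puts "after close: #{tcp_port_state('127.0.0.1', port)}"
end
```

The timeout bounds how long a dropped probe can stall a catalog compile or a fact run, so keep it small when many hosts are checked.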