Issue #8372 has been reported by Nick Moffitt.
----------------------------------------
Bug #8372: files that require execs land changes even when the exec exits non-zero
https://projects.puppetlabs.com/issues/8372
Author: Nick Moffitt
Status: Unreviewed
Priority: Normal
Assignee:
Category: exec
Target version:
Affected Puppet version: 2.6.4
Keywords: require exec
Branch:
In order to ensure that broken sudoers stanzas do not land on production
machines, I have a define something like the following:

    define sudoers_file($source) {
      $tmpfile = "/etc/sudoers.d/${name}.test"
      $dstfile = "/etc/sudoers.d/${name}"
      file {
        $tmpfile:
          mode    => 0440,
          source  => $source,
          notify  => Exec["sudocheck_${name}"],
          require => Class["sudo"];
        $dstfile:
          mode    => 0440, # sudo is very particular about perms
          source  => $source,
          require => Exec["sudocheck_${name}"];
      }
      exec { "/usr/sbin/visudo -c -f ${tmpfile}":
        refreshonly => true,
        alias       => "sudocheck_${name}",
      }
    }

When the source file has bogus sudoers configuration in it, the resources
proceed as follows:
1. the .test file lands
2. the exec runs `visudo -c -f` on the test file, and throws an error as it
exits with a status of 1
3. the `$dstfile` lands!
This is rather disturbing, as I was counting on the failure of the exec to
bring puppet to a grinding halt. Broken sudoers files are the kind of thing
that can really throw a spanner into repair efforts, and the situation needs to
go back to a human reviewer.
The exec would not have run if it required a file that did not successfully
land. So why does the reverse happen?
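
One way to get the fail-closed behaviour the report asks for, as an added example that is not part of the original report: on Puppet 3.5 and later (newer than the 2.6.4 reported here), the file type's `validate_cmd` parameter runs a checker against the new content before the target is replaced, and the resource fails without touching the target when the checker exits non-zero. The define reuses the report's names; the `owner` and `group` values are assumptions.

```puppet
# Added example (not from the report). Requires Puppet >= 3.5 for validate_cmd.
# The staging file and the refreshonly exec from the report are no longer
# needed: validation is part of the file resource itself, so there is no
# ordering or refresh edge whose failure could be ignored.
define sudoers_file($source) {
  file { "/etc/sudoers.d/${name}":
    ensure       => file,
    owner        => 'root',   # assumption: typical sudoers ownership
    group        => 'root',   # assumption
    mode         => '0440',   # sudo is very particular about perms
    source       => $source,
    # '%' is replaced with the path of a temporary file holding the new
    # content. A non-zero exit from visudo fails this resource and leaves
    # the existing /etc/sudoers.d/${name} untouched.
    validate_cmd => '/usr/sbin/visudo -c -f %',
    require      => Class['sudo'],
  }
}

# Usage, with a hypothetical module path:
# sudoers_file { 'ops':
#   source => 'puppet:///modules/sudo/ops',
# }
```

Because the check runs every time Puppet would rewrite the file, a bad source keeps failing on later runs until it is fixed, which is what sends the change back to a human reviewer.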