All, I have puppet watching various services on RHEL systems and restarting them as necessary.
Quite a while back I wrote some custom scripts as wrappers for various services so that I can have a "custom" running status. These have worked for quite a few months, but recently my iptables services have been restarting every time puppet checks in.

Problem:

    [me@host ~]$ sudo /usr/sbin/puppetd --test --noop
    info: Caching catalog for host@fakedomain
    info: Applying configuration version '1312979662'
    notice: //iptables/Service[build_iptables]/ensure: is stopped, should be running (noop)
    notice: Finished catalog run in 3.09 seconds

Excerpt from manifest that does this:

    service { "build_iptables":
        enable    => true,
        ensure    => running,
        hasstatus => true,
    }

'build_iptables' does a couple of things, but most importantly for this problem it runs a regex to look for a particular rule to see if it exists. If said rule exists it returns that the service is running; if that rule doesn't exist then it says it is not running and restarts the 'build_iptables' service (which does things to fix the issue and also restarts the "real" iptables service).

But if I run the same build_iptables script I see that it is running:

    [me@host ~]$ sudo /sbin/service build_iptables status
    iptables is running
    [me@host ~]$ echo $?
    0
    [me@host ~]$ sudo /usr/sbin/puppetd --test --noop
    info: Caching catalog for host.fakedomain
    info: Applying configuration version '1312979662'
    notice: //iptables/Service[build_iptables]/ensure: is stopped, should be running (noop)
    notice: Finished catalog run in 2.88 seconds
    [me@host ~]$ sudo /sbin/service build_iptables status
    iptables is running
    [me@host ~]$ echo $?
    0

This worked for a number of months, but recently broke. The issue is that when iptables restarts it drops its state table, and any connections that would be allowed (through the ESTABLISHED or RELATED rule) are no longer recognized and the packets are dropped.

Here is the relevant debug output:

    debug: Service[build_iptables](provider=redhat): Executing '/sbin/service build_iptables status'
    debug: Puppet::Type::Service::ProviderRedhat: Executing '/sbin/chkconfig build_iptables'
    debug: //iptables/Service[build_iptables]: Changing ensure
    debug: //iptables/Service[build_iptables]: 1 change(s)
    notice: //iptables/Service[build_iptables]/ensure: is stopped, should be running (noop)

And the log entry from the puppet service:

    Aug 11 16:12:13 host/host puppetd[4113]: (//iptables/Service[build_iptables]/ensure) ensure changed 'stopped' to 'running'

Any ideas?

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
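As an added example, not the poster's wrapper script and not code from Puppet: a `status` check of the kind the post describes (is a particular rule present in the live ruleset?), written so that what Puppet's redhat provider keys on, the exit status of `/sbin/service NAME status` (0 = running, anything else = stopped), is the check's own return value and does not depend on the caller's PATH, locale or on regex metacharacters in the rule text. The ruleset, the rule looked for and the service name are constructed for the example; the real script would read `/sbin/iptables-save` as `live_ruleset` does.

```shell
#!/bin/sh
# Added example of a status check for a custom iptables wrapper; not the
# poster's script. Assumption: "running" means one specific iptables-save
# line is present in the kernel's current ruleset.

# Constructed sample standing in for `/sbin/iptables-save` output, so the
# check can be exercised without root or a real firewall.
SAMPLE_RULESET='# Generated by iptables-save
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# The rule whose presence means the service is "running" (hypothetical choice).
WANTED_RULE='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

# rule_present RULESET RULE: 0 if RULE appears as a whole line in RULESET.
# -F: fixed string, so "." or "[" in a rule cannot widen the match.
# -x: whole line, so "-j ACCEPT" does not match "-j ACCEPT_LOG" etc.
# --: the rule starts with "-A", which grep would otherwise read as an option.
rule_present() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# live_ruleset: dump the current rules with an absolute path and the C locale,
# so the result is the same whether `service` is run by hand or by puppet.
live_ruleset() {
    LC_ALL=C /sbin/iptables-save 2>/dev/null
}

# status_code RULESET: print a message and return the LSB status code that
# Puppet's init/redhat provider reads (0 = running, 3 = stopped). The return
# value is the function's own, not the exit status of a trailing echo or of
# a pipeline, so `service build_iptables status; echo $?` shows the same
# thing puppet sees.
status_code() {
    if rule_present "$1" "$WANTED_RULE"; then
        echo "build_iptables is running"
        return 0
    fi
    echo "build_iptables is stopped"
    return 3
}

# Init-script entry point: only acts when invoked with an action argument.
case "${1:-}" in
    status) status_code "$(live_ruleset)" ;;
esac
```

When a wrapper like this is used with `hasstatus => true`, the text it prints is irrelevant to Puppet; only the exit status of the `status` action decides between "running" and "stopped", so that status is the thing to compare between an interactive run and a puppet run.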