The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

Bug #15452

Chicken/Egg problem when using the purge feature of puppetlabs-firewall module

Added by Justin Ellison almost 2 years ago. Updated almost 2 years ago.

Status:ClosedStart date:07/10/2012
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:firewallSpent time:-
Target version:-
Keywords: Branch:

We've Moved!

Ticket tracking is now hosted in JIRA: https://tickets.puppetlabs.com

This issue is currently not available for export. If you are experiencing the issue described below, please file a new ticket in JIRA. Once a new ticket has been created, please add a link to it that points back to this Redmine ticket.


Description

In the README, it states that you can purge non-puppet created firewall rules by doing this:

resources { "firewall":
  purge => $ true,
}

This works as advertised, but on brand-new hosts, it causes a problem:

err: Failed to apply catalog: Parameter name failed: Could not find resource type 'firewall' at /etc/puppet/environments/production/modules/my_firewall/manifests/config.pp:12

The problem appears to be that the client is compiling the catalog before the initial plugin sync is done, so on the very first run, it doesn’t know what a ‘firewall’ resource type is yet.

I’ve even tried wrapping the above resource in an ‘if defined('firewall’)‘ conditional, but it still causes the problem. If I comment out the code, run puppet once, then uncomment it again, it works fine.

I don’t really think this is a bug in this module, it’s more of a puppet core thing. However, I was wondering if there was a known workaround that I hadn’t found yet, since this approach is outlined in the README.

History

#1 Updated by Justin Ellison almost 2 years ago

I had an incorrect copy/paste in the resource above. It’s actually this:

resources { "firewall":
  purge => true,
}

Sorry about that.

#2 Updated by Ken Barber almost 2 years ago

I can’t replicate this myself, if I remove all traces from /var/lib/puppet/lib/puppet … add a rule that doesn’t belong there and run puppet it syncs first then removes the extraneous rule. I did this test as far back as puppet 2.7.6 … are you sure pluginsync is configured on the first run?

#3 Updated by Justin Ellison almost 2 years ago

Sorry, I should have mentioned that we’re running Puppet from EPEL – we’re at 2.6.16. Probably something that was fixed in the 2.7 release?

#4 Updated by Justin Ellison almost 2 years ago

  • Status changed from Unreviewed to Closed

Nevermind, now I see what you mean by pluginsync on the first run.

Pluginsync defaults to false, so the chicken/egg is there. For anyone else that hits this issue, this thread outlines the problem and the fix: https://groups.google.com/forum/?fromgroups#!topic/puppet-users/zIqWR6CdHqs

Thanks for steering me down the right path Ken.

#5 Updated by Ken Barber almost 2 years ago

No problemo.

Also available in: Atom PDF