# puppet
  • c

    csharpsteen

    09/06/2022, 2:54 PM
    It looks to me like priority is only set for the Ruby process that is running Puppet: https://github.com/puppetlabs/puppet/blob/main/lib/puppet/util/limits.rb#L8 I.e. no inheritance to children.
  • s

    Slackbot

    09/06/2022, 3:21 PM
    This message was deleted.
  • j

    josh

    09/06/2022, 3:37 PM
    Yeah that's correct. There's a Windows-specific version of that method https://github.com/puppetlabs/puppet/blob/131bd9e29b802d763d7f20e1320781b0e1ccad7e/lib/puppet/util/windows/monkey_patches/process.rb#L182 which calls `SetPriorityClass` for the current process, but priority is not inherited by child processes https://docs.microsoft.com/en-us/windows/win32/procthread/inheritance
  • c

    csharpsteen

    09/06/2022, 3:45 PM
    Might be as simple as calling `Puppet::Pops::PuppetStack.top_of_stack` inside a Ruby function: https://github.com/hlindberg/tahu/blob/master/lib/puppet/functions/tahu/where.rb#L16
  • v

    Vasil U

    09/06/2022, 3:49 PM
    actually we are trying to implement some kind of acl as a wrapper on a vault call
  • s

    Slackbot

    09/06/2022, 5:16 PM
    This message was deleted.
  • a

    Allahshukur Ahmadzada

    09/06/2022, 5:16 PM
    Hi, trying to manage firewall with puppet, and most popular module is puppetlabs-firewalld. But looks like it disables firewalld and manages firewall with iptables?
  • s

    Slackbot

    09/06/2022, 7:19 PM
    This message was deleted.
  • p

    Pavlos Parissis

    09/06/2022, 8:37 PM
    I have a question about coding style related to requiring an external exec resource within a module. With the below code for a simple module that is declared by a profile
    ➜ cat init.pp
    
    class filebeat (
      Optional[Enum['6', '7']]    $major_version   = '6',
      Boolean                     $manage_repo     = true,
      Enum['present', 'absent']   $repo_ensure     = 'present',
      Optional[String]            $package_ensure  = '6.6.2',
      Enum['enabled', 'disabled'] $service_ensure  = 'enabled',
      String                      $logstash_server = 'foobar',
    ) {
      if ! ($package_ensure in ['absent', 'purged', 'disabled']) and
        (versioncmp($major_version,'7') == -1) and
        ($facts['os']['architecture'] == 'aarch64') {
        fail('filebeat supports ARM architecture only in version 7 and higher')
      }
      contain filebeat::repo
      contain filebeat::install
      contain filebeat::config
      contain filebeat::service
    
      Class['filebeat::repo']
      -> Class['filebeat::install']
      -> Class['filebeat::config']
      ~> Class['filebeat::service']
    }
    
    
    ➜ cat repo.pp
    
    class filebeat::repo {
      $repo_url    = "https://foobar/packages/${filebeat::major_version}.x/apt"
      $gpg_key_url = 'https://foobbar/GPG-KEY-el'
      $gpg_key_id  = 'foobar'
    
      if ($filebeat::manage_repo == true) and ($filebeat::repo_ensure == 'present') {
        include apt
        if !defined(Apt::Source["beats-filebeat-${filebeat::major_version}"]) {
          apt::source{"beats-filebeat-${filebeat::major_version}":
            ensure   => 'present',
            location => $repo_url,
            release  => 'stable',
            repos    => 'main',
            key      => {
              id     => $gpg_key_id,
              source => $gpg_key_url,
            },
          }
        }
      } elsif ($filebeat::manage_repo == true) and ($filebeat::repo_ensure == 'absent') {
        apt::source{"beats-filebeat-${filebeat::major_version}":
          ensure   => 'absent',
        }
      }
    }
    
    ➜ cat install.pp
    class filebeat::install {
      package { 'filebeat':
        ensure  => $filebeat::package_ensure,
        require => Exec['apt_update'], ### <=== how bad is that?
      }
    }
    How bad is it to have `require => Exec['apt_update']` in the `filebeat::install` class?
  • p

    Pavlos Parissis

    09/06/2022, 8:38 PM
    the above module is declared by a metaprofile
    ➜ cat manifests/base_runtime.pp
    class profile::base_runtime (
      Boolean $enable_auditbeat   = true,
      Boolean $enable_filebeat    = true,
    ) {
    
      if $enable_filebeat == true {
        include filebeat
      } else {
        class { 'filebeat':
          package_ensure => 'absent',
          service_ensure => 'disabled',
          repo_ensure    => 'absent',
        }
      }
    
      if $enable_auditbeat == true {
        include auditbeat
      } else {
        class { 'auditbeat':
          package_ensure => 'absent',
          service_ensure => 'disabled',
          repo_ensure    => 'absent',
          ensure_cron    => false,
        }
      }
    }
  • v

    vchepkov

    09/06/2022, 8:56 PM
    I normally avoid referring to resources from other classes. The relationship between the classes should take care of it.
  • v

    vchepkov

    09/06/2022, 8:57 PM
    In your case
    Class['filebeat::repo']
      -> Class['filebeat::install']
  • p

    Pavlos Parissis

    09/06/2022, 8:57 PM
    but I do have that
  • v

    vchepkov

    09/06/2022, 8:59 PM
    I presume it doesn't do what you want? Need to fix `apt::source` or maybe pass missing parameters
  • y

    Yorokobi

    09/06/2022, 8:59 PM
    It isn't bad per se so long as your exec call has safeguards in place to prevent it from running every time the agent runs.
  • p

    Pavlos Parissis

    09/06/2022, 9:00 PM
    it does have that safeguard
  • p

    Pavlos Parissis

    09/06/2022, 9:01 PM
    I am trying to solve this failure on the 1st puppet run after a VM is bootstrapped
    Info: Applying configuration version '1056-9ce1905f38-release_20220905T143940Z-1-g9ce1905'
    Notice: /Stage[main]/Base::Barx_agent/File[/var/tmp/BarxCloudAgent]/ensure: created
    Notice: /Stage[main]/Base::Barx_agent/Archive[BarxCloudAgent-4.6.0.56.deb]/ensure: download archive from <https://Barx-cloud-agents.s3.amazonaws.com/b1995fe1102add6f/BarxCloudAgent-4.6.0.56.deb> to /var/tmp/BarxCloudAgent/BarxCloudAgent-4.6.0.56.deb  without cleanup
    Notice: /Stage[main]/Base::Barx_agent/Package[Barx-cloud-agent]/ensure: created
    Info: /Stage[main]/Base::Barx_agent/Package[Barx-cloud-agent]: Scheduling refresh of Exec[bootstrap-Barx-agent]
    Notice: /Stage[main]/Base::Barx_agent/Exec[bootstrap-Barx-agent]/returns: Setting necessary permission for user: ubuntu
    Notice: /Stage[main]/Base::Barx_agent/Exec[bootstrap-Barx-agent]/returns: Setting necessary permission for group: ubuntu
    Notice: /Stage[main]/Base::Barx_agent/Exec[bootstrap-Barx-agent]/returns: hostid search path: /etc
    Notice: /Stage[main]/Base::Barx_agent/Exec[bootstrap-Barx-agent]: Triggered 'refresh' from 1 event
    Notice: /Stage[main]/Base::Barx_agent/Systemd::Dropin_file[Barx-cloud-agent-limits.conf]/File[/etc/systemd/system/Barx-cloud-agent.service.d]/ensure: created
    Notice: /Stage[main]/Base::Barx_agent/Systemd::Dropin_file[Barx-cloud-agent-limits.conf]/File[/etc/systemd/system/Barx-cloud-agent.service.d/Barx-cloud-agent-limits.conf]/ensure: defined content as '{sha256}ef177583d69de116cd0cb8fdc963c598025467e3734ab1cccee705dba4aa8b45'
    Info: /Stage[main]/Base::Barx_agent/Systemd::Dropin_file[Barx-cloud-agent-limits.conf]/File[/etc/systemd/system/Barx-cloud-agent.service.d/Barx-cloud-agent-limits.conf]: Scheduling refresh of Systemd::Daemon_reload[Barx-cloud-agent.service]
    Info: Systemd::Daemon_reload[Barx-cloud-agent.service]: Scheduling refresh of Exec[systemd-Barx-cloud-agent.service-systemctl-daemon-reload]
    Notice: /Stage[main]/Filebeat::Repo/Apt::Source[beats-filebeat-6]/Apt::Key[Add key: foobar from Apt::Source beats-filebeat-6]/Apt_key[Add key: foobar from Apt::Source beats-filebeat-6]/ensure: created
    Notice: /Stage[main]/Filebeat::Repo/Apt::Source[beats-filebeat-6]/Apt::Setting[list-beats-filebeat-6]/File[/etc/apt/sources.list.d/beats-filebeat-6.list]/ensure: defined content as '{sha256}833512cb911a91936674f89da969e4e3662d0dce91c62769694bb1d03b370aa3'
    Info: /Stage[main]/Filebeat::Repo/Apt::Source[beats-filebeat-6]/Apt::Setting[list-beats-filebeat-6]/File[/etc/apt/sources.list.d/beats-filebeat-6.list]: Scheduling refresh of Class[Apt::Update]
    Error: Could not update: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold --force-yes install filebeat=6.6.2' returned 100: Reading package lists...
    Building dependency tree...
    Reading state information...
    W: --force-yes is deprecated, use one of the options starting with --allow instead.
    E: Unable to locate package filebeat
    Error: /Stage[main]/Filebeat::Install/Package[filebeat]/ensure: change from 'purged' to '6.6.2' failed: Could not update: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold --force-yes install filebeat=6.6.2' returned 100: Reading package lists...
    Building dependency tree...
    Reading state information...
    W: --force-yes is deprecated, use one of the options starting with --allow instead.
    E: Unable to locate package filebeat
    Notice: /Stage[main]/Filebeat::Config/File[/etc/filebeat/filebeat.yml]: Dependency Package[filebeat] has failures: true
    Warning: /Stage[main]/Filebeat::Config/File[/etc/filebeat/filebeat.yml]: Skipping because of failed dependencies
    Warning: /Stage[main]/Filebeat::Service/Service[filebeat]: Skipping because of failed dependencies
    Info: Class[Filebeat]: Unscheduling all events on Class[Filebeat]
    Notice: /Stage[main]/Auditbeat::Repo/Apt::Source[beats-7]/Apt::Setting[list-beats-7]/File[/etc/apt/sources.list.d/beats-7.list]/ensure: defined content as '{sha256}b2b9c8c4c6397f67a74ce3b5eb55f654833e7bbbab32ca5de92c085baab0a681'
    Info: /Stage[main]/Auditbeat::Repo/Apt::Source[beats-7]/Apt::Setting[list-beats-7]/File[/etc/apt/sources.list.d/beats-7.list]: Scheduling refresh of Class[Apt::Update]
    Info: Class[Apt::Update]: Scheduling refresh of Exec[apt_update]
    Notice: /Stage[main]/Apt::Update/Exec[apt_update]: Triggered 'refresh' from 1 event
    Notice: /Stage[main]/Auditbeat::Install/Package[auditbeat]/ensure: created
  • s

    Slackbot

    09/06/2022, 9:01 PM
    This message was deleted.
  • v

    vchepkov

    09/06/2022, 9:02 PM
    and first ordering is not there
  • p

    Pavlos Parissis

    09/06/2022, 9:03 PM
    what we see here is that after the installation of the apt source definition for filebeat the apt update exec is not executed and puppet tries to install the package which is not yet in the apt cache and that fails
  • v

    vchepkov

    09/06/2022, 9:03 PM
    you need to `contain class_that_will_run_apt_update` in your `filebeat::repo` and send refresh to that class
  • v

    vchepkov

    09/06/2022, 9:03 PM
    if that class exists
  • p

    Pavlos Parissis

    09/06/2022, 9:04 PM
    the `apt::source` does send a notify
  • v

    vchepkov

    09/06/2022, 9:04 PM
    if not, just some exec
  • v

    vchepkov

    09/06/2022, 9:04 PM
    notify to what?
  • p

    Pavlos Parissis

    09/06/2022, 9:04 PM
    I guess I need to contain https://github.com/puppetlabs/puppetlabs-apt/blob/main/manifests/update.pp