# puppet
  • s

    Slackbot

    05/06/2022, 9:44 AM
    This message was deleted.
  • s

    Sam

    05/06/2022, 10:17 AM
    You are right here. There is a common thing between these 3 servers, i.e. the hostname (fqdn) itself:
    tcp-pub-app1-bla.bbb-qc.aws.aaa.com
    tcp-pub-app2-bla.bbb-qc.aws.aaa.com
    tcp-pub-app3-bla.bbb-qc.aws.aaa.com
    As of now, I have ignored etcsshsshd CIS on these 3 node definitions in controlrepo hiera and manually applied the rules required, so that puppet is not updating the sshd_config file on these 3 nodes
    ---
    
    cem_linux::config:
      ignore:
        - ensure_permissions_on_etcsshsshd_config_are_configured
  • a

    Allahshukur Ahmadzada

    05/06/2022, 10:47 AM
    Wouldn't it be good if the service resource type supported unless/onlyif parameters? I need to check the configuration before restarting the service, and for this I use a separate exec resource and require it on the service. This works but causes a corrective status all the time.
  • b

    bastelfreak

    05/06/2022, 10:48 AM
    you can update your systemd file so the service does a validation before the actual start
  • a

    Allahshukur Ahmadzada

    05/06/2022, 10:55 AM
    I know it looks ugly, but what do you think about using the unless parameter in exec and copying the command there too? It works but it's kinda funny
  • a

    Allahshukur Ahmadzada

    05/06/2022, 10:55 AM
    exec { 'check_auth':
      command => 'pdns_server --config=check',
      path    => ['/usr/bin', '/usr/sbin/', '/usr/local/sbin'],
      unless  => 'pdns_server --config=check'
    }
  • a

    Allahshukur Ahmadzada

    05/06/2022, 10:56 AM
    let's use a thread
  • m

    Massimiliano (Max)

    05/06/2022, 10:57 AM
    @Allahshukur Ahmadzada this is builtin with the module.... for instance haproxy module runs a check before trying to restart.
  • m

    Massimiliano (Max)

    05/06/2022, 10:57 AM
    PDNS ... lemme check.... I have it as well
  • a

    Allahshukur Ahmadzada

    05/06/2022, 10:57 AM
    I am building module myself
  • a

    Allahshukur Ahmadzada

    05/06/2022, 10:59 AM
    above exec works fine, do you see any problem having such exec and requiring it on service?
  • b

    bastelfreak

    05/06/2022, 10:59 AM
    yes. it's not idempotent
  • a

    Allahshukur Ahmadzada

    05/06/2022, 11:00 AM
    if the service resource had unless/onlyif, would it be idempotent?
  • b

    bastelfreak

    05/06/2022, 11:01 AM
    this is not really how puppet is designed to work
  • b

    bastelfreak

    05/06/2022, 11:01 AM
    what's the goal you aim for? To not restart a service if the config file is bad?
  • a

    Allahshukur Ahmadzada

    05/06/2022, 11:01 AM
    yes
  • b

    bastelfreak

    05/06/2022, 11:02 AM
    use a systemd dropin to add
    ExecStartPre=/usr/bin/pdns_server --config=check
    to the unit
  • m

    Massimiliano (Max)

    05/06/2022, 11:02 AM
    anyway, the powerDNS module that I am using is not checking the configuration. I have put a bogus parameter and it broke the service
  • b

    bastelfreak

    05/06/2022, 11:03 AM
    is the goal to validate the config before writing it? use https://puppet.com/docs/puppet/7/types/file.html#file-attribute-validate_cmd
    👍 1
  • b

    bastelfreak

    05/06/2022, 11:04 AM
    and is there a reason for writing your own module and not using the existing one?
    ☝️ 1
  • a

    Allahshukur Ahmadzada

    05/06/2022, 11:04 AM
    what if the configuration is nested, like there are 3 different config files, and the config check checks all at once
  • a

    Allahshukur Ahmadzada

    05/06/2022, 11:05 AM
    so one file resource may fail because of another config file?
  • m

    Massimiliano (Max)

    05/06/2022, 11:05 AM
    anyhow.... the bogus parameter is not recognized by:
    pdns_recursor --config=check
  • m

    Massimiliano (Max)

    05/06/2022, 11:05 AM
    but service restart fails
  • a

    Allahshukur Ahmadzada

    05/06/2022, 11:05 AM
    I do not really understand why you are against having unless/onlyif in service
  • a

    Allahshukur Ahmadzada

    05/06/2022, 11:06 AM
    recursor has no check feature
  • m

    Massimiliano (Max)

    05/06/2022, 11:06 AM
    I have both. Let me try the other
  • a

    Allahshukur Ahmadzada

    05/06/2022, 11:07 AM
    exec { 'check_auth':
      command => 'pdns_server --config=check',
      path    => ['/usr/bin', '/usr/sbin/', '/usr/local/sbin'],
      unless  => 'pdns_server --config=check'
    }
    service { $service:
      ensure   => running,
      enable   => true,
      provider => systemd,
      require  => [ Exec['check_auth'], Package[$powerdns::authoritative_package]]
    }
  • a

    Allahshukur Ahmadzada

    05/06/2022, 11:07 AM
    this works, but it is like hack
  • m

    Massimiliano (Max)

    05/06/2022, 11:08 AM
    you're right. With authoritative server it works.