# puppet-enterprise
m
```puppet
class caiso_unix_firewalld {
  package { 'firewalld':
    ensure => present,
  }

  service { 'firewalld':
    ensure => running,
    enable => true,
  }

  file { '/etc/firewalld/zones':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0750',
  }
}

class caiso_unix_firewalld::nrpe {
  require caiso_unix_firewalld

  $zonefile = $facts['caiso_environment'] ? {
    'caiso_dev' => 'nrpe_zone.dev',
    default     => 'nrpe_zone.prod',
  }

  file { '/etc/firewalld/zones/CAISO-nrpe.xml':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0640',
    source => "puppet:///modules/caiso_unix_firewalld/${zonefile}",
    notify => Service['firewalld'],
  }
}
```
```
Error: Found 1 dependency cycle:
(File[/etc/firewalld/zones/CAISO-nrpe.xml] => Service[firewalld] => Class[Caiso_unix_firewalld] => Class[Caiso_unix_firewalld::Nrpe] => File[/etc/firewalld/zones/CAISO-nrpe.xml])\nTry the '--graph' option and opening the resulting '.dot' file in OmniGraffle or GraphViz
Error: Failed to apply catalog: One or more resource dependency cycles detected in graph
```
b
a) there's a firewalld module, I highly recommend using that instead of reinventing the wheel
b) in `caiso_unix_firewalld::nrpe` you require caiso_unix_firewalld but also send a notify to a service in that class. that doesn't work
I don't see why the `require` is required. just drop that
https://github.com/voxpupuli/puppet-firewalld I recommend that, if you need to use firewalld
m
require is so that the package & service is there
b
no. require means that the package and service is defined before caiso_unix_firewalld::nrpe. that doesn't make sense in your use case
you can switch to `include` if you like
then it will float through the catalog
m
yea, now that you mention that, include would be better
c
Yup, `require caiso_unix_firewalld` means all resources declared in `caiso_unix_firewalld` have to be synced before any resources in `caiso_unix_firewalld::nrpe`. So anything in `caiso_unix_firewalld::nrpe` that tries to move before something in `caiso_unix_firewalld`, like `notify => Service['firewalld']`, is going to be a circular dependency.
m
I was looking at the firewalld module, and had started with a rich rule, rather than a zone. first time dealing with firewalld/nftables in rhel9, other admins preferred defining in zones rather than rich rules
ahhh, thanks for the explanation there @csharpsteen
c
`include caiso_unix_firewalld` just ensures the compiler has evaluated that class so that things like `Service['firewalld']` are available to form dependencies against.
m
re: firewalld, so needed a bit more time to figure out the module, when I have a couple dev/test hosts that "need it now"
thanks everyone