I have noticed a very strange problem on CentOS 7 nodes where they are collecting and/or applying their exported resources. I have a class called "brazos::firewall" that's used internally to export a firewall rule that is then collected by "brazos::gw" to allow specific systems through the gateway server's NAT. Below are the actual classes. I've found that on CentOS 6 systems, the resource is correctly exported (NOT applied by exporting host) and collected by the gw server. On CentOS 7 systems the resource is exported, and also applied by the exporting host when it's not supposed to be.
All systems are running Puppet 3.6.2. I have tested this issue using the Puppetlabs yum repo version of Puppet as well as the EPEL7 version; both show this issue.
How can this behavior be debugged?
I have looked in /var/lib/puppet/state/classes.txt on the nodes incorrectly applying their exported resource and the "brazos::gw" class is not listed. I have no idea WHY the Firewall resource is being applied when it should be exported.
I am using Hiera to assign classes and set parameters and Foreman to set the environment and provide various top-scope variables. The only thing applied to EL7 systems that's different than EL6 systems in my Hiera configuration is the path to EPEL repos, paths to a few commands (like mco), and the Puppet version. No separate classes are applied that differ from EL6 systems.
Thanks
- Trey
brazos::firewall:

class brazos::firewall (
  $allow_forward = false,
) inherits brazos::params {

  validate_bool($allow_forward)

  if $allow_forward {
    @@firewall { "050 allow forward ${::fqdn}":
      ensure => 'present',
      chain  => 'FORWARD',
      action => 'accept',
      proto  => 'all',
      source => $::fqdn,
      tag    => 'allow_forward',
    }
  }
}

brazos::gw:

class brazos::gw (
  $private_interface = 'UNSET',
  $ib_interface      = 'ib0',
  $public_interface  = 'UNSET',
) inherits brazos::params {

  <snip>

  Firewall <<| tag == 'allow_forward' |>>

  <snip>
}