Howdy folks, well after successfully rebuilding my hosed puppet environment (puppet was removing /var/lib/yum and /var/lib/rpm), I finally have a sane and mostly functioning puppet environment. However, I'm having a strange issue with applying modules via roles. In some instances it works, and in others it doesn't.
To begin with, I'm using the puppetlabs firewall module (http://forge.puppetlabs.com/puppetlabs/firewall) to drive iptables on a number of my servers. Right now it's only attempting to drive two of them: A file server and the puppet master itself, and I'm doing this using a roles module. However, it seems quite happy to apply the defined module to the file server, but not to the puppetmaster. Config below:
## ../puppet/manifests/site.pp ##
node 'JUMPBOX' {
  include role::fs_server
}
node 'PUPPETMASTER' {
  include role::puppet_master
}
## ../puppet/modules/role/init.pp ##
class role {
  include profile::base
}
class role::fs_server inherits role {
  include profile::fs_server
}
class role::puppet_master inherits role {
  include profile::puppet_master
}
## ../puppet/modules/profile/init.pp ##
class profile::base {
  notify {"Applying profile::base":}
  include ntp
  include ssh_server
  include my_fw
}
class profile::fs_server {
  notify {"Applying profile::fs_server":}
  include ssh_server::jump_box
}
class profile::puppet_master {
  notify {"Applying profile::puppet_master":}
  include puppet_master
}
As you can see it's a very very basic, skeletal config that is handling role-based module application. In the case of the 'ssh_server::jump_box' and 'puppet_master' modules, these are both firewall application rules:
## ../puppet/modules/ssh_server/manifests/init.pp ##
class ssh_server::jump_box {
  # Firewall logic (allow forwarding)
  firewall { '098 allow forwarding':
    chain => 'FORWARD',
    proto => 'tcp',
    action => 'accept',
  }
  # Firewall logic (allow ssh from all)
  firewall { '099 accept ssh from anywhere':
    chain => 'INPUT',
    state => ['NEW'],
    dport => '22',
    proto => 'tcp',
    action => 'accept',
  }
}
## ../puppet/modules/puppet_master/manifests/init.pp ##
class puppet_master {
  # Firewall Logic: Allow TCP/8140
  firewall { '200 allow puppetmaster port':
    chain => 'INPUT',
    state => ['NEW'],
    dport => '8140',
    proto => 'tcp',
    source => '<REDACTED>',
    action => 'accept',
  }
}
The JUMPBOX gets its 'ssh_server::jump_box' module just fine, but the 'puppet_master' module never gets applied to the PUPPETMASTER node. The notify code in the 'profile' module is logging the "Applying profile::fs_server" and "Applying profile::puppet_master" messages in both cases, but for some reason is skipping the 'puppet_master' module.
If I perform a:
puppet apply -e "include puppet_master"
on the PUPPETMASTER node, it runs the module just fine and modifies the firewall accordingly. Is there something completely simple that I'm just missing above? I feel like I may just have a syntax error or something wrong with the include that I'm completely ignoring :/
TIA,
C
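
One cause consistent with these symptoms, shown as an added sketch that is not part of the original post: on Puppet versions that resolve `include` names relative to the enclosing namespace (3.x and earlier, which is an assumption here since the post gives no version), `include puppet_master` inside `profile::puppet_master` finds `profile::puppet_master` itself before the top-level class, so the firewall rule is silently never declared. The Python check below models that lookup over the post's class names; `SAMPLE`, `resolve` and `find_shadowed` are hypothetical names, and the manifest text is constructed from the post with resource bodies omitted.

```python
import re

# Constructed input: class headers and include lines from the post's manifests
# (resource bodies omitted).
SAMPLE = """
class role { include profile::base }
class role::fs_server inherits role { include profile::fs_server }
class role::puppet_master inherits role { include profile::puppet_master }
class profile::base { include ntp include ssh_server include my_fw }
class profile::fs_server { include ssh_server::jump_box }
class profile::puppet_master { include puppet_master }
class ssh_server::jump_box { }
class puppet_master { }
"""

# Matches "class NAME" and "include NAME", with an optional leading "::".
TOKEN = re.compile(r"\b(class|include)\s+((?:::)?\w+(?:::\w+)*)")

def resolve(name, scope, defined):
    """Model relative lookup: try each enclosing namespace, innermost first."""
    if name.startswith("::"):
        return name[2:]                      # absolute name, no search
    parts = scope.split("::")
    for depth in range(len(parts), 0, -1):
        candidate = "::".join(parts[:depth] + [name])
        if candidate in defined:
            return candidate
    return name                              # fall back to top scope

def find_shadowed(manifest):
    """Return (scope, included_name, resolved_class) for every include that
    does not reach the top-level class of that name."""
    tokens = TOKEN.findall(manifest)
    defined = {n for kind, n in tokens if kind == "class"}
    findings, scope = [], None
    for kind, name in tokens:
        if kind == "class":
            scope = name
        elif scope and resolve(name, scope, defined) != name.lstrip(":"):
            findings.append((scope, name, resolve(name, scope, defined)))
    return findings

if __name__ == "__main__":
    for scope, name, hit in find_shadowed(SAMPLE):
        print(f"{scope}: 'include {name}' resolves to {hit}; use 'include ::{name}'")
```

Under the same assumption, `include ssh_server::jump_box` is unaffected because no class named `profile::ssh_server::jump_box` exists, which matches the JUMPBOX behaving correctly.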