Disabling a module on a particular node type ...

Matt Wise

Dec 16, 2014, 12:14:54 PM
to puppet...@googlegroups.com
We're using Puppet to build up a few docker containers, and we find that the puppetlabs-firewall module throws some errors during initial compilation. These errors are ignorable ... but they're obnoxious. Is there a way to explicitly disable a module from being parsed for a particular node type?

Debug: Puppet::Type::Firewall::ProviderIptables: [instances]
Error: /Stage[main]/Main/Resources[firewall]: Failed to generate additional resources using 'generate': Command iptables_save is missing

(obviously this is more than just not saying 'include firewall' ... because the provider/types get parsed regardless of whether or not we 'include firewall').

Matt Wise
Sr. Systems Architect
Nextdoor.com

Felix Frank

Dec 26, 2014, 3:08:21 PM
to puppet...@googlegroups.com
Hi,
the providers should not generate error output of their own accord. Debugging messages - sure. Don't collect those during provisioning ;-)

I believe that you do something along the lines of `resources { 'firewall': purge => true }` on the global scope. Move this to a site-specific firewall wrapper module. Create a special environment that mirrors production, but replaces this wrapper module with a stub. This way, nodes can effectively ignore firewalling during provisioning. You can even remove the puppetlabs-firewall module from this environment, I believe.

Failing that, you can always fall back to a custom fact that is false during the initial run, and true afterwards. Wrap any firewalling resources in queries for this fact value.

HTH,
Felix
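
The fact-guarded wrapper suggested in the reply above, sketched as an added example (not code from the thread or from the puppetlabs-firewall module). The class name `site_firewall`, the fact name `firewall_ready` and the external-facts directory are assumptions, and the `$facts` hash requires Puppet 4 or later.

```puppet
# Hypothetical site-specific wrapper class; the name is an assumption.
class site_firewall (
  # Assumed external-facts directory of a puppet-agent package install.
  String $facts_dir = '/opt/puppetlabs/facter/facts.d',
) {
  # 'firewall_ready' is an external fact invented for this example. It is
  # undefined on the first run, so this guard is false during provisioning
  # and no firewall resource enters the catalog.
  if $facts['firewall_ready'] == true {
    # The purge lives here instead of at global scope, so the iptables
    # provider is only asked to enumerate rules once the fact is set.
    resources { 'firewall':
      purge => true,
    }

    include firewall
  }

  # Written during the first successful run. Facter reads it at the start
  # of the next run, which flips the guard above to true.
  file { "${facts_dir}/firewall_ready.yaml":
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "---\nfirewall_ready: true\n",
  }
}
```

Until the second run completes, a node built this way has no Puppet-managed firewall rules, so that window should be covered by whatever filtering the provisioning network already provides.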