Until recently, I was under the impression that merely declaring a resource with various attributes would ensure that Puppet manages the resource and brings it back to the configured state if it were to change.
Today, I found that wasn't the case for a yumrepo resource I have configured, until I added an audit => all metaparameter to the resource. I deleted /etc/yum.repos.d/foo.repo and ran puppetd --test. Puppet did not recreate the resource. Does that indicate a Puppet defect?
If that's the intended behavior, it begs the question, what other resources require audit => all to tell Puppet to manage the resource's state if it changes on the system under management?
Here is the repository class:
    class yum::therepo {
      # Temporarily remove the Yum repo configuration if we don't have
      # httpd yet.
      exec { 'disable-the-repo-to-get-its-dependencies':
        provider => shell,
        command  => 'rm -f /etc/yum.repos.d/the.repo',
        unless   => 'rpm -q httpd',
        onlyif   => 'test -f /etc/yum.repos.d/the.repo',
        before   => [Package['httpd'], Exec['httpd-for-yum'],],
        path     => '/bin:/usr/bin',
      }

      # Ensures httpd is running as a Yum server before anything else
      # tries to install packages from it.
      exec { 'httpd-for-yum':
        provider => shell,
        command  => '/sbin/service nginx stop || true ; /sbin/service httpd restart',
        require  => Class['yum::server'],
      }

      yumrepo {
        "the":
          require  => [Exec['httpd-for-yum'],],
          descr    => "The YUM Repo",
          baseurl  => "http://yum/repos/redhat/5/x86_64/",
          gpgcheck => "0",
          enabled  => "1",
          # One puppet run failed to recreate the.repo. I added audit
          # => all, and the next puppet run did recreate the.repo.
          # Possibly a red herring. I'd like to understand why it
          # worked in one case and not in the other.
          #audit => all,
      }
    }
And the Yum server class:
    class yum::server {
      include httpd
      include iptables

      package { ['createrepo']:
        ensure => present;
      }

      exec { 'update-repo-metadata':
        require => [ Package['createrepo']],
        cwd     => '/var/www/html/yum',
        command => '/usr/bin/createrepo --update -d repos/redhat/5/x86_64/',
        creates => '/var/www/html/yum/repos/redhat/5/x86_64/repodata/repomd.xml',
      }

      file {'/etc/httpd/conf.d/yum.conf':
        ensure  => file,
        mode    => 0644,
        source  => "puppet:///modules/yum/yum_httpd.conf",
        require => Package['httpd'],
        notify  => Service['httpd'],
      }
    }
I think you're misunderstanding the audit flag, but could you post your yum resource section, as that'd help a lot. Typically, no, you don't need audit on a yumrepo resource to make it create a .repo file.
http://puppetlabs.com/blog/all-about-auditing-with-puppet/
Creating most Puppet resource types without an ensure property is undefined behavior. Sure, Puppet knows about the resource, but without knowing what the end-state is supposed to be, Puppet can't do anything useful with it. As an example, try to puppet apply the following code fragment: