Attached below is a puppet module I've written that pushes the iptables configuration to our load balancers. It works, except that the so-bans-apply script runs every puppet run, regardless of whether the Services themselves actually had an update. My question is why the exec is firing every run, and how I can make it run only when the subscribed service is refreshed?
I have tried removing the "onlyif" statement in the Exec, thinking that perhaps an onlyif would trigger an unconditional execution, but even without the "onlyif", the exec still triggers every run of puppet.
The node definition is specified similar to this, without any arguments specified:
node /or-rtlb\d{2}/ {
  include iptables
}
And here's the code to the class itself:
class iptables ($ApplyBans=true)
{
  # Pick the source files for this host by hostname pattern.
  if $hostname =~ /(?i:or-rtlb\d{2})/ {
    $ip6tables_file = "or-rtlbs.ip6tables"
    $iptables_file  = "or-rtlbs.iptables"
  }
  if $hostname =~ /(?i:or-puptest)/ {
    $ip6tables_file = "or-rtlbs.ip6tables"
    $iptables_file  = "or-rtlbs.iptables"
  }

  case $::osfamily {
    RedHat:
    {
      file { "/etc/sysconfig":
        ensure => directory,
        owner  => root,
        group  => root,
        mode   => "0755",   # modes are strings; an unquoted 0755 is rejected by Puppet 4+
      }

      # The rules files: any change to them restarts the matching service.
      file { "ip6tables-file":
        path    => "/etc/sysconfig/ip6tables",
        ensure  => present,
        owner   => root,
        group   => root,
        mode    => "0644",
        source  => "puppet:///modules/iptables/$ip6tables_file",
        require => [File["/etc/sysconfig"], Package["iptables"]],
        notify  => Service["ip6tables-service"],
      }
      file { "iptables-file":
        path    => "/etc/sysconfig/iptables",
        ensure  => present,
        owner   => root,
        group   => root,
        mode    => "0644",
        source  => "puppet:///modules/iptables/$iptables_file",
        require => [File["/etc/sysconfig"], Package["iptables"]],
        notify  => Service["iptables-service"],
      }

      package { "iptables":
        ensure => installed,
      }
      package { "iptables-ipv6":
        ensure => installed,
      }

      service { "iptables-service":
        name       => "iptables",
        ensure     => running,
        hasstatus  => true,
        hasrestart => true,
        enable     => true,
      }
      service { "ip6tables-service":
        name       => "ip6tables",
        ensure     => running,
        hasstatus  => true,
        hasrestart => true,
        enable     => true,
      }

      if ($ApplyBans)
      {
        # Subscribed to both services, so a restart of either sends it a
        # refresh event. Without refreshonly, though, an exec also runs
        # as part of every normal catalog apply (subject only to onlyif).
        exec { "so-bans-apply" :
          command   => "/root/bans/so-bans/force-ban-refresh",
          onlyif    => "/usr/bin/test -f /root/bans/so-bans/force-ban-refresh",
          subscribe => [
            Service["iptables-service"],
            Service["ip6tables-service"],
          ],
        }
      }
    }
  }
}
Add

  refreshonly => true

to the exec, and it will only run when a notify or subscribe relationship triggers it.
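For reference, the question's exec with that one attribute added, written as an added example rather than code from the original post. The onlyif guard still applies on refresh, so a missing script turns the refresh into a no-op instead of a failed run.

```puppet
# Added example, not the question author's module: the same resource
# with refreshonly set. An exec without refreshonly is applied on every
# agent run (onlyif/unless/creates permitting); with it, Puppet skips
# the command unless a notify/subscribe event reaches the resource.
exec { 'so-bans-apply':
  command     => '/root/bans/so-bans/force-ban-refresh',
  onlyif      => '/usr/bin/test -f /root/bans/so-bans/force-ban-refresh',
  refreshonly => true,
  subscribe   => [
    Service['iptables-service'],
    Service['ip6tables-service'],
  ],
}

# The same relationship can instead be declared from the service side
# with the notification arrow (use one form or the other, not both):
#
#   Service['iptables-service']  ~> Exec['so-bans-apply']
#   Service['ip6tables-service'] ~> Exec['so-bans-apply']
```

To confirm the behaviour, run the agent twice with no rules-file change: the first run after the edit may show the exec being triggered by a service refresh, while the second should apply cleanly with no Exec[so-bans-apply] activity in the report.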