I'm trying to get Puppet to upgrade our Varnish 3 servers to Varnish 4, a major update which requires an updated config file or it won't start. This is on Ubuntu 12.04.
The Varnish module is essentially built with these classes and dependencies:
    Class['varnish::repo']
    -> Class['varnish::install']
    -> Class['varnish::tools']
    -> Class['varnish::config']
    ~> Class['varnish::service']
I've updated the Apt-repo URL in `varnish::repo`, set `ensure => latest` in `varnish::install` and provided an updated config file to `varnish::config`. So far so good.
When Puppet runs these dependencies, the run fails at the `varnish::install` stage because Apt tries to restart the Varnish daemon immediately after upgrading it, not giving Puppet the chance to replace the config file. The failure in the `varnish::install` class leads to a broken dependency chain and causes the remaining classes to fail as well. The result is a broken Varnish installation that needs manual recovery.
How do you deal with this?
I thought about using `policy-rc.d`, which essentially tells Apt not to perform automatic stops and starts of services. I tried creating the file before the upgrade and removing it afterwards.
    # $ensure is 'present' before the upgrade and 'absent' afterwards
    file { '/usr/sbin/policy-rc.d':
      ensure  => $ensure,
      content => "#!/bin/sh\nexit 101\n",
      owner   => 'root',
      group   => 'root',
      mode    => '0755',
    }
Of course creating and removing is a problem because Puppet sees this as a duplicate resource.
Why do I want to remove the policy again, after just installing it, you ask? Because we use `unattended-upgrades` to perform minor security upgrades and I want to allow automatic service restarts in those cases, just not in this case. Furthermore, `policy-rc.d` affects all services, not just Varnish.
Maybe I'm thinking about this wrongly, but can I somehow tell Puppet or Apt to wait with the restart until the config file is replaced as well?
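One way to apply the `policy-rc.d` guard only around the Varnish upgrade without declaring the same `File` twice, as an added example that is not part of the original post or of the Varnish module: the guard file is declared once, and its removal is an `Exec` ordered after `Class['varnish::install']`. The class name `varnish::upgrade_guard` and the `Exec` title are assumptions; the `varnish::*` class names are the ones from the question.

```puppet
# Added example (not the question's or the module's own code).
# Assumptions: class names varnish::install / varnish::config exist as in
# the question; Ubuntu 12.04 paths (/usr/sbin/policy-rc.d, /bin, /usr/bin).
class varnish::upgrade_guard {

  # invoke-rc.d consults /usr/sbin/policy-rc.d before acting on a service;
  # exit status 101 means "action forbidden", so the package maintainer
  # scripts will neither stop nor start any service while this file exists.
  file { '/usr/sbin/policy-rc.d':
    ensure  => file,
    content => "#!/bin/sh\nexit 101\n",
    owner   => 'root',
    group   => 'root',
    mode    => '0755',
  }

  # Removal is an Exec rather than a second File resource: a File with the
  # same path cannot be declared twice in one catalog. The onlyif keeps the
  # Exec idempotent, so it only reports a change when the guard is present.
  exec { 'remove-policy-rc.d':
    command => '/bin/rm -f /usr/sbin/policy-rc.d',
    onlyif  => '/usr/bin/test -f /usr/sbin/policy-rc.d',
    path    => ['/bin', '/usr/bin'],
  }

  # Ordering within the run:
  #   guard present -> package upgraded (no restart) -> guard removed
  #   -> new config written -> service restarted by the existing
  #   Class['varnish::config'] ~> Class['varnish::service'] notification.
  File['/usr/sbin/policy-rc.d']
  -> Class['varnish::install']
  -> Exec['remove-policy-rc.d']
  -> Class['varnish::config']
}
```

Because the guard exists only between the two ordered steps of a single Puppet run, `unattended-upgrades` is unaffected outside that window. The trade-off is the failure mode the question describes: if `Class['varnish::install']` fails, the `Exec` is skipped and the guard file stays on disk, blocking Apt-driven restarts of every service on the host until a later run succeeds or the file is removed by hand, so a check for a stale `/usr/sbin/policy-rc.d` belongs in whatever monitors these hosts.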
Why not replace the config file before installing the update? If it loads on restart, it won't use the "wrong" config file till after the update restarts it . . .