On Fri, Aug 12, 2011 at 06:32:57AM -0700, Chad wrote:
> All,
>
> I have puppet watching various services on RHEL systems and restarting
> them as necessary.
>
> Quite a while back I wrote some custom scripts as wrappers for various
> services so that I can have a "custom" running status. These have
> worked for quite a few months, but recently my iptables services have
> been restarting every time puppet checks in.
>
> Problem:
>
> [me@host ~]$ sudo /usr/sbin/puppetd --test --noop
> info: Caching catalog for host@fakedomain
> info: Applying configuration version '1312979662'
> notice: //iptables/Service[build_iptables]/ensure: is stopped, should
> be running (noop)
> notice: Finished catalog run in 3.09 seconds
>
> Excerpt from manifest that does this:
>
> service { "build_iptables":
>   enable => true,
>   ensure => running,
>   hasstatus => true,
> }
>
>
> 'build_iptables' does a couple of things, but most importantly for
> this problem it runs a regex to look for a particular rule to see if
> it exists. If said rule exists it returns that the service is
> running, if that rule doesn't exist then it says it is not running and
> restarts the 'build_iptables' service (which does things to fix the
> issue along with restarts the "real" iptables service).
>
> But if I run the same build_iptables script I see that it is running:
>
> [me@host ~]$ sudo /sbin/service build_iptables status
> iptables is running
> [me@host ~]$ echo $?
> 0
>
> [me@host ~]$ sudo /usr/sbin/puppetd --test --noop
> info: Caching catalog for host.fakedomain
> info: Applying configuration version '1312979662'
> notice: //iptables/Service[build_iptables]/ensure: is stopped, should
> be running (noop)
> notice: Finished catalog run in 2.88 seconds
>
> [me@host ~]$ sudo /sbin/service build_iptables status
> iptables is running
> [me@host ~]$ echo $?
> 0
>
>
> This worked for a number of months, but recently broke.
> The issue is
> that when iptables restarts it drops its state table and any
> connections that would be allowed (through the ESTABLISHED or RELATED
> rule) are no longer recognized and the packets are dropped.
>
> Here is the relevant debug output:
>
> debug: Service[build_iptables](provider=redhat): Executing '/sbin/
> service build_iptables status'
> debug: Puppet::Type::Service::ProviderRedhat: Executing '/sbin/
> chkconfig build_iptables'
> debug: //iptables/Service[build_iptables]: Changing ensure
> debug: //iptables/Service[build_iptables]: 1 change(s)
> notice: //iptables/Service[build_iptables]/ensure: is stopped, should
> be running (noop)

So puppet actually uses »/sbin/service build_iptables status« to check if your service is running.
Is it possible that your initscript depends on a specific environment (like a special PATH variable)? Maybe your script doesn't work when run through puppet, so it doesn't return zero and puppet thinks the service is not running.

-Stefan
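Stefan's point is that the agent trusts only the exit status of `/sbin/service build_iptables status`, not the text it prints. The script below is an added example written for this page; it is not Chad's build_iptables wrapper and not Puppet's own code. It shows a status subcommand that pins its own PATH rather than inheriting the caller's, checks for a required rule in `iptables -S` output, returns LSB-style exit codes, and includes a stand-in for the agent's restart decision. The required rule, the PATH value and both rule listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, not Chad's script): a minimal status
# wrapper in the style of 'build_iptables' that does not depend on the
# caller's environment, plus a stand-in for the check Puppet performs.
# Puppet runs '/sbin/service <name> status' and looks only at the exit code:
# 0 means running, anything else means stopped; the printed text is ignored.

# Pin PATH instead of inheriting it, so the same commands resolve whether the
# script is started from a login shell or from an agent with a stripped
# environment. (Standard RHEL locations, assumed.)
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH

# Hypothetical "must exist" rule, in 'iptables -S' syntax.
REQUIRED_RULE='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

# rule_present RULES: exit 0 if REQUIRED_RULE is one whole line of RULES.
# -F fixed string, -x whole line, -q quiet; the pattern starts with "-A",
# so it is passed via -e or grep would parse it as an option.
rule_present() {
    printf '%s\n' "$1" | grep -F -x -q -e "$REQUIRED_RULE"
}

# status_from_rules RULES: LSB-style status. Returns 0 (running) when the
# required rule is present, 3 (stopped) when it is not.
status_from_rules() {
    if rule_present "$1"; then
        echo "iptables is running"
        return 0
    fi
    echo "iptables is stopped (required rule missing)"
    return 3
}

# live_status: what a real 'status' subcommand would do. It needs root and
# iptables, so the demonstration below uses constructed rule sets instead.
live_status() {
    status_from_rules "$(/sbin/iptables -S 2>/dev/null)"
}

# puppet_would_restart RULES: mimic the agent's decision. It discards the
# output and restarts the service exactly when the exit code is non-zero.
puppet_would_restart() {
    if status_from_rules "$1" >/dev/null 2>&1; then
        return 1     # running: nothing to do
    fi
    return 0         # stopped: the agent would restart the service
}

# Constructed sample rule listings (not real output from any host).
RULES_OK='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT'

RULES_MISSING='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT'

# Stand-alone demonstration: the running case exits 0, the missing-rule
# case exits 3, and only the latter would make the agent restart.
for rules in "$RULES_OK" "$RULES_MISSING"; do
    rc=0
    status_from_rules "$rules" || rc=$?
    echo "exit code: $rc"
done
```

To see what the agent sees on the affected host, run the status subcommand with the interactive environment cleared and compare the exit code with the one from a plain invocation: `sudo env -i PATH=/sbin:/usr/sbin:/bin:/usr/bin /sbin/service build_iptables status; echo $?`. If that returns non-zero while `sudo /sbin/service build_iptables status` returns 0, the wrapper is relying on something (PATH, a helper found only via the login profile, a locale) that the agent does not provide.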