> Thanks a lot Ken... Just to be sure and clear, the "lockout" problem is
> not about locking puppet agent itself out, that is:
>
> - All the rules, part of the catalogue, are retrieved from the puppet
> master in one go, then applied one after another, in unpredictable
> order, but there is no chance of firewall rules changing in the middle
> of agent-master transaction, right?
The rules are changing whenever the resource is applied after the catalogue is downloaded from the master. If the agent is running as a daemon on its own, the order matters only a little. The fix is specifically for a situation where you are running the agent in the foreground via SSH, for example (and usually the first time you run Puppet on a box). The documented solution was added because someone in the field hit this problem - if you don't feel you need it, you don't need to use it.

> I did see a problem where puppet agent fails to send its report back,
> after a wrong iptables config was applied, but that is not the same
> thing.
>
> I do not like/feel the solution to the feared problem... so I just
> wanna understand and live with it.

Okay. So an alternate solution would be to store the rules in a file (like /etc/iptables/rules.v4 for debian), and apply them late. It's been suggested in the past, however it brings with it other implications/problems. I think if there was enough demand for it an alternative provider could be made to do this perhaps. Persistent vs real-time handling for providers has always been a contentious area for Puppet :-).

ken.
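One way the "rules in a file, applied late" alternative Ken mentions could look in a manifest, as an added example that is not part of the thread: the stage and class names, the file-plus-exec pattern and the rule contents are assumptions chosen for illustration, not the firewall module's documented solution.

```puppet
# Added example (assumed names/rules): a run stage after 'main', so the live
# tables change only after every other resource in the catalogue has applied.
stage { 'firewall_last':
  require => Stage['main'],
}

class firewall_from_file (
  Integer $ssh_port = 22,   # kept open so a foreground run over SSH cannot lock you out
) {
  # Complete ruleset in iptables-save format. INPUT defaults to DROP, but the
  # accepts for loopback, established flows and SSH live in the same file.
  $rules = @("RULES")
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
    COMMIT
    | RULES

  # Writing the file touches nothing live. validate_cmd parses the candidate
  # with iptables-restore --test before the file is replaced ('%' is the temp
  # file path), so a syntax error never reaches the kernel.
  file { '/etc/iptables/rules.v4':
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0600',
    content      => $rules,
    validate_cmd => '/sbin/iptables-restore --test %',
    notify       => Exec['load-iptables-rules'],
  }

  # iptables-restore replaces the whole table in a single commit, so there is
  # no window where INPUT already drops but the accept rules are not yet there.
  exec { 'load-iptables-rules':
    command     => '/sbin/iptables-restore /etc/iptables/rules.v4',
    refreshonly => true,
  }
}

class { 'firewall_from_file':
  stage => 'firewall_last',
}
```

The trade-off Ken alludes to remains: the file is the source of truth, so rules added to the live tables by anything else are silently dropped on the next load.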