Linux – Puppet: how to run an exec only if puppet has made changes

centoslinuxpuppet

We are doing basic management of some servers via puppet – The servers themselves run as part of a clustered system that handles other aspects like user accounts etc and includes a monitoring script that detects changes in key files (/etc/passwd and the like). If puppet updates a package it potentially changes these key files triggering the monitoring system. (which is not unintentional)

The monitoring system has a command that can be manually run to clear the state and we have to do this each time puppet applies any changes, When we start getting emails!

We could define an exec that runs in a post run_stage to run the command but this by default would fire every time puppet runs, and then our reports will always show as puppet made changes regardless of whether changes were made or not.

Is there a way we can set the exec so that it only runs if puppet has applied other changes?

Best Answer

If the exec resource has a dedicated stage, you can implement the desired behavior by having it subscribe to all other stages, e.g.

exec { "pacify-rkhunter":
    ...
    subscribe   => Stage['pre','main','aux'],
    refreshonly => true,
}

Related Solutions

Puppet: Running shell command when file (or package) is updated

Use the audit attribute to track the file content or package version number and trigger the change by subscribing to the package resource. A few issues with this, this does not work with --noop because the state.yaml file will update the file md5 checksum/package version in --noop mode. I'm not sure if this is a pending bug since I can't track it down at the moment.

file { '/etc/tzinfo':
  audit => content,
}

exec { '/usr/bin/mysql_tzinfo_to_sql':
  subscribe => File['/etc/tzinfo'],
}

A more reliable method is just to duplicate the file elsewhere and use it to trigger updates (the location isn't important we are just tracking the original tzinfo as source).

file { '/etc/puppet/stage/tzinfo':
  source => '/etc/tzinfo',
}

exec { '/usr/bin/mysql_tzinfo_to_sql':
  subscribe => File['/etc/tzinfo'],
}

The second method of course does not work with packages, but you would avoid the --noop and state.yaml problems.

Regarding the third question, yes, you can use pipe and redirects (use an title and put the command in the command attribute):

exec { 
  '/bin/echo foo | grep foo > /tmp/foo':
}

How to prevent puppet interfering with manual server changes

What I normally do is the following

Manually stop puppet on that machine
Have a nagios or monitoring tool of your choice alert that will warn me when puppet hasn't been run for more than 2 hours
If you want to be extra cautious also make a pupet watchdog, one that checks that the /var/run file is in place, if you stop puppet properly it'll erase it, if the file is there but there's no process it died so it'll start up again

With #1 and #2 you'll cover 99% of your case scenarios, and if you want to maybe #3 will help you when puppet misbehaves (sometimes it did on me)

Good luck!

Best Answer

Related Solutions

Puppet: Running shell command when file (or package) is updated

How to prevent puppet interfering with manual server changes

Related Topic