notice ("This should be echoed")
service { "iptables":
    ensure => "stopped",
}

This does not stop iptables, I am not sure why. service iptables stop works fine. Puppet 2.6.17 on CentOS 6.3.

UPDATE:
/etc/puppet/manifests/nodes.pp

node 'linux-dev' {
    include mycompany::install::apache::init
    include mycompany::config::services::init
}

/etc/puppet/modules/mycompany/manifests/config/services/init.pp

class mycompany::config::services::init {
    if ($::id == "root") {
        service { 'iptables':
            #name => '/sbin/iptables',
            #enable => false,
            #hasstatus => true,
            ensure => stopped
        }
        notice ("IPTABLES is now being stopped...")

        file { '/tmp/puppet_still_works':
            ensure => 'present',
            owner => root
        }
    } else {
        err("Error: this manifest must be run as the root user!")
    }
}

1 Answer

It is different for iptables since there is no daemon; it is not like the crond daemon, for example. The service type will look in the process table for a process named "iptables", and if it is not there it will assume it is stopped. Add 'hasstatus => true' and it will work. EDITED: status => "true" worked. This is usually supplied for the service type manually; this command must return 0 if the service is running and a nonzero value otherwise.

notice ("This should be echoed")
service { "iptables":
    ensure => "stopped",
    hasstatus => "true",
    status => "true",
}

Danila Ladner
  • I'm afraid it doesn't work still. The status command does exist for service iptables, but this manifest does not stop the service strangely, even after adding hasstatus => true. As a side note, should true/false values be quoted? Wouldn't that "stringify" a boolean operator? I was wondering about that as well. –  Nov 12 '13 at 14:52
  • I do not have it quoted; I think it is unnecessary. I would get rid of them. Also, it does not make a difference, but I would do 'iptables'. Also, do you have "service iptables status" on your OS? There isn't on some OSes. – Danila Ladner Nov 12 '13 at 15:04
  • Yes, like I said above: "The status command does exist for service iptables". I even tried: exec { 'service iptables stop': path => '/sbin', unless => "service iptables status" } but it still didn't work. –  Nov 12 '13 at 15:09
  • Try onlyif instead of unless. Also, this just worked for me in vagrant: puppet apply -e "service{'iptables': ensure => stopped}" rhel6.4. Something weird. – Danila Ladner Nov 12 '13 at 15:15
  • Also, service type has a 'stop' parameter to specify a stop command, instead of using the exec – Danila Ladner Nov 12 '13 at 15:23
  • puppet apply -e "service{'iptables': ensure => stopped}" works for me too. –  Nov 12 '13 at 15:29
  • See my updates, perhaps I have something wrong in my general config? However, the /tmp/puppet_still_works file does get created. –  Nov 12 '13 at 15:35
  • Do not see any issue. What OS? – Danila Ladner Nov 12 '13 at 16:17
  • CentOS 6.3 on clients and puppet server –  Nov 12 '13 at 16:31
  • Hmm, interesting. Does it work for any other service? Like apache or crond? – Danila Ladner Nov 12 '13 at 16:50
  • I added an httpd ensure => stopped and it works. Also it gave the notice httpd changed from running to stopped, I never got notices about the iptables, it simply skips the whole block it seems. –  Nov 12 '13 at 18:37
  • Then I commented out the original IPtables block and just changed the working httpd block to iptables, but it did nothing. I guess there is a problem with the init script? –  Nov 12 '13 at 18:39
  • I noticed the init script for iptables is /bin/sh but httpd is /bin/bash, testing that now. Nope, didn't seem to matter anything. –  Nov 12 '13 at 18:40
  • can you also try to add: status => "true", – Danila Ladner Nov 12 '13 at 19:21
  • or status => '/sbin/service iptables status | grep "is not running"', try these ... – Danila Ladner Nov 12 '13 at 19:26
  • YES!!!! Adding status => "true" resolved it!! –  Nov 12 '13 at 20:14
  • OK, glad it worked for you. Still do not get why it doesn't work with just stopped, as it works for 6.4. Must be different init scripts. – Danila Ladner Nov 12 '13 at 20:46
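
The answer's rule that the status command must return 0 when the service is running explains why status => "true" forces a stop on every run: `true` always exits 0. The shell sketch below is an added example, not code from the thread. It mimics that decision and contrasts `true` with a status check that inspects the ruleset, so stop is only needed when rules are loaded. The function names, the sample rulesets, and the definition of "running" (any -A rule or a non-ACCEPT chain policy in iptables-save output) are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed sample input in iptables-save format: nothing loaded.
EMPTY_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample input: a DROP policy and one rule.
LOADED_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Status check honouring the contract: exit 0 = running, nonzero = stopped.
# Reads iptables-save text on stdin. Assumption: "running" means at least
# one rule, or a built-in chain whose policy is not ACCEPT.
ruleset_is_active() {
    awk '
        /^-A /                              { active = 1 }  # an explicit rule
        /^:/ && $2 != "ACCEPT" && $2 != "-" { active = 1 }  # policy other than ACCEPT
        END { exit(active ? 0 : 1) }
    '
}

# Mimics the decision made for ensure => stopped: run the status command
# and call stop only when it reports "running" (exit 0).
# $1 = status command, $2 = ruleset text fed to it on stdin.
would_stop() {
    if "$1" <<EOF
$2
EOF
    then echo stop; else echo skip; fi
}

would_stop true "$EMPTY_RULESET"                # stop is issued even with nothing loaded
would_stop ruleset_is_active "$EMPTY_RULESET"   # already stopped, nothing to do
would_stop ruleset_is_active "$LOADED_RULESET"  # rules present, stop is needed
```

On a real host the helper would read the output of `iptables-save` instead of a variable; whether a given Puppet version accepts a wrapper script as the status command is not covered by the thread.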