sensu/sensu-puppet

type "sensu_agent_entity_config" always executed before iptables can cause puppet to fail

maxadamo opened this issue · 6 comments

Description of problem

  • I have upgraded from the version 4.x of the module to version 5.6, and the firewall was blocking access from the agent to the API (port 8080).
  • I created an outbound accept rule (using puppetlabs/firewall module), but the type sensu_agent_entity_config is always executed before the firewall module (before/require does not help) and puppet fails to run.

There are two options to work around the issue.

  1. bring the firewall off, and then run puppet
  2. explicitly declare the namespace on the agent (even if it's default) and set validate_namespace to false

I'm not sure I understand the problem. The firewall change should be made on the backend, and is permanent. The sensu_agent_entity_config is run on agents but could also run on the backend as it's likely you have the agent running on the backend host. If you have ordering issues on the backend with agent code then I'd recommend updating your profile class for Sensu to do something like this:

firewall { '8080 - allow port 8080':
  ...
  before => Service['sensu-agent'],
}

The above ordering should only be necessary on the backend host if you also have sensu::agent applied on the backend host.

The above idea is just one example, that works because sensu_agent_entity_config auto requires both sensu-backend and sensu-agent services.

I could easily fix the backend to allow inbound traffic, but in this case it was missing an outbound rule (from Agent to Backend).
And I was using this code, to open the outbound traffic on the agents:

firewall { '200 Allow outbound Sensu API from .... to .... ':
  action => 'accept',
  before => Class['sensu', 'sensu::agent'],
  chain  => 'OUTPUT',
  ...
}

I was using "before class sensu" but the ordering on the agent did not work and puppet failed.

That should have worked. The only reason I can think it would not work is if you have something like sensu::agent::subscription or sensu::agent::label defined somewhere for the agent since those resources are not going to be under Class[sensu] or Class[sensu::agent]. You could try this:

Sensu_agent_entity_config <| |> {
  require => Firewall['200 Allow outbound Sensu API from .... to .... '],
}

Did you have any errors or warnings for sensu_agent_entity_validator when things failed? I would expect your before on Class[sensu::agent] to also make it come before the validator, which is auto required by all Sensu_agent_entity_config resources. The only other reason I can think that you would get errors despite the ordering being correct is that the ordering is only for applying resources, not prefetch and validation, and the prefetch and especially the validation are likely failing before your host has the firewall port open. I think the only way around such issues is to ensure the firewall rule is bootstrapped into the host when provisioned, before Puppet runs. I think any code changes we make to fix this issue would essentially make the validation not do anything, which is not desirable. So if provisioning with firewall rules in place is not an option then maybe disabling namespace validation is the only other option.

I never used sensu::agent::label and sensu::agent::subscription (in version 3 of the module they were not yet available), and I never used them when I went through version 4 and now 5.

Then I think what is failing for you is the validation, which isn't going to be influenced by ordering like applying the actual resource is. I think you will have to disable namespace validation for now. I think I have an idea of one way I can fix this so that the validation happens when the resource is applied rather than when the catalog starts being evaluated.
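Putting the thread's pieces together, here is an added example profile (not code from the issue or from the sensu-puppet module): it declares the outbound rule to the backend API, orders it ahead of the Sensu classes and every Sensu_agent_entity_config resource, and applies the workaround of declaring the namespace with validate_namespace set to false, since the thread explains that validation runs at catalog evaluation and is not gated by ordering. The class name, the backend address (documentation range) and the placement of namespace/validate_namespace on sensu::agent are assumptions; the firewall parameters follow puppetlabs/firewall as used above.

```puppet
# Added example, not part of the issue thread or the module.
class profile::sensu_agent (
  String  $backend_ip = '192.0.2.10',   # assumed backend address (constructed)
  Integer $api_port   = 8080,           # Sensu backend API port from the thread
) {
  $rule_title = "200 Allow outbound Sensu API to ${backend_ip}"

  # Outbound accept rule from this agent to the backend API.
  firewall { $rule_title:
    chain       => 'OUTPUT',
    proto       => 'tcp',
    destination => $backend_ip,
    dport       => $api_port,
    action      => 'accept',
  }

  # Workaround from the thread: declare the namespace explicitly and disable
  # namespace validation, because the validator runs before resources are
  # applied and therefore before the firewall rule can take effect.
  # (Assumption: these parameters live on sensu::agent.)
  class { 'sensu::agent':
    namespace          => 'default',
    validate_namespace => false,
  }

  # Ordering for resource application: the rule lands before the Sensu classes
  # and before any entity config resource, including ones declared outside
  # Class[sensu::agent] (e.g. sensu::agent::subscription / ::label).
  Firewall[$rule_title] -> Class['sensu'] -> Class['sensu::agent']

  Sensu_agent_entity_config <| |> {
    require => Firewall[$rule_title],
  }
}
```

With validate_namespace left at its default, the same ordering still leaves validation failing on a host whose outbound rule is not yet present, which is why the workaround combines both.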

Closing due to inactivity.