Service[iptables] is reloaded each puppet run on Debian

[sathieu]

notice: /Stage[main]/Iptables/Service[iptables]/ensure: ensure changed 'stopped' to 'running'

This is because

• iptables-persistent doesn't have a "status"
• there is no process running.

I don't know how to check the service. Maybe the module should start the service only on refresh.

[alvagante]

Did you test on a Debian 6?

[alvagante]

A solution could be to modify:

$manage_service_ensure = $iptables::bool_disable ? {
  true    => 'stopped',
  default =>  $iptables::bool_absent ? {
    true    => 'stopped',
    default => 'running',
  },
}

And place an undef instead of running for the operatingsystems where status is not available

[sathieu]

I tested on (upcoming) Debian 7.

[sathieu]

How is status implemented in other distros?

[alvagante]

AFAIK on distros like redhat family status works. Can you tell me if placing an undef instead of running solves ? If you I would add to $manage_service_ensure a selector that checks for service_status and returns undef if service_status is false

[sathieu]

it doesn't works: changes to the rules don't restart the service.

I will try another solution and proose a patch.

[sathieu]

See https://github.com/example42/puppet-iptables/pull/19.

[whiteadam]

I am having this same issue on Cent 6.4 at the moment:

Notice: /Stage[main]/Iptables/Service[iptables]/ensure: ensure changed 'running' to 'stopped'

I have the following in Hiera:

iptables::disable: true iptables::disableboot: true

I only added this to test the disable, but it had no effect:

iptables::disableboot: true

[alvagante]

Just commit a patch that should solve. Note that to disable iptables (or any other example42 module service) both at runtime and at boot just need just disable => true, With disableboot => true you disable it at boot (as with disable) and do not check the service status (useful for cases when a service is managed by a cluster).

[whiteadam]

Thanks Al, you're the man.