voxpupuli / puppet-augeasproviders_sysctl

Augeas-based sysctl type and provider for Puppet
Apache License 2.0

Error: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details. #19

Open HanzzM opened 7 years ago

HanzzM commented 7 years ago

I get this error when I use more than one target file, and after changing the value or the comment in the last file (/etc/sysctl.d/90-kernel.conf).

Example code:

sysctl { 'net.ipv4.tcp_syncookies':
  ensure  => present,
  value   => '1',
  comment => 'Turn on protection from Denial of Service (DOS) attacks',
  target  => '/etc/sysctl.d/90-net.conf',
}

sysctl { 'kernel.panic':
  ensure  => present,
  value   => '20',
  comment => 'Automatic reboot 20 sec after kernel panic',
  target  => '/etc/sysctl.d/90-kernel.conf',
}

The first puppet agent run is going well. But after changing the code (value of kernel.panic changed from 20 into 30):

sysctl { 'net.ipv4.tcp_syncookies':
  ensure  => present,
  value   => '1',
  comment => 'Turn on protection from Denial of Service (DOS) attacks',
  target  => '/etc/sysctl.d/90-net.conf',
}

sysctl { 'kernel.panic':
  ensure  => present,
  value   => '30',
  comment => 'Automatic reboot 30 sec after kernel panic',
  target  => '/etc/sysctl.d/90-kernel.conf',
}

I get the messages:

Notice: /Stage[main]/Profile::Base::Cis/Sysctl[kernel.panic]/value: changed configuration value from '20' to '30' and live value from '20' to '30'
Notice: /Stage[main]/Profile::Base::Cis/Sysctl[kernel.panic]/comment: comment changed 'Automatic reboot 20 sec after kernel panic' to 'Automatic reboot 30 sec after kernel panic'
Error: /Stage[main]/Profile::Base::Cis/Sysctl[kernel.panic]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.

It works only when I also change the order in my code (move the changing part to the top) into:

sysctl { 'kernel.panic':
  ensure  => present,
  value   => '30',
  comment => 'Automatic reboot 30 sec after kernel panic',
  target  => '/etc/sysctl.d/90-kernel.conf',
}

sysctl { 'net.ipv4.tcp_syncookies':
  ensure  => present,
  value   => '1',
  comment => 'Turn on protection from Denial of Service (DOS) attacks',
  target  => '/etc/sysctl.d/90-net.conf',
}

Now the Puppet agent run is going well again:

Notice: /Stage[main]/Profile::Base::Cis/Sysctl[kernel.panic]/value: changed configuration value from '20' to '30'
Notice: /Stage[main]/Profile::Base::Cis/Sysctl[kernel.panic]/comment: comment changed 'Automatic reboot 20 sec after kernel panic' to 'Automatic reboot 30 sec after kernel panic'
Notice: Applied catalog in 9.14 seconds

HanzzM commented 6 years ago

This only happens when I use comment. There are no problems when I leave the comment option out of my code.

sysctl { 'net.ipv4.tcp_syncookies':
  ensure => present,
  value  => '1',
  target => '/etc/sysctl.d/90-net.conf',
}

sysctl { 'kernel.panic':
  ensure => present,
  value  => '20',
  target => '/etc/sysctl.d/90-kernel.conf',
}

WBasson commented 3 years ago

This happens to us, but only if we specify the target as /etc/sysctl.d/99-sysctl.conf. We also have multiple settings going into the file; don't know if that is contributing to the problem.

montaguethomas commented 1 year ago

I've determined this issue is due to these lines: https://github.com/voxpupuli/puppet-augeasproviders_sysctl/blob/78c2bcb9cdab9743152cc973d364e8997bd94420/lib/puppet/provider/sysctl/augeas.rb#L192-L194

When I comment out line 194 (aug.insert) the comment is updated correctly.

montaguethomas commented 1 year ago

After some testing, I found two options:

1. Remove this preference logic. This seems to be from long ago and actually causes a mess when comments are used:

   first puppet run:

   vm.min_free_kbytes = 67584
   #kernel.kptr_restrict = 0
   kernel.kptr_restrict = 2
   # net.ipv4.tcp_invalid_ratelimit: networking tuning
   net.ipv4.tcp_invalid_ratelimit = 500
   # kernel.kptr_restrict: hiding kernel pointers

   second puppet run:

   vm.min_free_kbytes = 67584
   #kernel.kptr_restrict = 0
   # kernel.kptr_restrict: hiding kernel pointers
   kernel.kptr_restrict = 2
   # net.ipv4.tcp_invalid_ratelimit: networking tuning
   net.ipv4.tcp_invalid_ratelimit = 500
   # kernel.kptr_restrict: hiding kernel pointers

2. It's possible to update the logic to not try to insert after the comment when the entity already exists:

   augopen! do |aug|
     # Only place the node next to a commented-out entry when the key
     # does not exist yet; later runs just update the existing node.
     if aug.match(resource_path).empty?
       # Prefer to create the node next to a commented out entry
       commented = aug.match("$target/#comment[.=~regexp('#{resource[:name]}([^a-z\.].*)?')]")
       aug.insert(commented.first, resource[:name], false) unless commented.empty?
     end
     aug.set(resource_path, value)
     setvars(aug)
   end
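A check for the drift described in this comment, added here as an example and not part of the module's own code: it scans one sysctl file for active settings, or `# key: text` comment lines of the shape the `comment` parameter writes, that occur more than once, which is what the repeated insert leaves behind. The embedded sample is a constructed copy of the second-run file state quoted above.

```python
import re
import sys
from collections import Counter

# Constructed sample: the file state quoted above after the second Puppet run.
SAMPLE_SYSCTL = """\
vm.min_free_kbytes = 67584
#kernel.kptr_restrict = 0
# kernel.kptr_restrict: hiding kernel pointers
kernel.kptr_restrict = 2
# net.ipv4.tcp_invalid_ratelimit: networking tuning
net.ipv4.tcp_invalid_ratelimit = 500
# kernel.kptr_restrict: hiding kernel pointers
"""

# An active "key = value" setting. A leading '#' does not match, so a
# commented-out entry such as "#kernel.kptr_restrict = 0" is ignored.
SETTING_RE = re.compile(r"^\s*([A-Za-z0-9_./-]+)\s*=\s*(.*?)\s*$")
# A comment in the "# key: text" shape the provider writes for `comment =>`.
KEY_COMMENT_RE = re.compile(r"^\s*#\s+([A-Za-z0-9_./-]+):\s*(.*?)\s*$")


def sysctl_duplicates(text):
    """Return one finding per setting key or key-comment that occurs more than
    once in a sysctl file; an empty list means the file shows no drift."""
    settings, comments = Counter(), Counter()
    for line in text.splitlines():
        comment = KEY_COMMENT_RE.match(line)
        if comment:
            comments[(comment.group(1), comment.group(2))] += 1
            continue
        setting = SETTING_RE.match(line)
        if setting:
            settings[setting.group(1)] += 1
    findings = [f"setting {key} appears {n} times"
                for key, n in settings.items() if n > 1]
    findings += [f"comment for {key} ({note!r}) appears {n} times"
                 for (key, note), n in comments.items() if n > 1]
    return findings


if __name__ == "__main__":
    # Pass a path such as /etc/sysctl.d/90-kernel.conf, or run on the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SYSCTL
    findings = sysctl_duplicates(source)
    for finding in findings:
        print(finding)
    sys.exit(1 if findings else 0)
```

Running it after each agent run, or as a post-run check in CI, turns a silently growing file into a non-zero exit.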