voxpupuli / puppet-augeasproviders_sysctl

Augeas-based sysctl type and provider for Puppet
Apache License 2.0

some values set okay when puppet agent run from node, but not when run from puppet master #55

Open smokecatcher opened 3 years ago

smokecatcher commented 3 years ago

Puppet Enterprise 2019.8.4/OS RHEL 7 (on both puppet master and node).

I use the hercules-team augeasproviders_sysctl to set several sysctl values. Some work fine no matter how the puppet agent is run, and some only work when the puppet agent is run from the command line on the node.


Example: Debug file from puppet run using "puppet agent -t" from command line on node:

```
2021-08-18 14:43:13,debug,Executing: '/sbin/sysctl -n net.ipv6.conf.all.accept_source_route'
2021-08-18 14:43:13,debug,Executing: '/sbin/sysctl -n net.ipv4.ip_forward'
2021-08-18 14:43:13,debug,Executing: '/sbin/sysctl -n net.ipv4.conf.all.send_redirects'
2021-08-18 14:43:13,debug,Executing: '/sbin/sysctl -n net.ipv4.conf.default.send_redirects'
2021-08-18 14:43:13,debug,Executing: '/sbin/sysctl -n net.ipv4.conf.all.accept_redirects'
2021-08-18 14:43:13,debug,Executing: '/sbin/sysctl -n net.ipv4.conf.default.accept_redirects'
2021-08-18 14:43:12,debug,Executing: '/sbin/sysctl -n net.ipv4.icmp_echo_ignore_broadcasts'
2021-08-18 14:43:12,debug,Executing: '/sbin/sysctl -n net.ipv4.conf.default.accept_source_route'
2021-08-18 14:43:12,debug,Executing: '/sbin/sysctl -n net.ipv4.conf.default.rp_filter'
2021-08-18 14:43:12,debug,Executing: '/sbin/sysctl -n net.ipv4.conf.all.rp_filter'
2021-08-18 14:43:12,debug,Executing: '/sbin/sysctl -n net.ipv4.conf.all.accept_source_route'
2021-08-18 14:43:12,debug,Executing: '/sbin/sysctl -n kernel.randomize_va_space'
2021-08-18 14:43:12,debug,Executing: '/sbin/sysctl -a'
2021-08-18 14:43:12,debug,Prefetching augeas resources for sysctl
```

Debug log when run on same node but initiating from Puppet Master with Run Puppet:

```
2021-08-18 14:33:39,debug,"Resource is being skipped, unscheduling all events"
2021-08-18 14:33:39,err,Could not evaluate: Error: net.ipv6.conf.all.accept_source_route is not a valid sysctl key
2021-08-18 14:33:39,debug,Executing: '/usr/sbin/sysctl -n net.ipv4.ip_forward'
2021-08-18 14:33:39,debug,Executing: '/usr/sbin/sysctl -n net.ipv4.conf.all.send_redirects'
2021-08-18 14:33:39,debug,Executing: '/usr/sbin/sysctl -n net.ipv4.conf.default.send_redirects'
2021-08-18 14:33:39,err,Could not evaluate: Error: net.ipv4.conf.all.accept_redirects is not a valid sysctl key
2021-08-18 14:33:39,err,Could not evaluate: Error: net.ipv4.conf.default.accept_redirects is not a valid sysctl key
2021-08-18 14:33:39,err,Could not evaluate: Error: net.ipv4.icmp_echo_ignore_broadcasts is not a valid sysctl key
2021-08-18 14:33:39,debug,Executing: '/usr/sbin/sysctl -n net.ipv4.conf.default.accept_source_route'
2021-08-18 14:33:39,debug,Executing: '/usr/sbin/sysctl -n net.ipv4.conf.default.rp_filter'
2021-08-18 14:33:39,debug,Executing: '/usr/sbin/sysctl -n net.ipv4.conf.all.rp_filter'
2021-08-18 14:33:39,debug,Executing: '/usr/sbin/sysctl -n net.ipv4.conf.all.accept_source_route'
2021-08-18 14:33:39,err,Could not evaluate: Error: kernel.randomize_va_space is not a valid sysctl key
2021-08-18 14:33:39,debug,Executing: '/usr/sbin/sysctl -a'
```


Checks on keys on the node with sysctl -a and sysctl -n yield the following results, or similar, for all keys listed as "invalid":

```
sysctl -a 2>/dev/null | grep kernel.randomize_va_space
kernel.randomize_va_space = 2

/usr/sbin/sysctl -n kernel.randomize_va_space
2

sysctl -a 2>/dev/null | grep net.ipv4.icmp_echo_ignore_broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1

/usr/sbin/sysctl -n net.ipv4.icmp_echo_ignore_broadcasts
1
```


Running puppet agent from Puppet Master on the node results in manifest failure for sysctl values every time, but execution of puppet by the puppet agent on the node gets a fail, fail, success, fail, fail, success... pattern.


My class definition:


```puppet
class profile::baseline::sysctl (
  String $kernel_randomize_va_space = '2',
  String $net_ipv4_conf_all_accept_source_route = '0',
  String $net_ipv4_conf_all_rp_filter = '1',
  String $net_ipv4_conf_default_rp_filter = '1',
  String $net_ipv4_conf_default_accept_source_route = '0',
  String $net_ipv4_icmp_echo_ignore_broadcasts = '1',
  String $net_ipv4_conf_default_accept_redirects = '0',
  String $net_ipv4_conf_all_accept_redirects = '0',
  String $net_ipv4_conf_default_send_redirects = '0',
  String $net_ipv4_conf_all_send_redirects = '0',
  String $net_ipv4_ip_forward = '0',
  String $net_ipv6_conf_all_accept_source_route = '0',
) {

  # kernel.randomize_va_space = 2
  sysctl { 'kernel.randomize_va_space':
    ensure => present,
    value  => $kernel_randomize_va_space,
  }

  # net.ipv4.conf.all.accept_source_route = 0
  sysctl { 'net.ipv4.conf.all.accept_source_route':
    ensure => present,
    value  => $net_ipv4_conf_all_accept_source_route,
  }

  # net.ipv4.conf.all.rp_filter = 1
  sysctl { 'net.ipv4.conf.all.rp_filter':
    ensure => present,
    value  => $net_ipv4_conf_all_rp_filter,
  }

  # net.ipv4.conf.default.rp_filter = 1
  sysctl { 'net.ipv4.conf.default.rp_filter':
    ensure => present,
    value  => $net_ipv4_conf_default_rp_filter,
  }

  # net.ipv4.conf.default.accept_source_route = 0
  sysctl { 'net.ipv4.conf.default.accept_source_route':
    ensure => present,
    value  => $net_ipv4_conf_default_accept_source_route,
  }

  # net.ipv4.icmp_echo_ignore_broadcasts = 1
  sysctl { 'net.ipv4.icmp_echo_ignore_broadcasts':
    ensure => present,
    value  => $net_ipv4_icmp_echo_ignore_broadcasts,
  }

  # net.ipv4.conf.default.accept_redirects = 0
  sysctl { 'net.ipv4.conf.default.accept_redirects':
    ensure => present,
    value  => $net_ipv4_conf_default_accept_redirects,
  }

  # net.ipv4.conf.all.accept_redirects = 0
  sysctl { 'net.ipv4.conf.all.accept_redirects':
    ensure => present,
    value  => $net_ipv4_conf_all_accept_redirects,
  }

  # net.ipv4.conf.default.send_redirects = 0
  sysctl { 'net.ipv4.conf.default.send_redirects':
    ensure => present,
    value  => $net_ipv4_conf_default_send_redirects,
  }

  # net.ipv4.conf.all.send_redirects = 0
  sysctl { 'net.ipv4.conf.all.send_redirects':
    ensure => present,
    value  => $net_ipv4_conf_all_send_redirects,
  }

  # net.ipv4.ip_forward = 0
  sysctl { 'net.ipv4.ip_forward':
    ensure => present,
    value  => $net_ipv4_ip_forward,
  }

  # net.ipv6.conf.all.accept_source_route = 0
  sysctl { 'net.ipv6.conf.all.accept_source_route':
    ensure => present,
    value  => $net_ipv6_conf_all_accept_source_route,
  }
}
```
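
Added example, not part of the original report or of the module's code: a small Python script that compares two Puppet debug logs in the format quoted above and lists which hardening keys one run read but the other rejected as "not a valid sysctl key", plus the sysctl binary each run invoked. The embedded log lines are a subset of those in the report; the function names and dictionary keys are illustrative.

```python
import re

# Subset of the debug lines quoted in the issue above (not the full logs).
NODE_RUN = """\
2021-08-18 14:43:13,debug,Executing: '/sbin/sysctl -n net.ipv4.ip_forward'
2021-08-18 14:43:13,debug,Executing: '/sbin/sysctl -n net.ipv4.conf.all.accept_redirects'
2021-08-18 14:43:12,debug,Executing: '/sbin/sysctl -n net.ipv4.icmp_echo_ignore_broadcasts'
2021-08-18 14:43:12,debug,Executing: '/sbin/sysctl -n kernel.randomize_va_space'
2021-08-18 14:43:12,debug,Executing: '/sbin/sysctl -a'
"""
MASTER_RUN = """\
2021-08-18 14:33:39,debug,"Resource is being skipped, unscheduling all events"
2021-08-18 14:33:39,debug,Executing: '/usr/sbin/sysctl -n net.ipv4.ip_forward'
2021-08-18 14:33:39,err,Could not evaluate: Error: net.ipv4.conf.all.accept_redirects is not a valid sysctl key
2021-08-18 14:33:39,err,Could not evaluate: Error: net.ipv4.icmp_echo_ignore_broadcasts is not a valid sysctl key
2021-08-18 14:33:39,err,Could not evaluate: Error: kernel.randomize_va_space is not a valid sysctl key
2021-08-18 14:33:39,debug,Executing: '/usr/sbin/sysctl -a'
"""

EXEC_RE = re.compile(r",debug,Executing: '(\S*/sysctl) (?:-a|-n (\S+))'")
ERR_RE = re.compile(r",err,Could not evaluate: Error: (\S+) is not a valid sysctl key")


def summarize(log_text):
    """Collect sysctl binaries used, keys read with -n, and keys rejected."""
    run = {"binaries": set(), "read": set(), "rejected": set()}
    for line in log_text.splitlines():
        if (m := EXEC_RE.search(line)):
            run["binaries"].add(m.group(1))
            if m.group(2):          # None for the 'sysctl -a' prefetch call
                run["read"].add(m.group(2))
        elif (m := ERR_RE.search(line)):
            run["rejected"].add(m.group(1))
    return run


def compare(good_log, bad_log):
    """Report what differs between a working run and a failing run."""
    good, bad = summarize(good_log), summarize(bad_log)
    return {
        # Keys the working run read but the failing run refused to manage.
        "unmanaged": sorted(good["read"] & bad["rejected"]),
        # Keys both runs read without error.
        "read_in_both": sorted(good["read"] & bad["read"]),
        "binaries": (sorted(good["binaries"]), sorted(bad["binaries"])),
    }


if __name__ == "__main__":
    for name, value in compare(NODE_RUN, MASTER_RUN).items():
        print(f"{name}: {value}")
```

The "unmanaged" list is the set of baseline settings Puppet did not enforce in the failing run, which is the part worth alerting on when the same class is applied fleet-wide.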