For what it's worth, leaving the incl => and lens => statements in did the trick. Either that or cleaning up some of the iptables.save and other similar files ahead of time.

I did have to figure out the correct format for the lens => statement, which is apparently to use a capitalized lens name with a '.lns' suffix, like 'Iptables.lns'. It wasn't clear from the documentation, and I had tried the actual file name containing the lens, 'iptables.aug', first. That's why I had initially commented these sections out. The lens name clearly comes from the 'module' statement inside the lens source file, iptables.aug, but where the '.lns' suffix comes from I have no idea.

Anyway, thanks again,
-- Pat

On 10/6/13 3:24 PM, Patrick Spinler wrote:
>
> I'm not using the puppet firewall module because, if I read the docs
> correctly, I'd need to use that module to completely manage the firewall
> settings, and it seems to require a good bit of setup to get there, too.
>
> Unfortunately, due to political and organizational circumstance, I don't
> have the ability to subsume the system's setup in that fashion. Maybe
> someday. Until then, I can only add my extra stuff on top. Ergo, augeas.
>
> As far as commenting out the incl and lens settings, I wasn't sure they
> had the correct syntax and were working, or may even have been part of
> the problem. Ergo, simplify, and comment out until then.
>
> I'll try using them again, thanks.
>
> -- Pat
>
> On 10/6/13 4:09 AM, Cory Stoker wrote:
>> Ouch my eyes... Augeas can wreck your day sometimes. I have to ask
>> though, why not use the Puppetlabs Firewall Module? It's here:
>> https://forge.puppetlabs.com/puppetlabs/firewall
>>
>> Then you would do something like this:
>>
>>   firewall { 'mayo_fw TCP/31111':
>>     ensure => present,
>>     table  => 'filter',
>>     chain  => 'Mayo-Firewall-INPUT',
>>     proto  => 'tcp',
>>     dport  => 31111,
>>     action => 'accept',
>>   } #End
>>
>> As far as your output above, it looks like it errored out on the files
>> iptables.save and iptables.orig? What's weird is you have incl
>> commented out, which would make me think it should only load the one
>> path you specified.
>>
>> On Fri, Oct 4, 2013 at 7:13 AM, Patrick Spinler <[email protected]> wrote:
>>>
>>> (apologies in advance for the line wrap)
>>>
>>> I have the following tidbit of augeas code, which inserts a rule into
>>> /etc/sysconfig/iptables as the first rule of a specifically named chain:
>>>
>>>   # augtool> insert append before "/files/etc/sysconfig/iptables/table/append[. = 'Mayo-Firewall-INPUT'][1]"
>>>   # augtool> match /files/etc/sysconfig/iptables/table/append[. = '']
>>>   # /files/etc/sysconfig/iptables/table/append[8] = (none)
>>>   # augtool> set /files/etc/sysconfig/iptables/table/append[. = ''] 'Mayo-Firewall-INPUT'
>>>   # augtool> set /files/etc/sysconfig/iptables/table/append[. = 'Mayo-Firewall-INPUT'][1]/protocol 'tcp'
>>>   # augtool> set /files/etc/sysconfig/iptables/table/append[. = 'Mayo-Firewall-INPUT'][1]/match 'tcp'
>>>   # augtool> set /files/etc/sysconfig/iptables/table/append[. = 'Mayo-Firewall-INPUT'][1]/dport '31111'
>>>   # augtool> set /files/etc/sysconfig/iptables/table/append[. = 'Mayo-Firewall-INPUT'][1]/jump 'ACCEPT'
>>>   # augtool> print /files/etc/sysconfig/iptables/table/append[. = 'Mayo-Firewall-INPUT'][1]
>>>   # /files/etc/sysconfig/iptables/table/append[8] = "Mayo-Firewall-INPUT"
>>>   # /files/etc/sysconfig/iptables/table/append[8]/dport = "31111"
>>>   # /files/etc/sysconfig/iptables/table/append[8]/match = "tcp"
>>>   # /files/etc/sysconfig/iptables/table/append[8]/protocol = "tcp"
>>>   # /files/etc/sysconfig/iptables/table/append[8]/jump = "ACCEPT"
>>>
>>> I'd like to convert this to a puppet augeas define. So far, I've got this:
>>>
>>>   define mayo_firewall_insert ($dport, $proto) {
>>>
>>>     augeas { "firewall_${title}":
>>>       context => "/files/etc/sysconfig/iptables/table",
>>>       # incl    => "/etc/sysconfig/iptables",
>>>       # lens    => "iptables.aug",
>>>       onlyif  => "match append[dport='$dport'] size != 0",
>>>       changes => [
>>>         "insert append before append[. = 'Mayo-Firewall-INPUT'][1]",
>>>         "set append[. = ''] 'Mayo-Firewall-INPUT'",
>>>         "set append[. = 'Mayo-Firewall-INPUT'][1]/protocol '$proto'",
>>>         "set append[. = 'Mayo-Firewall-INPUT'][1]/match '$proto'",
>>>         "set append[. = 'Mayo-Firewall-INPUT'][1]/dport '$dport'",
>>>         "set append[. = 'Mayo-Firewall-INPUT'][1]/jump 'ACCEPT'",
>>>       ],
>>>     }
>>>   }
>>>
>>> However, when I declare a resource using the above define, I get augeas
>>> syntax errors, and I'm not sure how to track down the problem:
>>>
>>> (invoked as 'puppet apply --verbose --debug --detailed-exitcodes --execute "include omnibus_node"')
>>>
>>>   ...
>>>   Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): Opening augeas with root /, lens path , flags 32
>>>   Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): Augeas version 1.1.0 is installed
>>>   Warning: Augeas[firewall_omnibus_tcp_4100](provider=augeas): Loading failed for one or more files, see debug for /augeas//error output
>>>   Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): /augeas/files/etc/sysconfig/iptables.save/error/pos = 115
>>>   Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): /augeas/files/etc/sysconfig/iptables.save/error/line = 3
>>>   Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): /augeas/files/etc/sysconfig/iptables.save/error/char = 0
>>>   Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): /augeas/files/etc/sysconfig/iptables.save/error/lens = /shares/nfs/unixarch/share/augeas/lenses/dist/shellvars.aug:163.12-.99:
>>>   Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): /augeas/files/etc/sysconfig/iptables.save/error/message = Syntax error
>>>   Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): /augeas/files/etc/sysconfig/iptables.orig/error/pos = 64
>>>   Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): /augeas/files/etc/sysconfig/iptables.orig/error/line = 2
>>>   Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): /augeas/files/etc/sysconfig/iptables.orig/error/char = 0
>>>   Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): /augeas/files/etc/sysconfig/iptables.orig/error/lens = /shares/nfs/unixarch/share/augeas/lenses/dist/shellvars.aug:163.12-.99:
>>>   Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): /augeas/files/etc/sysconfig/iptables.orig/error/message = Syntax error
>>>   Debug: Augeas[firewall_omnibus_tcp_4100](provider=augeas): Closed the augeas connection
>>>   ...
>>>
>>> I'm guessing the augeas tree isn't what I think it is by the time it
>>> goes to save, but there doesn't appear to be a way to invoke 'print' or
>>> some other, similar augeas command, so I can't tell.
>>>
>>> Can anyone please advise how I might debug this?
>>>
>>> Thanks,
>>> -- Pat
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> To post to this group, send email to [email protected].
>>> Visit this group at http://groups.google.com/group/puppet-users.
>>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>
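As an added example (not code from the thread, Pat's module or the Puppet project), here is the define above written the way the thread ends up: `incl` and `lens` left in, with the lens named by its module name plus the '.lns' suffix. Scoping the load to the one file is also what stops Augeas from trying to parse backup copies such as iptables.save and iptables.orig with the wrong lens, which is exactly what the debug output shows failing. The `$chain` parameter, the `size == 0` guard on `onlyif` (so a second run does not insert a duplicate rule) and the sample resource title are my additions and assumptions, not anything from the thread.

```puppet
# Added example: Pat's define with incl/lens kept and an idempotent onlyif.
# Assumed: the Iptables lens produces append/protocol, append/dport and
# append/jump nodes as shown in Pat's augtool session.
define mayo_firewall_insert (
  $dport,
  $proto = 'tcp',
  $chain = 'Mayo-Firewall-INPUT'
) {

  augeas { "firewall_${title}":
    # Load only this file, with the lens named by module name + '.lns'.
    # Using the source file name ('iptables.aug') here does not work.
    incl    => '/etc/sysconfig/iptables',
    lens    => 'Iptables.lns',
    context => '/files/etc/sysconfig/iptables/table',
    # Apply the changes only if no rule for this chain/proto/port exists yet,
    # so repeated puppet runs leave the file unchanged (assumed behaviour).
    onlyif  => "match append[. = '${chain}'][protocol = '${proto}'][dport = '${dport}'] size == 0",
    changes => [
      # Insert a new, empty 'append' node in front of the chain's first rule,
      # then fill it in; the empty node is the one matching [. = ''].
      "insert append before append[. = '${chain}'][1]",
      "set append[. = ''] '${chain}'",
      "set append[. = '${chain}'][1]/protocol '${proto}'",
      "set append[. = '${chain}'][1]/match '${proto}'",
      "set append[. = '${chain}'][1]/dport '${dport}'",
      "set append[. = '${chain}'][1]/jump 'ACCEPT'",
    ],
  }
}

# Sample use (constructed title and port, matching the rule from the thread).
mayo_firewall_insert { 'omnibus_tcp_31111':
  dport => '31111',
  proto => 'tcp',
}
```

Running this under `puppet apply --debug`, as in the thread, should no longer show /augeas/files/etc/sysconfig/iptables.save/error entries, because with `incl` set Augeas never loads that file; if the resource still reports errors, the remaining /augeas//error paths in the debug output point at the file and lens actually involved.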
