Checking puppet-generated exim config before deploying

puppet exim

I use Puppet to generate /etc/exim4.conf and I want to make sure that the configuration is valid before I install the file on production systems.

I've considered—

  • using a git hook to call exim4 -bV -C filename... but this won't work because I use an ERB template to generate the file, so the end result isn't actually generated until the Puppet agent runs. I already have a git hook to test ERB syntax.

  • letting the init script check the config file... but this isn't good enough because, while the script will refuse to reload Exim if the configuration is invalid, the file will have already been installed and direct calls to Exim (to send mail from applications, for example) will fail.

Ideally what I want is some kind of Puppet directive that looks like

file { '/etc/exim4/exim4.conf':
    content => template("exim/etc/exim4/exim4.conf.erb"),
    notify => Service[exim4],
    but_before_we_install_check_syntax_with => '/usr/bin/exim4 -bV -C',
}

How can I check the syntax of the config file after it's been generated by Puppet but before it gets installed?

I'm using Exim 4.80 and Puppet 2.7.26 on Debian Wheezy systems.


Solution 1:

It sounds like you are describing the validate_cmd parameter exactly. From the Puppet type reference for file:

A command for validating the file’s syntax before replacing it. If Puppet would need to rewrite a file due to new source or content, it will check the new content’s validity first. If validation fails, the file resource will fail.

This command must have a fully qualified path, and should contain a percent (%) token where it would expect an input file. It must exit 0 if the syntax is correct, and non-zero otherwise. The command will be run on the target system while applying the catalog, not on the puppet master.

In your example, I think you would do this:

file { '/etc/exim4/exim4.conf':
    content      => template("exim/etc/exim4/exim4.conf.erb"),
    notify       => Service[exim4],
    validate_cmd => '/usr/bin/exim4 -bV -C %',
}

Solution 2:

You could test the resulting configuration by using a git hook to fire up a virtual machine / container (Docker would be ideal for this) and apply the manifest in that environment.

If you're doing this regularly you might consider implementing a CI system (like Jenkins) which you push your changes to, have the CI run a suite of tests and on success push the changes to production.

Related

Grouping nodes in puppet
Can I use TLSv1.0 for one client IP, TLS v1.2 for everyone else
Where do md array definitions come from?
Multiple wildcard certificates for same common name on different servers
Why is the cron ENV different from the user's ENV?
Google Chrome says my SSL uses outdated security settings but other site tests disagree [closed]
Server2k8: Prevent membership in a group based on membership in another group
Squid3 'The proxy server is refusing connections'
Enforce 15-character minimum password length on Windows
How configure environment variable with AcceptEnv
TCP sequence number randomization
How to create advanced rules with firewall-cmd?