A collection of task-oriented solutions in Puppet

 

Manage sysctl settings

Challenge

You want to manage your sysctl settings.

Solution

Puppet doesn't have a native sysctl type and provider, so you'll need to install a module to manage these settings.

# install the sysctl module and its dependencies
$ sudo /opt/puppetlabs/bin/puppet module install herculesteam-augeasproviders_sysctl

...
Notice: Installing -- do not interrupt ...
/etc/puppetlabs/code/environments/production/modules
 - herculesteam-augeasproviders_sysctl (v2.2.0)
  - herculesteam-augeasproviders_core (v2.1.3)
   - puppetlabs-stdlib (v4.17.0)
...

Once the module is installed you can add settings:

class add_sysctl_setting {

  sysctl { 'kernel.dmesg_restrict':
    ensure => present,
    value  => '1',
  }

}

And you can remove settings:

class remove_sysctl_setting {

  # remove the setting and value from the config file
  sysctl { 'kernel.panic_on_oops':
    ensure  => absent,
  }

}

Explanation

To manage sysctl settings with Puppet you'll need to install a type and provider. We're going to use the excellent herculesteam-augeasproviders_sysctl. Once this is installed, adding an entry to your sysctl config is as simple as:

class add_sysctl_setting {

  sysctl { 'kernel.dmesg_restrict':
    ensure => present,
    value  => '1',
  }

}

A Puppet run then reports the change to both the config file and the live value:

Notice: /Stage[main]/Sysctls/Sysctl[kernel.dmesg_restrict]/value:
  changed configuration value from '' to '1'
  and live value from '0' to '1'

# and then prove it's been added and set
$ sudo sysctl kernel.dmesg_restrict
kernel.dmesg_restrict = 1

Removing settings is slightly more involved. Deleting the resource from your Puppet manifests leaves the setting unmanaged but still present in your config files, unless you're doing a full purge somewhere in your code base. Instead you'll often need to make two consecutive changes: first set the resource to absent to remove it from the config files on the hosts, and then, once Puppet has run on all of your nodes, remove the resource from the manifest completely.

One last feature worth noting is that you can explicitly specify, with the target parameter, the config file to write settings and their values to. This allows you to group them together logically.

class explicit_config {

  sysctl { 'net.ipv4.ip_forward':
    ensure => present,
    # write the value here, not the default location
    target => '/etc/sysctl.d/networking.conf',
    value  => '1',
  }

}

$ cat /etc/sysctl.d/networking.conf
net.ipv4.ip_forward = 1
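
The two-step removal and the explicit target file described above, combined in one class. This is an added example, not code from the original page or from the module's authors; the class name, the parameter names and the path /etc/sysctl.d/managed.conf are assumptions made for illustration.

```puppet
# Added example: class name, parameter names and file path are hypothetical.
class managed_sysctls (
  # Settings that should be present in the target file.
  Hash[String, String] $settings = {
    'kernel.dmesg_restrict' => '1',
  },
  # Removal, step 1: move a key from $settings into $retired so the next
  # run deletes it from the target file on every node.
  # Removal, step 2: once all nodes have applied that catalog, delete the
  # key from $retired as well.
  Array[String] $retired = ['kernel.panic_on_oops'],
  # One file for everything this class manages, so the entries stay grouped.
  String $target = '/etc/sysctl.d/managed.conf',
) {

  # A key listed in both parameters would be declared twice with opposite
  # intent, so stop compilation with a message that names the keys.
  $conflicts = keys($settings).filter |$key| { $key in $retired }
  unless empty($conflicts) {
    $joined = join($conflicts, ', ')
    fail("sysctl keys listed as both managed and retired: ${joined}")
  }

  $settings.each |String $key, String $value| {
    sysctl { $key:
      ensure => present,
      target => $target,
      value  => $value,
    }
  }

  # Retired keys are removed from the same file they were written to.
  $retired.each |String $key| {
    sysctl { $key:
      ensure => absent,
      target => $target,
    }
  }

}
```

Keeping the retired list in the same class as the live settings makes the pending second step visible in code review, rather than leaving it to memory.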

See also