Ask Your Question

Refresh and Reload the same Service Resource

asked 2015-11-19 15:42:59 -0600

cybersamurai gravatar image

I would like to be able to invoke a restart (refresh) of a 'service' resource upon modification of a 'file' resource (say config file). This is no problem, I can accomplish this via standard subscribe/notify/~>.

In addition, I would like to invoke a reload (in particular, send a signal) to the SAME service resource upon modification of a different file resource.

How can I support both for the same service?

Example: Intrusion Detection System - Restart the service if the main configuration file is changed, but only reload(send a signal) service if the signature file is updated.

edit retag flag offensive close merge delete


Does the IDS reload the main configuration file is a signal is sent to the process vs. performing a full stop/start?

GregLarkin gravatar imageGregLarkin ( 2015-11-19 19:46:24 -0600 )edit

For the Suricata IDS, sending a SIGUSR2 initiates a "live rule swap" - only reloads the IDS signatures. In order to reload the main configuration file, the application must be restarted.

cybersamurai gravatar imagecybersamurai ( 2015-11-19 21:58:43 -0600 )edit

2 Answers

Sort by ยป oldest newest most voted

answered 2015-11-19 19:55:01 -0600

GregLarkin gravatar image

As far as I can tell, there's no way to control the type of refresh event that's sent to the service based on a dependency. When you declare the service resource, the most you can do is set the restart command to your choosing. By default, Puppet will do a full stop, then start.

Is that acceptable for the situation where the signature file is updated? If not, as long as the IDS reloads its main configuration file when it receives a signal, then you could change the restart attribute of the service resource to send a signal instead of using the default stop/start.

The main issue you'll face there is getting the correct PID. It's possible your attribute would look something like:

restart => 'kill -HUP `cat /var/run/`'

That seems fragile to me, though, so I'd encourage you to use the default behavior if you can.

edit flag offensive delete link more


One potential hack could be creating an 'exec' resource with the command set to the reload command (either the kill -SIGUSR2 command or wrap it in systemctl reload in case of systemd) with the 'refreshonly' flag. Then subscribing to the config file resource.I will have to test. Thanks for your input

cybersamurai gravatar imagecybersamurai ( 2015-11-19 22:02:41 -0600 )edit

answered 2015-11-20 08:50:23 -0600

scoffland gravatar image

If you want a second notify restart option I would define an exec for this task.

exec { 'refresh_idp':
  command => "service $ipd_service reload",
  refreshonly => true,

file { foo.conf:
  source => foo.conf,
  notify => Service["$ipd_service"],

file { bar.conf:
  source => bar.conf,
  notify => Exec['refresh_idp'],
edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2015-11-19 15:42:59 -0600

Seen: 5,404 times

Last updated: Nov 20 '15