puppet keeps trying to start ossec

asked 2013-08-21 08:55:18 -0600

updated 2013-08-21 11:20:00 -0600

I'm running puppet-server-2.7.6-2.

I created a manifest to manage ossec:

class ossec {
            ensure  => directory,
            owner   => root,
            group   => root,
            mode    => '0644',
            ensure  => present,
            owner   => 'root',
            group   => 'root',
            mode    => '0644',
            content => template('ossec/ossec.conf.erb'),
            require => File["/var/ossec/etc"],
            notify  => Service["ossec"],

            ensure  => running,
            enable  => true,

But then in my puppet dashboard, although ossec is already running. I noticed puppet keeps trying to start ossec service and I keep seeing this:

PropertyMessageensureensure changed 'stopped' to 'running'

answered 2013-08-21 11:27:29 -0600

It looks like you haven't set status command, so it will be using the default method of checking status. This usually involves looking in the process table.

If the name of the service ossec doesn't match the exact process name, this could cause the service to appear to not be running, which would cause puppet to attempt to start it each time.

If you add status => 'some command to check status', to your service resource, you should be able to stop puppet from trying to start the service each run.

Awesome! Thanks llowder. I just tested it and it worked. :-)

answered 2013-08-21 13:24:23 -0600

llowder doesn't have that quite correct. By default Puppet will look at the output of service $servicename status to determine if a service is up. If it is not, it'll attempt to restart it. If the init script does not support status you can set a status method or use the pattern parameter.

service { 'ossec':
  ensure    => running,
  enable    => true,
  hasstatus => false, # default is true as of Puppet 2.7
  pattern   => 'ossec-as-seen-in-ps', # default is service name if you don't specify
  #status   => '/usr/bin/ossectl --healthcheck', # some service have cli tools to check health
My answer was based on the docs for the referenced version of puppet - which states checking the process table. The default for no status has changed and is currently 'service <servicename>'

The docs you reference says that service uses hasstatus => true, by default to determine service status. The ps table is only queried when it's false.

I hadn't looked at source, just the published docs. :| But, the fact still remains that explicitly setting status is the way around this.

That's not my problem with your answer, ". This usually involves looking in the process table." is incorrect. Puppet won't do that unless you tell it to.

Asked: 2013-08-21 08:55:18 -0600

Seen: 416 times

Last updated: Aug 21 '13