Please allow for the use of / as a key separator, as described in the sysctl man page

[ghost]

In RHEL, the sysctl man page describes the use of / as a key separator instead of .:

PARAMETERS
       variable
              The  name  of  a  key to read from.  An example is kernel.ostype.  The ’/’ separator is also accepted in
              place of a ’.’.

This is required in situations where a sub-key name itself includes a ., such as network interfaces with vlans (bond0.209 for example). Specifically:

# sysctl net.ipv4.conf.bond0.209.rp_filter
error: "net.ipv4.conf.bond0.209.rp_filter" is an unknown key
# sysctl net/ipv4/conf/bond0.209/rp_filter
net.ipv4.conf.bond0/209.rp_filter = 1
# sysctl net.ipv4.conf.bond0/209.rp_filter
net.ipv4.conf.bond0/209.rp_filter = 1

As seen in the output of the second example, you can apparently also replace a . in the sub-key name with a /.

However, neither work-around works with the augeas provider, because the / apparently breaks the parsing of the key names:

# puppet apply -t --debug -e 'sysctl {"net/ipv4/conf/bond0.209/rp_filter": value=>2 }'
…
Notice: /Stage[main]/Main/Sysctl[net/ipv4/conf/bond0.209/rp_filter]/ensure: created
Debug: Puppet::Type::Sysctl::ProviderAugeas: Save failure details:
/augeas/files/etc/sysctl.conf/error/path = /files/etc/sysctl.conf/net
/augeas/files/etc/sysctl.conf/error/lens = /opt/puppetlabs/puppet/share/augeas/lenses/dist/simplevars.aug:34.7-36.43:
/augeas/files/etc/sysctl.conf/error/message = Failed to match

()
 (     | { })
()
 (     | { /#comment/ = /[^\001-\004\t\n\r ][^\001-\004\n]*[^\001-\004\t\n\r ]|[^\001-\004\t\n\r ]/ })
  with tree
    { "ipv4" }
Error: /Stage[main]/Main/Sysctl[net/ipv4/conf/bond0.209/rp_filter]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.
…
# puppet apply -t --debug -e 'sysctl {"net.ipv4.conf.bond0/209.rp_filter": value=>2 }'
…
Notice: /Stage[main]/Main/Sysctl[net.ipv4.conf.bond0/209.rp_filter]/ensure: created
Debug: Puppet::Type::Sysctl::ProviderAugeas: Save failure details:
/augeas/files/etc/sysctl.conf/error/path = /files/etc/sysctl.conf/net.ipv4.conf.bond0
/augeas/files/etc/sysctl.conf/error/lens = /opt/puppetlabs/puppet/share/augeas/lenses/dist/simplevars.aug:34.7-36.43:
/augeas/files/etc/sysctl.conf/error/message = Failed to match

()
 (     | { })
()
 (     | { /#comment/ = /[^\001-\004\t\n\r ][^\001-\004\n]*[^\001-\004\t\n\r ]|[^\001-\004\t\n\r ]/ })
  with tree
    { "209.rp_filter" = "2" }
Error: /Stage[main]/Main/Sysctl[net.ipv4.conf.bond0/209.rp_filter]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.

Please update the augeas lens to allow the use of this work-around.

[raphink]

Related: hercules-team/augeas#176

[waipeng]

I've noticed that puppet-agent 7.19.0 has been released which has augeas-1.13.0. See https://tickets.puppetlabs.com/browse/PA-4494

However, a sysctl key with / in it still doesn't work. Is there something more that needs to be done, e.g. in puppet-augeasproviders_sysctl or puppet-augeasproviders_core?

I had a brief look and it seems that the path is being set wrongly

Debug: Executing: '/usr/sbin/sysctl -e net.ipv4.conf.bond0/3082.rp_filter'
Debug: Executing: '/usr/sbin/sysctl -n net.ipv4.conf.bond0/3082.rp_filter'
Notice: /Stage[main]/Main/Sysctl[net.ipv4.conf.bond0/3082.rp_filter]/value: changed configuration value from '' to '2'
...
Debug: Executing: '/usr/sbin/sysctl -w net.ipv4.conf.bond0/3082.rp_filter=2'
Debug: Puppet::Type::Sysctl::ProviderAugeas: Save failure details:
/augeas/files/etc/sysctl.conf/error/path = /files/etc/sysctl.conf/files/etc/sysctl.conf/net.ipv4.conf.bond0
/augeas/files/etc/sysctl.conf/error/lens = /opt/puppetlabs/puppet/share/augeas/lenses/dist/simplevars.aug:34.7-36.43:
/augeas/files/etc/sysctl.conf/error/message = Failed to match tree under /files/etc/sysctl.conf/net.ipv4.conf.bond0

     { "3082.rp_filter" = "2" }

  with pattern

()
 (     | { })
U(
      | { /#comment/ = /[^\t\n\r ].*[^\t\n\r ]|[^\t\n\r ]/ })

Error: /Stage[main]/Main/Sysctl[net.ipv4.conf.bond0/3082.rp_filter]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.```

[waipeng]

This is also discussed in hercules-team/augeas/pull/755

[johnwarburton]

Just an FYI for anyone following here - I can confirm VLAN '/' separator still does not work with

• puppet agent 7.25.0
• puppet-augeasproviders_core 3.2.1
• puppet-augeasproviders_sysctl 3.0.0
• puppetlabs-augeas_core 1.3.0

It looks like the updated lens dropped into augeas 9 months ago - https://github.com/hercules-team/augeas/blob/master/lenses/sysctl.aug and has support for more "non-alphabetic" characters and is part of the 1.14.0 release

I am not sure how to wrangle this into the system before the agent is updated

[johnwarburton]

Ok, so I am almost there. I have confirmed that I can run augtool with the puppet agent libraries and lenses and confirm failure with the sysctl lens

$ grep Version /opt/puppetlabs/puppet/lib/pkgconfig/augeas.pc
Version: 1.13.0

$ cat vlan-augeas-commands
set /files/etc/sysctl.conf/net.ipv4.conf.eth2\/666.rp_filter 6

$ LD_LIBRARY_PATH=/opt/puppetlabs/puppet/lib ./augtool --include /opt/puppetlabs/puppet/share/augeas/lenses/dist --backup --root /tmp/augeas-sandbox --autosave --interactive --file vlan-augeas-commands
augtool> print /files/etc/sysctl.conf/
/files/etc/sysctl.conf
/files/etc/sysctl.conf/net.ipv4.conf.eth2\/666.rp_filter = "6"
augtool> save
error: Failed to execute command
saving failed (run 'errors' for details)

$ cp sysctl/augeas-HEAD/lenses/sysctl.aug /opt/puppetlabs/puppet/share/augeas/lenses/dist/sysctl.aug

$ LD_LIBRARY_PATH=/opt/puppetlabs/puppet/lib ./augtool --include /opt/puppetlabs/puppet/share/augeas/lenses/dist --backup --root /tmp/augeas-sandbox --autosave --interactive --file vlan-augeas-commands
augtool> print /files/etc/sysctl.conf/
/files/etc/sysctl.conf
/files/etc/sysctl.conf/#comment[1] = "HEADER: This file was autogenerated at 2023-06-21 14:11:36 +1000"
/files/etc/sysctl.conf/#comment[2] = "HEADER: by puppet.  While it can still be managed manually, it"
/files/etc/sysctl.conf/#comment[3] = "HEADER: is definitely not recommended."
/files/etc/sysctl.conf/fs.file-max = "19574123"
…
/files/etc/sysctl.conf/vm.nr_overcommit_hugepages = "0"
/files/etc/sysctl.conf/jw = "1"
/files/etc/sysctl.conf/net.ipv4.conf.eth2\/666.rp_filter = "6"
augtool> save
Saved 1 file(s)

Now, when I run puppet with the sysctl lens from 1.14/HEAD, I am sooo close! The commands are mostly run and puppet fails on a weird UTF-8 invalid byte sequence

If I was to guess, maybe the provider needs to escape the / forward slash before writing? But that's only a guess

Debug: Executing: '/usr/sbin/sysctl -n net.ipv4.conf.eth2/666.rp_filter'
Notice: /Stage[main]/Sysctl[net.ipv4.conf.eth2/666.rp_filter]/value: changed configuration value from '' to '0' and live value from '1' to '0'
Debug: Executing: '/usr/sbin/sysctl -w net.ipv4.conf.eth2/666.rp_filter=0'
Debug: Puppet::Type::Sysctl::ProviderAugeas: Save failure details:
/augeas/files/etc/sysctl.conf/error/path = /files/etc/sysctl.conf/files/etc/sysctl.conf/net.ipv4.conf.eth2
/augeas/files/etc/sysctl.conf/error/lens = /opt/puppetlabs/puppet/share/augeas/lenses/dist/sysctl.aug:44.7-46.43:
/augeas/files/etc/sysctl.conf/error/message = Failed to match tree under /files/etc/sysctl.conf/net.ipv4.conf.eth2

     { "666.rp_filter" = "0" }

  with pattern

()
 (     | { })
<F4>
 (     | { /#comment/ = /[^\t\n\r ].*[^\t\n\r ]|[^\t\n\r ]/ })

Error: /Stage[main]/Sysctl[net.ipv4.conf.eth2/666.rp_filter]: Could not evaluate: invalid byte sequence in UTF-8

[johnwarburton]

Follow up - that 'invalid byte sequence' phrase appears in puppet::stdlib, and I noted I had a very old version. I updated it and all augeas related modules and now back to the error @waipeng is reporting

I suspect more work is required in puppet-augeasproviders_sysctl to quote the / when passing to augeas as the augeas internal representation quotes the /

Debug: Executing: '/usr/sbin/sysctl -n net.ipv4.conf.eth2/666.rp_filter'
Notice: /Stage[main]/Imc_r_profile::Sysctl/Sysctl[net.ipv4.conf.eth2/666.rp_filter]/value: changed configuration value from '' to '0' and live value from '1' to '0'
Debug: Executing: '/usr/sbin/sysctl -w net.ipv4.conf.eth2/666.rp_filter=0'
Debug: Puppet::Type::Sysctl::ProviderAugeas: Save failure details:
/augeas/files/etc/sysctl.conf/error/path = /files/etc/sysctl.conf/files/etc/sysctl.conf/net.ipv4.conf.eth2
/augeas/files/etc/sysctl.conf/error/lens = /opt/puppetlabs/puppet/share/augeas/lenses/dist/sysctl.aug:44.7-46.43:
/augeas/files/etc/sysctl.conf/error/message = Failed to match tree under /files/etc/sysctl.conf/net.ipv4.conf.eth2

     { "666.rp_filter" = "0" }

  with pattern

()
 (     | { })
E
 (     | { /#comment/ = /[^\t\n\r ].*[^\t\n\r ]|[^\t\n\r ]/ })

Error: /Stage[main]/Sysctl[net.ipv4.conf.eth2/666.rp_filter]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.

[johnwarburton]

A good night's sleep and I worked out that the provider needed to quote the slashes in strings only when communicating with augeas and not every time the key is used

With the changes in PR #79 plus the new sysctl lens jammed into the puppet agent, I managed to get a working add/modify/delete for strings with a / in them:

Debug: Executing: '/usr/sbin/sysctl -n net.ipv4.conf.eth2/666.rp_filter'
Notice: /Stage[main]/Sysctl[net.ipv4.conf.eth2/666.rp_filter]/value: changed configuration value from '' to '1'
Debug: Executing: '/usr/sbin/sysctl -w net.ipv4.conf.eth2/666.rp_filter=1'
Debug: /Stage[main]/Sysctl[net.ipv4.conf.eth2/666.rp_filter]: The container Class[Imc_r_profile::Sysctl] will propagate my refresh event

and

Notice: /Stage[main]/Sysctl[net.ipv4.conf.eth2/666.rp_filter]/ensure: removed
Debug: /Stage[main]/Sysctl[net.ipv4.conf.eth2/666.rp_filter]: The container Class[Imc_r_profile::Sysctl] will propagate my refresh event

[johnwarburton]

This also works for me dropping the 1.14 sysctl lens into puppet agent $libdir/augeas/lenses rather than directly hacking /opt/puppetlabs/puppet/share/augeas/lenses/dist/sysctl.aug