System Administration & Network Administration
linux centos puppet
Updated Fri, 20 May 2022 11:58:48 GMT

Puppet: how to run an exec only if puppet has made changes

We are doing basic management of some servers via puppet. The servers themselves run as part of a clustered system that handles other aspects like user accounts etc. and includes a monitoring script that detects changes in key files (/etc/passwd and the like). If puppet updates a package, it potentially changes these key files, triggering the monitoring system (which is not unintentional).

The monitoring system has a command that can be manually run to clear the state, and we have to do this each time puppet applies any changes, when we start getting emails!

We could define an exec that runs in a post run_stage to run the command but this by default would fire every time puppet runs, and then our reports will always show as puppet made changes regardless of whether changes were made or not.

Is there a way we can set the exec so that it only runs if puppet has applied other changes?


If the exec resource has a dedicated stage, you can implement the desired behavior by having it subscribe to all other stages, e.g.

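exec { "pacify-rkhunter":
    # Placeholder: substitute the command that clears the monitoring state.
    command     => "/path/to/clear-monitoring-state",
    subscribe   => Stage['pre','main','aux'],
    refreshonly => true,
}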

Comments (2)

  • +0 – this sounds exactly like what I need, let me give it a try — Jul 09, 2014 at 19:28  
  • +1 – I'm not sure what alternative to offer, but stages are problematic. e.g. if you want something to have to happen after the exec, then it can't really be part of any of the usual stages, and so this can't work as part of a module that might be depended on by anything else. — Jul 15, 2014 at 15:00
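
The stage wiring the answer relies on, written out as an added example (not code from the original answer). The `post` stage name, the `monitor_reset` class name and the command path are assumptions for illustration; `pre`, `main` and `aux` are the stage names used in the answer.

```puppet
# 'main' exists by default; declare the other stages and order them:
#   pre -> main -> aux -> post
stage { 'pre':
  before => Stage['main'],
}
stage { 'aux':
  require => Stage['main'],
}
stage { 'post':
  require => Stage['aux'],
}

# Hypothetical class that holds only the reset exec, so that it can be
# placed in its own dedicated stage.
class monitor_reset {
  exec { 'pacify-rkhunter':
    # Placeholder path: substitute the command that clears the
    # monitoring system's state.
    command     => '/usr/local/sbin/clear-monitoring-state',
    # Receive a refresh event when any resource in the earlier stages
    # was changed during this run.
    subscribe   => Stage['pre', 'main', 'aux'],
    # Do nothing unless such a refresh event arrives, so an unchanged
    # run stays unchanged in the report.
    refreshonly => true,
  }
}

# Stages are assigned per class, not per resource.
class { 'monitor_reset':
  stage => 'post',
}
```

Because the command clears the monitoring state as a whole, it also clears alerts for any change to the watched files that did not come from Puppet but landed before the same run, so the Puppet report for each run that triggers it is the record to check against.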