Two of the lesser-known attributes of Puppet’s resource type “file” are “validate_cmd” and its partner “validate_replacement”.
This is kind of curious, as they can be used to check configuration files for syntactic errors – on the target system.
Admittedly, for a long time I did not know those two either, which is why we resorted to the other ways circulating on the internet – tolerating their increased complexity and increased susceptibility to error.
Just so you know what I’m referring to, here are the two most widely spread hacks:
- Overriding the “restart” attribute of your service definition to run something like “configtest && restart”, so that the restart is only allowed after a successful configtest.
- Placing an “exec” resource between your configuration files and your service, to be run only when the file changes.
Without going in too deep, there are two main problems:
- Number 1 overrides Puppet’s logic for choosing which init system to use
- Number 2 will roll out the erroneous config files and alert you only once about the problem
Using “validate_cmd” leaves your service definition untouched, so Puppet’s internal mechanism keeps control. Likewise, it will refuse to roll out the file as long as the syntax validation fails, so you will not end up with a broken configuration on your system.
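As an added illustration (not code from the original post or from the Puppet documentation), here is how the two attributes look on two files where a syntax error would cost you remote access or privilege escalation. The module name “profile”, the file name “ops”, the service name “sshd”, the binary paths and the “@FILE@” token are assumptions; adjust them for your distribution.

```puppet
# Added example. Assumed names: module 'profile', service 'sshd',
# binaries in /usr/sbin. These differ between distributions.

# A broken sshd_config can lock you out of the host after the next restart.
file { '/etc/ssh/sshd_config':
  ensure       => file,
  owner        => 'root',
  group        => 'root',
  mode         => '0600',
  source       => 'puppet:///modules/profile/sshd_config',
  # '%' is replaced with the path of the temporary file holding the new
  # content. The command runs on the target system, needs a fully
  # qualified path, and must exit 0 before Puppet replaces the real file.
  validate_cmd => '/usr/sbin/sshd -t -f %',
  notify       => Service['sshd'],
}

# The service definition stays plain: no custom 'restart' command,
# so Puppet keeps choosing the provider for the init system itself.
service { 'sshd':
  ensure => running,
  enable => true,
}

# A broken sudoers drop-in can disable sudo for everyone on the host.
file { '/etc/sudoers.d/ops':
  ensure               => file,
  owner                => 'root',
  group                => 'root',
  mode                 => '0440',
  source               => 'puppet:///modules/profile/sudoers_ops',
  # validate_replacement changes the placeholder token (default '%'),
  # which helps when the validation command needs a literal '%'.
  validate_cmd         => '/usr/sbin/visudo -cf @FILE@',
  validate_replacement => '@FILE@',
}
```

If validation fails, the file resource fails on every run until the content is fixed, the old file stays in place, and the service is not notified.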
Since Puppetlabs’ official documentation has got this covered pretty unambiguously, I will forgo pasting a piece of code here; instead, here’s the link: