@justinstoller
Last active November 10, 2017 17:04
dependency cycle with pdb
Seeing this failure when trying to install PDB via the module on Debian 9:
cy21od14dqt4842.delivery.puppetlabs.net (debian9-64-1) executed in 4.38 seconds
RuntimeError: PuppetAcceptance::DSL::Helpers.with_puppet_running_on failed (check backtrace for location) because: Host 'cy21od14dqt4842.delivery.puppetlabs.net' exited with 1 running:
puppet agent --test --server cy21od14dqt4842.delivery.puppetlabs.net
Last 10 lines of output were:
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet_x]/ensure: created
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet_x/apt_key]/ensure: created
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet_x/apt_key/patch_openuri.rb]/ensure: defined content as '{md5}951bad007a3b5db035be069c1d1c9c09'
Info: Loading facts
Info: Caching catalog for cy21od14dqt4842.delivery.puppetlabs.net
Info: Applying configuration version '1510298856'
Error: Found 1 dependency cycle:
(Anchor[apt_key B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8 present] => Apt::Key[Add key: B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8 from Apt::Source apt.postgresql.org] => Apt::Source[apt.postgresql.org] => Package[dirmngr] => Apt::Key[Add key: B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8 from Apt::Source apt.postgresql.org] => Anchor[apt_key B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8 present])
Try the '--graph' option and opening the resulting '.dot' file in OmniGraffle or GraphViz
Error: Failed to apply catalog: One or more resource dependency cycles detected in graph
For the record these are the modules installed:
root@y1erw9ts92yrr5k:/etc/puppetlabs/code/environments/production/modules# puppet module list
/etc/puppetlabs/code/environments/production/modules
├── puppetlabs-apt (v4.3.0)
├── puppetlabs-concat (v4.1.0)
├── puppetlabs-firewall (v1.9.0)
├── puppetlabs-inifile (v2.0.0)
├── puppetlabs-postgresql (v5.1.0)
├── puppetlabs-puppetdb (v6.0.2)
└── puppetlabs-stdlib (v4.21.0)
/etc/puppetlabs/code/modules (no modules installed)
/opt/puppetlabs/puppet/modules (no modules installed)
Grepping for dirmngr in the modulepath I see:
root@y1erw9ts92yrr5k:/etc/puppetlabs/code/environments/production/modules# vi apt/manifests/key.pp
apt_key { $title:
  ensure => $ensure,
  id => $id,
  source => $source,
  content => $content,
  server => $server,
  options => $options,
} -> anchor { "apt_key ${id} present": }

case $facts['os']['name'] {
  'Debian': {
    if versioncmp($facts['os']['release']['full'], '9.0') >= 0 {
      Apt::Key<| title == $title |> {
        require => Package['dirmngr']
      }
    }
  }
root@y1erw9ts92yrr5k:/etc/puppetlabs/code/environments/production/modules# vi apt/manifests/init.pp
# required for adding GPG keys on Debian 9 (and derivatives)
case $facts['os']['name'] {
  'Debian': {
    if versioncmp($facts['os']['release']['full'], '9.0') >= 0 {
      ensure_packages(['dirmngr'])
    }
  }
First guess is that implicit (manifest) ordering might be causing the ensure_packages call to create a package resource that depends on sources/keys defined previously in the init.pp. Looking at the postgresql module, it doesn't seem that the apt init.pp is used to instantiate the apt::source resource that is part of the cycle. I pass `--ordering title-hash` and `--ordering random` for several invocations and get the same results; I assume this is because of an explicit ordering issue, not implicit manifest ordering.
Looking at explicit ordering of the apt::source I see it is supposed to come before any packages with the tag postgresql. Commenting out the below line makes this work:
root@y1erw9ts92yrr5k:/etc/puppetlabs/code/environments/production/modules# tail postgresql/manifests/repo/apt_postgresql_org.pp
source => 'https://www.postgresql.org/media/keys/ACCC4CF8.asc',
},
include => {
src => false,
},
}
# Apt::Source['apt.postgresql.org']->Package<|tag == 'postgresql'|>
# Class['Apt::Update'] -> Package<|tag == 'postgresql'|>
}
Which leads me to think that setting a dependency for packages collected by a tag search causes the dependency to be placed on all packages.
I wrote a small, simpler test case that fails to reproduce the issue. Tag-based collection seems like it would be a language-level issue, so using notify would work in that case.
sellout:puppet justin$ cat test.pp
notify { "First Notify":
  tag => 'foo',
}
notify { "Last Notify":
  tag => 'bar',
}
notify { "Middle Notify":
  tag => 'baz',
}
Notify['Middle Notify']->Notify<|tag == 'bar'|>
If collecting based on tag added dependencies for all instances of a type, then I would expect Notify['Middle Notify'] to happen BEFORE both First and Last notifies.
sellout:puppet justin$ bundle exec puppet apply test.pp
/Users/justin/.puppetlabs/opt/puppet/cache/lib/puppet_x/chocolatey/chocolatey_version.rb:8: warning: already initialized constant PuppetX::Chocolatey::ChocolateyVersion::OLD_CHOCO_MESSAGE
/Users/justin/.puppetlabs/etc/code/environments/production/modules/chocolatey/lib/puppet_x/chocolatey/chocolatey_version.rb:8: warning: previous definition of OLD_CHOCO_MESSAGE was here
Notice: Compiled catalog for localhost in environment production in 0.04 seconds
Notice: First Notify
Notice: /Stage[main]/Main/Notify[First Notify]/message: defined 'message' as 'First Notify'
Notice: Middle Notify
Notice: /Stage[main]/Main/Notify[Middle Notify]/message: defined 'message' as 'Middle Notify'
Notice: Last Notify
Notice: /Stage[main]/Main/Notify[Last Notify]/message: defined 'message' as 'Last Notify'
Notice: Applied catalog in 0.02 seconds
But that doesn't happen...
Next idea: ensure_packages is a function to create package resources, so why not just create the resource? Could there be an issue with ensure_packages?
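An added example, not part of the original notes or of any Puppet module: a small Python helper that parses the cycle reported in the agent output at the top of these notes, undoes the terminal wrap, isolates the shortest closed loop, and pairs each edge with the manifest line quoted on this page that declares the same ordering. The function names and the `DECLARED` table are assumptions made for illustration.

```python
import re

# Cycle text copied from the agent output on this page, including the point
# where the terminal hard-wrapped it in the middle of "apt.postgresql.org".
KEY = "Apt::Key[Add key: B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8 from Apt::Source apt.postgresql.org]"
ANCHOR = "Anchor[apt_key B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8 present]"
REPORTED = (f"({ANCHOR} => {KEY} => Apt::Source[apt.postgresql.o\n"
            f"rg] => Package[dirmngr] => {KEY} => {ANCHOR})")

REF = re.compile(r"^([A-Z][\w:]*)\[(.*)\]$")

# Orderings visible in the manifests quoted on this page, keyed by the
# (left, right) resource types of a reported edge (illustrative table).
DECLARED = {
    ("Package", "Apt::Key"): "apt/manifests/key.pp: require => Package['dirmngr']",
    ("Apt::Source", "Package"): "postgresql/manifests/repo/apt_postgresql_org.pp: "
                                "Apt::Source['apt.postgresql.org']->Package<|tag == 'postgresql'|>",
}

def parse_path(text):
    """Return the ordered resource references of one reported cycle."""
    body = "".join(text.splitlines()).strip()   # undo hard terminal wraps
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    refs = [r.strip() for r in body.split(" => ")]
    bad = [r for r in refs if not REF.match(r)]
    if bad:
        raise ValueError(f"not a resource reference: {bad[0]!r}")
    return refs

def inner_loop(refs):
    """Shortest closed sub-path: the span between two visits of one resource."""
    best, last_seen = None, {}
    for i, ref in enumerate(refs):
        if ref in last_seen and (best is None or i - last_seen[ref] < len(best) - 1):
            best = refs[last_seen[ref]:i + 1]
        last_seen[ref] = i
    return best

def explain(loop):
    """Pair each edge of the loop with the quoted manifest line, if any."""
    kind = lambda ref: REF.match(ref).group(1)
    return [(a, b, DECLARED.get((kind(a), kind(b)), "not shown on this page"))
            for a, b in zip(loop, loop[1:])]

if __name__ == "__main__":
    for a, b, where in explain(inner_loop(parse_path(REPORTED))):
        print(f"{a}\n  => {b}\n     [{where}]")
```

On the reported path the loop reduces to Apt::Key, Apt::Source, Package[dirmngr] and back to Apt::Key; the Anchor entries sit outside it.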