Error: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details. #19

Open
HanzzM opened this issue Oct 30, 2017 · 4 comments · May be fixed by #76

HanzzM commented Oct 30, 2017

I get this error when I use more than one target file,
and after changing the value or the comment in the last file (/etc/sysctl.d/90-kernel.conf).

Example code:

sysctl { 'net.ipv4.tcp_syncookies':
  ensure  => present,
  value   => '1',
  comment => 'Turn on protection from Denial of Service (DOS) attacks',
  target  => '/etc/sysctl.d/90-net.conf',
}

sysctl { 'kernel.panic':
  ensure  => present,
  value   => '20',
  comment => 'Automatic reboot 20 sec after kernel panic',
  target  => '/etc/sysctl.d/90-kernel.conf',
}

The first Puppet agent run goes well. But after changing the code (value of kernel.panic changed from 20 to 30):

sysctl { 'net.ipv4.tcp_syncookies':
  ensure  => present,
  value   => '1',
  comment => 'Turn on protection from Denial of Service (DOS) attacks',
  target  => '/etc/sysctl.d/90-net.conf',
}

sysctl { 'kernel.panic':
  ensure  => present,
  value   => '30',
  comment => 'Automatic reboot 30 sec after kernel panic',
  target  => '/etc/sysctl.d/90-kernel.conf',
}

I get the messages:

Notice: /Stage[main]/Profile::Base::Cis/Sysctl[kernel.panic]/value: changed configuration value from '20' to '30' and live value from '20' to '30'
Notice: /Stage[main]/Profile::Base::Cis/Sysctl[kernel.panic]/comment: comment changed 'Automatic reboot 20 sec after kernel panic' to 'Automatic reboot 30 sec after kernel panic'
Error: /Stage[main]/Profile::Base::Cis/Sysctl[kernel.panic]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.

It works only when I also change the order of my code (move the changed part to the top) to:

sysctl { 'kernel.panic':
  ensure  => present,
  value   => '30',
  comment => 'Automatic reboot 30 sec after kernel panic',
  target  => '/etc/sysctl.d/90-kernel.conf',
}

sysctl { 'net.ipv4.tcp_syncookies':
  ensure  => present,
  value   => '1',
  comment => 'Turn on protection from Denial of Service (DOS) attacks',
  target  => '/etc/sysctl.d/90-net.conf',
}

Now the Puppet agent run is going well again:

Notice: /Stage[main]/Profile::Base::Cis/Sysctl[kernel.panic]/value: changed configuration value from '20' to '30'
Notice: /Stage[main]/Profile::Base::Cis/Sysctl[kernel.panic]/comment: comment changed 'Automatic reboot 20 sec after kernel panic' to 'Automatic reboot 30 sec after kernel panic'
Notice: Applied catalog in 9.14 seconds

HanzzM commented Feb 9, 2018

This only happens when I use comment.
There are no problems when I leave the comment option out of my code.

sysctl { 'net.ipv4.tcp_syncookies':
  ensure => present,
  value  => '1',
  target => '/etc/sysctl.d/90-net.conf',
}

sysctl { 'kernel.panic':
  ensure => present,
  value  => '20',
  target => '/etc/sysctl.d/90-kernel.conf',
}


WBasson commented May 26, 2021

This happens to us, but only if we specify the target as /etc/sysctl.d/99-sysctl.conf.
We also have multiple settings going into the file, don't know if that is contributing to the problem.

@montaguethomas

I've determined this issue is due to these lines:

# Prefer to create the node next to a commented out entry
commented = aug.match("$target/#comment[.=~regexp('#{resource[:name]}([^a-z\.].*)?')]")
aug.insert(commented.first, resource[:name], false) unless commented.empty?

When I comment out line 194 (aug.insert) the comment is updated correctly.


montaguethomas commented Jun 8, 2023

After some testing, I found two options:

  1. Remove this preference logic. This seems to be from long ago and actually causes a mess when comments are used:

first puppet run:

vm.min_free_kbytes = 67584
#kernel.kptr_restrict = 0
kernel.kptr_restrict = 2
# net.ipv4.tcp_invalid_ratelimit: networking tuning
net.ipv4.tcp_invalid_ratelimit = 500
# kernel.kptr_restrict: hiding kernel pointers

second puppet run:

vm.min_free_kbytes = 67584
#kernel.kptr_restrict = 0
# kernel.kptr_restrict: hiding kernel pointers
kernel.kptr_restrict = 2
# net.ipv4.tcp_invalid_ratelimit: networking tuning
net.ipv4.tcp_invalid_ratelimit = 500
# kernel.kptr_restrict: hiding kernel pointers

  2. It's possible to update the logic to not try to insert after the comment when the entity already exists:
      augopen! do |aug|
        if aug.match(resource_path).empty?
          # Prefer to create the node next to a commented out entry
          commented = aug.match("$target/#comment[.=~regexp('#{resource[:name]}([^a-z\.].*)?')]")
          aug.insert(commented.first, resource[:name], false) unless commented.empty?
        end
        aug.set(resource_path, value)
        setvars(aug)
      end

montaguethomas added a commit to montaguethomas/puppet-augeasproviders_sysctl that referenced this issue Jun 8, 2023
@montaguethomas montaguethomas linked a pull request Jun 8, 2023 that will close this issue
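
The failure mode discussed in the thread, as an added example: a pure-Ruby model of the tree edits, not the provider's code and not taken from the issue. All names here (`SECOND_RUN`, `commented_matches`, `write_value`, `set_unguarded`, `set_guarded`, `saveable?`) are hypothetical. It assumes that the provider's own `# name: text` comment is stored without its leading `#`, that the regexp must match the whole comment value, and that a key node left without a value is what makes the save fail.

```ruby
# Model of the Augeas tree for one sysctl.d file: ordered [label, value] pairs.
# A '#comment' node holds the comment text without its leading '#'.
# Constructed state after a first run that set value '20' with a comment:
SECOND_RUN = [
  ['#comment', 'kernel.panic: Automatic reboot 20 sec after kernel panic'],
  ['kernel.panic', '20']
].freeze

# Stand-in for $target/#comment[.=~regexp('NAME([^a-z\.].*)?')].
# Assumption: the regexp has to match the whole comment value.
def commented_matches(tree, name)
  re = /\A#{name}([^a-z.].*)?\z/
  tree.each_index.select { |i| tree[i][0] == '#comment' && tree[i][1] =~ re }
end

# Stand-in for aug.set: creates the node if absent, sets it if unique, and
# changes nothing when more than one node matches the path.
def write_value(tree, name, value)
  nodes = tree.select { |label, _| label == name }
  tree << [name, value] if nodes.empty?
  nodes.first[1] = value if nodes.size == 1
  tree
end

# Logic quoted in the thread: always insert next to a matching comment.
def set_unguarded(tree, name, value)
  tree = tree.map(&:dup)
  hits = commented_matches(tree, name)
  tree.insert(hits.first + 1, [name, nil]) unless hits.empty?
  write_value(tree, name, value)
end

# Proposed logic: look for a commented-out entry only when the key is absent.
def set_guarded(tree, name, value)
  tree = tree.map(&:dup)
  if tree.none? { |label, _| label == name }
    hits = commented_matches(tree, name)
    tree.insert(hits.first + 1, [name, nil]) unless hits.empty?
  end
  write_value(tree, name, value)
end

# Model assumption: a key node left without a value cannot be written out.
def saveable?(tree)
  tree.all? { |label, value| label == '#comment' || !value.nil? }
end
```

In this model the unguarded path leaves two `kernel.panic` nodes, one of them empty, because the provider's own comment matches the "commented out entry" pattern; the guarded path updates the existing node in place.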