voxpupuli · bwitt · Sep 14, 2025
diff --git a/lib/puppet/provider/sysctl/augeas.rb b/lib/puppet/provider/sysctl/augeas.rb
@@ -42,7 +42,8 @@ def self.sysctl_get(key)
 
   confine feature: :augeas
 
-  def self.collect_augeas_resources(res, entries, target = '/etc/sysctl.conf', resources)
+  def self.collect_augeas_resources(res, entries, tgt, resources)
+    tgt ||= target
     resources ||= []
 
     augopen(res) do |aug|
@@ -58,7 +59,7 @@ def self.collect_augeas_resources(res, entries, target = '/etc/sysctl.conf', res
           ensure: :present,
           persist: :true,
           value: value,
-          target: target
+          target: tgt
         }
 
         # Only match comments immediately before the entry and prefixed with
@@ -82,14 +83,26 @@ def self.instances(reference_resources = nil)
 
     if reference_resources
       reference_resource_titles = reference_resources.map { |_ref_name, ref_obj| ref_obj.title }
-      resource_dup = reference_resources.first.last.dup
 
-      collect_augeas_resources(
-        resource_dup,
-        reference_resource_titles,
-        resource_dup[:target],
-        resources
-      )
+      # Get all resources with their targets
+      resources_by_target = {}
+      reference_resources.each do |_ref_name, ref_obj|
+        tgt = ref_obj[:target] || target
+        resources_by_target[tgt] ||= []
+        resources_by_target[tgt] << ref_obj.title
+      end
+
+      # Now collect resources from each target
+      resources_by_target.each do |target, res_titles|
+        tmp_res = Puppet::Resource.new('sysctl', 'ignored')
+        tmp_res[:target] = target
+        collect_augeas_resources(
+          tmp_res,
+          res_titles,
+          target,
+          resources
+        )
+      end
 
       sysctl_args = if Facter.value(:kernel) == 'OpenBSD'
                       # OpenBSD doesn't support -e
@@ -107,7 +120,7 @@ def self.instances(reference_resources = nil)
         sysctl_output += sysctl(sysctl_args.flatten)
       end
     else
-      targets = ['/etc/sysctl.d/*.conf', '/etc/sysctl.conf']
+      targets = ['/etc/sysctl.d/*.conf', target]
       targets = [target] if target
 
       Dir.glob(targets).reverse.each do |config_file|

diff --git a/spec/acceptance/sysctl_spec.rb b/spec/acceptance/sysctl_spec.rb
@@ -261,6 +261,96 @@
             end
           end
         end
+
+        context 'with no value' do
+          let(:manifest) do
+            "sysctl { 'vm.swappiness': }"
+          end
+
+          it 'works with no errors' do
+            apply_manifest_on(host, manifest, catch_failures: true)
+          end
+
+          it 'is idempotent' do
+            apply_manifest_on(host, manifest, catch_changes: true)
+          end
+        end
+
+        context 'when setting multiple values' do
+          let(:manifest) do
+            <<-EOS
+              sysctl { 'vm.swappiness': value => '60' }
+              sysctl { 'net.ipv4.ip_forward': value => '0' }
+            EOS
+          end
+
+          it 'works with no errors' do
+            apply_manifest_on(host, manifest, catch_failures: true)
+          end
+
+          it 'is idempotent' do
+            apply_manifest_on(host, manifest, catch_changes: true)
+          end
+        end
+
+        context 'when removing multiple values' do
+          let(:manifest_one) do
+            <<-EOS
+              sysctl { 'vm.swappiness': value => '60' }
+              sysctl { 'net.ipv4.ip_forward': value => '0' }
+            EOS
+          end
+          let(:manifest_two) do
+            <<-EOS
+              sysctl { 'vm.swappiness': ensure => 'absent' }
+              sysctl { 'net.ipv4.ip_forward': ensure => 'absent' }
+            EOS
+          end
+
+          it 'is idempotent' do
+            apply_manifest_on(host, manifest_one, catch_failures: true)
+            apply_manifest_on(host, manifest_two, catch_failures: true)
+            apply_manifest_on(host, manifest_two, catch_changes: true)
+          end
+        end
+
+        context 'when managing multiple files' do
+          let(:manifest) do
+            <<-EOS
+              sysctl{'net.ipv6.conf.all.disable_ipv6': ensure => present, value => 1, target => '/etc/sysctl.d/99-disable-ipv6.conf' }
+              sysctl{'net.ipv4.tcp_syncookies':         ensure => present, value => 2, target => '/etc/sysctl.d/99-ddos-abwehr.conf'}
+            EOS
+          end
+
+          it 'works with no errors' do
+            apply_manifest_on(host, manifest, catch_failures: true)
+          end
+
+          it 'is idempotent' do
+            apply_manifest_on(host, manifest, catch_changes: true)
+          end
+
+          describe 'removing one of two settings' do
+            let(:manifest_one) do
+              <<-EOS
+                sysctl{'net.ipv6.conf.all.disable_ipv6': ensure => present, value => 1, target => '/etc/sysctl.d/99-disable-ipv6.conf' }
+                sysctl{'net.ipv4.tcp_syncookies':         ensure => present, value => 2, target => '/etc/sysctl.d/99-ddos-abwehr.conf'}
+              EOS
+            end
+            let(:manifest_two) do
+              <<-EOS
+                sysctl{'net.ipv6.conf.all.disable_ipv6': ensure => present, value => 1, target => '/etc/sysctl.d/99-disable-ipv6.conf' }
+                sysctl{'net.ipv4.tcp_syncookies':         ensure => absent, target => '/etc/sysctl.d/99-ddos-abwehr.conf'}
+              EOS
+            end
+
+            it 'is idempotent' do
+              apply_manifest_on(host, manifest_one, catch_failures: true)
+              apply_manifest_on(host, manifest_two, catch_failures: true)
+              apply_manifest_on(host, manifest_two, catch_changes: true)
+            end
+          end
+        end
       end
     end
   end