I noticed repeated Puppet updates to /etc/resolv.conf, but /var/log/syslog showed only changes in one "direction" (here for tools-dev):
Mar 23 08:33:05 tools-dev puppet-agent[20208]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content)
Mar 23 08:33:05 tools-dev puppet-agent[20208]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) --- /etc/resolv.conf#0112015-03-23 08:27:57.160205067 +0000
Mar 23 08:33:05 tools-dev puppet-agent[20208]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) +++ /tmp/puppet-file20150323-20208-ri9403-0#0112015-03-23 08:33:05.240215730 +0000
Mar 23 08:33:05 tools-dev puppet-agent[20208]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) @@ -1,3 +1,9 @@
Mar 23 08:33:05 tools-dev puppet-agent[20208]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) +## THIS FILE IS MANAGED BY PUPPET
Mar 23 08:33:05 tools-dev puppet-agent[20208]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) +##
Mar 23 08:33:05 tools-dev puppet-agent[20208]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) +## source: modules/base/resolv.conf.labs.erb
Mar 23 08:33:05 tools-dev puppet-agent[20208]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) +## from: base::resolving
Mar 23 08:33:05 tools-dev puppet-agent[20208]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) +
Mar 23 08:33:05 tools-dev puppet-agent[20208]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) domain eqiad.wmflabs
Mar 23 08:33:05 tools-dev puppet-agent[20208]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) -search eqiad.wmflabs
Mar 23 08:33:05 tools-dev puppet-agent[20208]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) +search eqiad.wmflabs labs.eqiad.wmnet
Mar 23 08:33:05 tools-dev puppet-agent[20208]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) +options timeout:5 ndots:2
Mar 23 08:33:05 tools-dev puppet-agent[20208]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) nameserver 10.68.16.1
Mar 23 08:33:05 tools-dev puppet-agent[20208]: FileBucket got a duplicate file {md5}62f5c3a6299680b7d0be8120fb03fa84
Mar 23 08:33:05 tools-dev puppet-agent[20208]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]) Filebucketed /etc/resolv.conf to puppet with sum 62f5c3a6299680b7d0be8120fb03fa84
Mar 23 08:33:05 tools-dev puppet-agent[20208]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) content changed '{md5}62f5c3a6299680b7d0be8120fb03fa84' to '{md5}aab4d07473a21395f5bee957079fae9b'
[…]
Mar 23 17:53:19 tools-dev puppet-agent[14358]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content)
Mar 23 17:53:19 tools-dev puppet-agent[14358]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) --- /etc/resolv.conf#0112015-03-23 17:45:16.764937164 +0000
Mar 23 17:53:19 tools-dev puppet-agent[14358]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) +++ /tmp/puppet-file20150323-14358-s8oskv-0#0112015-03-23 17:53:19.856940248 +0000
Mar 23 17:53:19 tools-dev puppet-agent[14358]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) @@ -1,3 +1,9 @@
Mar 23 17:53:19 tools-dev puppet-agent[14358]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) +## THIS FILE IS MANAGED BY PUPPET
Mar 23 17:53:19 tools-dev puppet-agent[14358]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) +##
Mar 23 17:53:19 tools-dev puppet-agent[14358]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) +## source: modules/base/resolv.conf.labs.erb
Mar 23 17:53:19 tools-dev puppet-agent[14358]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) +## from: base::resolving
Mar 23 17:53:19 tools-dev puppet-agent[14358]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) +
Mar 23 17:53:19 tools-dev puppet-agent[14358]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) domain eqiad.wmflabs
Mar 23 17:53:19 tools-dev puppet-agent[14358]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) -search eqiad.wmflabs
Mar 23 17:53:19 tools-dev puppet-agent[14358]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) +search eqiad.wmflabs labs.eqiad.wmnet
Mar 23 17:53:19 tools-dev puppet-agent[14358]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) +options timeout:5 ndots:2
Mar 23 17:53:19 tools-dev puppet-agent[14358]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) nameserver 10.68.16.1
Mar 23 17:53:20 tools-dev puppet-agent[14358]: FileBucket got a duplicate file {md5}62f5c3a6299680b7d0be8120fb03fa84
Mar 23 17:53:20 tools-dev puppet-agent[14358]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]) Filebucketed /etc/resolv.conf to puppet with sum 62f5c3a6299680b7d0be8120fb03fa84
Mar 23 17:53:20 tools-dev puppet-agent[14358]: (/Stage[main]/Base::Resolving/File[/etc/resolv.conf]/content) content changed '{md5}62f5c3a6299680b7d0be8120fb03fa84' to '{md5}aab4d07473a21395f5bee957079fae9b'Looking at the timestamps of the files showed a correlation with dhclient:
Mar 23 08:27:56 tools-dev dhclient: DHCPREQUEST of 10.68.16.8 on eth0 to 10.68.16.1 port 67 Mar 23 08:27:57 tools-dev dhclient: DHCPACK of 10.68.16.8 from 10.68.16.1 Mar 23 08:27:57 tools-dev dhclient: bound to 10.68.16.8 -- renewal in 33439 seconds. […] Mar 23 17:45:16 tools-dev dhclient: DHCPREQUEST of 10.68.16.8 on eth0 to 10.68.16.1 port 67 Mar 23 17:45:16 tools-dev dhclient: DHCPACK of 10.68.16.8 from 10.68.16.1 Mar 23 17:45:16 tools-dev dhclient: bound to 10.68.16.8 -- renewal in 39803 seconds.
So it appears that dhclient in saving the nameserver information received during DHCP to /etc/resolv.conf does not only update the nameserver directive, but replaces the whole file instead.
Googling suggests that this is part of a greater Ubuntu scheme called "resolvconf" (cf. resolvconf(8)) where options like ndots & Co. need to go in /etc/resolvconf/resolv.conf.d/tail and search domains are a bit more complicated (all unconfirmed).
I'll play around with it for a bit to see what sticks.