Re: [Puppet Users] Puppet visudo/ sudoers help

Dan White

Aug 29, 2012, 4:34:30 PM
to puppet...@googlegroups.com
First suggestion:

Use a group name ( like "wheel" ) and declare the sudo privileges to the group.
Then all you need do is add that group in the "groups" parameter for puppet type user.

On Aug 29, 2012, at 11:31 AM, Tony Caffe wrote:

> Hi,
>
> I am trying to get Puppet going on CentOS 6.3 and I got it installed and running. I want to create good manifests for basic stuff. I know I will learn more as I go but I am new to programming in general and to Puppet code. I have a Puppet master installed on one cloud server and a test Puppet client on another cloud server. I was able to run this code correctly. Now I want to make it better.
> Here is what I have so far for my push to add users to my nodes.
>
> site.pp: (I know it's short lol)
>
> node 'puppet-client' {
>   import "classes/adduser.pp"
> }
>
>
> adduser.pp located in /etc/puppet/manifests/classes/
>
> define custom_user($passwd) {
>   user { "${name}":
>     ensure     => present,
>     password   => $passwd,
>     shell      => "/bin/bash",
>     managehome => true,
>   }
> }
> custom_user { "anthony":
>   passwd => 'Removed real hash here',
> }
> custom_user { "admin":
>   passwd => 'Hash for password gone',
> }
> custom_user { "luca":
>   passwd => 'My Password Hash Here',
> }
>
>
> So I am testing on a test-only server till I get the hang of it. So I have many cloud servers and need to be able to add my admin users. I need help now to modify /etc/sudoers or visudo and add these people to the doc with ALL=(ALL) ALL
>
> Please help me. I know I need to add a template and also a module of my own. I mainly need help with code and learning to build off this for future system changes. Please help me keep this simple and dumb-down lol. FYI - After this I want to start on Apache and editing the config and setting up new servers from an image. This is more practical and important to start with.
>
> Thanks all.
>
> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/k7r-BpgI4s4J.
> To post to this group, send email to puppet...@googlegroups.com.
> To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
>

Tony Caffe

Aug 29, 2012, 5:13:34 PM
to puppet...@googlegroups.com
I understand, but that is not what I asked for help with. I would like some help on making or writing the code needed to add users to visudo.

Christopher Wood

Aug 29, 2012, 5:16:26 PM
to puppet...@googlegroups.com
You could learn from or use one of these:

http://forge.puppetlabs.com/modules?q=sudo

Ramin K

Aug 29, 2012, 5:23:29 PM
to puppet...@googlegroups.com
Your sudo should be new enough to support /etc/sudoers.d/ which means
you can just drop a file per user into that dir. Make Puppet manage the
whole dir and purge anything it doesn't recognize and you're all set.

Ramin

Tony Caffe

Aug 29, 2012, 5:28:04 PM
to puppet...@googlegroups.com, ramin...@badapple.net
Would I still need to write Ruby code? I don't know Ruby or really any other programming language.

So I would create a duplicate of the sudoers file in /etc/sudoers.d/ that adds a user to it and it will work? I am not too sure of how sudoers.d works.

Thanks.

Tim Mooney

Aug 29, 2012, 6:30:05 PM
to puppet...@googlegroups.com
In regard to: Re: [Puppet Users] Puppet visudo/ sudoers help, Tony Caffe...:

> I understand but that is not what I asked for help. I would like some help
> on making or writing the code needed to add users to visudo.

$ cat puppet/modules/sudo/manifests/config.pp
define sudo::config($content='', $source='') {

  case $content {
    '': {
      file {"/etc/sudoers.d/${name}":
        ensure => file,
        owner  => 'root',
        group  => 'root',
        mode   => '0440',
        source => $source,
      }
    }
    default: {
      file {"/etc/sudoers.d/${name}":
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0440',
        content => $content,
      }
    }
  }

}

# vim:sm:ts=2:expandtab


Example usage for "source":

  sudo::config{ 'networker-jukebox':
    source => 'puppet:///networker/networker_jb_sudoers',
  }

Example usage for "content":

  sudo::config{ 'myuser':
    content => "myuser ALL = (ALL) ALL\n"
  }

Note that both RHEL 5.x and 6.x have a sudo that supports the include
mechanism, but only RHEL 6.x ships with an /etc/sudoers.d and an
/etc/sudoers that has the "include /etc/sudoers.d/*" pre-populated.

Since both flavors support it, we just have our sudo init.pp make sure
the directory is present and make certain that the /etc/sudoers has the
necessary "include" statement. From then on, it's just puppet dropping
files into /etc/sudoers.d via the sudo::config() define.

The bad part about our current implementation is that there's no syntax
checking for the contents/source, so a bad entry can sneak in and cause
sudo to completely not work until it's fixed. There are ways around this
but it's more complicated than we felt like getting for now.

If you need to support systems where sudo is old enough that "include"
isn't even an option, then I highly recommend you look at the "concat"
module, and build up your sudoers file from file fragments.

Another option for older sudo versions that don't support including
fragments is using file_line from puppetlabs-stdlib.

Tim

--
Tim Mooney Tim.M...@ndsu.edu
Enterprise Computing & Infrastructure 701-231-1076 (Voice)
Room 242-J6, IACC Building 701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
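As an added example (it is not code from this thread, nor from any Forge module), here is a variant of Tim's define that also takes up Ramin's point about owning the whole /etc/sudoers.d directory and purging what Puppet did not put there, and Dan's suggestion of granting the rule to a group rather than per user. It assumes Puppet 3.5 or later, because it uses the file type's validate_cmd parameter (which did not exist when this thread was written) to close the syntax-checking gap Tim describes: visudo is run against a temporary copy of each fragment and a fragment that fails the check is never installed, so one typo cannot take sudo down on the whole box. The names sudo, sudo::config and the three user names come from the thread; the directory mode 0750, the visudo path and the absence of passwords on the user resources are assumptions made for the example.

```puppet
# Added example, not from the thread. Requires Puppet >= 3.5 for validate_cmd
# and a sudo that honours '#includedir /etc/sudoers.d' (RHEL/CentOS 6 does
# out of the box).
class sudo {
  # Own the whole directory: any fragment Puppet did not declare is removed,
  # so a stray hand-edited file cannot keep granting access unnoticed.
  file { '/etc/sudoers.d':
    ensure  => directory,
    owner   => 'root',
    group   => 'root',
    mode    => '0750',   # assumed; matches the RHEL 6 package default
    recurse => true,
    purge   => true,
  }
}

# One fragment per rule. The resource title becomes the file name; sudo
# ignores files whose names contain a '.' or end in '~', so keep titles plain.
define sudo::config (
  $content = undef,
  $source  = undef,
) {
  include sudo

  file { "/etc/sudoers.d/${name}":
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0440',
    content      => $content,   # an undef attribute is simply left unset,
    source       => $source,    # so pass whichever of the two you need
    # Puppet writes the candidate fragment to a temp file, substitutes that
    # path for '%', and installs it only if the command exits 0. A fragment
    # such as "luca ALL=(ALL ALL\n" is rejected and the old file is kept.
    validate_cmd => '/usr/sbin/visudo -c -f %',
    require      => File['/etc/sudoers.d'],
  }
}

# Dan's suggestion: give the rule to a group, then manage membership on the
# user resources instead of writing one sudoers fragment per person.
sudo::config { 'wheel':
  content => "%wheel ALL=(ALL) ALL\n",
}

user { ['anthony', 'admin', 'luca']:
  ensure     => present,
  groups     => ['wheel'],   # minimum membership: other groups are left alone
  shell      => '/bin/bash',
  managehome => true,
}
```

Because validation happens on a temporary copy before the real file is touched, a failed run leaves the previous, working fragment in place and reports the visudo error in the agent log, which is the behaviour you want on a fleet of servers. The purge on the directory is what makes the directory the single source of truth: a fragment that someone adds by hand is reported and removed on the next run.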

Tony Caffe

Aug 29, 2012, 7:03:27 PM
to puppet...@googlegroups.com, tim.m...@ndsu.edu
Thanks. I used this:


# stage the fragment from the master's file server
file {'puppet_sudo':
  ensure => present,
  path   => '/tmp/puppet_sudo',
  source => 'puppet:///files/puppet_sudo',
  owner  => 'root',
  group  => 'root',
  mode   => '0440',
}

# copy the staged fragment into place
file {'move_puppet_sudo':
  ensure  => present,
  path    => '/etc/sudoers.d/',
  source  => '/tmp/puppet_sudo',
  owner   => 'root',
  group   => 'root',
  mode    => '0440',
  require => File['puppet_sudo'],
}

but my Puppet master is 6.3 and my Puppet clients are all 5.8. 5.8 doesn't have the line

#includedir /etc/sudoers.d

nor does it have a DIRECTORY /etc/sudoers.d/, just a file called /etc/sudoers.d

Any idea about that? I am avoiding writing code since I don't know how.
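As an added example (not from the thread), here is how the two things missing on a CentOS 5.8 client in the message above can be put in place with Puppet, following Tim's pointer to file_line from puppetlabs-stdlib. It assumes puppetlabs-stdlib is installed on the master, that the client's sudo is recent enough to understand #includedir (Tim notes that RHEL 5.x is), and that visudo lives at /usr/sbin/visudo. Two Puppet behaviours it relies on: ensure => directory on a path that currently holds a regular file makes Puppet back that file up to the filebucket, remove it and create the directory (no force needed; force is only required the other way round), and ensure => present on a path where nothing exists creates a regular file, which is why a resource like move_puppet_sudo above, pointed at /etc/sudoers.d/, leaves a plain file of that name on a client that never had the directory.

```puppet
# Added example, not from the thread. Needs puppetlabs-stdlib for file_line.
class sudo::includedir {
  # On the 5.8 clients /etc/sudoers.d exists as a regular file. Puppet backs
  # it up, unlinks it and creates the directory in its place.
  file { '/etc/sudoers.d':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0750',   # assumed; matches the RHEL 6 package default
  }

  # Append the include directive if the exact line is not already present.
  # The leading '#' is part of the directive, not a comment: sudo only
  # recognises it spelled '#includedir'.
  file_line { 'sudoers-includedir':
    path    => '/etc/sudoers',
    line    => '#includedir /etc/sudoers.d',
    require => File['/etc/sudoers.d'],
  }

  # file_line has no validation hook, so check the whole configuration with
  # visudo after any change. A non-zero exit fails the run loudly, which is
  # better than silently leaving a sudoers that sudo refuses to read.
  exec { 'check-sudoers':
    command     => '/usr/sbin/visudo -c',
    refreshonly => true,
    subscribe   => File_line['sudoers-includedir'],
  }
}

include sudo::includedir
```

Once this class has run on a 5.8 client, fragments dropped into /etc/sudoers.d work exactly as they do on 6.3, so the same per-user or per-group fragments can be used across both releases and the staging copy through /tmp is no longer needed.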

