Managing sudoers With Puppet
In my last post, I described how to distribute an SSH authorized_keys file using Puppet. My reasoning was to help us keep using our existing set of home-grown scripts to administer machines: with Puppet we don't have to wonder whether our keys are set up on every host. I'm sure a few of you spotted the flaw in this. Most of us have learned not to run scripts as root when it isn't necessary. Instead we use sudo to grant limited root powers for specific commands. Sudo is a well-designed piece of software; its configuration file, the sudoers file, is set up in such a way that the same sudoers file may be used on many machines. This makes it ripe for management in Puppet.
Building on top of the configuration we created in my last post, here is the site.pp manifest after adding sudo to the mix:
```puppet
node default {
  file { '/root/.ssh/authorized_keys':
    owner  => root,
    group  => root,
    mode   => '0644',
    source => 'puppet:///root/.ssh/authorized_keys'
  }

  file { '/etc/sudoers':
    owner   => root,
    group   => root,
    mode    => '0440',
    source  => 'puppet:///etc/sudoers',
    require => [ Package['sudo'] ]
  }

  package { 'sudo':
    ensure => installed
  }
}
```
The first definition is mostly familiar; we defined a file resource like it last time. There is something new here, however:
```puppet
    require => [ Package['sudo'] ]
```
The require parameter describes a dependency. Before this resource is applied, Puppet will look for a package resource with the name “sudo” and apply that resource first. Next we define that package resource:
```puppet
  package { 'sudo':
    ensure => installed
  }
```
All we want is to make sure that sudo is installed. Perhaps the coolest part of this is that it doesn't matter that I am using Debian here: Puppet supports a wide range of package systems under the hood, and it will choose the one most appropriate for the system it is configuring. If I add a FreeBSD machine to my network, I should not have to make any changes to my Puppet configuration; I can still depend on sudo getting installed!
Next, we need to add an etc mount to our Puppet fileserver. Here is the resulting fileserver.conf:
```ini
[root]
  path /etc/puppet/files/root
  allow 10.0.0.0/8

[etc]
  path /etc/puppet/files/etc
  allow 10.0.0.0/8
```
Put your sudoers file in /etc/puppet/files/etc and wait for your clients to check in with puppetmasterd. Alternatively, you can log in to a client and run puppetd --test to pull down the new configuration. If sudo was not installed, it should be now, and /etc/sudoers will be downloaded as well.
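One thing worth guarding against: a sudoers file with a syntax error disables sudo on every host that receives it, so it pays to have the agent refuse a broken copy before it replaces the old one. The manifest below is an added example, not code from the original post; it assumes a Puppet release that supports the file type's validate_cmd parameter (3.5 or later, so newer than the puppetd-era syntax above), the same "etc" mount as the fileserver.conf above, and visudo installed at /usr/sbin/visudo.

```puppet
node default {
  package { 'sudo':
    ensure => installed,
  }

  file { '/etc/sudoers':
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0440',
    source       => 'puppet:///etc/sudoers',
    # Puppet writes the new content to a temporary file, substitutes its path
    # for '%' and runs the command; a non-zero exit aborts the change and the
    # existing /etc/sudoers stays in place. visudo -c only checks syntax, it
    # never edits the file (path of visudo is an assumption).
    validate_cmd => '/usr/sbin/visudo -c -f %',
    require      => Package['sudo'],
  }
}
```

With this in place a typo in the master copy shows up as a failed resource in the agent's run log on each host instead of as a fleet-wide "syntax error" from sudo.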