The following function is based on code I found here in an earlier thread.

    define sudoer() {
      augeas { "sudo${name}":
        context => "/files/etc/sudoers",
        changes => [
          "set spec[last() + 1]/user ${name}",
          "set spec[last()]/host_group/host ALL",
          "set spec[last()]/host_group/command NOPASSWD: ALL",
          "set spec[last()]/host_group/command/runas_user ALL",
        ],
      }
    }

In that example, the command line looked like this:

    "set spec[last()]/host_group/command ALL",

I added NOPASSWD: and it barfs with this message:

    err: //user::unixadmins/User::Virtual::Sudoer[joe]/Augeas[sudojoe]/ returns: change from need_to_run to 0 failed: Save failed with return code false

The problem seems to be the colon ':' since NOPASSWD:ALL also fails but this doesn't error:

    "set spec[last()]/host_group/command NOPASSWD ALL",

Unfortunately, that doesn't produce a desirable output.

Any suggestions?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On Jun 30, 2010, at 9:12 AM, Jeff wrote:
> In that example, the command line looked like this:
>
> "set spec[last()]/host_group/command ALL",
>
> I added NOPASSWD: and it barfs with this message:
>
> err: //user::unixadmins/User::Virtual::Sudoer[joe]/Augeas[sudojoe]/
> returns: change from need_to_run to 0 failed: Save failed with return
> code false
>
> The problem seems to be the colon ':' since NOPASSWD:ALL also fails
> but this doesn't error:
>
> "set spec[last()]/host_group/command NOPASSWD ALL",
>
> Unfortunately, that doesn't produce a desirable output.

I don’t know about the colon, but any value with a space in it needs to be quoted. Does your undesirable-but-working example command set the value to “NOPASSWD ALL” or just to “NOPASSWD”? In any case, I would try this:

    "set spec[last()]/host_group/command 'NOPASSWD: ALL’”,

Also note that your example as written will add this entry to the file on every single Puppet run. You could add an “onlyif”, but by using `last() + 1` and “onlyif” you can only add entries. You can’t modify them later. Well, maybe with a really horrible looking “onlyif”, but forget that.

This is what my `sudoers` changes look like.

    augeas { "sudorob":
      context => "/files/etc/sudoers",
      changes => [
        "set spec[user = 'rmcbroom']/user rmcbroom",
        "set spec[user = 'rmcbroom']/host_group/host ALL",
        "set spec[user = 'rmcbroom']/host_group/command ALL",
        "set spec[user = 'rmcbroom']/host_group/command/runas_user ALL",
      ],
    }

This will add the entry if it doesn’t exist, but it will also apply changes to individual settings (like host_group/command). And if the entry exists as defined, Puppet does nothing, which is what you want.

--
Rob McBroom
<http://www.skurfer.com/>

Don't try to tell me something is important to you if the whole of your “support” entails getting Congress to force *others* to spend time and money on it.

On Jun 30, 2010, at 10:36 AM, Rob McBroom wrote:
> In any case, I would try this:
>
> "set spec[last()]/host_group/command 'NOPASSWD: ALL’”,

And of course replace the fancy quotes my mail client inserted.

--
Rob McBroom
<http://www.skurfer.com/>

Rob,

Thanks for the reply. I took a step back and started googling Augeas instead of puppet and Augeas. Here's how I was able to solve this problem:

    define sudoer() {
      augeas { "sudo${name}":
        context => "/files/etc/sudoers",
        changes => [
          "set spec[last() + 1]/user ${name}",
          "set spec[last()]/host_group/host ALL",
          "set spec[last()]/host_group/command ALL",
          "set spec[last()]/host_group/command/runas_user ALL",
          "set spec[last()]/host_group/command/tag NOPASSWD",
        ],
        onlyif => "match *[user = '${name}'] size == 0",
      }
    }

On Jun 30, 10:39 am, Rob McBroom <mailingli...@skurfer.com> wrote:
> On Jun 30, 2010, at 10:36 AM, Rob McBroom wrote:
>
> > In any case, I would try this:
> >
> > "set spec[last()]/host_group/command 'NOPASSWD: ALL’”,
>
> And of course replace the fancy quotes my mail client inserted.
>
> --
> Rob McBroom
> <http://www.skurfer.com/>

On Jun 30, 2010, at 1:14 PM, Jeff wrote:
> onlyif => "match *[user = '${name}'] size == 0”,

I originally had that exact thing, but like I said, it will only add the entry. If you ever change the command, tag, etc. Puppet won’t do anything because the user already has an entry. Maybe you’re OK with that, but it’s something to be aware of.

--
Rob McBroom
<http://www.skurfer.com/>

On Jun 30, 1:25 pm, Rob McBroom <mailingli...@skurfer.com> wrote:
> On Jun 30, 2010, at 1:14 PM, Jeff wrote:
>
> > onlyif => "match *[user = '${name}'] size == 0”,
>
> I originally had that exact thing, but like I said, it will only add the entry. If you ever change the command, tag, etc. Puppet won’t do anything because the user already has an entry. Maybe you’re OK with that, but it’s something to be aware of.
>

Rob,

When I removed that line, I got a new entry each time puppet ran...

Jeff

On Jun 30, 2010, at 1:52 PM, Jeff wrote:
> When I removed that line, I got a new entry each time puppet ran...

I know. I wasn’t referring to the “onlyif” line alone, but the whole thing.

See my original post, starting where I said “Also note that your example as written will add this entry to the file on every single Puppet run. You could add an ‘onlyif’, but by using `last() + 1` and ‘onlyif’ you can only add entries.” for a solution.

--
Rob McBroom
<http://www.skurfer.com/>

Don't try to tell me something is important to you if the whole of your “support” entails getting Congress to force *others* to spend time and money on it.

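A check for the failure mode discussed in the messages above (the same entry appended on every Puppet run, and passwordless `ALL` grants), as an added example that is not code from any poster in this thread. The sample file content is constructed, and the parser is a simplification that assumes single-line user specs with no aliases or line continuations.

```python
import re
from collections import defaultdict

# Constructed sample: /etc/sudoers after three Puppet runs of a define that
# appends with spec[last() + 1] and has no onlyif guard, plus one scoped entry.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL) ALL
joe ALL=(ALL) NOPASSWD: ALL
joe ALL=(ALL) NOPASSWD: ALL
joe ALL=(ALL) NOPASSWD: ALL
gus ALL=(ALL) NOPASSWD: /etc/init.d/abc-ctl, /etc/init.d/def-ctl
"""

# Shape matched: user host = (runas) TAG: TAG: cmd, cmd
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)
SKIP = ("#", "@", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def parse_specs(text):
    """Return one dict per single-line user spec; other lines are skipped."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = None if not line or line.startswith(SKIP) else SPEC_RE.match(line)
        if m:
            specs.append({
                "line": lineno, "user": m["user"], "host": m["host"],
                "runas": m["runas"],
                "tags": tuple(t.strip() for t in m["tags"].split(":") if t.strip()),
                "cmds": tuple(c.strip() for c in m["cmds"].split(",")),
            })
    return specs

def audit(text):
    """Flag identical specs that repeat and specs granting NOPASSWD on ALL."""
    groups = defaultdict(list)
    for s in parse_specs(text):
        key = (s["user"], s["host"], s["runas"], s["tags"], s["cmds"])
        groups[key].append(s["line"])
    findings = []
    for (user, _host, _runas, tags, cmds), lines in groups.items():
        if len(lines) > 1:
            findings.append(("duplicate", user, lines))
        if "NOPASSWD" in tags and "ALL" in cmds:
            findings.append(("nopasswd-all", user, lines))
    return findings
```

Calling `audit(SAMPLE_SUDOERS)` reports the repeated `joe` entry once with all three line numbers, and leaves the command-scoped `gus` entry unflagged.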
I have liked this solution. I was using an erb template to manage the /etc/sudoers file. Using augeas seems to be much better.

However, I have one question, that is due to my lack of experience with augeas. If the command has multiple values, each one separated with a comma, how would I pass this to augeas?

I have tried to do something like this:

    sudoer { "sudoer_test":
      name    => "test",
      command => ["/etc/init.d/abc-ctl", "/etc/init.d/def-ctl"],
    }

    define sudoer($command) {
      augeas { "sudo${name}":
        context => "/files/etc/sudoers",
        changes => [
          "set spec[last() + 1]/user ${name}",
          "set spec[last()]/host_group/host ALL",
          "set spec[last()]/host_group/command ${command}",
          "set spec[last()]/host_group/command/runas_user ALL",
          "set spec[last()]/host_group/command/tag NOPASSWD",
        ],
        onlyif => "match *[user = '${name}'] size == 0",
      }
    }

but it doesn't work... Any ideas?

Cheers,
Gus

On Jun 30, 3:40 pm, Rob McBroom <mailingli...@skurfer.com> wrote:
> On Jun 30, 2010, at 1:52 PM, Jeff wrote:
>
> > When I removed that line, I got a new entry each time puppet ran...
>
> I know. I wasn’t referring to the “onlyif” line alone, but the whole thing.
>
> See my original post, starting where I said “Also note that your example as written will add this entry to the file on every single Puppet run. You could add an ‘onlyif’, but by using `last() + 1` and ‘onlyif’ you can only add entries.” for a solution.
>
> --
> Rob McBroom
> <http://www.skurfer.com/>
>
> Don't try to tell me something is important to you if the whole of your “support” entails getting Congress to force *others* to spend time and money on it.