Feature #15509
Switch to saz/puppet-sudo
100%
Description
The shared puppet-sudo module is deprecated: https://gitlab.com/shared-puppet-modules-group/sudo/issues/1
Subtasks
Related issues
Blocks Tails - Feature #13284: Core work: Sysadmin (Adapt our infrastructure) | Confirmed | 2017-06-30 |
History
#1 Updated by intrigeri 2018-04-09 13:48:01
- blocks Feature #13284: Core work: Sysadmin (Adapt our infrastructure) added
#2 Updated by intrigeri 2018-04-09 13:59:49
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 10
Only bits that need porting:
- modules/tails/manifests/base.pp: include sudo: does nothing more than ensuring the sudo package is installed, which saz/puppet-sudo’s main class does as well
- modules/tails/manifests/base.pp: sudo::sudoer {'sudo-group-sudo': group => sudo, nopasswd => true }: can be replaced with saz/puppet-sudo’s sudo::conf
Note that we manage quite a few bits in /etc/sudoers.d/ with File resources so we’ll need to either tell saz/puppet-sudo to leave our config alone or port these bits to saz/puppet-sudo’s sudo::conf.
#3 Updated by intrigeri 2018-04-09 14:57:31
- Assignee changed from intrigeri to groente
- Target version changed from Tails_3.9 to Tails_3.7
- % Done changed from 10 to 50
- QA Check set to Ready for QA
Done all this! 3f941eeec6e16640a2c7349793e5b2c114e60f00..d7eb983865b6cb10a82d8c8a58367d42d82ad385 in our manifests repo.
#4 Updated by groente 2018-05-02 09:35:05
- Assignee changed from groente to intrigeri
- % Done changed from 50 to 80
- QA Check changed from Ready for QA to Pass
Looks good! I’ve altered the last relevant bit of sudoers.d file config to sudo::conf style in manifests/reprepro/snapshots/time_based.pp
This should mean we’re ready to set config_file_replace to true and enforce that all sudo config is done through this puppet module, feel free to deploy!
#5 Updated by intrigeri 2018-05-02 10:43:27
- Status changed from In Progress to Resolved
- % Done changed from 80 to 100
groente wrote:
> Looks good! I’ve altered the last relevant bit of sudoers.d file config to sudo::conf style in manifests/reprepro/snapshots/time_based.pp
Looks good to me.
> This should mean we’re ready to set config_file_replace to true and enforce that all sudo config is done through this puppet module, feel free to deploy!
I see little benefit in replacing the default /etc/sudoers conffile shipped by Debian; e.g. if Debian defaults change I’d rather not rely on saz/puppet-sudo to update them accordingly in their own copy; so config_file_replace => false still seems OK to me.
Regarding /etc/sudoers.d/*, purge => true is the default so all files in /etc/sudoers.d/ that are not managed by Puppet will be cleaned up already (which just happened for tails-publish-tagged-apt-snapshot for example :)
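The end state discussed in this ticket, sketched as an added example that is not taken from the Tails manifests repo: it uses saz/puppet-sudo's config_file_replace and purge class parameters and its sudo::conf define. The sudoers line for the sudo group is an assumption about what the old sudo::sudoer resource rendered, and the second fragment (user, command, resource name) is hypothetical.

```puppet
# Added example; not code from the Tails manifests repository.

class { 'sudo':
  # Leave the /etc/sudoers conffile shipped by Debian untouched, so that
  # changes to the distribution defaults keep arriving via the package.
  config_file_replace => false,

  # Remove every file in /etc/sudoers.d/ that Puppet does not manage.
  # This is the module default; it is spelled out here because it is
  # the setting that enforces "all sudo config goes through Puppet".
  purge               => true,
}

# Port of the old resource
#   sudo::sudoer { 'sudo-group-sudo': group => sudo, nopasswd => true }
# ASSUMPTION: the rendered rule was passwordless sudo for group "sudo".
sudo::conf { 'sudo-group-sudo':
  content => '%sudo ALL=(ALL) NOPASSWD: ALL',
}

# HYPOTHETICAL fragment showing how a rule that used to be a plain File
# resource under /etc/sudoers.d/ is ported. With purge => true, a rule
# that is NOT declared like this is deleted on the next agent run, so
# every fragment must be ported before the new class is deployed.
sudo::conf { 'example-restricted-command':
  ensure  => present,
  content => 'exampleuser ALL=(root) NOPASSWD: /usr/local/bin/example-task',
}
```

Running the agent with --noop first lists the /etc/sudoers.d/ files that purge would remove, which shows any fragment that has not been ported yet.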