Feature #15509

Switch to saz/puppet-sudo

Added by intrigeri 2018-04-09 13:47:53. Updated 2018-05-02 10:43:27.

Status: Resolved
Priority: Normal
Assignee: intrigeri
Category: Infrastructure
Start date: 2018-04-09
% Done: 100%
Type of work: Sysadmin

Description

The shared puppet-sudo module is deprecated: https://gitlab.com/shared-puppet-modules-group/sudo/issues/1


Related issues

Blocks Tails - Feature #13284: Core work: Sysadmin (Adapt our infrastructure) Confirmed 2017-06-30

History

#1 Updated by intrigeri 2018-04-09 13:48:01

  • blocks Feature #13284: Core work: Sysadmin (Adapt our infrastructure) added

#2 Updated by intrigeri 2018-04-09 13:59:49

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

Only bits that need porting:

  • modules/tails/manifests/base.pp: include sudo: does nothing more than ensuring the sudo package is installed, which saz/puppet-sudo’s main class does as well
  • modules/tails/manifests/base.pp: sudo::sudoer {'sudo-group-sudo': group => sudo, nopasswd => true }: can be replaced with saz/puppet-sudo’s sudo::conf

Note that we manage quite a few bits in /etc/sudoers.d/ with File resources so we’ll need to either tell saz/puppet-sudo to leave our config alone or port these bits to saz/puppet-sudo’s sudo::conf.

#3 Updated by intrigeri 2018-04-09 14:57:31

  • Assignee changed from intrigeri to groente
  • Target version changed from Tails_3.9 to Tails_3.7
  • % Done changed from 10 to 50
  • QA Check set to Ready for QA

Done all this! 3f941eeec6e16640a2c7349793e5b2c114e60f00..d7eb983865b6cb10a82d8c8a58367d42d82ad385 in our manifests repo.

#4 Updated by groente 2018-05-02 09:35:05

  • Assignee changed from groente to intrigeri
  • % Done changed from 50 to 80
  • QA Check changed from Ready for QA to Pass

Looks good! I’ve altered the last relevant bit of sudoers.d file config to sudo::conf style in manifests/reprepro/snapshots/time_based.pp
This should mean we’re ready to set config_file_replace to true and enforce that all sudo config is done through this puppet module, feel free to deploy!

#5 Updated by intrigeri 2018-05-02 10:43:27

  • Status changed from In Progress to Resolved
  • % Done changed from 80 to 100

groente wrote:
> Looks good! I’ve altered the last relevant bit of sudoers.d file config to sudo::conf style in manifests/reprepro/snapshots/time_based.pp

Looks good to me.

> This should mean we’re ready to set config_file_replace to true and enforce that all sudo config is done through this puppet module, feel free to deploy!

I see little benefit in replacing the default /etc/sudoers conffile shipped by Debian; e.g. if Debian defaults change I’d rather not rely on saz/puppet-sudo to update them accordingly in their own copy; so config_file_replace => false still seems OK to me.

Regarding /etc/sudoers.d/*, purge => true is the default so all files in /etc/sudoers.d/ that are not managed by Puppet will be cleaned up already (which just happened for tails-publish-tagged-apt-snapshot for example :)
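
The end state discussed in this ticket, sketched as an added example (not code from the Tails manifests repository or from the thread's participants). It uses saz/puppet-sudo's `sudo` class and `sudo::conf` defined type; the sudoers rule assumed to correspond to the old `sudo::sudoer` resource is an assumption and is marked as such in the comments.

```puppet
# Added example, not taken from the Tails manifests repository.

# Main class of saz/puppet-sudo: ensures the sudo package is installed,
# which is all the old "include sudo" did.
class { 'sudo':
  # Keep the /etc/sudoers conffile shipped by Debian rather than the
  # module's own copy, so changes to Debian's defaults still reach the host.
  config_file_replace => false,
  # Module default, spelled out for clarity: files in /etc/sudoers.d/
  # that are not managed by Puppet are removed on the next agent run.
  purge               => true,
}

# Replacement for:
#   sudo::sudoer { 'sudo-group-sudo': group => sudo, nopasswd => true }
# Assumption: the old resource rendered the rule below for the "sudo" group.
sudo::conf { 'sudo-group-sudo':
  content => '%sudo ALL=(ALL) NOPASSWD: ALL',
}
```

Running `puppet agent --test --noop` before the first real run shows which files in /etc/sudoers.d/ the purge would remove, so any rule still needing a port to `sudo::conf` is caught before it disappears.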