How to use saz-sudo puppet module to deploy the own sudoers file with hiera

hierapuppetsudo

I have saz-sudo installed and have created a site_sudo module based (I hope) on it.
Here's what I have in my site_sudo/manifest/init.pp file:

class { 'site_sudo': }
    sudo::conf { 'web':
      source => 'puppet:///files/etc/sudoers',
    }
    sudo::conf { 'syseng':
      priority => 10,
      content  => "%sysadm ALL=(ALL) NOPASSWD: ALL",
    }

include sudo

No matter what I do, the sudoers file on the target is always overwritten with the sudoers.rhel6 file from saz-sudo module.

I'm using common.yaml too:

classes:
  - site_sudo

Best Answer

Is that an exact copy from your file? The class { 'site_sudo': } line would include that class into the config, not define the class as you should be doing in the init.pp for the module. This will prevent the rest of the config in the file from being applied (since this file is only being evaluated to load that class; the other lines won't be evaluated as they would in an import statement).

Instead, it should look like this:

class site_sudo { 
  include sudo
  sudo::conf { 'web':
    source => 'puppet:///files/etc/sudoers',
  }
  sudo::conf { 'syseng':
    priority => 10,
    content  => "%sysadm ALL=(ALL) NOPASSWD: ALL",
  }
}

Related Solutions

Linux – Adding an existing user to a group with puppet

If you declare users as virtual resources , you can then use 'realize' or the collection syntax ( User <| ... |>). Here's an example:

@user { 'foo':
  groups     => ['somegroup'],
  membership => minimum,
}

Then realize that virtual user with then collection syntax:

User <| title == foo |>

And elsewhere you can add to the parameters for that virtual resource using plusignment:

User <| title == foo |> { groups +> "svn" }

How to redefine parameters in subclass

Answer the meta question of how do you make this work, If you're using Passenger to run your Puppet master, which you should if you've a system of any size, there is a simple workaround to the madness that is the puppetlabs module. You simply drop a new file called /etc/puppet/puppetmaster.conf and maybe some other bits of config in a new module called puppetmaster and also add this line to the config.ru

ARGV << "--config=/etc/puppet/puppetmaster.conf"

You can use some of the logic inside the puppetlabs module, but it might be simpler to just push a file or less complex template if you don't care about having every single bit of config as a parameter. Then include puppetmaster on the nodes that are masters and you're set. You can also modify the existing puppetlabs to do the above.

Addressing the original question, Hiera might be the simplest solution. Use this in the init.pp

$master                   = hiera('puppet_master','false'),

and then set puppet_master: true for the machines that need it. Personally my preference is for the first method.

Best Answer

Related Solutions

Linux – Adding an existing user to a group with puppet

How to redefine parameters in subclass

Related Topic