Feature #15509

Feature #15499: Update Puppet modules: 2018Q2 → 2018Q3 edition

Switch to saz/puppet-sudo

Added by intrigeri about 1 year ago. Updated about 1 year ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Infrastructure
Target version:
Start date: 04/09/2018
Due date:
% Done: 100%
QA Check: Pass
Feature Branch:
Type of work: Sysadmin
Blueprint:
Starter:
Affected tool:

Description

The shared puppet-sudo module is deprecated: https://gitlab.com/shared-puppet-modules-group/sudo/issues/1


Related issues

Blocks Tails - Feature #13284: Core work: Sysadmin (Adapt our infrastructure) Confirmed 06/30/2017

History

#1 Updated by intrigeri about 1 year ago

  • Blocks Feature #13284: Core work: Sysadmin (Adapt our infrastructure) added

#2 Updated by intrigeri about 1 year ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

Only bits that need porting:

  • modules/tails/manifests/base.pp: include sudo: does nothing more than ensuring the sudo package is installed, which saz/puppet-sudo's main class does as well
  • modules/tails/manifests/base.pp: sudo::sudoer {'sudo-group-sudo': group => sudo, nopasswd => true }: can be replaced with saz/puppet-sudo's sudo::conf

Note that we manage quite a few bits in /etc/sudoers.d/ with File resources so we'll need to either tell saz/puppet-sudo to leave our config alone or port these bits to saz/puppet-sudo's sudo::conf.

#3 Updated by intrigeri about 1 year ago

  • Assignee changed from intrigeri to groente
  • Target version changed from Tails_3.9 to Tails_3.7
  • % Done changed from 10 to 50
  • QA Check set to Ready for QA

Done all this! 3f941eeec6e16640a2c7349793e5b2c114e60f00..d7eb983865b6cb10a82d8c8a58367d42d82ad385 in our manifests repo.

#4 Updated by groente about 1 year ago

  • Assignee changed from groente to intrigeri
  • % Done changed from 50 to 80
  • QA Check changed from Ready for QA to Pass

Looks good! I've altered the last relevant bit of sudoers.d file config to sudo::conf style in manifests/reprepro/snapshots/time_based.pp
This should mean we're ready to set config_file_replace to true and enforce that all sudo config is done through this puppet module, feel free to deploy!

#5 Updated by intrigeri about 1 year ago

  • Status changed from In Progress to Resolved
  • % Done changed from 80 to 100

groente wrote:

> Looks good! I've altered the last relevant bit of sudoers.d file config to sudo::conf style in manifests/reprepro/snapshots/time_based.pp

Looks good to me.

> This should mean we're ready to set config_file_replace to true and enforce that all sudo config is done through this puppet module, feel free to deploy!

I see little benefit in replacing the default /etc/sudoers conffile shipped by Debian; e.g. if Debian defaults change I'd rather not rely on saz/puppet-sudo to update them accordingly in their own copy; so config_file_replace => false still seems OK to me.

Regarding /etc/sudoers.d/*, purge => true is the default so all files in /etc/sudoers.d/ that are not managed by Puppet will be cleaned up already (which just happened for tails-publish-tagged-apt-snapshot for example :)
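
For readers following the thread, the end state discussed above can be sketched as a saz/puppet-sudo declaration. This is an added example, not code from the Tails manifests repository. The `content` line and the `priority` value are assumptions about what the old `sudo::sudoer` resource rendered; only the resource title `sudo-group-sudo` and the parameters `config_file_replace` and `purge` come from the ticket.

```puppet
# Added illustration; not taken from the Tails manifests.
class { 'sudo':
  # Keep the /etc/sudoers conffile shipped by Debian rather than the
  # module's own copy, so changes to Debian's defaults are not masked.
  config_file_replace => false,

  # Module default, written out explicitly: any file in /etc/sudoers.d/
  # that is not declared through Puppet is removed on the next run.
  # Hand-placed sudo rules therefore cannot persist unnoticed, and
  # anything still managed as a plain File resource has to be ported
  # to sudo::conf before this is deployed.
  purge               => true,
}

# Port of the old shared-module resource quoted in comment #2:
#   sudo::sudoer { 'sudo-group-sudo': group => sudo, nopasswd => true }
# Assumption: the old resource granted passwordless sudo to members of
# the "sudo" group, which this sudoers line reproduces.
sudo::conf { 'sudo-group-sudo':
  priority => 10,
  content  => '%sudo ALL=(ALL) NOPASSWD: ALL',
}
```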
