Just wondering if anyone out there is using sudo across a bunch of machines and has a system/script for painlessly distributing a master sudoers file? is it as easy as a daily cronjob running wget/scp/rsync?
On 9/7/06, Nick list@everywhereinternet.com wrote:
> Just wondering if anyone out there is using sudo across a bunch of machines and has a system/script for painlessly distributing a master sudoers file? is it as easy as a daily cronjob running wget/scp/rsync?
I do, but I use the group access directive '%' to give access to people in the 'wheel' group.
I have scripts which manage users across a bunch of machines which allow me to create a user and have his account and SSH key distributed to 10-15 machines without much work.
Something like cfengine (cfengine.org) might be overkill here. I can't see anything wrong with a daily / hourly rsync of the sudoers file. The only thing I'd say is why do you need to make configuration changes so often? Can you not group these users into a group (or multiple groups?)
Phil.
On Thu, Sep 07, 2006 at 09:21:06AM +0100, Philip Reynolds wrote:
> On 9/7/06, Nick list@everywhereinternet.com wrote:
> > Just wondering if anyone out there is using sudo across a bunch of machines and has a system/script for painlessly distributing a master sudoers file? is it as easy as a daily cronjob running wget/scp/rsync?
> I do, but I use the group access directive '%' to give access to people in the 'wheel' group. ...
We've added a group to our NIS group map and then use that with the % directive to give access to the people in that group. Thus it only requires an update to a single NIS map and, if desired immediately, a NIS map push (ours are set to automatically update regularly so the push isn't needed if we're willing to wait).
Debbie
On Thu, 7 Sep 2006, Nick wrote:
> Just wondering if anyone out there is using sudo across a bunch of machines and has a system/script for painlessly distributing a master sudoers file? is it as easy as a daily cronjob running wget/scp/rsync?
I use cfengine for this task -- but it doesn't work with your choice of adverbs. The day that "painlessly" can be applied to "configuration management" will be a good one indeed! :-)
Paul Heinlein wrote:
> I use cfengine for this task -- but it doesn't work with your choice of adverbs. The day that "painlessly" can be applied to "configuration management" will be a good one indeed! :-)
Hehehehehe.
Puppet seems to be like cfengine with added acetylsalicylic acid to take away a bit of pain.
Though I know it in theory only, not in practice, as we still use cfengine (and buy the aspirin at the drug store).
See for yourself:
http://reductivelabs.com/projects/puppet/documentation/notcfengine.html
Cheers,
Ralph
On 9/7/06, Ralph Angenendt ra+centos@br-online.de wrote:
> Puppet seems to be like cfengine with added acetylsalicylic acid to take away a bit of pain.
I'm in the middle of having to make a choice between cfengine and puppet at the moment. Does anyone have experience with it? Is it stable enough to use in production?
Phil.
Philip Reynolds wrote:
> On 9/7/06, Ralph Angenendt ra+centos@br-online.de wrote:
> > Puppet seems to be like cfengine with added acetylsalicylic acid to take away a bit of pain.
> I'm in the middle of having to make a choice between cfengine and puppet at the moment. Does anyone have experience with it? Is it stable enough to use in production?
It's supposed to be stable enough, yes. No, I don't run it, as I just got my colleagues up to date with cfengine.
You might want to read around in Luke's blog: http://madstop.com/.
Personally I'd go for puppet.
Ralph
Ralph Angenendt wrote:
> Personally I'd go for puppet.
Especially as the design leans towards real world applications and not anomaly detection, for which Mark Burgess mostly uses cfengine.
This said I'm just pushing looking at puppet some lines upward on my todo list.
Ralph
Nick wrote:
> Just wondering if anyone out there is using sudo across a bunch of machines and has a system/script for painlessly distributing a master sudoers file? is it as easy as a daily cronjob running wget/scp/rsync?
I interpret that to mean, "Can I change it with unofficial tools (i.e., not visudo)?"
Yes, I regularly customise mine during (kickstart) install with sed, ed or similar. Since you're not using the supplied checker, the onus is on you to get it right.
> Just wondering if anyone out there is using sudo across a bunch of machines and has a system/script for painlessly distributing a master sudoers file? is it as easy as a daily cronjob running wget/scp/rsync?
sudoers is just a text file; nothing magical about it. i'd recommend the following:
1) you can use rsync or whatnot to push sudoers out to other hosts, but you should use visudo to make your edits to the master copy. the syntax checking is worthwhile.
2) sudo is sensitive to permissions on /etc/sudoers; whatever method you use, make extra sure it's setting the permissions and ownership correctly.
on the other hand, if you have an LDAP infrastructure in place, you can just store sudoers in LDAP:
http://www.courtesan.com/sudo/readme_ldap.html
depending on how you're trying to scale this solution, this might be a better way to go altogether.
-steve
-- If this were played upon a stage now, I could condemn it as an improbable fiction. - Fabian, Twelfth Night, III,v
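The two recommendations in the last message (syntax-check with visudo, get ownership and permissions right) can be enforced on the receiving host before a fetched copy replaces the live file. The following is an added example, not code from anyone in the thread; the function names and the `SUDOERS_CHECK` override are hypothetical.

```shell
#!/bin/sh
# Added example. SUDOERS_CHECK is a hypothetical override naming a command or
# shell function to use as the checker; unset, the real "visudo -c" is used.

check_sudoers() {
    # $1 = candidate file; a non-zero exit status means "do not install".
    if [ -n "${SUDOERS_CHECK:-}" ]; then
        "$SUDOERS_CHECK" "$1"
    else
        visudo -c -q -f "$1"
    fi
}

install_sudoers() {
    src=$1    # freshly fetched copy (rsync/scp/wget output)
    dest=$2   # live file, normally /etc/sudoers
    [ -s "$src" ] || { echo "refusing empty or missing $src" >&2; return 1; }

    # Stage beside the destination so the final mv is a same-filesystem
    # rename; mktemp creates the file with mode 0600.
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    cp "$src" "$tmp" || { rm -f "$tmp"; return 1; }

    # Check the staged copy: exactly the bytes that will be installed.
    if ! check_sudoers "$tmp"; then
        echo "syntax check failed, keeping existing $dest" >&2
        rm -f "$tmp"
        return 1
    fi

    # sudo checks the owner and mode of sudoers; a stock build expects
    # uid 0, gid 0 and mode 0440. chown only works when running as root.
    if [ "$(id -u)" -eq 0 ]; then
        chown 0:0 "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
}
```

A cron job would run the transfer first and then call `install_sudoers` with the fetched copy and `/etc/sudoers`; a truncated or malformed download leaves the existing file in place.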