This visudo checker I've written (based on some examples from the web and puppet training materials) causes a dependency loop -- but only when I include the unless => "diff ...". It seems someone got clever and decided to look at exec's and look for managed filenames in argument lists and create implicit dependencies from them? Argh!
I also tried just making the exec a refreshonly from the sudoers_check file's notify, but then the sudoers file itself ignored the bad return from the exec even though it requires => the exec. My best solution so far is to just let the visudo run every time...

$ puppet --version
2.6.4

define sudo::fragment($source, $order=10) {
  concat::fragment { "${name}_sudoers":
    source => $source,
    target => $sudo::config::sudoers,
  }
  concat::fragment { "${name}_sudoers_check":
    source => $source,
    target => $sudo::config::sudoers_check,
  }
}

class sudo::config($sudoers="/etc/sudoers") {
  $sudoers_check = "${sudoers}.check"
}

class sudo {
  include concat::setup

  $sudoers = $sudo::config::sudoers
  $sudoers_check = $sudo::config::sudoers_check

  package { "sudo":
    ensure => installed,
  }

  concat { $sudoers_check:
    owner => root,
    group => root,
    mode => 440,
    warn => true,
  }

  exec { "visudo -cf $sudoers_check":
    path => "/usr/sbin/:/usr/bin",
    require => [Concat[$sudoers_check], Package["sudo"]],
    unless => "diff $sudoers $sudoers_check",
  }

  concat { $sudoers:
    owner => root,
    group => root,
    mode => 440,
    require => [Exec["visudo -cf $sudoers_check"], File[$sudoers_check]],
    warn => true,
  }
}

class { "sudo::config":
  sudoers => "/tmp/sudoers"
}

sudo::fragment { "ob":
  source => "puppet:///modules/sudo/sudoers",
  #source => "/etc/passwd",
}

err: Could not apply complete catalog: Found dependency cycles in the following relationships:
  Exec[visudo -cf /tmp/sudoers.check] => File[/var/lib/puppet/concat/_tmp_sudoers],
  File[/var/lib/puppet/concat/_tmp_sudoers] => File[/var/lib/puppet/concat/_tmp_sudoers/fragments],
  Exec[visudo -cf /tmp/sudoers.check] => File[/var/lib/puppet/concat/_tmp_sudoers/fragments],
  Exec[visudo -cf /tmp/sudoers.check] => File[/tmp/sudoers],
  Exec[concat_/tmp/sudoers] => File[/tmp/sudoers],
  File[/tmp/sudoers] => Exec[visudo -cf /tmp/sudoers.check],
  File[/var/lib/puppet/concat/_tmp_sudoers/fragments] => File[/var/lib/puppet/concat/_tmp_sudoers/fragments/10_ob_sudoers],
  File[/var/lib/puppet/concat/_tmp_sudoers] => Exec[concat_/tmp/sudoers],
  File[/var/lib/puppet/concat/_tmp_sudoers] => Exec[concat_/tmp/sudoers],
  File[/var/lib/puppet/concat/_tmp_sudoers/fragments] => Exec[concat_/tmp/sudoers],
  File[/var/lib/puppet/concat/_tmp_sudoers/fragments] => Exec[concat_/tmp/sudoers],
  Exec[visudo -cf /tmp/sudoers.check] => Exec[concat_/tmp/sudoers],
  File[/var/lib/puppet/concat/_tmp_sudoers/fragments/10_ob_sudoers] => Exec[concat_/tmp/sudoers],
  File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat.out] => Exec[concat_/tmp/sudoers],
  File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat] => Exec[concat_/tmp/sudoers],
  File[/var/lib/puppet/concat/_tmp_sudoers] => File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat.out],
  Exec[visudo -cf /tmp/sudoers.check] => File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat.out],
  File[/var/lib/puppet/concat/_tmp_sudoers] => File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat],
  Exec[visudo -cf /tmp/sudoers.check] => File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat];
  try using the '--graph' option and open the '.dot' files in OmniGraffle or GraphViz
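
Added example, not part of the original post: a Ruby script that parses relationships in the format of the error above and reports the shortest loop among them. The embedded edge list is a subset copied from that error; the function names parse_edges and shortest_cycle are illustrative.

```ruby
# Added example: locate the loop in a Puppet "Found dependency cycles" list.
# EDGES is a subset of the relationships quoted in the error above.
EDGES = <<~TXT
  Exec[visudo -cf /tmp/sudoers.check] => File[/var/lib/puppet/concat/_tmp_sudoers],
  File[/var/lib/puppet/concat/_tmp_sudoers] => Exec[concat_/tmp/sudoers],
  Exec[visudo -cf /tmp/sudoers.check] => File[/tmp/sudoers],
  Exec[concat_/tmp/sudoers] => File[/tmp/sudoers],
  File[/tmp/sudoers] => Exec[visudo -cf /tmp/sudoers.check],
  Exec[visudo -cf /tmp/sudoers.check] => Exec[concat_/tmp/sudoers]
TXT

# Parse "Type[title] => Type[title]" pairs into an adjacency list.
def parse_edges(text)
  graph = Hash.new { |h, k| h[k] = [] }
  text.scan(/([\w:]+\[[^\]]+\])\s*=>\s*([\w:]+\[[^\]]+\])/) do |from, to|
    graph[from] << to unless graph[from].include?(to)
    graph[to] # make sure nodes that only appear as targets exist too
  end
  graph
end

# Breadth-first search from every node back to itself; keep the shortest loop.
def shortest_cycle(graph)
  best = nil
  graph.keys.each do |start|
    prev = {}
    queue = [start]
    found = false
    until queue.empty? || found
      node = queue.shift
      graph.fetch(node, []).each do |nxt|
        if nxt == start
          path = [node]
          path.unshift(prev[path.first]) while prev.key?(path.first)
          best = path if best.nil? || path.size < best.size
          found = true
          break
        end
        next if prev.key?(nxt)
        prev[nxt] = node
        queue << nxt
      end
    end
  end
  best
end

puts shortest_cycle(parse_edges(EDGES)).join(" => ") if __FILE__ == $0
```

For this subset the shortest loop is the pair Exec[visudo -cf /tmp/sudoers.check] and File[/tmp/sudoers]. The manifest declares only the Exec-before-File direction (the require on concat { $sudoers: }), so the reverse edge is the one to look at, which fits the observation that the loop appears only when the unless line names $sudoers.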