This visudo checker I've written (based on some examples from the web
and puppet training materials) causes a dependency loop -- but only
when I include the unless => diff. It seems someone got clever
and decided to look at execs and look for managed filenames in
argument lists and create implicit dependencies from them? Argh!
I also tried just making the exec a refreshonly from the sudoers_check
file's notify, but then the sudoers file itself ignored the bad return
from the exec even though it requires => the exec.
My best solution so far is to just let the visudo run every time...
$ puppet --version
2.6.4
define sudo::fragment($source, $order=10) {
  # Each fragment goes into both the live sudoers and the .check copy
  concat::fragment { "${name}_sudoers":
    source => $source,
    order  => $order,
    target => $sudo::config::sudoers,
  }
  concat::fragment { "${name}_sudoers_check":
    source => $source,
    order  => $order,
    target => $sudo::config::sudoers_check,
  }
}

class sudo::config($sudoers="/etc/sudoers") {
  $sudoers_check = "${sudoers}.check"
}

class sudo {
  include concat::setup
  $sudoers       = $sudo::config::sudoers
  $sudoers_check = $sudo::config::sudoers_check

  package { "sudo":
    ensure => installed,
  }

  # Staging copy that visudo validates before the live file is assembled
  concat { $sudoers_check:
    owner => root,
    group => root,
    mode  => 440,
    warn  => true,
  }

  exec { "visudo -cf ${sudoers_check}":
    path    => "/usr/sbin:/usr/bin",
    require => [Concat[$sudoers_check], Package["sudo"]],
    unless  => "diff ${sudoers} ${sudoers_check}",
  }

  concat { $sudoers:
    owner   => root,
    group   => root,
    mode    => 440,
    require => [Exec["visudo -cf ${sudoers_check}"], File[$sudoers_check]],
    warn    => true,
  }
}

class { "sudo::config": sudoers => "/tmp/sudoers" }

sudo::fragment { "ob":
  source => "puppet:///modules/sudo/sudoers",
  #source => "/etc/passwd",
}
err: Could not apply complete catalog: Found dependency cycles in the
following relationships:
  Exec[visudo -cf /tmp/sudoers.check] => File[/var/lib/puppet/concat/_tmp_sudoers],
  File[/var/lib/puppet/concat/_tmp_sudoers] => File[/var/lib/puppet/concat/_tmp_sudoers/fragments],
  Exec[visudo -cf /tmp/sudoers.check] => File[/var/lib/puppet/concat/_tmp_sudoers/fragments],
  Exec[visudo -cf /tmp/sudoers.check] => File[/tmp/sudoers],
  Exec[concat_/tmp/sudoers] => File[/tmp/sudoers],
  File[/tmp/sudoers] => Exec[visudo -cf /tmp/sudoers.check],
  File[/var/lib/puppet/concat/_tmp_sudoers/fragments] => File[/var/lib/puppet/concat/_tmp_sudoers/fragments/10_ob_sudoers],
  File[/var/lib/puppet/concat/_tmp_sudoers] => Exec[concat_/tmp/sudoers],
  File[/var/lib/puppet/concat/_tmp_sudoers] => Exec[concat_/tmp/sudoers],
  File[/var/lib/puppet/concat/_tmp_sudoers/fragments] => Exec[concat_/tmp/sudoers],
  File[/var/lib/puppet/concat/_tmp_sudoers/fragments] => Exec[concat_/tmp/sudoers],
  Exec[visudo -cf /tmp/sudoers.check] => Exec[concat_/tmp/sudoers],
  File[/var/lib/puppet/concat/_tmp_sudoers/fragments/10_ob_sudoers] => Exec[concat_/tmp/sudoers],
  File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat.out] => Exec[concat_/tmp/sudoers],
  File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat] => Exec[concat_/tmp/sudoers],
  File[/var/lib/puppet/concat/_tmp_sudoers] => File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat.out],
  Exec[visudo -cf /tmp/sudoers.check] => File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat.out],
  File[/var/lib/puppet/concat/_tmp_sudoers] => File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat],
  Exec[visudo -cf /tmp/sudoers.check] => File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat];
try using the '--graph' option and open the '.dot' files in OmniGraffle or
GraphViz
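One way to break the cycle while keeping the safety property the checker is after (the live sudoers is only ever replaced by a copy visudo has accepted), added here as an example that is not part of the original post. It assumes the implicit edge comes from Puppet 2.6's exec type autorequiring any File resource whose fully qualified path appears in its unless/onlyif, so the fix is to stop managing $sudoers as a Puppet file at all and let a single refresh-only exec validate and install the staged copy; the resource name "install-sudoers" is made up for the example.

```puppet
# Added example, not the original poster's manifest. Assumption: the cycle is
#   Exec[visudo] ==autorequire==> File[$sudoers]  (path seen in "unless")
#   File[$sudoers] ==require==> Exec[visudo]      (explicit)
# so the live sudoers is deliberately NOT a concat/File resource here.
define sudo::fragment($source, $order=10) {
  # Fragments only build the staging copy.
  concat::fragment { "${name}_sudoers":
    source => $source,
    order  => $order,
    target => $sudo::config::sudoers_check,
  }
}

class sudo {
  include concat::setup
  $sudoers       = $sudo::config::sudoers
  $sudoers_check = $sudo::config::sudoers_check

  package { "sudo": ensure => installed }

  # Staging copy assembled from fragments; the only concat target.
  concat { $sudoers_check:
    owner => root,
    group => root,
    mode  => 440,
    warn  => true,
  }

  # Validate, then install atomically, in one step:
  #  - refreshonly + subscribe: runs only when the staged copy changed,
  #    so no "unless => diff" naming a managed path is needed;
  #  - "&&" chaining: install/mv never run if visudo rejects the file,
  #    a broken fragment leaves the live sudoers untouched and the
  #    run fails loudly (logoutput => on_failure shows visudo's reason);
  #  - install to a temp file then mv -f: readers never see a partial file.
  exec { "install-sudoers":
    command     => "/bin/sh -c 'visudo -cf ${sudoers_check} && install -m 0440 -o root -g root ${sudoers_check} ${sudoers}.tmp && mv -f ${sudoers}.tmp ${sudoers}'",
    path        => "/usr/sbin:/usr/bin:/bin",
    refreshonly => true,
    subscribe   => Concat[$sudoers_check],
    require     => Package["sudo"],
    logoutput   => on_failure,
  }
}
```

Because nothing declares File[$sudoers], the Exec has no implicit edge back to the live file and the concat chain only feeds the staging copy; the first run still installs the file because the initial creation of the staging copy triggers the refresh.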