This is my question. I am worried that if Chef breaks something in the sudoers file, probably by a Chef user using the cookbook incorrectly, then the server will be entirely inaccessible.
I would hate for us to completely lose a production server for a customer because we messed up the sudoers file and can no longer ssh into the box.
Chef has a feature to help with this, verifiers. You can set up the verifier on your sudoers template like this:
  template '/etc/sudoers' do
    source 'whatever.erb'
    # Chef substitutes %{path} with the not-yet-installed temp file; a non-zero
    # exit status from visudo aborts the resource and leaves /etc/sudoers untouched.
    verify 'visudo -c -f %{path}'
  end
If visudo rejects the syntax, the tempfile will never get put in place and the converge will fail. Granted, this doesn't help if you have a syntactically valid but useless sudoers. You might consider using the /etc/sudoers.d structure as that keeps each bit at least somewhat separated and harder to accidentally whammy yourself.
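The pattern the answer describes (write to a temp file, run an external verifier against it with `%{path}` substituted, and only then move it into place) can be reproduced outside Chef. The following Ruby is an added example written for this page, not code from the answer above or from Chef itself; it assumes `visudo` is installed for real use (the demo falls back gracefully if it is not), and `write_verified` and `sudoers_d_fragment` are names chosen here. It also covers the `/etc/sudoers.d` suggestion: sudo's `#includedir` silently skips fragment names that contain a `.` or end in `~`, so the helper rejects those before anything is written.

```ruby
require 'tempfile'
require 'fileutils'
require 'tmpdir'

# Install `content` at `dest` only if `verify_cmd` accepts it.
# `verify_cmd` uses Chef's %{path} placeholder, replaced with the path of a
# temporary file in the same directory as `dest` (so the final rename is atomic).
# Returns true if the file was installed, false if the verifier rejected it;
# on rejection `dest` is left exactly as it was.
def write_verified(dest, content, verify_cmd, mode: 0440)
  tmp = Tempfile.create(File.basename(dest), File.dirname(dest))
  tmp.write(content)
  tmp.close # flush, so the verifier sees the complete file
  cmd = verify_cmd % { path: tmp.path }
  unless system(cmd) # false on non-zero exit, nil if the command could not run
    File.unlink(tmp.path)
    return false
  end
  File.chmod(mode, tmp.path) # sudoers must be 0440 or sudo refuses it
  File.rename(tmp.path, dest)
  true
end

# Path for a fragment under sudoers.d. sudo's #includedir ignores names that
# contain '.' or end in '~' (editor backups), so a typo like "app.conf" would be
# written but never read; fail early instead.
def sudoers_d_fragment(name, dir = '/etc/sudoers.d')
  if name.include?('.') || name.end_with?('~')
    raise ArgumentError, "sudoers.d fragment name #{name.inspect} would be ignored by sudo"
  end
  File.join(dir, name)
end

if $PROGRAM_NAME == __FILE__
  # Demo in a scratch directory so nothing touches the real /etc/sudoers.
  Dir.mktmpdir do |dir|
    dest = sudoers_d_fragment('deploy', dir)
    good = "deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app\n" # constructed sample
    bad  = "deploy ALL=(root NOPASSWD: /usr/bin/systemctl restart app\n"  # unbalanced paren
    [good, bad].each do |c|
      ok = write_verified(dest, c, 'visudo -c -q -f %{path}')
      puts "#{ok ? 'installed' : 'rejected'}: #{c.strip}"
    end
  end
end
```

Run it as a script to see visudo accept the first fragment and reject the second; the verifier command is a plain string, so any checker that exits non-zero on bad input (a linter, a schema check) can be dropped into the same slot.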
Source: https://stackoverflow.com/questions/37209997/should-we-really-use-chef-to-manage-the-sudoers-file