Should we really use chef to manage the sudoers file?

◇◆丶佛笑我妖孽 submitted on 2019-12-22 10:08:40

Question


This is my question. I am worried that if Chef breaks something in the sudoers file, probably by a Chef user using the cookbook incorrectly, then the server will be entirely inaccessible.

I would hate for us to completely lose a production server for a customer because we messed up the sudoers file and can no longer ssh into the box.


Answer 1:


Chef has a feature to help with this, verifiers. You can set up the verifies on your sudoer template like this:

template '/etc/sudoers' do
  source 'whatever.erb'
  # Syntax-check the rendered temp file with visudo before it replaces /etc/sudoers
  verify 'visudo -c -f %{path}'
end

If visudo rejects the syntax, the tempfile will never get put in place and the converge will fail. Granted, this doesn't help if you have a syntactically valid but useless sudoers. You might consider using the /etc/sudoers.d structure as that keeps each bit at least somewhat separated and harder to accidentally whammy yourself.
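
An added example, not part of the original answer: visudo -c only checks syntax, so this Ruby helper covers the "syntactically valid but useless" case by failing unless a full-access rule for a break-glass group survives in the rendered file. The group %wheel, the helper names and the sample files are assumptions; the check is deliberately strict (literal rule only, no alias expansion), so it fails closed.

```ruby
# Assumption: hypothetical break-glass group that must always keep full sudo.
REQUIRED = '%wheel'

# Constructed sample: valid syntax, admin rule split over a continuation line.
GOOD = "Defaults env_reset\n# admins\n%wheel ALL=(ALL) \\\n  NOPASSWD: ALL\n"
# Constructed sample: also valid syntax, but the admin rule is commented out.
USELESS = "Defaults env_reset\n# %wheel ALL=(ALL) ALL\n" \
          "deploy ALL=(root) /usr/bin/systemctl restart app\n"

# Join backslash-continued lines, strip trailing comments, and drop blank
# lines, whole-line comments and '#include'-style directives.
def sudoers_rules(text)
  text.gsub(/\\\r?\n/, ' ').each_line
      .map { |line| line.sub(/\s+#.*$/, '').strip }
      .reject { |line| line.empty? || line.start_with?('#') }
end

# True only if a literal "<principal> ALL=(...) [TAG:] ALL" rule is present.
# Not a full sudoers parser: rules granted through aliases are not recognised.
def keeps_admin_access?(text, principal = REQUIRED)
  rule = /\A#{Regexp.escape(principal)}\s+ALL\s*=\s*(\([^)]*\)\s*)?([A-Z_]+:\s*)*ALL\z/
  sudoers_rules(text).any? { |line| line.match?(rule) }
end

# Usage sketch inside the Chef resource, next to the visudo verifier
# (Chef passes the temp file path to a verify block):
#   verify 'visudo -c -f %{path}'
#   verify { |path| keeps_admin_access?(::File.read(path)) }

puts "GOOD keeps admin access:    #{keeps_admin_access?(GOOD)}"
puts "USELESS keeps admin access: #{keeps_admin_access?(USELESS)}"
```
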



Source: https://stackoverflow.com/questions/37209997/should-we-really-use-chef-to-manage-the-sudoers-file
