我们是否应该真正使用Chef来管理sudoers文件? [英] Should we really use chef to manage the sudoers file?

问题描述

这是我的问题.我担心如果Chef可能会由于厨师用户错误地使用菜谱而破坏了sudoers文件中的某些内容，那么服务器将完全无法访问.

This is my question. I am worried that if Chef breaks something in the sudoers file, probably by a Chef user using the cookbook incorrectly, then the server will be entirely inaccessible.

我不希望我们完全为客户失去生产服务器，因为我们弄乱了sudoers文件，再也无法将它装进盒子了.

I would hate for us to completely lose a production server for a customer because we messed up the sudoers file and can no longer ssh into the box.

推荐答案

Chef具有帮助此功能的功能.您可以像这样在sudoer模板上设置verifies:

Chef has a feature to help with this, verifiers. You can set up the verifies on your sudoer template like this:

template '/etc/sudoers' do
  source 'whatever.erb
  verify 'visudo -c -f %{path}'
end

如果visudo拒绝语法，则临时文件将永远不会放置到位，并且收敛将失败.当然，如果您在语法上有效但无用的sudoer，这无济于事.您可能会考虑使用/etc/sudoers.d结构，因为这会使每个位至少保持一定程度的分离，并且更难于意外地弄乱自己.

If visudo rejects the syntax, the tempfile will never get put in place and the converge will fail. Granted, this doesn't help if you have a syntactically valid but useless sudoers. You might consider using the /etc/sudoers.d structure as that keeps each bit at least somewhat separated and harder to accidentally whammy yourself.

这篇关于我们是否应该真正使用Chef来管理sudoers文件?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！