我们是否应该真正使用Chef来管理sudoers文件? [英] Should we really use chef to manage the sudoers file?
问题描述
这是我的问题.我担心如果Chef可能会由于厨师用户错误地使用菜谱而破坏了sudoers文件中的某些内容,那么服务器将完全无法访问.
This is my question. I am worried that if Chef breaks something in the sudoers file, probably by a Chef user using the cookbook incorrectly, then the server will be entirely inaccessible.
我不希望我们完全为客户失去生产服务器,因为我们弄乱了sudoers文件,再也无法将它装进盒子了.
I would hate for us to completely lose a production server for a customer because we messed up the sudoers file and can no longer ssh into the box.
推荐答案
Chef具有帮助此功能的功能.您可以像这样在sudoer模板上设置verifies
:
Chef has a feature to help with this, verifiers. You can set up the verifies
on your sudoer template like this:
template '/etc/sudoers' do
source 'whatever.erb
verify 'visudo -c -f %{path}'
end
如果visudo拒绝语法,则临时文件将永远不会放置到位,并且收敛将失败.当然,如果您在语法上有效但无用的sudoer,这无济于事.您可能会考虑使用/etc/sudoers.d
结构,因为这会使每个位至少保持一定程度的分离,并且更难于意外地弄乱自己.
If visudo rejects the syntax, the tempfile will never get put in place and the converge will fail. Granted, this doesn't help if you have a syntactically valid but useless sudoers. You might consider using the /etc/sudoers.d
structure as that keeps each bit at least somewhat separated and harder to accidentally whammy yourself.
这篇关于我们是否应该真正使用Chef来管理sudoers文件?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!