Managing sudo on your agent nodes allows you to control which system users have access to elevated privileges. This guide provides instructions for getting started managing sudo privileges across your nodes, using a module from the Puppet Forge in conjunction with a simple module you will write.
In most cases, you want to manage sudo on your nodes to control which system users have access to elevated privileges.
Managing sudo overview
To manage sudo configuration and privileges across your deployment, you write a module.
saz-sudo module, available on the Puppet Forge, is one of many modules written by a member of our user community. To learn more about the module, visit the Puppet Forge.
You also write a simple
privileges module with a class to manage sudo privileges. The
saz-sudo module has several classes, but the module you write contains just one.
saz-sudoon Puppet Forge.
Using this guide, you:
- Install the
saz-sudomodule as the foundation for your management of sudo privileges.
- Write a simple
privilegesmodule to manage a few resources that set privileges for certain users, which will be managed by the
- Create a Sudo node group
- Add classes from the
sudomodules to your agent nodes in the console.
These instructions assume you have installed PE. Refer to the installation overview and the agent installation instructions for complete instructions. See the supported operating system documentation for supported platforms. This guide assumes that you are not using Code Manager or r10k.
About module directories
By default, Puppet keeps modules in
/etc/puppetlabs/code/environments/production/modules. This includes
modules that you download from the Forge and those you write yourself.
PE also creates two other module directories:
/etc/puppetlabs/staging-code/modules. For this guide, don't modify
or add anything to either of these directories.
There are plenty of resources about modules and the creation of modules that you can reference.
- Puppet: Module fundamentals.
- Puppet: The modulepath.
- The Beginner's guide to modules.
- The Puppet Forge.
Install the saz-sudo module
To start managing sudo configuration with Puppet Enterprise, install the
puppet module install saz-sudo.
You should see output similar to the following:
Preparing to install into /etc/puppetlabs/puppet/modules ... Notice: Downloading from http://forgeapi.puppetlabs.com ... Notice: Installing -- do not interrupt ... /etc/puppetlabs/puppet/modules └── saz-sudo (v2.3.6) └── puppetlabs-stdlib (3.2.2) [/opt/puppetlabs/puppet/modules]
That's it! You've just installed the
saz-sudo module. Wait a short time for the Puppet server to refresh before the classes are available to add to your agents.
Write the privileges module
Manage sudo privileges with Puppet Enterprise, by writing a
privileges module will contain the following files:
privileges/ (the module name)
init.pp (contains the privileges class)
- From the command line on the Puppet master, navigate to the modules directory:
mkdir -p privileges/manifeststo create the new module directory and its manifests directory.
- From the
manifestsdirectory, use your text editor to create the
init.ppfile, and edit it so it contains the following Puppet code.
- Save and exit the file.
That's it! You've written a module that contains a class that, when applied, ensures that your agent nodes have the correct sudo privileges set for the root user and the "admin" and "wheel" groups. You will add this class at the same time you add the
To learn more about what the resources in this class do, see the related topic about the resources in the
About the resources in the privileges class
privileges module you wrote for managing sudo privileges in your deployment contains just one class, but several resources. Each resource has a specific job.
privileges module contains the following resources:
user 'root': This resource ensures that the root user has a centrally defined password and shell. Puppet enforces this configuration and report on and remediate any drift detected, such as if a rogue admin logs in and changes the password on an agent node.
sudo::conf 'admins': Create a sudoers rule to ensure that members of the admin group have the ability to run any command using sudo. This resource creates configuration fragment file to define this rule in
/etc/sudoers.d/. It is usually called something like
sudo::conf 'wheel': Create a sudoers rule to ensure that members of the wheel group have the ability to run any command using sudo. This resource creates a configuration fragment to define this rule in
/etc/sudoers.d/. It is usually called something like
Create the Sudo node group
To specify which nodes you want to manage sudo on, set up a designated node group.
This group, called Sudo, will contain all of your nodes. Depending on your needs or infrastructure, your group might be different.
- In the PE console, click Nodes> Classification, and click Add group.
- Specify options for the new node group:
- Parent name : select All nodes
- Group name : enter a name that describes the role of this environment node group
Environment: select production
Environment group: don't select this option
- Click Add
- Click the
Sudogroup and select the Rules tab.
- In the Fact field, enter name.
- From the Operator drop-down list, select ~ (matches regex).
- In the Value field, enter
- Click Add rule.
This rule "dynamically" pins all nodes to the Sudo group. Note that this rule is for testing purposes and that decisions about pinning nodes to groups in a production environment vary. To learn more, see the related topic about dynamically pinning nodes.
Related topics: Adding nodes "dynamically"
Add the privileges and sudo classes
To manage sudo configuration and privileges for the nodes in your Sudo group, add the
sudo classes to your node group.
privileges module you wrote has only one class (
privileges), but the
saz-sudo module contains several classes. If you don't want to add these classes to all of your nodes, you can pin the nodes "statically" or write a different rule to add them "dynamically", depending on your needs. See the related topics about adding nodes dynamically or statically for more information.
- In the console, click Classification, and find and select the
- On the Configuration tab, in the Class name field, enter sudo.
- Click Add class, and commit changes.Note: The
sudoclass now appears in the list of classes for the Sudo group, but it has not yet been configured on your nodes. For that to happen, you need to kick off a Puppet run.
- Repeat steps 2 and 3 to add the
- From the command line of your Puppet master, run
puppet agent -t.
- From the command line of each PE-managed node, run
puppet agent -t.
This configures the nodes using the newly-assigned classes. Wait one or two minutes.
Congratulations! You’ve just created the
privileges class that you can use to define and enforce a sudoers configuration across your PE-managed infrastructure.