Welcome to the Open Source Puppet Sudo Users Quick Start Guide. This document provides instructions for getting started managing sudo privileges across your Puppet deployment, using a module from the Puppet Forge in conjunction with a simple module you will write.

In most cases, managing sudo on your agents means controlling which users and groups can run commands with elevated privileges, and under what conditions. Using this guide, you will learn how to install the saz-sudo module from the Puppet Forge, write a small privileges class of your own, and apply both classes to an agent.

Before starting this walk-through, complete the previous exercises in the essential configuration tasks. Log in as root or administrator on your nodes.

Prerequisites: This guide assumes you’ve already installed Puppet, and have installed at least one *nix agent.

Note: You can add the sudo and privileges classes to as many agents as needed, although we describe only one for ease of explanation.

Install the saz-sudo module

The saz-sudo module, available on the Puppet Forge, is one of many modules written by a member of the Puppet user community. You can learn more about the module by visiting http://forge.puppet.com/saz/sudo.

To install the saz-sudo module:

As the root user on the Puppet master, run puppet module install saz-sudo.

You should see output similar to the following:

    Notice: Downloading from http://forgeapi.puppetlabs.com ...
    Notice: Installing -- do not interrupt ...
    └── saz-sudo (v2.3.6)
          └── puppetlabs-stdlib (3.2.2) [/opt/puppet/share/puppet/modules]

That’s it! You’ve just installed the saz-sudo module.

Write the privileges class

Some modules are large, complex, and take a good deal of trial and error to get right; others work right out of the box. The module you write here is about as simple as a module gets: it contains a single class.

A quick note about modules directories

By default, Puppet keeps modules in an environment’s modulepath, which for the production environment defaults to /etc/puppetlabs/code/environments/production/modules. This includes modules that Puppet installs, those that you download from the Forge, and those you write yourself.

Note: Puppet also creates another module directory: /opt/puppetlabs/puppet/modules. Don’t modify or add anything in this directory, including modules of your own.

There are plenty of resources about modules and the creation of modules that you can reference. Check out Module Fundamentals, the Beginner’s Guide to Modules, and the Puppet Forge.

Modules are directory trees. For this task, you’ll create the following files:

  • privileges/ (the module name)
    • manifests/
      • init.pp (contains the privileges class)

To write the privileges class:

  1. From the command line on the Puppet master, navigate to the modules directory: cd /etc/puppetlabs/code/environments/production/modules.
  2. Run mkdir -p privileges/manifests to create the new module directory and its manifests directory.
  3. From the manifests directory, use your text editor to create the init.pp file, and edit it so it contains the following Puppet code (note the % prefix: in sudoers syntax, a name without % is a user, and %admins is the admins group):

         class privileges {
           sudo::conf { 'admins':
             ensure  => present,
             content => '%admins ALL=(ALL) ALL',
           }
         }

  4. Save and exit the file.

That’s it! You’ve written a module containing a class that, once applied, ensures that members of the admins group on your agents can run any command as any user via sudo (after authenticating with their own password, since the rule carries no NOPASSWD tag).

Note the following about the resource in the privileges class:

  • The sudo::conf ‘admins’ resource creates a sudoers rule ensuring that members of the admins group can run any command using sudo. Rather than editing /etc/sudoers directly, the resource writes a configuration fragment file into /etc/sudoers.d/, named with the resource’s priority as a prefix. The module’s default priority is 10, so the file will be called something like 10_admins; sudo reads the fragments in lexical order, which is what the numeric prefix controls.

Add the privileges and sudo classes

  1. From the command line on the Puppet master, navigate to the main manifest: cd /etc/puppetlabs/code/environments/production/manifests.
  2. Open site.pp with your text editor and add the following Puppet code inside the default node definition (the node default block):

         class { 'sudo': }
         sudo::conf { 'web':
           content  => "%web ALL=(ALL) NOPASSWD: ALL",
         }
         class { 'privileges': }
         sudo::conf { 'jargyle':
           priority => 60,
           content  => "jargyle ALL=(ALL) NOPASSWD: ALL",
         }

  3. Save and exit the file.

  4. From the command line on your Puppet master, run puppet parser validate site.pp to ensure that there are no syntax errors. The parser returns nothing if there are no errors.

  5. From the command line on your Puppet agent, run puppet agent -t to trigger a Puppet run.

That’s it! You have installed the saz-sudo module and applied the sudo and privileges classes to your agent.

Note: The sudo class manages the whole of sudo on the agent, not just the fragments you declare. In its default configuration, saz-sudo replaces /etc/sudoers with the module’s own template (the config_file_replace parameter) and purges any file in /etc/sudoers.d/ that is not managed by a sudo::conf resource (the purge parameter). Any hand-written sudoers rules on the agent will therefore disappear on the first Puppet run unless you either declare them as sudo::conf resources or disable those parameters. Check the parameter list in the README for the module version you installed before applying the class to a node that already has local sudo configuration.

Note the following about your new resources in the site.pp file:

  • sudo::conf ‘web’: Creates a sudoers rule ensuring that members of the web group can run any command using sudo, without being asked for a password. This resource creates a configuration fragment file in /etc/sudoers.d/ at the default priority, so it will be called something like 10_web.

  • sudo::conf ‘admins’: Declared by the privileges class rather than directly in site.pp. Creates a sudoers rule ensuring that members of the admins group can run any command using sudo, after authenticating. Its fragment in /etc/sudoers.d/ will be called something like 10_admins.

  • sudo::conf ‘jargyle’: Creates a sudoers rule ensuring that the user jargyle can run any command using sudo, without a password. Because of the priority of 60, its fragment in /etc/sudoers.d/ will be called something like 60_jargyle.

A caveat on the two NOPASSWD rules: with NOPASSWD: ALL, sudo performs no authentication, so anyone who obtains a shell as jargyle or as a member of the web group (a stolen SSH key, a compromised web application running as such a user) gets root immediately and silently. They are used here to keep the walk-through short; on real nodes, prefer rules that require a password and that list the specific commands a user or group needs.
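Because each sudo::conf resource ends up as one fragment under /etc/sudoers.d/, it is worth being able to read those fragments back and see exactly what the manifest grants. The script below is an added example, not part of this guide or of the saz-sudo module: it parses the one-line user specifications that sudo::conf writes (user or %group, host, optional runas list, optional TAG: prefixes, command list) and flags grants of every command as root and grants that skip authentication. The sample fragments are constructed for the example; 10_admins, 10_web and 60_jargyle mirror the three rules in this guide, and 70_deploy is a hypothetical narrower rule added for contrast. Aliases, multiple hosts and line continuations are outside what this small parser handles.

```python
import re
from dataclasses import dataclass

# Minimal grammar for a one-line user specification in sudoers(5):
#   <user|%group> <host>=(<runas_user>[:<runas_group>]) [TAG: ...] <cmd>[, <cmd>...]
# Aliases, host lists and backslash continuations are not handled here.
RULE_RE = re.compile(
    r"^(?P<who>%?[\w.-]+)\s+"
    r"(?P<host>[\w.-]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+?)\s*$"
)


@dataclass(frozen=True)
class Rule:
    fragment: str
    who: str
    host: str
    runas: str
    tags: tuple
    cmds: tuple


def parse_fragment(fragment, text):
    """Parse one sudoers.d fragment into Rule objects.

    Blank lines, comments and Defaults lines are skipped; anything else
    that does not fit the grammar above raises, so a fragment is never
    silently half-audited.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"{fragment}: unrecognised line: {line!r}")
        runas = m.group("runas")
        rules.append(Rule(
            fragment=fragment,
            who=m.group("who"),
            host=m.group("host"),
            # sudoers(5): a rule with no (runas) list lets the command run as root.
            runas=runas if runas is not None else "root",
            tags=tuple(re.findall(r"[A-Z]+", m.group("tags"))),
            cmds=tuple(c.strip() for c in m.group("cmds").split(",")),
        ))
    return rules


def audit(fragments):
    """fragments: {filename: text} as laid out in /etc/sudoers.d. Returns findings.

    Files are visited in sorted order, matching the lexical order in which
    sudo reads the directory (hence the 10_/60_ priority prefixes).
    """
    findings = []
    for name in sorted(fragments):
        for r in parse_fragment(name, fragments[name]):
            runas_user = r.runas.split(":")[0]
            if "ALL" in r.cmds and runas_user in ("ALL", "root"):
                findings.append(f"{name}: {r.who} may run ANY command as root")
            if "NOPASSWD" in r.tags:
                findings.append(f"{name}: {r.who} authenticates with no password (NOPASSWD)")
    return findings


# Constructed sample: the three rules from this guide as sudo::conf would lay
# them out (default priority 10, jargyle at 60), plus a hypothetical narrower
# grant that the audit should leave alone.
SAMPLE_SUDOERS_D = {
    "10_admins": "%admins ALL=(ALL) ALL\n",
    "10_web": "%web ALL=(ALL) NOPASSWD: ALL\n",
    "60_jargyle": "jargyle ALL=(ALL) NOPASSWD: ALL\n",
    "70_deploy": "# one service, password still required\n"
                 "%deploy ALL=(root) /usr/bin/systemctl restart nginx, "
                 "/usr/bin/systemctl status nginx\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS_D):
        print(finding)
```

Run against the sample, the audit reports the admins, web and jargyle rules and says nothing about 70_deploy, which is the shape a least-privilege rule should have: a named runas user, a password, and an explicit command list. On a real agent you would feed it the contents of /etc/sudoers.d/ after the Puppet run, which is also a quick way to confirm that the purge behaviour of the sudo class left only the fragments you expect.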

From the command line on the Puppet agent, as root, run sudo -l -U jargyle to confirm that it worked. The Defaults section varies by distribution, but the results should resemble the following, with the final line showing the rule from the 60_jargyle fragment:

    Matching Defaults entries for jargyle on this host:
        !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE

    User jargyle may run the following commands on this host:
        (ALL) NOPASSWD: ALL

Other resources

For more information about working with Puppet and Sudo Users, check out our Module of The Week: saz/sudo - Manage sudo configuration blog post.

