Puppet augeas and sudoers parameter lists

Today I had a few small problems with Puppet’s augeas. I tried hard to find some documentation to help me out but did not find anything suitable. I don’t think I’m the only one facing this problem, so I want to share what I did.

I want to change the /etc/sudoers file on a Linux system with Puppet. What I want to do is negate the requiretty default and add SSH_AUTH_SOCK to the env_keep list.

My first problem was the requiretty setting. I tried a lot until I got a working solution. The problem was the value needed in the Puppet augeas set statement. I developed the following solution:

augeas { "sudoers":
   context => '/files/etc/sudoers/',
   changes => ["set Defaults/requiretty/negate ''"];
}

The second problem was a little bit harder to solve: adding the SSH_AUTH_SOCK value to the env_keep list of the defaults. First of all, env_keep is a list, as mentioned before.

Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Above you can see the settings for env_keep which I want to change. I want to add SSH_AUTH_SOCK at the end of the list, and I only want to add the value once, not with every Puppet run. So I need a way to check whether the setting is already in place. To achieve this, there is an "onlyif" statement you can add to the augeas call. But it was a little bit difficult to find out how to use it, because

match /files/etc/sudoers/Defaults/env_keep not_includes SSH_AUTH_SOCK

won’t work. The reason it does not work is that the match returns a list of env_keep lines. The not_includes comparison checks the return value of the "match <arg>" command, which is a list in our case.

After figuring out the problem with the match, I found a solution to get it to work:

augeas { "sudoers-env":
   onlyif => "match /files/etc/sudoers/Defaults/env_keep[last()]/var[.='SSH_AUTH_SOCK'] size == 0",
   changes => "set /files/etc/sudoers/Defaults/env_keep[last()]/var[last()+1]/ SSH_AUTH_SOCK"
}

The SSH_AUTH_SOCK value is always appended to the end of the last env_keep line. The result after the Puppet run looks like this:

Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY SSH_AUTH_SOCK"

Finally I succeeded. But it cost me a lot of time Googling and trying things out. So I hope this short documentation will help someone else get to a solution more quickly and save some time.
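An added example, not part of the original post: a small Python check that replays the global Defaults lines of a sudoers file and reports whether requiretty is negated and SSH_AUTH_SOCK ends up in env_keep exactly once. It goes beyond the onlyif above, which looks only at the last env_keep line; the sample text is constructed from the listing in the post, and the function names are this example's own.

```python
import re

# Constructed sample: the post's sudoers excerpt after the Puppet run (shortened),
# with the negated requiretty default written in sudoers syntax.
SAMPLE = """\
Defaults !requiretty
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY SSH_AUTH_SOCK"
"""

ITEM = re.compile(r'(?:[^,"]|"[^"]*")+')  # comma-separated settings, quoted lists kept whole
SETTING = re.compile(r'^(!?)(\w+)\s*(?:(\+=|-=|=)\s*(.*))?$')

def audit_defaults(text):
    """Replay global Defaults lines; return (flags, effective env_keep list)."""
    flags, env_keep = {}, []
    for line in text.splitlines():
        m = re.match(r'^\s*Defaults\s+(.*)$', line)  # skips Defaults:user, Defaults@host
        if not m:
            continue
        for item in ITEM.findall(m.group(1)):
            s = SETTING.match(item.strip())
            if not s:
                continue
            neg, name, op, value = s.groups()
            if op is None:                       # boolean flag, e.g. !requiretty
                flags[name] = not neg
            elif name == "env_keep":
                names = value.strip().strip('"').split()
                if op == "=":
                    env_keep = names
                elif op == "+=":
                    env_keep = env_keep + names  # duplicates kept so they can be counted
                else:                            # "-=" removes entries
                    env_keep = [v for v in env_keep if v not in names]
    return flags, env_keep

def check(text, var="SSH_AUTH_SOCK"):
    """Return a list of findings; an empty list means the desired state is met."""
    flags, env_keep = audit_defaults(text)
    findings = []
    if flags.get("requiretty") is not False:
        findings.append("requiretty is not negated")
    if env_keep.count(var) != 1:
        findings.append(f"{var} appears {env_keep.count(var)} times in env_keep")
    return findings

if __name__ == "__main__":
    print(check(SAMPLE) or "ok")
```

Run against a copy of the managed file after a Puppet run, a finding of two or more occurrences points to SSH_AUTH_SOCK already being present on an earlier env_keep line.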
