Friday, November 23, 2012

Puppet, Augeas and sudoers

I've been developing some Puppet modules lately, and I'm currently working on a Moodle module.

The interesting thing is that Moodle has a nice CLI that can be used to make the installation unattended and non-interactive, so it is possible to create a Puppet module that manages the whole installation by itself.
The module is still in the works, but I'm trying to make it as modular as possible, since I may need to have the MySQL DB on a different host, so I prefer to set up the module to delegate the task of building the DB to MySQL.
This is something that many modules around do not take into consideration: not all environments have the DB on the same host as the application you are installing. This is particularly true in my case, since I work in a cloud environment and I need the machine to be deployed automatically in CloudStack, letting the Moodle machine export its DB requirement to the central MySQL machine.

To solve this problem I'm using exported resources, and I can say that it works pretty well, as I posted some time ago.

With this approach the Moodle module takes care only of the Moodle stuff and delegates to other modules the task of managing their resources (it issues an exported resource, and MySQL collects it and creates the DB).

Thankfully Puppet Labs is working hard to provide a set of good basic modules to manage things like MySQL (I had to use the Git version, since there is a bug that has been fixed there).

One of the things I had a really awful time solving is the use of Augeas in Puppet to configure the /etc/sudoers file.
The problem is that the Moodle CLI wants to be executed as the Apache user, but the apache user does not have a TTY and is not allowed to work without a password, so, googling around (I'm not a sysop, more a jack-of-all-trades, and thus have to google a lot in my day :-) ), it turned out I had to have sudo and write /etc/sudoers to enable apache to work.
It seems easy ... (at least if you use visudo), but using Puppet ...
Looking around, I felt lucky that Augeas can write to /etc/sudoers ... but how? There were no good examples around, so after much trial and error I decided to write this post to help others avoid losing all the time I did:

augeas { "sudoapache":
    context => "/files/etc/sudoers",
    changes => [
      # User specification: <web_user> ALL=(ALL) NOPASSWD: ALL
      "set spec[user = '${moodle::params::web_user}']/user \"${moodle::params::web_user}\"",
      "set spec[user = '${moodle::params::web_user}']/host_group/host \"ALL\"",
      "set spec[user = '${moodle::params::web_user}']/host_group/command \"ALL\"",
      "set spec[user = '${moodle::params::web_user}']/host_group/command/runas_user \"ALL\"",
      "set spec[user = '${moodle::params::web_user}']/host_group/command/tag \"NOPASSWD\"",
      # Per-user default: Defaults:<web_user> !requiretty
      "set Defaults[type=':${moodle::params::web_user}']/type :${moodle::params::web_user}",
      "set Defaults[type=':${moodle::params::web_user}']/requiretty/negate \"\"",
    ],
}

This will produce the two rows in the file that allow the CLI to do its work.

Defaults:apache !requiretty
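
The spec written above gives the web user ALL commands as ALL users with NOPASSWD. A narrower variant, as an added example that is not the author's module: it allows one named command as one target user and re-checks the file with `visudo -c` after Augeas changes it. The resource titles and the values of `$web_user`, `$run_as` and `$cli_command` are hypothetical placeholders.

```puppet
# Added example: every value below is a hypothetical placeholder.
$web_user    = 'apache'                         # stands in for $moodle::params::web_user
$run_as      = 'root'                           # the single target user that is needed
$cli_command = '/usr/local/sbin/moodle-cli-task' # must be root-owned and not writable by $web_user

package { 'sudo':
  ensure => installed,
}

augeas { 'sudo_web_user_narrow':
  # incl + lens make Augeas load only /etc/sudoers with the sudoers lens
  incl    => '/etc/sudoers',
  lens    => 'Sudoers.lns',
  context => '/files/etc/sudoers',
  changes => [
    # One user, one command, one run-as target instead of ALL / ALL
    "set spec[user = '${web_user}']/user \"${web_user}\"",
    "set spec[user = '${web_user}']/host_group/host \"ALL\"",
    "set spec[user = '${web_user}']/host_group/command \"${cli_command}\"",
    "set spec[user = '${web_user}']/host_group/command/runas_user \"${run_as}\"",
    "set spec[user = '${web_user}']/host_group/command/tag \"NOPASSWD\"",
    # requiretty is relaxed for this user only, not globally
    "set Defaults[type = ':${web_user}']/type :${web_user}",
    "set Defaults[type = ':${web_user}']/requiretty/negate \"\"",
  ],
  require => Package['sudo'],
}

# Runs only when the Augeas resource changed the file; a non-zero exit
# from visudo shows up as a failed resource in the Puppet report.
exec { 'visudo_check':
  command     => '/usr/sbin/visudo -c',
  refreshonly => true,
  subscribe   => Augeas['sudo_web_user_narrow'],
}
```

If the command the web user runs through sudo is writable by that user, the rule is equivalent to full access as `$run_as`, so the file's ownership and mode matter as much as the sudoers entry.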

Good puppetizing!
