Page MenuHomeDevCentral

Create an ops group with full sudo capability
ClosedPublic

Authored by dereckson on Oct 19 2017, 16:47.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Nov 14, 05:46
Unknown Object (File)
Wed, Nov 13, 23:49
Unknown Object (File)
Tue, Nov 12, 01:10
Unknown Object (File)
Wed, Nov 6, 17:57
Unknown Object (File)
Tue, Oct 29, 21:10
Unknown Object (File)
Tue, Oct 29, 21:10
Unknown Object (File)
Tue, Oct 29, 21:10
Unknown Object (File)
Tue, Oct 29, 21:10
Subscribers
None

Details

Summary

The 'ops' group contains operations squad members with root access
to Eglide or the Docker engine (dereckson, sandlayth).

The GID is keep in sync with Woods Cloud groups configuration.

This will allow to drop the kludge to restore a wheel group,
and avoid to fight OS like Debian who want to manage such gid=0 group.

Ref T1034.

Test Plan

sudo whoami

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Passed
Unit
No Test Coverage
Branch
T1034
Build Status
Buildable 1685
Build 1933: arc lint + arc unit

Event Timeline

This revision is now accepted and ready to land.Oct 19 2017, 21:46

@Sandlayth As Salt master isn't available, could you put the roles/core/sudo/files/ops file in /etc/sudoers.d/ops
+ add the following line:

%wheel ALL = (ALL) NOPASSWD: ALL

I'll then do the deployment through salt-call.

Now we've a correct state

Salt master
$ salt eglide state.apply roles/shellserver/users

----------                                                                                                                                                     
          ID: group_ops                                                                 
    Function: group.present                                                                                                                                    
        Name: ops                                                                                                                                            
      Result: True                                                                                                                                             
     Comment: New group ops created                                                                                                                            
     Started: 00:56:24.790152                                                                                                                                
    Duration: 835.725 ms                                                                    
     Changes:                                                                               
              ----------                                                                                                                                     
              gid:                                                                                                                                           
                  3001                                                            
              members:                                                                                                                                       
                  - dereckson                                                                                                                                
                  - sandlayth                                                                                                                                  
              name:                                                                                                                                          
                  ops                                                                       
              passwd:                                                                                                                                        
                  x                       

$ salt eglide state.apply roles/core/sudo
eglide:
----------
          ID: /etc/sudoers.d/ops
    Function: file.managed
      Result: True
     Comment: File /etc/sudoers.d/ops updated
     Started: 01:27:44.142002
    Duration: 217.149 ms
     Changes:   
              ----------
              diff:
                  New file
              mode:
                  0644

Summary for eglide
------------
Succeeded: 1 (changed=1)
Failed:    0
------------
Total states run:     1
Total run time: 217.149 ms
Eglide
$ id
uid=5001(dereckson) gid=5001(dereckson) groups=5001(dereckson),0(wheel),200(shell),828(deployment),829(nasqueron-irc),3001(ops)
$ sudo whoami
root
$ sudo salt-call --local test.ping
local:
    True
This revision was automatically updated to reflect the committed changes.