You could use environments, e.g. (in pseudocode):case environmentwhen 'dev' or 'qa'user vagrant do
...end
...when 'staging' or 'prod'
...endOr if dev is provisioned by Vagrant on workstations but the other environments live on servers, surely you can find a way for your node to identify that it's provisioned by Vagrant, and only manage the vagrant user when the VM is backed by Vagrant.
https://github.com/sethvargo/chef-sugar adds some capabilities that you might find helpful.On Fri, Mar 13, 2015 at 4:09 PM, Jimmy Huang < " target="_blank"> > wrote:Hi tayworm,Thank you for taking a look at my issue. My concern with using the sudo lwrp is that I will then have the vagrant user in my recipe, based on my current understanding. I need the vagrant user in development and intesting, but I don't need the vagrant user in staging and in production. Is there a way to have the vagrant user setup be decoupled from how the other users are set up? Thank you again.JimmyOn Fri, Mar 13, 2015 at 1:02 PM, tayworm . < " target="_blank"> > wrote:A better way to use the cookbook would be to create files in sudoers.d for each entry. https://github.com/opscode-cookbooks/sudo#lwrpOn Fri, Mar 13, 2015 at 8:52 AM, Jimmy Huang < " target="_blank"> > wrote:Hi,I am trying to figure out how best to use the sudo cookbook. My cookbook is called masterwrap.Berkesfile:source "https://supermarket.chef.io"
metadatamasterwrap/metadata.rb:name 'masterwrap'
maintainer 'The Authors'
maintainer_email ' " target="_blank"> '
license 'all_rights'
description 'Installs/Configures masterwrap'
long_description 'Installs/Configures masterwrap'
version '0.1.0'
depends 'git', '~> 4.1.0'
depends 'sudo', '~> 2.7.1'
depends 'users', '~> 1.8.0'masterwrap/recipes/default.rb:#
# Cookbook Name:: masterwrap
# Recipe:: default
#
# Copyright (c) 2015 The Authors, All Rights Reserved.
include_recipe 'git'
include_recipe 'masterwrap::users'masterwrap/recipes/users.rb:#
# Cookbook Name:: masterwrap
# Recipe:: users
#
# Copyright (c) 2015 The Authors, All Rights Reserved.
include_recipe 'sudo'
include_recipe 'users'
%w(deploy sysadmin).each do |group|
users_manage group do
data_bag 'users'
action [ :remove, :create ]
end
end
sudo 'sysadmin' do
group '%sysadmin'
nopasswd false
endIf I converge at this point, my vagrant user would stop having passwordless sudo access. To make sure that does not happen, I have the following masterwrap/.kitchen.yml file:---
driver:
name: vagrant
provisioner:
name: chef_zero
platforms:
- name: ubuntu1404
driver:
box: ubuntu/trusty64
box_url: ubuntu/trusty64
attributes:
authorization:
sudo:
users: ['vagrant']
passwordless: true
include_sudoers_d: true
suites:
- name: default
data_bags_path: 'test/fixtures/data_bags'
run_list:
- recipe[masterwrap::default]
attributes:The problem is that I DO want a password prompt for my sudo access for non-vagrant users, but I am not sure how to go about achieving that. Here is my current /etc/sudoers file after the converge:# This file is managed by Chef.
# Do NOT modify this file directly.
Defaults !lecture,tty_tickets,!fqdn
# User privilege specification
root ALL=(ALL) ALL
vagrant ALL=(ALL) NOPASSWD:ALL
# Members of the group 'sysadmin' may gain root privileges
%sysadmin ALL=(ALL) NOPASSWD:ALL
===Given the node's structure, I think the sudo cookbook assumes everyone who is granted sudo access via the cookbook will want the same setting for passwordless, which is not the desired outcome in my case. Is there a way around this assumption or a better way for me to use the sudo cookbook? Thank you for your help.Sincerely,Jimmy
Archive powered by MHonArc 2.6.16.