sudo resource fails on 2nd converge when Cmnd_Alias is used #9001

Open
Rudikza opened this issue Oct 16, 2019 · 1 comment
@Rudikza Rudikza commented Oct 16, 2019

Description

When testing with chef 15.4.45 and running multiple converges, using the sudo resource with a Cmnd_Alias the second converge fails due to the following error:

           Chef::Exceptions::ValidationFailed
           ----------------------------------
           template[/etc/sudoers.d/sudoreplay] (/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.4.45/lib/chef/resource/sudo.rb line 165) had an error: Chef::Exceptions::ValidationFailed: Proposed content for /etc/sudoers.d/sudoreplay failed verification cat /etc/sudoers %{path} | /usr/sbin/visudo -cf -

The second converge does not fail when using chef version 15.3.14.

As far as I can tell, the issue is that when concatenating the /etc/sudoers file and the /etc/sudoers.d/other_sudo file, the file in /etc/sudoers.d/ is called twice because of the include in /etc/sudoers.

Chef Version

15.4.45

Platform Version

Centos 7

Replication Case

Create a cookbook, add a sudo resource which creates a new sudoers entry that includes a cmnd_aliases. Run multiple converges.

I've created a basic repo where the issue can be replicated by changing the chef version in the kitchen.yml file: https://github.com/Rudikza/test-sudo.git

Client Output

https://gist.github.com/Rudikza/1cb89e20d2080d90dc720b32f26bf8fc

@fretb fretb commented Nov 13, 2019

Wondering how this can be fixed without reverting to the previous verify command... Excluding all includedirs from /etc/sudoers, adding all files in those includedirs to the cat command, but excluding the path of the file that's being verified?
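
The approach suggested in the comment above, sketched in Ruby as an added example (not part of the thread and not Chef's code): the main sudoers file is flattened by replacing each includedir line with the directory's files, the on-disk copy of the file being verified is left out, and the proposed content is appended, so a Cmnd_Alias is defined only once in the text handed to `visudo -cf -`. The function names, the `demo` helper and its sample rules are constructed for illustration, and include directives nested inside drop-in files are assumed absent.

```ruby
require "tmpdir"

# sudo accepts both "#includedir DIR" and "@includedir DIR".
INCLUDEDIR = /\A\s*[#@]includedir\s+(\S+)/

# Files sudo would read from an includedir, in lexical order, minus the
# on-disk copy of the drop-in that is about to be replaced.
def included_files(dir, target_path)
  return [] unless Dir.exist?(dir)
  Dir.children(dir).sort.map { |n| File.join(dir, n) }.select do |path|
    name = File.basename(path)
    # sudo skips names that end in "~" or contain "."
    !name.end_with?("~") && !name.include?(".") && File.file?(path) &&
      File.expand_path(path) != File.expand_path(target_path)
  end
end

# Text to pipe into `visudo -cf -`: the main file with every includedir line
# replaced by that directory's files, followed by the proposed new content.
def sudoers_for_verification(main_path, target_path, proposed_path)
  parts = []
  File.foreach(main_path) do |line|
    m = INCLUDEDIR.match(line)
    if m
      included_files(m[1], target_path).each { |p| parts << File.read(p) }
    else
      parts << line
    end
  end
  parts << File.read(proposed_path)
  parts.map { |p| p.end_with?("\n") ? p : "#{p}\n" }.join
end

# Constructed second-converge scenario: the drop-in already exists on disk
# and the same content is rendered again for verification.
def demo
  Dir.mktmpdir do |root|
    dropins = File.join(root, "sudoers.d")
    Dir.mkdir(dropins)
    rule = "Cmnd_Alias REPLAY = /usr/bin/sudoreplay\n%ops ALL = REPLAY\n"
    File.write(File.join(root, "sudoers"), "root ALL=(ALL) ALL\n#includedir #{dropins}\n")
    File.write(File.join(dropins, "sudoreplay"), rule) # left by converge 1
    File.write(File.join(dropins, "other"), "%wheel ALL=(ALL) ALL\n")
    proposed = File.join(root, "proposed")
    File.write(proposed, rule)                         # rendered by converge 2
    sudoers_for_verification(File.join(root, "sudoers"), File.join(dropins, "sudoreplay"), proposed)
  end
end
```

The proposed content is appended at the end rather than at its sorted position, which is enough for a syntax check but does not reproduce rule ordering.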
