I am trying to deploy the Redmine server via Puppet. The installation procedure uses Bundle to install its dependencies. When being installed interactively, sudo prompts the user for a password when Bundle needs to install some system-wide libraries. Installing Redmine as root is not recommended.
I use Ubuntu 14.04 64 bit. Puppet is run from inside the LXC unprivileged container.
I used to have a workaround that involved touching the appropriate /var/lib/sudo files prior to the Bundle's installation. That is hacky, and ceased to work after a recent sudo upgrade.
Is there any other way to do it? Or maybe sudo does allow granting a grace period non-interactively and I simply missed it?
My sudoers file already contains the Defaults !tty_tickets entry. I would prefer not to have it, but without this line I think there is even less hope for a solution.
Here is my forcesudo resource:
# Grants passwordless sudo to $user and pre-creates sudo's timestamp files.
define forcesudo ($user = $name, $notify = $notify) {
  # Passwordless sudo for the user, and one timestamp shared across ttys.
  file { "/etc/sudoers.d/fix-${user}": content => "${user} ALL = (root) NOPASSWD: ALL\n" }
  file { "/etc/sudoers.d/tty_tickets": content => "Defaults !tty_tickets\n" }
  # Timestamp directory and ticket file that sudo checks for the grace period.
  file { "/var/lib/sudo/${user}":
    ensure => directory,
    owner  => 'root',
    mode   => '0700',
    group  => $user
  }
  file { "/var/lib/sudo/${user}/0":
    content => '',
    owner   => 'root',
    mode    => '0600',
    group   => $user
  }
  # Refresh the modification times so the ticket looks recent.
  touch { "/var/lib/sudo/${user}":
    notify  => $notify,
    require => File["/var/lib/sudo/${user}"]
  }
  touch { "/var/lib/sudo/${user}/0":
    notify  => $notify,
    require => File["/var/lib/sudo/${user}"]
  }
}
And here is the touch resource:
define touch ($user = "root", $group = "root", $notify = $notify) {
  exec { "touch ${name}":
    command     => "/usr/bin/touch ${name}",
    user        => $user,
    group       => $group,
    notify      => $notify,
    refreshonly => true,
  }
}
Edit:
The problem can be bypassed by running the Bundle as root, although this is discouraged by the Bundle: "Don't run Bundler as root. Bundler can ask for sudo if it is needed, and installing your bundle as root will break this application for all non-root users on this machine."
This is how it is done by the https://github.com/johanek/johanek-redmine puppet module.
Since this is a workaround rather than a fix, the question stands.
Update:
Have you tried using a puppet module to accomplish this? There's at least one around that claims to be able to install redmine. It might be easier to just change it to fit your needs.
You didn't actually tell us how you launch the redmine installation via puppet.
Try adding this to your sudoers.d file:
There should be no need for the user launching the redmine installation to have a tty. There should be no password prompt either.
If sudo still prompts for a password, then there's something wrong in how the redmine installer invokes sudo.
As for your security concerns:
Best practice would be to use a package (RPM, DEB, etc.) anyway, even if you have to create it yourself.
Setting up puppet to remove temporarily granted sudo privileges after installation is complete should be sufficient.
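One way to do the temporary grant suggested in the answer above, as an added example that is not part of the original question or answer: a POSIX shell helper that installs a syntax-checked sudoers drop-in, runs the command, and removes the grant even when the command fails. The function names, the zz-tmp- file prefix, the !requiretty line, the SUDOERS_DIR and VISUDO overrides and the /opt/redmine path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original posts. Function names, the zz-tmp-
# prefix and the SUDOERS_DIR / VISUDO overrides are assumptions.
SUDOERS_DIR=${SUDOERS_DIR:-/etc/sudoers.d}
VISUDO=${VISUDO:-/usr/sbin/visudo}

# Print the drop-in path for a user. sudo ignores sudoers.d files whose names
# contain '.' or end in '~', so only plain account names are accepted.
grant_path() {
    case $1 in
        ''|*[!a-z0-9_-]*) return 1 ;;
    esac
    printf '%s/zz-tmp-%s\n' "$SUDOERS_DIR" "$1"
}

# Build the grant in a private temp file, syntax-check it with visudo, and
# only then install it read-only. A rejected file never reaches sudoers.d.
grant_sudo() {
    path=$(grant_path "$1") || return 1
    tmp=$(mktemp) || return 1
    printf 'Defaults:%s !requiretty\n%s ALL = (root) NOPASSWD: ALL\n' \
        "$1" "$1" > "$tmp"
    if "$VISUDO" -cf "$tmp" >/dev/null && install -m 0440 "$tmp" "$path"; then
        rm -f "$tmp"
    else
        rm -f "$tmp"
        return 1
    fi
}

revoke_sudo() {
    path=$(grant_path "$1") || return 1
    rm -f "$path"
}

# Run "$@" with the grant in place and revoke it whatever the outcome,
# returning the command's own exit status.
with_temp_sudo() {
    user=$1; shift
    grant_sudo "$user" || return 1
    trap 'revoke_sudo "$user"; exit 130' INT TERM HUP
    "$@"; rc=$?
    trap - INT TERM HUP
    revoke_sudo "$user"
    return "$rc"
}

# Constructed usage, run as root (for instance from a Puppet exec):
#   with_temp_sudo redmine su - redmine -c 'cd /opt/redmine && bundle install'
```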