Not All Files in /etc/sudoers.d Getting Purged about puppet-sudo HOT 10 CLOSED

purge => true must be set on the file resource /etc/sudoers.d to remove any unmanaged files. As this is some behavior of the puppet file type, it's not related to permissions (as new files are created and owned by root) or any validation command (this will only affect new or changed files).

Either those files are managed by puppet or purge_ignore is set and those files are matching and are therefore not removed (not sure if they will show up during an agent run with --debug).

Another idea: maybe something else is creating those files between agent runs?

from puppet-sudo.

Files under puppet control aren't supposed to be purged, since puppet is managing them. Only non-managed files should be purged.

from puppet-sudo.

Yes, I'm seeing files not under Puppet control that are not being purged. Some are being purged. Some are not.

from puppet-sudo.

You might be able to tell why if you run puppet with --debug.

from puppet-sudo.

@bpadgett505 can you show us some file names?

from puppet-sudo.

Hiya,

Here is an example. The files with a puppet-bak are not under puppet control but they are being handled.

115_sierra_romeo_foxtrot is being ignored by puppet and is not defined in my code.

I found at least three or four names last Friday that were being ignored.

Thanks for taking a look at my issue.

Here is a puppet debug run where I grep -i for sudo:

from puppet-sudo.

I think it's probably failing because of bad permissions. Should be 0600 or 0660, otherwise the visudo -c fails.

from puppet-sudo.

Are you sure, those files are not managed by puppet? It might be possible, that there's neither sudo nor a part of the file name in the title, which won't therefore be matched by grep.

What happens if you're manually removing such a file and run puppet right after?

Which parameters are you setting?

from puppet-sudo.

@bpadgett505 If you could also provide what your are feeding into your puppetcode, whether that be the relevant hiera entries or .pp files. That would be awesome. Would help immensely with debugging.

From what I can read out of your debug-logs etc, these 3 files are not touched by puppet.

-rw-r--r-- 1 root root 0 Oct 7 12:24 103_trout_fishing_rules.puppet-bak
-rw-r--r-- 1 root root 0 Oct 7 12:22 104_windows_sucks.puppet-bak
-rw-r--r-- 1 root root 0 Oct 7 12:27 115_sierra_romeo_foxtrot

As kenyon noted, the common denominator seems to be the file permissions. So I would like to know where they are from (manually placed, placed by something in your puppetcode or something else entirely)

PS: it seems these files are empty? maybe thats causing some misbehaviour?

from puppet-sudo.

@bpadgett505 As there's no response for a longer time and nobody else reports this behavior, I'll close the issue. If you think it's still a valid issue, please let me know.

from puppet-sudo.