We use puppet to populate /etc/sudoers.d, but stale entries are not automatically pruned. Since there shouldn't be any use cases for sudo rules not managed by puppet, we should fix up the stale entries currently present in production and then enable the profile::admin::purge_sudoers_d hiera setting.
Event Timeline
Change 799268 had a related patch set uploaded (by Majavah; author: Majavah):
[operations/puppet@production] hieradata: purge stale sudoers.d entries in production
Change 799820 had a related patch set uploaded (by Majavah; author: Majavah):
[operations/puppet@production] Remove some unmanaged files from sudoers.d
Similar to the previous task on apt directories, I have queried the repo for managed sudo files and ran cumin to find the additional files; see below for results.
removing nagios_long_procs as it was dropped in https://gerrit.wikimedia.org/r/c/operations/puppet/+/723543/4/modules/base/manifests/monitoring/host.pp
Change 799871 had a related patch set uploaded (by Majavah; author: Majavah):
[operations/puppet@production] monitoring::icinga::git_merge: use sudo::rule
new updated list with removed nagios_long_procs and also with a fixed file list
I also slightly updated the script I used for apt to handle if the path parameter is used and also use the simpler pql syntax
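```python
#!/usr/bin/env python3
"""Print the basenames of Puppet-managed files under /etc/sudoers.d, joined by '|'."""
from os.path import basename

from pypuppetdb import connect


def main():
    found_files = set()
    db = connect()
    # Raw string so the regex backslashes reach PuppetDB unchanged.
    pql = r"""
    resources[parameters,title] {
        type = 'File' and
        (parameters.path ~ '^\/etc\/sudoers\.d\/' or title ~ '^\/etc\/sudoers\.d\/')
    }
    """
    resources = db.pql(pql)
    for resource in resources:
        # A File resource lives at its 'path' parameter if set, otherwise at its title.
        if 'path' in resource['parameters']:
            path = resource['parameters']['path']
        else:
            path = resource['title']
        found_files.add(basename(path))
    # Sorted so that repeated runs give the same output.
    print('|'.join(sorted(found_files)))


if __name__ == '__main__':
    raise SystemExit(main())
```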
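An added example, not part of the original task or of the operations/puppet repository: the script above prints the managed names joined with `|`, the form a `grep -E` alternation takes, and an unanchored alternation matches substrings, so a short managed name can hide an unmanaged file. The code below compares a directory listing against the managed set by exact name and separates unmanaged files that sudo parses from ones it skips (names ending in `~` or containing `.`). Apart from `README` and `nagios_long_procs`, all file names are constructed samples, and every function name is an assumption of this example.

```python
#!/usr/bin/env python3
"""Audit a sudoers.d directory against a '|'-joined list of managed file names."""
import os
import re
import tempfile

# Excluded from the audit, as in the task's own listing.
ALWAYS_ALLOWED = {"README"}


def parse_managed(joined):
    """Split the '|'-joined script output into a set of exact file names."""
    return {name for name in joined.strip().split("|") if name}


def sudo_reads(name):
    """sudo's includedir skips file names ending in '~' or containing '.'."""
    return not (name.endswith("~") or "." in name)


def audit(directory, managed):
    """Return (active, ignored) unmanaged files, compared by exact name.

    active  -- unmanaged files that sudo parses: these still grant privileges
    ignored -- unmanaged files that sudo skips: clutter, but not live rules
    """
    active, ignored = [], []
    for entry in sorted(os.listdir(directory)):
        if entry in managed or entry in ALWAYS_ALLOWED:
            continue
        if sudo_reads(entry):
            active.append(entry)
        else:
            ignored.append(entry)
    return active, ignored


def substring_filter(directory, joined):
    """What an unanchored alternation reports (substring matching, like grep -Ev)."""
    pattern = re.compile(joined.strip() + "|README")
    return [e for e in sorted(os.listdir(directory)) if not pattern.search(e)]


def demo():
    """Run both filters over a constructed directory and return their results."""
    joined = "adm|ops|puppet_needs_merge\n"  # constructed managed list
    files = [
        "README", "adm", "ops", "puppet_needs_merge",  # allowed or managed
        "nagios_long_procs",  # stale rule named in the task
        "devops-tmp",         # constructed: unmanaged, contains "ops"
        "old_rule.bak",       # constructed: skipped by sudo (contains '.')
        "test~",              # constructed: skipped by sudo (ends in '~')
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for name in files:
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write("# constructed sample\n")
        active, ignored = audit(tmp, parse_managed(joined))
        loose = substring_filter(tmp, joined)
    return active, ignored, loose


if __name__ == "__main__":
    active, ignored, loose = demo()
    print("unmanaged, parsed by sudo: ", active)
    print("unmanaged, skipped by sudo:", ignored)
    print("substring filter reports:  ", loose)
```

In the constructed directory the substring filter never reports `devops-tmp`, because the managed name `ops` matches inside it; the exact-name comparison does.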
Change 799820 merged by Jbond:
[operations/puppet@production] Remove some unmanaged files from sudoers.d
Change 799871 merged by Jbond:
[operations/puppet@production] monitoring::icinga::git_merge: use sudo::rule