sudo 1.8.10 is required

Are any other features available in 1.8.10 required? Can we just backport the patch which introduces the `probe_interfaces' option?

Yes, we can backport `probe_interfaces' setting feature only

Apparently the code which handles sudo.conf changed radically between 1.8.3 and 1.8.10. Thus backporting is hardly a viable solution. On the other hand update to 1.8.10 might break the whole system (for one, lots of OpenStack components do use sudo). Also we'd need to maintain the sudo package during the MOS 5.1 lifetime.

Therefore I propose to disable probing network interfaces uncoditionally (with a one-line patch) to avoid sudo slowdown with many network interfaces (which is presumably the point of updating to 1.8.10).

We need to maintain sudo package ether it contains a one-line patch or a whole 1.8.10 version, correct?
Anyways, please propose one-line patch you mentioned.

After several internal discussions we decided that the best solution is to upgrade to 1.8.10 and verify it thoroughly, including deployment.

It looks like the version of sudo shipped with Ubuntu 14.04 supports the `probe_interfaces' option. Can we use that version (basically 1.8.9p4 with a few backports from 1.8.10) for Ubuntu? This way we get security fixes for free (14.04 is an LTS release).

Sure, we can do it for Ubuntu. Any ideas for CentOS?

Backported upstream patch (commit e9dc28c7db60 from http://www.sudo.ws/repos/sudo) for the version of sudo shipped with CentOS 6.5

I've tried to build sudo 1.8.9p4 (the version included in Ubuntu 14). Obviously the build failed.
The cause is that debian/rules was trying to update libtool/autoconf/etc helper scripts/macros, and
the source contains newer versions of those scripts. I've disabled this, thus the sudo binary (and several plugins)
can be build now. However, building the package still fails with the following error:

dh_installman: Could not determine section for build-simple/doc/sudo.mdoc
make: *** [binary-arch] Error 255
dpkg-buildpackage: error: fakeroot debian/rules binary gave error exit status 2
debuild: fatal error at line 1350:
dpkg-buildpackage -rfakeroot -D -us -uc -b failed

Newer version of sudo use mdoc for documentation, and the dh_installman version from Ubuntu 12.04
can not handle those. Updating dh_* helpers is not an option (mixing different version of Debian build
utilities is really a bad idea). Perhaps we can move various documentation files into the right locations manually.
Any better ideas?

Can we skip man pages installation for this package at the moment? This is a temporary solution and I am hoping it will be fixed after switching to Ubuntu 14.04 for MOS 6.0

Skipping man pages installation yields yet another build error (lintian complains 'binary with no manual page').
Rather than fighting with packaging scripts I've backported the `probe_interface' option for the version 1.8.3p1 (the one from Ubuntu 12.04). The patch rather small:

diffstat -p1 < sudo-1.8.3p1-probe-interfaces.patch
 plugins/sudoers/testsudoers.c | 39 +++++++++++++++++++++++++++++++++++++++
 src/load_plugins.c | 29 ++++++++++++++++++++++++++++-
 src/net_ifs.c | 8 +++++++-
 src/sudo.c | 2 ++
 4 files changed, 76 insertions(+), 2 deletions(-)

and more than a half of the patch updates the unit test (testsudoers.c)

The customized sudo package for Ubuntu 12.04 is under review at the moment, see https://gerrit.mirantis.com/#/c/18057

Unfortunately the automatic test which tries to install and remove packages fails. The cause of failure is that sudo is a bit
special in Ubuntu. Root password is blocked by default in Ubuntu, and sudo is required to gain root privileges. Therefore removing
sudo requires some additional steps (like setting the root password). The sudo-ldap package conflicts with the ordinary sudo,
so installing sudo-ldap involves removing sudo, which fails (unless the root password has been set).
Also the installation/removal tests seems to rely on sudo.

The customized sudo package for CentOS 6.5 is being reviewed here: https://gerrit.mirantis.com/#/c/18031

Pavel, could you please clarify if we actually need the customized packages?
MOS 5.1 is already frozen thus these packages won't get into 5.1.x. On the other hand 6.x is going to switch to Ubuntu 14.04 (CentOS 7), and these distributions contain the recent enough versions of sudo (which support the `probe_interfaces' option).

Alexei, you are right. Let's postpone sudo upgrade at the moment and wait for updated Ubuntu/CentOS in MOS 6.0

Apparently MOS 6.0 will be based on CentOS 6.5 (switching to the new versions of both Ubuntu and CentOS is kind of risky). Therefore it looks like we do need a customized package for CentOS 6.5

Please, commit these patches:

https://bugs.launchpad.net/mos/6.0.x/+bug/1336574/+attachment/4145634/+files/sudo-1.8.6p3-probe-interfaces-sudo-conf.patch
https://bugs.launchpad.net/mos/6.0.x/+bug/1336574/+attachment/4148618/+files/sudo-1.8.3p1-probe-interfaces.patch

sudo version 1.8.9p5-1ubuntu1 (which is shipped with Ubuntu 14.04) supports the `probe_interfaces' option, thus no patches are necessary

We need them for centos. But if those won't appear, 7.0 will also have proper sudo version. So we may probably close this ticket.

Actually only https://bugs.launchpad.net/mos/6.0.x/+bug/1336574/+attachment/4145634/+files/sudo-1.8.6p3-probe-interfaces-sudo-conf.patch is for CentOS
(the second patch is for Ubuntu 12.04)

Proper version should come in MOS 7.0 with upgrade to CentOS 7.0.

MOS 7.0 won't provide CentOS deployment.