Discussion:
[foreman-users] Foreman Smart Proxy PuppetCA sudo trouble
Duncan Innes
2015-07-31 16:40:08 UTC
Permalink
I'm upgrading a Foreman server to 1.8 at work, so am also upgrading the
foreman-proxy installs on the 4 Puppet servers we have on the network.

Not sure if these were ever working properly as there are errors every time
I try to list the certificates from Foreman's Smart Proxy page.

I get:

Warning!
ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates
([RestClient::NotAcceptable]: 406 Not Acceptable) for proxy
https://puppet.example.com:8443/puppet/ca

in the browser, and

D, [2015-07-31T17:07:32.387228 #5662] DEBUG -- : verifying remote client
192.168.0.1 against trusted_hosts puppet.example.com
D, [2015-07-31T17:07:32.391611 #5662] DEBUG -- : Found puppetca at
/usr/bin/puppet
D, [2015-07-31T17:07:32.392552 #5662] DEBUG -- : Found sudo at /usr/bin/sudo
D, [2015-07-31T17:07:32.392725 #5662] DEBUG -- : Executing /usr/bin/sudo -S
/usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --list --all
W, [2015-07-31T17:07:32.476678 #5662] WARN -- : Failed to run puppetca:
E, [2015-07-31T17:07:32.477272 #5662] ERROR -- : Failed to list
certificates: Execution of puppetca failed, check log files
10.97.227.95 - - [31/Jul/2015 17:07:32] "GET HTTP/1.1" 406 74 0.0916
D, [2015-07-31T17:07:32.645011 #5662] DEBUG -- : verifying remote client
192.168.0.1 against trusted_hosts puppet.example.com
D, [2015-07-31T17:07:32.646037 #5662] DEBUG -- : Found puppetca at
/usr/bin/puppet
D, [2015-07-31T17:07:32.646235 #5662] DEBUG -- : Found sudo at /usr/bin/sudo
D, [2015-07-31T17:07:32.647429 #5662] DEBUG -- : Executing /usr/bin/sudo -S
/usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --list --all
W, [2015-07-31T17:07:32.715052 #5662] WARN -- : Failed to run puppetca:
E, [2015-07-31T17:07:32.715733 #5662] ERROR -- : Failed to list
certificates: Execution of puppetca failed, check log files
10.97.227.95 - - [31/Jul/2015 17:07:32] "GET HTTP/1.1" 406 74 0.0721

in /var/log/foreman-proxy/proxy.log

We use an IPA service to manage sudo access though, so I'm not as certain
that the rule is in place properly. How can I test the rule is in place?
I can run the sudo command above as my own user and get the expected
results. Whenever I su to the foreman-proxy user, it asks me for passwords
when I try the above sudo commands.

Duncan
--
You received this message because you are subscribed to the Google Groups "Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to foreman-users+***@googlegroups.com.
To post to this group, send email to foreman-***@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.
Dominic Cleal
2015-08-03 15:23:57 UTC
Permalink
Post by Duncan Innes
D, [2015-07-31T17:07:32.646235 #5662] DEBUG -- : Found sudo at /usr/bin/sudo
D, [2015-07-31T17:07:32.647429 #5662] DEBUG -- : Executing /usr/bin/sudo
-S /usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --list --all
E, [2015-07-31T17:07:32.715733 #5662] ERROR -- : Failed to list
certificates: Execution of puppetca failed, check log files
10.97.227.95 - - [31/Jul/2015 17:07:32] "GET HTTP/1.1" 406 74 0.0721
in /var/log/foreman-proxy/proxy.log
We use an IPA service to manage sudo access though, so I'm not as
certain that the rule is in place properly. How can I test the rule is
in place? I can run the sudo command above as my own user and get the
expected results. Whenever I su to the foreman-proxy user, it asks me
for passwords when I try the above sudo commands.
Try running "sudo -l" to see what's available. You ought to see:

User foreman-proxy may run the following commands on this host:
(root) NOPASSWD: /usr/bin/puppet cert *
(root) NOPASSWD: /usr/bin/puppet kick *
--
Dominic Cleal
Red Hat Engineering
jamese
2015-08-03 15:44:11 UTC
Permalink
I've actually just finished diagnosing a similar issue with a smart-proxy
on my puppet-ca node.
I had to strace it in the end to find out that it was due to sudo requiring
a tty.
Unfortunately, even with the foreman-proxy running with DEBUG logging, it
did not report the actual error.

D, [2015-08-03T16:31:35.067366 #47518] DEBUG -- : verifying remote client
192.168.1.1 against trusted_hosts ["foreman.local"]
D, [2015-08-03T16:31:35.076693 #47518] DEBUG -- : Found puppetca at
/usr/bin/puppet
D, [2015-08-03T16:31:35.077481 #47518] DEBUG -- : Found sudo at
/usr/bin/sudo
D, [2015-08-03T16:31:35.077948 #47518] DEBUG -- : Executing /usr/bin/sudo
-S /usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --list --all
W, [2015-08-03T16:31:35.129065 #47518] WARN -- : Failed to run puppetca:
E, [2015-08-03T16:31:35.129611 #47518] ERROR -- : Failed to list
certificates: Execution of puppetca failed, check log files

The gem found from strace:

[pid 47530] write(2, "sorry, you must have a tty to run sudo", 38) = 38

The fix:

in /etc/sudoers or /etc/sudoers.d/foreman:

foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *
Defaults:foreman-proxy !requiretty
Duncan Innes
2015-08-04 08:47:04 UTC
Permalink
jamese,

I'd missed out the !requiretty in IPA initially, thanks for picking that
up. It's in the Foreman manual after all. It lists as one of the options
for the sudo command:

[***@ipa01 ~]# ipa sudorule-find foreman-proxy
-------------------
1 Sudo Rule matched
-------------------
Rule name: foreman-proxy
Enabled: TRUE
User category: all
Hosts: puppet02.example.com, puppet01.example.com,
puppet03.example.com, puppet04.example.com
Sudo Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick *
Sudo Option: !authenticate, !requiretty
----------------------------
Number of entries returned 1
----------------------------
[***@ipa01 ~]#

(I've left it open to all users so I can test it from my own user for now)

but when I list the sudo options for my user, I'm not seeing the
!requiretty passing through:

[***@puppet01 ~]$ sudo -l
User innesd may run the following commands on this host:
(root) /bin/su
(root) NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
[***@puppet01 ~]$

which ends up working when I test it for my user, but then I'm running in a
tty.

D
Post by jamese
I've actually just finished diagnosing a similar issue with a smart-proxy
on my puppet-ca node.
I had to strace it in the end to find out that it was due to sudo
requiring a tty.
Unfortunately, even with the foreman-proxy running with DEBUG logging, it
did not report the actual error.
D, [2015-08-03T16:31:35.067366 #47518] DEBUG -- : verifying remote client
192.168.1.1 against trusted_hosts ["foreman.local"]
D, [2015-08-03T16:31:35.076693 #47518] DEBUG -- : Found puppetca at
/usr/bin/puppet
D, [2015-08-03T16:31:35.077481 #47518] DEBUG -- : Found sudo at
/usr/bin/sudo
D, [2015-08-03T16:31:35.077948 #47518] DEBUG -- : Executing /usr/bin/sudo
-S /usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --list --all
E, [2015-08-03T16:31:35.129611 #47518] ERROR -- : Failed to list
certificates: Execution of puppetca failed, check log files
[pid 47530] write(2, "sorry, you must have a tty to run sudo", 38) = 38
foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *
Defaults:foreman-proxy !requiretty
Duncan Innes
2015-08-04 09:34:52 UTC
Permalink
OK - I made some sideways headway with this.

After putting the #includedir /etc/sudoers.d line into the sudoers file, I
managed to get a foreman config file read for both myself and the
foreman-proxy user. This allows the commands to be run as expected.

However, IT Security are not happy about this as it does allow the
possibility that sudo commands are set up locally rather than centrally.
Plus the Puppet servers control the /etc/sudoers file, so will be
overwriting my change in around 20 mins time.

Will post on the IPA mailing list to find out what the correct method for
the sudoers rule might be when using IPA. I think it's the !requiretty
part that I'm not getting right.

Thanks guys,

D
Duncan Innes
2015-08-04 08:38:00 UTC
Permalink
Dominic,

sudo -l as the foreman-proxy user prompts me for a password. Probably
because this machine is linked to our IPA server and we've not excluded the
foreman-proxy user from IPA authentication. I modified the sssd.conf to
exclude authentication of puppet, foreman, and foreman-proxy users/groups,
but I still get asked for a password once I've su'd to foreman-proxy from
root.

D
Post by Dominic Cleal
Post by Duncan Innes
D, [2015-07-31T17:07:32.646235 #5662] DEBUG -- : Found sudo at
/usr/bin/sudo
D, [2015-07-31T17:07:32.647429 #5662] DEBUG -- : Executing /usr/bin/sudo
-S /usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --list --all
E, [2015-07-31T17:07:32.715733 #5662] ERROR -- : Failed to list
certificates: Execution of puppetca failed, check log files
10.97.227.95 - - [31/Jul/2015 17:07:32] "GET HTTP/1.1" 406 74 0.0721
in /var/log/foreman-proxy/proxy.log
We use an IPA service to manage sudo access though, so I'm not as
certain that the rule is in place properly. How can I test the rule is
in place? I can run the sudo command above as my own user and get the
expected results. Whenever I su to the foreman-proxy user, it asks me
for passwords when I try the above sudo commands.
(root) NOPASSWD: /usr/bin/puppet cert *
(root) NOPASSWD: /usr/bin/puppet kick *
--
Dominic Cleal
Red Hat Engineering