Foreman Smart Proxy PuppetCA sudo trouble

I'm upgrading a Foreman server to 1.8 at work, so am also upgrading the
foreman-proxy installs on the 4 Puppet servers we have on the network.

Not sure if these were ever working properly as there are errors every time
I try to list the certificates from Foreman's Smart Proxy page.

I get:

Warning!
ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates
([RestClient::NotAcceptable]: 406 Not Acceptable) for proxy
https://puppet.example.com:8443/puppet/ca

in the browser, and

D, [2015-07-31T17:07:32.387228 #5662] DEBUG -- : verifying remote client 192.168.0.1 against trusted_hosts puppet.example.com
D, [2015-07-31T17:07:32.391611 #5662] DEBUG -- : Found puppetca at /usr/bin/puppet
D, [2015-07-31T17:07:32.392552 #5662] DEBUG -- : Found sudo at /usr/bin/sudo
D, [2015-07-31T17:07:32.392725 #5662] DEBUG -- : Executing /usr/bin/sudo -S /usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --list --all
W, [2015-07-31T17:07:32.476678 #5662] WARN -- : Failed to run puppetca:
E, [2015-07-31T17:07:32.477272 #5662] ERROR -- : Failed to list certificates: Execution of puppetca failed, check log files
10.97.227.95 - - [31/Jul/2015 17:07:32] "GET HTTP/1.1" 406 74 0.0916
D, [2015-07-31T17:07:32.645011 #5662] DEBUG -- : verifying remote client 192.168.0.1 against trusted_hosts puppet.example.com
D, [2015-07-31T17:07:32.646037 #5662] DEBUG -- : Found puppetca at /usr/bin/puppet
D, [2015-07-31T17:07:32.646235 #5662] DEBUG -- : Found sudo at /usr/bin/sudo
D, [2015-07-31T17:07:32.647429 #5662] DEBUG -- : Executing /usr/bin/sudo -S /usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --list --all
W, [2015-07-31T17:07:32.715052 #5662] WARN -- : Failed to run puppetca:
E, [2015-07-31T17:07:32.715733 #5662] ERROR -- : Failed to list certificates: Execution of puppetca failed, check log files
10.97.227.95 - - [31/Jul/2015 17:07:32] "GET HTTP/1.1" 406 74 0.0721

in /var/log/foreman-proxy/proxy.log

We use an IPA service to manage sudo access though, so I'm not as certain
that the rule is in place properly. How can I test the rule is in place?
I can run the sudo command above as my own user and get the expected
results. Whenever I su to the foreman-proxy user, it asks me for passwords
when I try the above sudo commands.

Duncan

Try running "sudo -l" to see what's available. You ought to see:

User foreman-proxy may run the following commands on this host:
(root) NOPASSWD: /usr/bin/puppet cert *
(root) NOPASSWD: /usr/bin/puppet kick *

On 31/07/15 17:40, Duncan Innes wrote:


Dominic Cleal
Red Hat Engineering

I've actually just finished diagnosing a similar issue with a smart-proxy
on my puppet-ca node.
I had to strace it in the end to find out that it was due to sudo requiring
a tty.
Unfortunately, even with the foreman-proxy running with DEBUG logging, it
did not report the actual error.

D, [2015-08-03T16:31:35.067366 #47518] DEBUG -- : verifying remote client 192.168.1.1 against trusted_hosts ["foreman.local"]
D, [2015-08-03T16:31:35.076693 #47518] DEBUG -- : Found puppetca at /usr/bin/puppet
D, [2015-08-03T16:31:35.077481 #47518] DEBUG -- : Found sudo at /usr/bin/sudo
D, [2015-08-03T16:31:35.077948 #47518] DEBUG -- : Executing /usr/bin/sudo -S /usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --list --all
W, [2015-08-03T16:31:35.129065 #47518] WARN -- : Failed to run puppetca:
E, [2015-08-03T16:31:35.129611 #47518] ERROR -- : Failed to list certificates: Execution of puppetca failed, check log files

The gem found from strace:

[pid 47530] write(2, "sorry, you must have a tty to run sudo", 38) = 38

The fix:

in /etc/sudoers or /etc/sudoers.d/foreman:

foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *
Defaults:foreman-proxy !requiretty
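Added example, not code from the thread or from Foreman: a small POSIX shell script that turns Dominic's "run sudo -l" suggestion and jamese's requiretty finding into a repeatable check. It parses captured `sudo -l` output for the NOPASSWD rule and for a bare `requiretty` default, and, when run with `--live` on the Puppet CA host as root, probes the same `puppet cert --list --all` command as the foreman-proxy user with `setsid` and `sudo -n`, so that sudo is detached from the caller's terminal and fails instead of prompting. The two sample listings are constructed (a RHEL-style `sudo -l` layout); the `-s /bin/sh` on `su` assumes the service account has a non-login shell, and `setsid -w` assumes util-linux.

```shell
#!/bin/sh
# Added example: does the foreman-proxy sudo rule work from a process with
# no tty, the way the smart-proxy invokes it?  Offline parsing of `sudo -l`
# output plus an optional live probe (run with --live, as root, on the CA host).

# Constructed sample: IPA grants NOPASSWD, but the default "requiretty" is
# still in effect for this user, so a tty-less sudo fails.
SAMPLE_REQUIRETTY='Matching Defaults entries for foreman-proxy on this host:
    requiretty, !visiblepw, always_set_home, env_reset

User foreman-proxy may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/puppet cert *
    (root) NOPASSWD: /usr/bin/puppet kick *'

# Constructed sample: the same host once "Defaults:foreman-proxy !requiretty"
# (sudoers) or the "!requiretty" sudo option (IPA) has reached the client.
SAMPLE_FIXED='Matching Defaults entries for foreman-proxy on this host:
    !requiretty, !visiblepw, always_set_home, env_reset

User foreman-proxy may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *'

# has_nopasswd_rule OUTPUT COMMAND
# Exit 0 if some rule line grants COMMAND (fixed-string match) with NOPASSWD.
has_nopasswd_rule() {
    printf '%s\n' "$1" | grep -F -- "$2" | grep -q 'NOPASSWD:'
}

# requiretty_in_effect OUTPUT
# Exit 0 if the Defaults entries contain "requiretty" as its own word.
# "!requiretty" does not match because the "!" is not a separator.
requiretty_in_effect() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:],])requiretty([[:space:],]|$)'
}

# verdict OUTPUT COMMAND -> prints one of: ok, no-rule, requiretty
verdict() {
    if ! has_nopasswd_rule "$1" "$2"; then
        echo no-rule
    elif requiretty_in_effect "$1"; then
        echo requiretty
    else
        echo ok
    fi
}

# live_check: run as root on the Puppet CA host.
live_check() {
    # 1. What sudoers (local file or IPA via sssd) grants the proxy user,
    #    listed by root with -U so no password prompt gets in the way.
    listing=$(sudo -l -U foreman-proxy 2>&1) || true
    printf '%s\n' "$listing"
    echo "verdict: $(verdict "$listing" '/usr/bin/puppet cert')"
    # 2. The command the proxy actually runs, as foreman-proxy, in a new
    #    session with no controlling terminal and stdin from /dev/null.
    #    "sudo -n" makes sudo error out instead of prompting, which is what
    #    happens behind the proxy's "-S" when no NOPASSWD rule applies.
    #    With requiretty still set this prints the "must have a tty" message.
    su -s /bin/sh foreman-proxy -c \
        'setsid -w sudo -n /usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --list --all' \
        </dev/null 2>&1 | head -n 5
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Running `sudo -l` from your own login shell, as Duncan notes later in the thread, always has a tty and so never exercises the requiretty default; step 2 is the part that reproduces what the smart-proxy sees.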

Dominic,

sudo -l as the foreman-proxy user prompts me for a password. Probably
because this machine is linked to our IPA server and we've not excluded the
foreman-proxy user from IPA authentication. I modified the sssd.conf to
exclude authentication of puppet, foreman, and foreman-proxy users/groups,
but I still get asked for a password once I've su'd to foreman-proxy from
root.

D

On Monday, 3 August 2015 16:24:03 UTC+1, Dominic Cleal wrote:

jamese,

I'd missed out the !requiretty in IPA initially, thanks for picking that
up. It's in the Foreman manual after all. It lists as one of the options
for the sudo command:

[root@ipa01 ~]# ipa sudorule-find foreman-proxy
-------------------
1 Sudo Rule matched
-------------------
  Rule name: foreman-proxy
  Enabled: TRUE
  User category: all
  Hosts: puppet02.example.com, puppet01.example.com, puppet03.example.com, puppet04.example.com
  Sudo Allow Commands: /usr/bin/puppet cert *, /usr/bin/puppet kick *
  Sudo Option: !authenticate, !requiretty
----------------------------
Number of entries returned 1
----------------------------
[root@ipa01 ~]#

(I’ve left it open to all users so I can test it from my own user for now)

but when I list the sudo options for my user, I’m not seeing the
!requiretty passing through:

[innesd@puppet01 ~]$ sudo -l
User innesd may run the following commands on this host:
(root) /bin/su
(root) NOPASSWD: /usr/bin/puppet cert *, /usr/bin/puppet kick *
[innesd@puppet01 ~]$

which ends up working when I test it for my user, but then I’m running in a
tty.

D

On Monday, 3 August 2015 16:44:11 UTC+1, jamese wrote:

OK - I made some sideways headway with this.

After putting the #includedir /etc/sudoers.d line into the sudoers file, I
managed to get a foreman config file read for both myself and the
foreman-proxy user. This allows the commands to be run as expected.

However, IT Security are not happy about this as it does allow the
possibility that sudo commands are set up locally rather than centrally.
Plus the Puppet servers control the /etc/sudoers file, so will be
overwriting my change in around 20 mins time.

Will post on the IPA mailing list to find out what the correct method for
the sudoers rule might be when using IPA. I think it's the !requiretty
part that I'm not getting right.

Thanks guys,

D