Mcollective + Choria client + Puppet Run Failure

Problem:
The root user is not allowed to run the mco command due to a limitation with the choria client (security). So I set the mcollective user to foreman_proxy and made the appropriate changes to the sudoers file.

The foreman-proxy tries to use sudo when executing mco. I manually executed the same command as the foreman-proxy and got the following output:

user foreman-proxy is not allowed to execute '/opt/puppetlabs/bin/mco puppet runonce -I <REDACTED>

The foreman-proxy user can execute the mco command without sudo without trouble.

Expected outcome:
Puppet Run should be able to use mco via sudo without issues so that mco can kick Puppet agents.

Foreman and Proxy versions:
1.17.1

Foreman and Proxy plugin versions:
1.17.1

That sounds a lot like the sudo issue we saw on Ubuntu. Could you try this patch and report if it works? If it does, we should cherry-pick it into 1.17.2:

https://github.com/theforeman/smart-proxy/commit/6e81b2ed589061348076ea021411ed65d69d47ce


I wrote a small script to test out the patch.

#!/bin/bash
# Same mco command three ways: via sudo to foreman-proxy, via sudo with -H
# (HOME reset to the target user's home directory), and directly without sudo.
/usr/bin/sudo -u foreman-proxy /opt/puppetlabs/bin/mco ping
/usr/bin/sudo -Hu foreman-proxy /opt/puppetlabs/bin/mco ping
/opt/puppetlabs/bin/mco ping

I ran the following command:
sudo su -s /bin/bash foreman-proxy

Then ran the script.
For both sudo commands, I get the following error:

Sorry, user foreman-proxy is not allowed to execute '/opt/puppetlabs/bin/mco ping

But for the non-sudo case, the command succeeds.

Sounds like the sudo config you have still isn’t quite right.

Until that patch is released you can work around it by adding a file to /etc/sudoers.d that looks like this. I don’t think you can set mcollective_user to foreman-proxy though, as that user normally has its shell set to /bin/false. We use another system account specifically for the purpose so the choria certs can be secured properly and not kept in /usr/share/foreman-proxy.

Change mcollective_user to the service account of your choice:

Defaults:foreman-proxy !requiretty
Defaults:foreman-proxy env_keep -= "HOME"
foreman-proxy ALL = (mcollective_user) NOPASSWD : /opt/puppetlabs/bin/mco puppet runonce *

After the patch the following line will not be required:

Defaults:foreman-proxy env_keep -= "HOME"

cheers

Matt

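As an added example (my own code, not from this thread or from Foreman), the script below renders the drop-in from the post above, syntax-checks it with visudo, and installs it as a separate file in sudoers.d, so a module-managed /etc/sudoers.d/foreman-proxy is never edited. The proxy account, the Choria/MCollective service account and the sudoers.d directory are parameters; the function names and the file name "<proxy>-mco" are my choice, and the mco path is the one used throughout the thread.

```shell
#!/bin/bash
# Added example, not code from the thread or from Foreman: render the sudoers
# drop-in from the post above, syntax-check it with visudo, and install it as a
# separate 0440 file so a module-managed /etc/sudoers.d/foreman-proxy is never
# touched. The proxy account, the Choria/MCollective service account and the
# sudoers.d directory are parameters; the file name "<proxy>-mco" is assumed.
set -eu

MCO=/opt/puppetlabs/bin/mco   # path used throughout the thread

# render_sudoers PROXY_USER MCO_USER: print the drop-in to stdout.
render_sudoers() {
    local proxy_user=$1 mco_user=$2
    printf '%s\n' \
        "Defaults:${proxy_user} !requiretty" \
        "Defaults:${proxy_user} env_keep -= \"HOME\"" \
        "${proxy_user} ALL = (${mco_user}) NOPASSWD: ${MCO} puppet runonce *"
}

# install_sudoers PROXY_USER MCO_USER [SUDOERS_D]: write to a temp file, run
# visudo -cf on it when visudo is available (a syntax error in any sudoers.d
# file locks everyone out of sudo), then install it mode 0440. Prints the path.
install_sudoers() {
    local proxy_user=$1 mco_user=$2 dir=${3:-/etc/sudoers.d}
    local target="${dir}/${proxy_user}-mco" tmp
    tmp=$(mktemp)
    render_sudoers "$proxy_user" "$mco_user" > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cqf "$tmp"
    fi
    install -m 0440 "$tmp" "$target"
    rm -f "$tmp"
    printf '%s\n' "$target"
}

# has_rule PROXY_USER MCO_USER [SUDOERS_D]: succeeds when the installed file
# carries exactly the command rule we expect (a sanity check that needs no root).
has_rule() {
    local proxy_user=$1 mco_user=$2 dir=${3:-/etc/sudoers.d}
    grep -qxF "${proxy_user} ALL = (${mco_user}) NOPASSWD: ${MCO} puppet runonce *" \
        "${dir}/${proxy_user}-mco"
}

# On a real host, after running install_sudoers as root, check what sudo itself
# parsed and then issue the exact command the proxy runs (identity as in the thread):
#   sudo -n -l -U foreman-proxy
#   sudo -u foreman-proxy sudo -nu <mco_user> /opt/puppetlabs/bin/mco puppet runonce -I <host>
```

Two points worth keeping in mind with this rule: `sudo -l -U` needs root, so run it from a root shell rather than as the proxy user; and the trailing `*` in a sudoers command spec matches any string, white space included, so the rule allows any arguments after `mco puppet runonce`. It cannot be narrowed to a fixed argument list here because the proxy passes a different `-I <host>` on every run.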

The patch plus the changes to the foreman-proxy sudoers file worked!

The problem is that the foreman-proxy sudoers file is controlled by the foreman-proxy Puppet module. So I have to keep Puppet turned off; otherwise Puppet will revert my changes.

Just put it in another file next to the foreman-proxy file that Puppet doesn’t know about. We use another module to deploy the config. Snippet:


We should probably modify the Puppet module to set up the sudo line around here for the mcollective provider as well:


Yeah I meant to put something together for that and make a PR. I’ll do it as soon as I can.


Probably not worth doing as MCO has been deprecated in Puppet 6. I guess we should start looking at Bolt!

Choria isn’t going away though, so it may be worth keeping it in, depending on how many move over to keep the functionality. https://choria.io/

Bolt will be cool if we don’t have to put shared SSH keys in admin accounts everywhere; I believe it supports Kerberos.