Problem:
The root user is not allowed to run the mco command due to a limitation with the choria client (security). So I set the mcollective user to foreman_proxy and made appropriate changes to the sudoers file.
The foreman-proxy tries to use sudo when executing mco. I manually executed the same command as the foreman-proxy and get the following output:
user foreman-proxy is not allowed to execute '/opt/puppetlabs/bin/mco puppet runonce -I <REDACTED>
The foreman-proxy user can execute the mco command without sudo without trouble.
Expected outcome:
Puppet Run should be able to use mco with sudo without issues, so that mco can kick puppet agents.
That sounds a lot like the sudo issue we saw on Ubuntu. Could you try this patch and report if it works? If it does, we should cherry-pick it into 1.17.2:
Sounds like the sudo config you have still isn’t quite right.
Until that patch is released you can work around it by adding a file to /etc/sudoers.d that looks like this. I don’t think you can set mcollective_user to foreman-proxy though, as that user normally has its shell set to /bin/false. We use another system account specifically for the purpose so the choria certs can be secured properly and not kept in /usr/share/foreman-proxy.
change mcollective_user to the service account of your choice
The patch plus the changes to the foreman-proxy sudoers file worked!
The problem is that the foreman-proxy sudoers file is controlled by the foreman-proxy puppet module. So I have to keep puppet turned off; otherwise, puppet will revert my changes.