Schedule salt execution from Foreman doesn't work

Problem:
So I tried following this tutorial here: Foreman :: Plugin Manuals
The jobs fail when I try to schedule from Foreman UI from “Schedule Remote Job” -> “Salt”. When I looked at the logs I see:

 > ==> /var/log/foreman/production.log <==
 > 2020-06-05T11:35:48 [I|app|2be7cafd] Processing by ForemanTasks::Api::TasksController#callback as */*
 > 2020-06-05T11:35:48 [I|app|2be7cafd]   Parameters: {"callback"=>{"task_id"=>"f7ef62dd-05e1-4cdd-b834-981b3a4a572a", "step_id"=>3}, "data"=>{"result"=>[{"output_type"=>"stdout", "output"=>"\e[0;32mAuthentication error occurred.\e[0;0m\r\n", "timestamp"=>1591356947.5486667}], "runner_id"=>"9d5ed141-7f03-4c8e-a5ed-55457968947b", "exit_status"=>1}, "task"=>{}}

In another log I get this:

> Step 073da94b-e49d-4f23-a5a9-b407b5d93ae5: 2 running >> suspended in phase Run SmartProxySaltCore::SaltTaskLauncher::SaltRunnerAction
> start runner 9d5ed141-7f03-4c8e-a5ed-55457968947b
> Running command 'salt --show-jid --saltfile=/etc/foreman-proxy/settings.d/salt.saltfile 3dhubs-ecs-staging-i-0ef2abcd072359ea6 state.template_str state.highstate:

Even though I have :salt_command_user: root in /etc/foreman-proxy/settings.d/salt.yml, the command doesn’t even try sudo. Looking at the code in salt_runner.rb, it seems it was never supposed to work like that and only cli.rb has something for sudo, though I couldn’t find how that’s used in the UI. Unfortunately there’s no easy way to grant foreman-proxy access to the salt command without sudo.
I confirmed that this is the problem by trying to execute that command as foreman-proxy:

> -bash-4.2$ salt --show-jid --saltfile=/etc/foreman-proxy/settings.d/salt.saltfile 3dhubs-ecs-staging-i-0ef2abcd072359ea6 state.template_str state.highstate
> Authentication error occurred.

For now, the easy hack for me was to modify salt_runner.rb:43 and add sudo:
> command = %w(sudo salt --show-jid)

Expected outcome:
I expect “Schedule Remote Job” -> “Salt” to work after I followed the tutorial.

Foreman and Proxy versions:
> foreman.noarch 1.24.3-1.el7 @foreman
> foreman-release.noarch 1.24.3-1.el7 @foreman
> foreman-release-scl.noarch 7-2.el7 @foreman

Foreman and Proxy plugin versions:
> foreman-proxy.noarch 1.24.3-1.el7 @foreman
> rubygem-smart_proxy_ansible.noarch 3.0.1-1.fm1_23.el7 @foreman-plugins
> rubygem-smart_proxy_dynflow.noarch 0.2.4-1.el7 @foreman-plugins
> rubygem-smart_proxy_salt.noarch 3.1.1-1.el7 @foreman-plugins

Distribution and version:
CentOS 7

Other relevant data:
My question is, am I doing something wrong or is there another way to fix this?
Thank you!

Hi,
from what I remember, when using Salt as a remote execution provider, it shouldn’t use sudo to elevate its privileges before issuing salt commands. Instead, at least according to the docs, you should configure the Salt master to accept jobs from the foreman-proxy user.
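
One way to do what this reply describes, as an added example that is not part of the original thread: a Salt master `publisher_acl` entry that lets the `foreman-proxy` user publish only `state.template_str`, the function seen in the logged command. The `/etc/salt/master` path is an assumption (Salt's default location).

```yaml
# /etc/salt/master  (assumed default path; adjust to your installation)

# Too broad: would let foreman-proxy publish any function to any minion,
# which is close to handing it the same power as running salt via sudo.
# publisher_acl:
#   foreman-proxy:
#     - .*

# Scoped: foreman-proxy may publish only the function that the proxy's
# Salt runner invokes in the command shown in the logs above.
publisher_acl:
  foreman-proxy:
    - state.template_str
```

Restart `salt-master` after the change, then rerun the logged command as `foreman-proxy` without sudo to confirm the authentication error is gone. Salt's publisher ACL documentation also notes that the master's cache and run directories must be readable by that user.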


Yes, that did the trick!
Thank you Adam for the fast response!

Thanks. This solved my issues as well. Adding some more logging here in case someone googles/searches and this thread doesn’t come up:

2024-08-01T17:12:00 ab7967bf [E] Script execution failed
2024-08-01T17:12:00 ab7967bf [D]          Step 162fcfff-5f07-4c92-aeee-85bbe80a4810: 3   running >>     error in phase Finalize Proxy::Salt::SaltTaskLauncher::SaltRunnerAction
2024-08-01T17:12:00  [D] ExecutionPlan 162fcfff-5f07-4c92-aeee-85bbe80a4810      running >>   stopped

foreman salt proxy execution failure
foreman salt run failure
