Actions
Bug #14551
closed
Remote run is broken on centos7 because of selinux
Pull Request:
Severity:
Major - prevents use of part of Rudder | no simple workaround
UX impact:
User visibility:
Operational - other Techniques | Rudder settings | Plugins
Effort required:
Priority:
43
Name check:
Fix check:
Regression:
Description
This happened on rudder 5.0, but it looks like it's not specific to that version of Rudder.
Maybe linked to #14391 (found in the same use case).
[root@server vagrant]# curl -X POST 'http://localhost/rudder/relay-api/remote-run/nodes' -d "asynchronous=false" -d "keep_output=true" -d "nodes=a81c4150-974f-4155-a9b9-3cd2c38dbf96" a81c4150-974f-4155-a9b9-3cd2c38dbf96:sudo: unable to open audit system: Permission denied a81c4150-974f-4155-a9b9-3cd2c38dbf96:sudo: pam_open_session: System error a81c4150-974f-4155-a9b9-3cd2c38dbf96:sudo: policy plugin failed session initialization
It's SELinux related, because with "setenforce 0", the remote run is correctly started - so perhaps linked to rudder version after all.
journalctl logs are:
server sudo[11520]: rudder : TTY=unknown ; PWD=/var/rudder ; USER=root ; COMMAND=/opt/rudder/bin/rudder remote run agent1.rudder.local server sudo[11520]: PAM audit_open() failed: Permission denied server sudo[11520]: PAM audit_open() failed: Permission denied server sudo[11520]: rudder : pam_open_session: System error ; TTY=unknown ; PWD=/var/rudder ; USER=root ; COMMAND=/opt/rudder/bin/rudder remote run agent1.rudder.local server sudo[11520]: PAM audit_open() failed: Permission denied
Updated by François ARMAND about 5 years ago
- Related to Bug #14391: Only one Node below a Rudder server can be run through remote run API added
Updated by François ARMAND about 5 years ago
- Subject changed from Remote run is broken on centos7 to Remote run is broken on centos7 because of selinux
Updated by François ARMAND about 5 years ago
- Description updated (diff)
- Status changed from New to In progress
- Assignee set to François ARMAND
Updated by François ARMAND about 5 years ago
After some more fidling, the problem seems to be with sudo and not with apache.
Updated by Vincent MEMBRÉ about 5 years ago
- Target version changed from 4.1.21 to 4.1.22
Updated by François ARMAND almost 5 years ago
- Status changed from In progress to New
- Assignee deleted (
François ARMAND) - Severity set to Major - prevents use of part of Rudder | no simple workaround
- User visibility set to Operational - other Techniques | Rudder settings | Plugins
- Priority changed from 0 to 51
I'm setting to major because it's really not easy to understand that the problem is with SELinux and that a "setenforce 0" can workaround it - even if it's not a real solution.
Someone with selinux knowledge should look at it - I didn't understand what is going wrong.
Updated by Vincent MEMBRÉ almost 5 years ago
- Target version changed from 4.1.22 to 4.1.23
Updated by Vincent MEMBRÉ almost 5 years ago
- Target version changed from 4.1.23 to 4.1.24
Updated by Vincent MEMBRÉ almost 5 years ago
- Target version changed from 4.1.24 to 588
- Priority changed from 51 to 50
Updated by Alexis Mousset almost 5 years ago
- Target version changed from 588 to 5.0.13
Updated by Vincent MEMBRÉ over 4 years ago
- Target version changed from 5.0.13 to 5.0.14
- Priority changed from 50 to 48
Updated by Vincent MEMBRÉ over 4 years ago
- Target version changed from 5.0.14 to 5.0.15
Updated by Vincent MEMBRÉ over 4 years ago
- Target version changed from 5.0.15 to 5.0.16
- Priority changed from 48 to 46
Updated by Alexis Mousset about 4 years ago
- Target version changed from 5.0.16 to 5.0.17
- Priority changed from 46 to 44
Updated by Vincent MEMBRÉ about 4 years ago
- Target version changed from 5.0.17 to 5.0.18
- Priority changed from 44 to 43
Updated by Alexis Mousset almost 4 years ago
- Status changed from New to Rejected
Validated in 6.1. Previous remote-run implementation in 5.0 has been removed in 6.0, closing.
Actions