Project

General

Profile

Actions

Bug #14551

closed

Remote run is broken on centos7 because of selinux

Added by François ARMAND over 5 years ago. Updated over 4 years ago.

Status:
Rejected
Priority:
N/A
Assignee:
-
Category:
System integration
Target version:
Severity:
Major - prevents use of part of Rudder | no simple workaround
UX impact:
User visibility:
Operational - other Techniques | Rudder settings | Plugins
Effort required:
Priority:
43
Name check:
Fix check:
Regression:

Description

This happened on rudder 5.0, but it looks like it's not specific to that version of Rudder.
Maybe linked to #14391 (found in the same use case).

[root@server vagrant]# curl -X POST 'http://localhost/rudder/relay-api/remote-run/nodes' -d "asynchronous=false" -d "keep_output=true" -d "nodes=a81c4150-974f-4155-a9b9-3cd2c38dbf96" 
a81c4150-974f-4155-a9b9-3cd2c38dbf96:sudo: unable to open audit system: Permission denied
a81c4150-974f-4155-a9b9-3cd2c38dbf96:sudo: pam_open_session: System error
a81c4150-974f-4155-a9b9-3cd2c38dbf96:sudo: policy plugin failed session initialization

It's SELinux related, because with "setenforce 0", the remote run is correctly started - so perhaps linked to rudder version after all.

journalctl logs are:

server sudo[11520]:   rudder : TTY=unknown ; PWD=/var/rudder ; USER=root ; COMMAND=/opt/rudder/bin/rudder remote run agent1.rudder.local
server sudo[11520]: PAM audit_open() failed: Permission denied
server sudo[11520]: PAM audit_open() failed: Permission denied
server sudo[11520]:   rudder : pam_open_session: System error ; TTY=unknown ; PWD=/var/rudder ; USER=root ; COMMAND=/opt/rudder/bin/rudder remote run agent1.rudder.local
server sudo[11520]: PAM audit_open() failed: Permission denied

Related issues 1 (0 open1 closed)

Related to Rudder - Bug #14391: Only one Node below a Rudder server can be run through remote run APIReleasedAlexis MoussetActions
Actions #1

Updated by François ARMAND over 5 years ago

  • Related to Bug #14391: Only one Node below a Rudder server can be run through remote run API added
Actions #2

Updated by François ARMAND over 5 years ago

  • Description updated (diff)
Actions #3

Updated by François ARMAND over 5 years ago

  • Subject changed from Remote run is broken on centos7 to Remote run is broken on centos7 because of selinux
Actions #4

Updated by François ARMAND over 5 years ago

  • Description updated (diff)
  • Status changed from New to In progress
  • Assignee set to François ARMAND
Actions #5

Updated by François ARMAND over 5 years ago

After some more fidling, the problem seems to be with sudo and not with apache.

Actions #6

Updated by Vincent MEMBRÉ over 5 years ago

  • Target version changed from 4.1.21 to 4.1.22
Actions #7

Updated by François ARMAND over 5 years ago

  • Status changed from In progress to New
  • Assignee deleted (François ARMAND)
  • Severity set to Major - prevents use of part of Rudder | no simple workaround
  • User visibility set to Operational - other Techniques | Rudder settings | Plugins
  • Priority changed from 0 to 51

I'm setting to major because it's really not easy to understand that the problem is with SELinux and that a "setenforce 0" can workaround it - even if it's not a real solution.

Someone with selinux knowledge should look at it - I didn't understand what is going wrong.

Actions #8

Updated by Vincent MEMBRÉ over 5 years ago

  • Target version changed from 4.1.22 to 4.1.23
Actions #9

Updated by Vincent MEMBRÉ over 5 years ago

  • Target version changed from 4.1.23 to 4.1.24
Actions #10

Updated by Vincent MEMBRÉ over 5 years ago

  • Target version changed from 4.1.24 to 588
  • Priority changed from 51 to 50
Actions #11

Updated by Alexis Mousset over 5 years ago

  • Target version changed from 588 to 5.0.13
Actions #12

Updated by Vincent MEMBRÉ over 5 years ago

  • Target version changed from 5.0.13 to 5.0.14
  • Priority changed from 50 to 48
Actions #13

Updated by Vincent MEMBRÉ about 5 years ago

  • Target version changed from 5.0.14 to 5.0.15
Actions #14

Updated by Vincent MEMBRÉ about 5 years ago

  • Target version changed from 5.0.15 to 5.0.16
  • Priority changed from 48 to 46
Actions #15

Updated by Alexis Mousset almost 5 years ago

  • Target version changed from 5.0.16 to 5.0.17
  • Priority changed from 46 to 44
Actions #16

Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 5.0.17 to 5.0.18
  • Priority changed from 44 to 43
Actions #17

Updated by Alexis Mousset over 4 years ago

  • Status changed from New to Rejected

Validated in 6.1. Previous remote-run implementation in 5.0 has been removed in 6.0, closing.

Actions

Also available in: Atom PDF