Bug #5010
closedcf-* commands are no longer in PATH
Description
We made a change to include in /etc/profile a change to the shell's PATH to use /var/rudder/cfengine-community/bin (or /opt/rudder/bin) so that "cf-agent" was available directly without using the full path.
However, this no longer works. I am unsure why.
Note: targeting for 2.10, but this may also apply to older versions. Please check.
Updated by Jonathan CLARKE over 10 years ago
- Target version changed from 2.10.3 to 2.10.4
Updated by Nicolas PERRON over 10 years ago
- Target version changed from 2.10.4 to 2.10.5
Updated by Vincent MEMBRÉ over 10 years ago
- Target version changed from 2.10.5 to 2.10.6
Updated by Jonathan CLARKE over 10 years ago
This is ANNOYING. It needs fixing ASAP!
Updated by Matthieu CERDA over 10 years ago
- Status changed from 8 to In progress
Taking care of this.
Updated by Matthieu CERDA over 10 years ago
- Status changed from In progress to Discussion
- Assignee changed from Matthieu CERDA to Jonathan CLARKE
I tested on five different machines ranging from 2.10 (the version where this change was introduced) to 2.12 (bleeding edge) and on every machine, /etc/profile.d/rudder-agent.sh contains the right value and alters the PATH to have cf-* binaries in it.
The best I can come with would be a machine ignoring profile.d or altering PATH in a local .profile / .bashrc / .xxxrc, breaking this.
I am unable to reproduce this :( Can you tell me in which conditions (OS, ...) you encoutered this problem ?
Updated by Jonathan CLARKE over 10 years ago
- Status changed from Discussion to Rejected
Well, that is WEIRD.
I saw this at a customer's just a few weeks ago. He was using Rudder 2.11 on CentOS 6. I just installed a new CentOS 6 box with Rudder 2.11 (via vagrant) and it works...
I'll reject this. Thanks for looking into it Matthieu.
Updated by Nicolas CHARLES over 10 years ago
I've seens that quite a lot. It seems that it happens on upgraded systems
Updated by Nicolas CHARLES over 10 years ago
- Status changed from Rejected to Discussion
Ha, i've been trying this, on 5 different debian 7.4 generated by vagrant
They all have the file /etc/profile.d/rudder-agent.sh, but none of them have a proper PATH setup
Updated by Jonathan CLARKE over 10 years ago
- Assignee changed from Jonathan CLARKE to Matthieu CERDA
Thanks for the update Nico. Matthieu, could you look into this please?
Updated by Matthieu CERDA over 10 years ago
- Target version changed from 2.10.6 to 2.10.7
Updated by Matthieu CERDA over 10 years ago
- Assignee changed from Matthieu CERDA to Jonathan CLARKE
- When you run as a normal user, no problem: cf-agent is in the PATH
- When you run a root shell using either sudo -i (simulate initial login) or sudo bash/sh, it works too. Same goes for direct root logins via console or SSH.
- The problems happens when you use sudo -s (run the target user shell directly) or sudo su, in this case you bypass the call to /etc/profile (or for the first case, sudo cleans up the environment to only expose variables he deems safe, cleaning PATH in the process) and the PATH is not updated: no direct cf-agent call possible.
For me, it is to be expected, and changing this would mean altering the system far beyond what we are supposed to do for a simple tool calling helper (modifying sudoers, possibly global bashrc's / shellrc's, and so on) and is not adviseable.
What do you think jon ?
Updated by Vincent MEMBRÉ about 10 years ago
- Target version changed from 2.10.7 to 2.10.8
Updated by Jonathan CLARKE about 10 years ago
- Assignee changed from Jonathan CLARKE to Matthieu CERDA
Matthieu CERDA wrote:
We tried together to reproduce this, the problem is simple:
- When you run as a normal user, no problem: cf-agent is in the PATH
- When you run a root shell using either sudo -i (simulate initial login) or sudo bash/sh, it works too. Same goes for direct root logins via console or SSH.
- The problems happens when you use sudo -s (run the target user shell directly) or sudo su, in this case you bypass the call to /etc/profile (or for the first case, sudo cleans up the environment to only expose variables he deems safe, cleaning PATH in the process) and the PATH is not updated: no direct cf-agent call possible.
For me, it is to be expected, and changing this would mean altering the system far beyond what we are supposed to do for a simple tool calling helper (modifying sudoers, possibly global bashrc's / shellrc's, and so on) and is not adviseable.
What do you think jon ?
Thank you for this detailed analysis. This now makes sense.
I think the best solution is to publish a blog post titled "10 reasons why sudo -s is considered harmful (#7 will blow your mind)" and not do anything else.
Er, sorry, just kidding, serious mode back on...
Since we are about to implement a "rudder" CLI for 3.0, that should wrap all necessary commands around cf-* binaries, I actually think it now makes sense to not have them in the path. However, it may make sense to have the rudder command installed under /usr/bin or /usr/sbin to make it available everywhere and avoid this problem.
Thoughts?
Updated by Matthieu CERDA about 10 years ago
Why not, actually we could just install it in /opt/rudder/bin and symlink it from /usr/bin. dpkg and rpm makes it quite easy, and we already do this with ncf actually :)
Updated by Matthieu CERDA about 10 years ago
- Assignee changed from Matthieu CERDA to Jonathan CLARKE
Would that be an appropriate approach ?
Updated by Vincent MEMBRÉ about 10 years ago
- Target version changed from 2.10.8 to 2.10.9
Updated by Vincent MEMBRÉ almost 10 years ago
- Target version changed from 2.10.9 to 2.10.10
Updated by Vincent MEMBRÉ almost 10 years ago
- Target version changed from 2.10.10 to 2.10.11
Updated by Vincent MEMBRÉ almost 10 years ago
- Target version changed from 2.10.11 to 2.10.12
Updated by Vincent MEMBRÉ almost 10 years ago
- Target version changed from 2.10.12 to 2.10.13
Updated by Vincent MEMBRÉ over 9 years ago
- Target version changed from 2.10.13 to 2.10.14
Updated by Benoît PECCATTE over 9 years ago
- Status changed from Discussion to Rejected
Mathieu is right in hi analysis of the sudo -s, this is expected.
As for the rudder command line, it is now in the path.
Closing this bug unless someone complains about PATH again.