Feature: replace root by a custom user with root privileges #1009
Thanks @aleksei-burlakov! In my environment
And my other concern is that it might impact customers' existing scripts if these commands change the path. And I am not sure the customers will allow changing the mode like @zzhou1 @gao-yan @nicholasyang2022 What do you think?
Instead of moving these binaries, we could create symlinks. Changing the mode of any directory to 777 is dangerous. And changing the owner of base system directories, i.e.
Hi @aleksei-burlakov
And for the PR title, keeping the original one is good enough. Thank you!
In the above process, for this info log:
I think the user is not interested in these; maybe we can put these 3 lines into the debug log? And I noticed this warning
Is it possible to fix this? @zzhou1 What do you think?
For the join process, I noticed that there is a failure log:
So many places add
And how about using the utils.add_sudo function?
As far as I remember, it fails to do the
I want to use sudo as little as possible, only where it doesn't work at all without it. It's not all in this PR, but at least I set the direction.
I don't have a strong opinion about it; I think it was simpler to put
Sure
I think it should be possible, but I'm on a trip and this fix would take at least a couple of days.
It enables creating the cluster under a custom user.
Assume the users are alice@node1 and bob@node2.

1) Bring alice into the sudoers file on node1 and bob on node2, for example
   $ sudo echo "alice ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers
   (use visudo rather than echo)
2) Bring alice and bob into the haclient group (group 90 in the /etc/passwd)
3) Add /usr/sbin to the PATH for alice and bob
   $ export PATH=$PATH:/usr/sbin
4) Change the owner of /var/log/crmsh to hacluster:haclient (this is an unwanted feature and should be fixed in future)

And now you can do the usual routines under alice:
   alice@node1$ crm cluster init -y
   bob@node2$ crm cluster join -c alice@node1 -y
or
   alice@node1$ crm cluster init -N bob@node2 -y

The crm will start as a usual process with the same context as the current user (alice/bob). However, when it lacks permissions, for example to read/write a file, it will try again as the super-user.

Demo: https://asciinema.org/connect/088c5b1b-0fdc-4686-9a20-80fad830fca2
This is just the first step to anchor the PR#1009. Other, more advanced tests will follow.
Changed!
@liangxin1300 Maybe privilege escalation should not be used silently. Users need to be aware that we are calling sudo.
Partially. In this case, I see the value of messaging the end users, but at the very beginning. Something like:
   alice@15sp4-1:~> crm cluster init -s /dev/sda1 -y
Then, followed by validation
Great, take your time. This indeed needs a fix.
@nicholasyang2022 would you please help me with this https://github.com/ClusterLabs/crmsh/pull/1009/files#diff-4487c485cac79de78577193a11ac9f6aaf58c386a694bb96588d4a822974122bR1520 ?
@aleksei-burlakov This piece of code is not expected to be called when initializing a new cluster. It works only on a running cluster, and depends on The
# Make sure ~hacluster/.ssh exist remotely (idempotent) | ||
continue_with_hacluster = True | ||
try: | ||
utils.get_stdout_or_raise_error( | ||
'/usr/bin/env python3 -m crmsh.healthcheck fix-cluster PasswordlessHaclusterAuthenticationFeature', | ||
user=remote_user, remote=seed_host, | ||
) | ||
except ValueError as err: | ||
continue_with_hacluster = False # at least we tried | ||
logger.info("Failed to create ~hacluster/.ssh") | ||
|
||
if continue_with_hacluster: | ||
swap_public_ssh_key(local_user, remote_user, 'hacluster', seed_host) | ||
swap_public_ssh_key('hacluster', remote_user, 'hacluster', seed_host) |
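Review bot: the except branch (`except ValueError as err:` followed by `logger.info("Failed to create ~hacluster/.ssh")`) binds `err` and never uses it, so when the remote `python3 -m crmsh.healthcheck fix-cluster PasswordlessHaclusterAuthenticationFeature` call fails the log says only that it failed, at info level, and both swap_public_ssh_key calls are then skipped without the user being told why. Log the exception text at warning level (e.g. `logger.warning("Failed to create ~hacluster/.ssh on %s: %s", seed_host, err)`), and confirm that ValueError is the exception get_stdout_or_raise_error raises for a remote command failure, otherwise other failures will not take this branch at all.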
# Make sure ~hacluster/.ssh exist remotely (idempotent) | |
continue_with_hacluster = True | |
try: | |
utils.get_stdout_or_raise_error( | |
'/usr/bin/env python3 -m crmsh.healthcheck fix-cluster PasswordlessHaclusterAuthenticationFeature', | |
user=remote_user, remote=seed_host, | |
) | |
except ValueError as err: | |
continue_with_hacluster = False # at least we tried | |
logger.info("Failed to create ~hacluster/.ssh") | |
if continue_with_hacluster: | |
swap_public_ssh_key(local_user, remote_user, 'hacluster', seed_host) | |
swap_public_ssh_key('hacluster', remote_user, 'hacluster', seed_host) | |
swap_public_ssh_key('hacluster', remote_user, 'hacluster', seed_host, add=True) |
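Review bot: the suggestion differs from the original block only in the extra `swap_public_ssh_key('hacluster', remote_user, 'hacluster', seed_host, add=True)` line, and as rendered it sits after an identical call without `add=True`; the suggestion should state whether the last line replaces the preceding call or is a second call, since running both would do the same key exchange twice with different add semantics.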
@@ -2999,9 +3162,9 @@ def get_property(name, property_type="crm_config"): | |||
""" | |||
if property_type == "crm_config": | |||
cib_path = os.getenv('CIB_file', constants.CIB_RAW_FILE) | |||
cmd = "CIB_file={} crm configure get_property {}".format(cib_path, name) | |||
cmd = "CIB_file={} sudo -E CIB_file crm configure get_property {}".format(cib_path, name) |
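Review bot: the new line is wrong in two ways: `sudo -E CIB_file crm ...` makes sudo treat `CIB_file` as the program to run (the thread shows `sudo: CIB_file: command not found`), and the `CIB_file={}` prefix sets the variable only in sudo's own environment, which sudo resets before running the command, so even a correct command line would not see it. The fix is `CIB_file={} sudo --preserve-env=CIB_file crm configure get_property {}`, which forwards just that one variable rather than the whole environment as `-E` would; note that `--preserve-env=` is only honoured when the sudoers rule allows it (implied for a rule whose command is ALL, otherwise SETENV or env_keep is needed). Also, cib_path is interpolated into a shell string unquoted, so a path containing whitespace breaks the command; pass it through shlex.quote.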
This line might have an issue:
# CIB_file=/var/lib/pacemaker/cib/cib.xml sudo -E CIB_file crm configure get_property stonith-timeout
sudo: CIB_file: command not found
The result is that the return value of get_property
is None
My mistake. The parameter should be --preserve-env=CIB_file
Fixed in #1109
Current master code, in Azure, since
With this PR applied, this error hint is gone:
I suggest keeping this error hint unchanged.
@aleksei-burlakov
It enables creating the cluster under a custom user.
Assume the users are alice@node1 and bob@node2.

1) Bring alice into the sudoers file on node1 and bob on node2, for example
   $ sudo echo "alice ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers
   (use visudo rather than echo)
2) Add /usr/sbin to the PATH for alice and bob (write it in the ~/.bashrc)
   $ export PATH=$PATH:/usr/sbin

And now you can do the usual routines under alice.
The crm will start as a usual process with the same context as the
current user (alice/bob). However, when it lacks permissions,
for example to read/write a file, it will try again as the super-user.
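An added example, not code from this PR or from crmsh, of the retry-as-root pattern the description sketches, written the way the review comments above ask for it: the escalation is announced on the terminal instead of happening silently, and only the one variable the command needs (CIB_file) is carried across sudo with `--preserve-env=NAME`, not the whole environment with `-E`. The command names, the `fake_runner` that simulates the denied call so the script runs offline, and the "Permission denied" heuristic are assumptions for the illustration.

```python
"""Added example (not crmsh code): run a command as the invoking user and,
only when it fails with a permission error, rerun it under sudo while
keeping the one environment variable it needs, and say so on the terminal.

Assumptions (not taken from the PR): the caller is in sudoers with NOPASSWD,
and the command reports missing rights as "Permission denied" on stderr.
"""
import logging
import os
import subprocess
from dataclasses import dataclass
from typing import Callable, Sequence

logger = logging.getLogger("privesc-example")


def build_sudo_argv(argv: Sequence[str], preserve_env: Sequence[str] = ()) -> list:
    """Return an argv list that runs `argv` under sudo.

    --preserve-env=NAME keeps only the named variables; plain `sudo -E` would
    forward the whole environment, and `sudo -E NAME cmd` would run NAME as
    the command (the mistake discussed in the review). -n makes sudo fail
    instead of prompting when NOPASSWD is not granted.
    """
    cmd = ["sudo", "-n"]
    if preserve_env:
        cmd.append("--preserve-env=" + ",".join(preserve_env))
    cmd.extend(argv)
    return cmd


def is_permission_error(returncode: int, stderr: str) -> bool:
    """Heuristic: only a permission failure justifies trying again as root."""
    return returncode != 0 and "permission denied" in stderr.lower()


@dataclass
class Outcome:
    argv: list          # the argv that finally ran
    escalated: bool     # True when sudo was used
    returncode: int
    stdout: str
    stderr: str


Runner = Callable[..., subprocess.CompletedProcess]


def run_with_escalation(argv: Sequence[str], preserve_env: Sequence[str] = (),
                        env_overrides: dict = None, runner: Runner = subprocess.run) -> Outcome:
    """Try as the current user first; escalate once, visibly, on permission errors."""
    env = dict(os.environ)
    env.update(env_overrides or {})
    first = runner(list(argv), env=env, capture_output=True, text=True)
    if not is_permission_error(first.returncode, first.stderr):
        return Outcome(list(argv), False, first.returncode, first.stdout, first.stderr)
    sudo_argv = build_sudo_argv(argv, preserve_env)
    # Escalation is announced, never silent: the user must know sudo is called.
    logger.warning("permission denied running %s; retrying as root: %s",
                   " ".join(argv), " ".join(sudo_argv))
    second = runner(sudo_argv, env=env, capture_output=True, text=True)
    return Outcome(sudo_argv, True, second.returncode, second.stdout, second.stderr)


def fake_runner(argv, env=None, **_kw) -> subprocess.CompletedProcess:
    """Constructed stand-in for subprocess.run so the example runs offline.

    It denies the unprivileged call and succeeds under sudo only when the
    CIB_file variable was preserved, mirroring the get_property case.
    """
    if argv[0] != "sudo":
        return subprocess.CompletedProcess(
            argv, 1, "", "crm: /var/lib/pacemaker/cib/cib.xml: Permission denied\n")
    if "--preserve-env=CIB_file" not in argv:
        return subprocess.CompletedProcess(argv, 1, "", "CIB_file not set\n")
    return subprocess.CompletedProcess(argv, 0, "60s\n", "")


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s: %(message)s")
    out = run_with_escalation(
        ["crm", "configure", "get_property", "stonith-timeout"],
        preserve_env=["CIB_file"],
        env_overrides={"CIB_file": "/var/lib/pacemaker/cib/cib.xml"},
        runner=fake_runner,
    )
    print(out.escalated, out.argv, out.stdout.strip())
```

Pass `runner=subprocess.run` (the default) to run a real command; the fake runner exists only so the flow can be exercised without root. Two practical caveats follow from the setup steps: a sudoers line of `ALL=(ALL:ALL) NOPASSWD: ALL` is unrestricted root, so if the tool only needs a handful of binaries a Cmnd_Alias listing them narrows what the account can run, and `visudo -c` validates the sudoers file before it is installed, which the plain `echo >> /etc/sudoers` in the description does not.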