[enhancement] mcollective agent as non-root #135

Closed
GeoffWilliams opened this issue Feb 23, 2015 · 7 comments
Labels
enhancement New feature or request
Comments

@GeoffWilliams
Contributor

Summary

It would be a nice enhancement if the mcollective agent installed via:

include r10k::mcollective

had an option to execute the r10k command as an unprivileged user. Running as non-root is a requirement for some deployments.

Approaches

  • Switch users in files/agent/r10k.rb
  • Make the mcollective listener run as non-root from the start of execution
@elyscape
Contributor

Approach 2 is nonworkable because it involves changing infrastructure that isn't actually related to this project.

@acidprime
Collaborator

Sounds like a good feature request. I assume you have multiple masters, right? i.e. you have to/want to use the mcollective agent rather than just run the webhook as the respective user, i.e. https://github.com/acidprime/r10k#running-without-mcollective for your specific case.

If you want to submit a PR, then I would be glad to review it; the issue is that it appears the shell class in mcollective does not let you pass a user.

https://github.com/puppetlabs/marionette-collective/blob/master/lib/mcollective/shell.rb#L28-L35

This likely means we would need to have it sudo -u or something similar and pass through the username like we do the branch.

We could also not use that class and start using spawn similar to the shell agent, but that's a little more than a patch: https://github.com/puppetlabs/mcollective-shell-agent/blob/master/lib/mcollective/agent/shell.ddl#L20-L27

@acidprime acidprime added this to the Version 3.0 milestone Feb 23, 2015
@acidprime acidprime added the enhancement New feature or request label Feb 23, 2015
@elyscape
Contributor

The shell agent doesn't appear to actually use the user parameter.

I would highly recommend against sudo. It requires certain settings in the /etc/sudoers file, such as Defaults !requiretty. Instead, you should use su - username -c COMMAND. This will work so long as the mcollective user has superuser privileges, which is generally going to be the case.

@GeoffWilliams
Contributor Author

That's great feedback, Eli. I'm going to start putting together a PR to add this functionality shortly; I'm planning to go down the route of using su to execute the R10K command.

@elyscape
Contributor

Be advised that you'll need to quote the command if it contains spaces, otherwise all the arguments will get lost. Furthermore, we want file redirection to happen on the outside of the su command so that the files are owned by the mcollective user, so you'll want to do something like su - username -c "COMMAND" >/path/to/outfile.

Edit: Actually, since redirection can be done from the run() function, that'd be better in general.

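The approach sketched in acidprime's and Eli's comments above (wrap the r10k invocation in `su - USER -c "..."` because the mcollective shell class has no user parameter, quote the inner command so its arguments survive the shell re-parse, and perform the output redirection from the calling process rather than inside su), as an added example in Ruby. This is not code from the r10k mcollective agent, from the linked pull request, or from MCollective itself; the function names `su_command` and `run_as_user`, the username regex, and the use of `Process.spawn` for redirection are assumptions made here to illustrate the point.

```ruby
require 'shellwords'
require 'tmpdir'

# Added illustration, not the r10k mcollective agent's own code.
# Assumptions: an unprivileged account name is supplied per request (like the
# branch), the agent itself runs with enough privilege to `su`, and the caller
# decides where stdout/stderr go.

# Conservative POSIX-style username check (assumed policy, not from the project).
USERNAME_RE = /\A[a-z_][a-z0-9_-]*\z/.freeze

# Build the argv that runs +command_argv+ as +user+ via `su - USER -c CMD`.
# When +user+ is nil or empty the command runs as the current user, unchanged.
#
# `su -c` takes ONE string that the target user's login shell re-parses, so the
# argv must be joined with shell quoting. Passing the words separately
# (`su - user -c /usr/bin/r10k deploy ...`) would run only `/usr/bin/r10k`;
# the remaining words become the shell's positional parameters and are lost.
def su_command(user, command_argv)
  return command_argv.dup if user.nil? || user.empty?
  unless user.match?(USERNAME_RE)
    raise ArgumentError, "refusing to su to invalid username #{user.inspect}"
  end
  ['su', '-', user, '-c', Shellwords.shelljoin(command_argv)]
end

# Run the command, writing stdout/stderr to files opened by THIS process.
# Opening the files here, before exec, means they are created and owned by the
# caller (e.g. the mcollective user), not by +user+; putting `> file` inside
# the `-c` string would create them as +user+ instead.
# Returns the exit status of su, which propagates the inner command's status.
def run_as_user(user, command_argv, stdout_path, stderr_path)
  argv = su_command(user, command_argv)
  pid = Process.spawn(*argv, out: [stdout_path, 'w'], err: [stderr_path, 'w'])
  _, status = Process.wait2(pid)
  status.exitstatus
end

if __FILE__ == $PROGRAM_NAME
  # A branch name containing a space survives the quoting intact.
  p su_command('r10k', ['/usr/bin/r10k', 'deploy', 'environment', 'my branch', '-pv'])
  # Run something harmless as the current user to show the redirection path
  # (constructed sample command; no root needed).
  Dir.mktmpdir do |dir|
    out = File.join(dir, 'out.log')
    err = File.join(dir, 'err.log')
    status = run_as_user(nil, ['sh', '-c', 'echo deployed; echo warning 1>&2; exit 3'], out, err)
    puts "exit=#{status} stdout=#{File.read(out).inspect} stderr=#{File.read(err).inspect}"
  end
end
```

Because `su` is exec'd directly with an argv rather than through a shell, the username itself cannot inject shell syntax; the regex is still worth keeping so that a malformed request fails loudly before any privilege switch. `su -` starts a login shell for the target user, so the r10k command sees that user's environment rather than the mcollective daemon's.
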
@GeoffWilliams
Contributor Author

That's really helpful, thanks so much!

I've finished for the day now but I should be able to get onto this in the next couple of days

On 24 February 2015 6:56:24 PM AEDT, Eli Young notifications@github.com wrote:

Be advised that you'll need to quote the command if it contains spaces,
otherwise all the arguments will get lost. Furthermore, we want file
redirection to happen on the outside of the su command so that the
files are owned by the mcollective user, so you'll want to do something
like su - username -c "COMMAND" >/path/to/outfile.


@GeoffWilliams
Contributor Author

Created https://github.com/acidprime/r10k/pull/141 to address this - let me know what you think. Thanks.
