  1. Satellite
  2. SAT-39761

Only apply ACLs for Remote Execution when needed


      Description of problem:

      Remote execution requires the setfacl binary. This is not mentioned in the documentation, and there is also no dependency on the acl package (which provides the setfacl binary). Remote Execution jobs fail when the package is not installed on the host.

      Steps to Reproduce:

      1. have a host registered to Satellite
      2. check that acl is not installed on host
      3. create ssh user and effective user

      command=useradd sshuser -G wheel; echo sshuser:<sshuser password> | chpasswd; useradd effuser -G wheel; echo effuser:<effuser password> | chpasswd

      4. run job

      hammer job-invocation create --job-template="Run Command - Script Default" --inputs="command=touch /home/effuser/ibUwDNZPsu" --search-query="name ~ <client hostname>" --ssh-user="sshuser" --password="<sshuser password>" --effective-user="effuser" --effective-user-password="<effuser password>"

       

      Actual results:

      The script fails with the following message:


      1:  Error initializing command: RuntimeError - Failed to run command setfacl -m u:effuser:rx /var/tmp/foreman-ssh-cmd-<id>/script on remote machine, exit code: 127
      2:  Exit status: EXCEPTION
      3:  StandardError: Job execution failed

      Expected results:

      Jobs don't fail on a missing binary that is not documented.
      For jobs where either the connection user or the effective user is root, there is no need for filesystem ACLs, so jobs falling into this category should pass even without acl package installed on the managed host.

      For the relatively niche cases where both connection and effective users are unprivileged users, we will continue relying on ACLs. This needs to be documented - both the package being installed as well as filesystem support in the working directory on the managed host.

      Additional info:

      The acl package is not part of the dnf group "Minimal Installation" of RHEL. It's part of the "Standard" group, which is only Optional. Try:

      # dnf group info "Minimal Install"
      Environment Group: Minimal Install
       Description: Basic functionality.
       Mandatory Groups:
         Core
       Optional Groups:
         Standard
      # dnf group info "Standard" | grep acl
          acl
      

      Maybe introduced by fix of SAT-31303

      Related robottelo testcase: https://github.com/SatelliteQE/robottelo/blob/9af701d061cef0255a26f6a84a5539e632eeba90/tests/foreman/cli/test_remoteexecution.py#L257

       

              pondrejk@redhat.com Peter Ondrejka
              rhn-support-rmynar Radek Mynar
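
A preflight check for the rule stated under "Expected results", as an added example that is not Satellite or Foreman code: it reports whether a managed host can serve a job that needs ACLs, separating a missing setfacl binary from a working directory that rejects ACL entries. The function names, the `SETFACL_BIN` override, the status strings and the treatment of identical users are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Satellite/Foreman code. SETFACL_BIN and the function
# names are hypothetical; override SETFACL_BIN to point at another binary.
SETFACL_BIN="${SETFACL_BIN:-setfacl}"

# Returns 0 only when ACLs are required: both users are unprivileged.
# Assumption: identical users mean no user switch, so no ACL is needed.
needs_acl() {
    ssh_user=$1; eff_user=${2:-$1}
    [ "$ssh_user" = "root" ] && return 1
    [ "$eff_user" = "root" ] && return 1
    [ "$ssh_user" = "$eff_user" ] && return 1
    return 0
}

# Prints: not-needed | missing-setfacl | workdir-unwritable |
#         acl-unsupported | ok
rex_acl_preflight() {
    ssh_user=$1; eff_user=$2; workdir=${3:-/var/tmp}
    if ! needs_acl "$ssh_user" "$eff_user"; then
        echo "not-needed"; return 0
    fi
    # A missing binary is what surfaces as exit code 127 in the job output.
    if ! command -v "$SETFACL_BIN" >/dev/null 2>&1; then
        echo "missing-setfacl"; return 1
    fi
    probe=$(mktemp "$workdir/rex-acl-probe.XXXXXX" 2>/dev/null) || {
        echo "workdir-unwritable"; return 1
    }
    # Probe with the current numeric uid so the result reflects filesystem
    # ACL support only, not whether the effective user exists yet.
    if "$SETFACL_BIN" -m "u:$(id -u):r" "$probe" 2>/dev/null; then
        result=ok; rc=0
    else
        result=acl-unsupported; rc=1
    fi
    rm -f "$probe"
    echo "$result"; return "$rc"
}
```

Run it on the managed host as the connection user, for example `rex_acl_preflight sshuser effuser /var/tmp`.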