knife bootstrap with a different root password to the authenticated user #10181

Closed
kmf opened this issue Jul 21, 2020 · 11 comments · Fixed by #10410
Labels
Status: Untriaged An issue that has yet to be triaged.

Comments

kmf commented Jul 21, 2020

Description

Bootstrapping a client with a different root password than the authenticated user doesn't work; tested on CentOS and AIX.

It does ask to enter bob's password

Enter password for bob@164.90.200.96:

but not for root

Chef Version

Chef Workstation 20.7.96

Platform Version

AIX 7.2
CentOS 8.2

Replication Case

  • Provision a CentOS node
  • root login is disabled via ssh
  • set the root password as password1024
  • create a user called bob password as password
  • try and bootstrap the node

Client Output

➜ knife bootstrap 164.90.200.96 -U bob -N somenode --use-sudo-password
Connecting to 164.90.200.96 using ssh
The authenticity of host '164.90.200.96 ()' can't be established.
fingerprint is SHA256:371UcjLgI53M2pVDu6cGfjF4SOXY+/k7WxE+LB1ANnU.

Are you sure you want to continue connecting
? (Y/N) y
Connecting to 164.90.200.96 using ssh
WARN: [SSH] connection failed, terminating (#<Net::SSH::AuthenticationFailed: Authentication failed for user bob@164.90.200.96>)
WARNING: Failed to authenticate bob to 164.90.200.96 - trying password auth
Enter password for bob@164.90.200.96:

Connecting to 164.90.200.96 using ssh
Creating new client for somenode
Creating new node for somenode
Bootstrapping 164.90.200.96
 [164.90.200.96] -----> Installing Chef Omnibus (stable/16)
downloading https://omnitruck.chef.io/chef/install.sh
  to file /tmp/install.sh.5581/install.sh
trying curl...
 [164.90.200.96] el 8 x86_64
Getting information for chef stable 16 for el...
downloading https://omnitruck.chef.io/stable/chef/metadata?v=16&p=el&pv=8&m=x86_64
  to file /tmp/install.sh.5599/metadata.txt
 [164.90.200.96] trying curl...
 [164.90.200.96] sha1	f8760715679d82608f1e4db7708d1a1464b3f929
sha256	f303db725483ee049f5227f963250d4f78ec2ab53ab4bfd70fedbb2c8d500a88
url	https://packages.chef.io/files/stable/chef/16.2.73/el/8/chef-16.2.73-1.el7.x86_64.rpm
version	16.2.73
 [164.90.200.96]
 [164.90.200.96] downloaded metadata file looks valid...
 [164.90.200.96] downloading https://packages.chef.io/files/stable/chef/16.2.73/el/8/chef-16.2.73-1.el7.x86_64.rpm
  to file /tmp/install.sh.5599/chef-16.2.73-1.el7.x86_64.rpm
 [164.90.200.96] trying curl...
 [164.90.200.96] Comparing checksum with sha256sum...
 [164.90.200.96] Installing chef 16
installing with rpm...
 [164.90.200.96] warning: /tmp/install.sh.5599/chef-16.2.73-1.el7.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 83ef826a: NOKEY
 [164.90.200.96] error: can't create transaction lock on /var/lib/rpm/.rpm.lock (Permission denied)
 [164.90.200.96] Installation failed
Version: 16

Please file a Bug Report at https://github.com/chef/omnitruck/issues/new
Alternatively, feel free to open a Support Ticket at https://www.chef.io/support/tickets
More Chef support resources can be found at https://www.chef.io/support

Please include as many details about the problem as possible i.e., how to reproduce
the problem (if possible), type of the Operating System and its version, etc.,
and any other relevant details that might help us with troubleshooting.

 [164.90.200.96] mkdir: cannot create directory '/etc/chef': Permission denied
 [164.90.200.96] /tmp/chef_ougdEL/bootstrap.sh: line 181: /etc/chef/client.pem: No such file or directory
ERROR: The following error occurred on 164.90.200.96:
ERROR: warning: /tmp/install.sh.5599/chef-16.2.73-1.el7.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 83ef826a: NOKEY
     error: can't create transaction lock on /var/lib/rpm/.rpm.lock (Permission denied)
     mkdir: cannot create directory '/etc/chef': Permission denied
     /tmp/chef_ougdEL/bootstrap.sh: line 181: /etc/chef/client.pem: No such file or directory

@kmf kmf added the Status: Untriaged An issue that has yet to be triaged. label Jul 21, 2020
@kvivek1115 (Contributor)

Hey @kmf, thanks for reporting the bug. I guess asking for the password for bob@164.90.200.96 would be the expected behavior, as you have not provided the password for the bob user.

Could you please add the --sudo option to see the behavior, to rule out the permission issue first.

knife bootstrap 164.90.200.96 -U bob -N somenode --use-sudo-password --sudo

kmf commented Jul 23, 2020

knife bootstrap 164.90.200.96 -U bob -N somenode --use-sudo-password --sudo

Connecting to 164.90.200.96 using ssh
The authenticity of host '164.90.200.96 ()' can't be established.
fingerprint is SHA256:371UcjLgI53M2pVDu6cGfjF4SOXY+/k7WxE+LB1ANnU.

Are you sure you want to continue connecting
? (Y/N) Y
Connecting to 164.90.200.96 using ssh
WARN: [SSH] connection failed, terminating (#<Net::SSH::AuthenticationFailed: Authentication failed for user bob@164.90.200.96>)
WARNING: Failed to authenticate bob to 164.90.200.96 - trying password auth
Enter password for bob@164.90.200.96:

Connecting to 164.90.200.96 using ssh
ERROR: Train::UserError: Sudo failed: We trust you have received the usual lecture from the local System
     Administrator. It usually boils down to these three things:

         #1) Respect the privacy of others.
         #2) Think before you type.
         #3) With great power comes great responsibility.

     sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper

kmf commented Jul 28, 2020

@vsingh-msys bump

kmf commented Aug 4, 2020

14 Days?

kvivek1115 commented Aug 9, 2020

@kmf I tried to replicate it on CentOS 8 and did the following steps:

  • Provision a centos vagrant node
  • root login is disabled via ssh
  • set the root password as password1024
  • create a user called bob password as password
  • try and bootstrap the node
knife bootstrap node10.test -U bob -N node10 --use-sudo-password  --sudo

Console output:

Connecting to node10.test using ssh
The authenticity of host 'node10.test (192.168.33.50)' can't be established.
fingerprint is SHA256:XNuZCnRkwSadkJ0FwKNxJjv1SkMxI0Xi0eFADHnSmLw.

Are you sure you want to continue connecting
? (Y/N) Y
Connecting to node10.test using ssh
WARN: [SSH] connection failed, terminating (#<Net::SSH::AuthenticationFailed: Authentication failed for user bob@node10.test>)
WARNING: Failed to authenticate bob to node10.test - trying password auth
Enter password for bob@node10.test: 
Connecting to node10.test using ssh
WARNING: Failed to authenticate bob to node10.test - Sudo failed: Sudo requires a password, please configure it. 
        sudo: 1 incorrect password attempt
Enter sudo password for bob@node10.test: 
ERROR: Train::UserError: Sudo failed: [sudo] password for bob: bob is not in the sudoers file.  This incident will be reported.

This is the expected behavior.

Note: I think the user must have sudo (in case we use --sudo) or enough privileges to manage Chef-related permissions.

mkdir: cannot create directory '/etc/chef': Permission denied
 [164.90.200.96] /tmp/chef_ougdEL/bootstrap.sh: line 181: /etc/chef/client.pem: No such file or directory
ERROR: The following error occurred on 164.90.200.96:
ERROR: warning: /tmp/install.sh.5599/chef-16.2.73-1.el7.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 83ef826a: NOKEY
     error: can't create transaction lock on /var/lib/rpm/.rpm.lock (Permission denied)

Sorry for the late reply.

Could you please try with -VV for more verbose output?

I manually tried sudo su and got a somewhat similar error to the one you provided, which also requires configuring a sudo password for the bob user.

sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for bob: 
Sorry, try again.

kmf commented Aug 9, 2020

This is not expected behaviour.

I'm using this on AIX which doesn't have sudo and I'm not allowed to install it.

@mattray sorry for dragging you into this, do you understand my problem?

kvivek1115 commented Aug 16, 2020

@kmf it seems I have taken this in another direction.

At present --use-sudo-password has no meaning without the --sudo option. Also, the user should have the required permissions or sudo privileges.

So if the logged-in user doesn't have sufficient permissions (sudo), switching to the root user (or a privileged user) would be a valid use case, and we need to maintain another session in between with a valid user/password.

In order to achieve this, I would prefer to add new --su-user and --su-user-password bootstrap options and send data through the current user session.

Thanks!
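As an added illustration (not code from Chef, knife, Train or anyone in this thread), a small Ruby script that maps the failure lines quoted earlier in the thread to their likely cause and flags the --use-sudo-password-without---sudo combination just described. The sample output is constructed from lines quoted above; the cause names and remediation strings are assumptions of this example.

```ruby
# Classify knife bootstrap failure output so an operator sees the real cause
# (unprivileged install, sudo needing a tty, user not in sudoers) instead of
# the cascade of "Permission denied" lines that follows it.

CAUSES = {
  ssh_auth_failed:   /Authentication failed for user/,
  sudo_needs_tty:    /sudo: a terminal is required to read the password/,
  sudo_needs_pass:   /Sudo requires a password/,
  not_in_sudoers:    /is not in the sudoers file/,
  unprivileged_user: /Permission denied/,
}.freeze

REMEDIATION = {
  ssh_auth_failed:   "key auth failed; knife falls back to a password prompt (expected with -U only)",
  sudo_needs_tty:    "sudo cannot prompt; use --sudo with --use-sudo-password so the password is fed on stdin",
  sudo_needs_pass:   "sudo wants a password; pass --use-sudo-password together with --sudo",
  not_in_sudoers:    "the bootstrap user has no sudo rights; grant them or bootstrap as a privileged user",
  unprivileged_user: "the install ran as the unprivileged login user; escalate with --sudo",
}.freeze

# Distinct causes in the order they first appear in the output.
def diagnose(output)
  causes = []
  output.each_line do |line|
    CAUSES.each { |name, re| causes << name if line.match?(re) && !causes.include?(name) }
  end
  causes
end

# Option-dependency check from the maintainer's comment above:
# --use-sudo-password is meaningless without --sudo.
def option_warnings(sudo: false, use_sudo_password: false)
  warnings = []
  warnings << "--use-sudo-password has no effect without --sudo" if use_sudo_password && !sudo
  warnings
end

def report(output, **opts)
  option_warnings(**opts) + diagnose(output).map { |c| "#{c}: #{REMEDIATION[c]}" }
end

# Constructed sample, modelled on the output in the original report.
SAMPLE = <<~OUT
  WARN: [SSH] connection failed, terminating (#<Net::SSH::AuthenticationFailed: Authentication failed for user bob@164.90.200.96>)
  error: can't create transaction lock on /var/lib/rpm/.rpm.lock (Permission denied)
  mkdir: cannot create directory '/etc/chef': Permission denied
OUT

puts report(SAMPLE, sudo: false, use_sudo_password: true) if $PROGRAM_NAME == __FILE__
```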

kmf commented Aug 17, 2020

> In order to achieve this, I would prefer to add new --su-user and --su-user-password bootstrap options and send data with current user sessions.

@vsingh-msys would be awesome!

@kvivek1115 kvivek1115 self-assigned this Sep 2, 2020
calwynb commented Sep 2, 2020

Any news/progress on this issue?

kmf commented Sep 3, 2020

@vsingh-msys bump

@kvivek1115 (Contributor)

Hi @calwynb & @kmf, still working on this issue, dealing with challenges regarding opening other user sessions on the inspec/train side; will update soon, thanks!
