[jira] [Commented] (CLOUDSTACK-8339) Allow non-root credentials for adding KVM hypervisor

Sun, 24 May 2015 11:16:58 -0700 

    [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14557815#comment-14557815
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8339:
--------------------------------------------

Github user remibergsma commented on the pull request:

    https://github.com/apache/cloudstack/pull/288#issuecomment-105045696
  
    @bhaisaab, I tested your patch and ran to an issue where a TTY is required 
to run sudo, but not requested. The host cannot be added.
    
    Logs:
    ```
    2015-05-24 13:48:44,175 DEBUG [c.c.u.s.SSHCmdHelper] 
(ApiServer-8:ctx-0b7d379a ctx-5e04fa3a) sudo cloudstack-setup-agent  -m 
192.168.22.61 -z 1 -p 1 -c 1 -g 57acd541-cd37-34ea-af6a-dc6ecd007325 -a 
--pubNic=cloudbr0 --prvNi
    c=cloudbr0 --guestNic=cloudbr0 --hypervisor=kvm output:sudo: sorry, you 
must have a tty to run sudo
    ```
    Because it always uses 'sudo' you cannot add a host as 'root' nor as other 
user. To test:
    
    ```
    [root@cs1 ~]# ssh root@kvm1 sudo whoami
    root@kvm1's password: 
    sudo: sorry, you must have a tty to run sudo
    ```
    
    Two possible solutions:
    1. Specify -t parameter or similar to request a TTY:
    
    ```
    [root@cs1 ~]# ssh -t root@kvm1 sudo whoami
    root@kvm1's password: 
    root
    Connection to kvm1 closed.
    ```
    
    I prefer this solution since we then solve it on the CloudStack side. 
Alternatively, one can remove the TTY requirement from /etc/sudoers file:
    
    ```
    Defaults    requiretty
    ```
    
    I've continued my tests with altering the /etc/sudoers file and then I can 
add the host as user 'root' again, and also as user 'cloud' that I added to the 
/etc/sudoers file to allow it root without a password.
    
    Result:
    
    ```
    [root@kvm2 ~]# ps aux | grep cloud
    root     23044  0.7  0.0 133128  4748 ?        Ss   14:03   0:00 sshd: 
cloud [priv]
    cloud    23048  0.0  0.0 133128  2216 ?        S    14:03   0:00 sshd: 
cloud@notty
    root     23062  0.0  0.0 188720  2588 ?        Ss   14:03   0:00 sudo 
cloudstack-setup-agent -m 192.168.22.61 -z 2 -p 2 -c 3 -g 
57acd541-cd37-34ea-af6a-dc6ecd007325 -a --pubNic=cloudbr0 --prvNic=cloudbr0 
--guestNic=cloudbr0 --hypervisor=kvm
    root     23073  0.8  0.1 199392  9740 ?        S    14:03   0:00 
/usr/bin/python /bin/cloudstack-setup-agent -m 192.168.22.61 -z 2 -p 2 -c 3 -g 
57acd541-cd37-34ea-af6a-dc6ecd007325 -a --pubNic=cloudbr0 --prvNic=cloudbr0 
--guestNic=cloudbr0 --hypervisor=kvm
    ```
    
    Could you see if you can add a TTY request to your 'sudo 
cloudstack-setup-agent' call?
    
    Apart from this: works-like-a-sharm :-)


> Allow non-root credentials for adding KVM hypervisor
> ----------------------------------------------------
>
>                 Key: CLOUDSTACK-8339
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8339
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: KVM
>    Affects Versions: 4.5.0
>            Reporter: Marcus Sorensen
>            Assignee: Marcus Sorensen
>             Fix For: 4.6.0
>
>
> Users prefer to not provide root ssh just to run the hypervisor add from the 
> UI. Testing a fix.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to