D Running cluster reports without root
access #
All cluster nodes must be able to access each other via SSH. Tools like
crm report
(for
troubleshooting) and Hawk2's require
passwordless SSH access between the nodes, otherwise they can only collect
data from the current node.
If your security policy does not allow passwordless root
SSH login,
then running crm report
as root
fails on all remote nodes.
In this case, you can still run cluster reports with one of the following options:
If the cluster was initialized by a non-root user with
sudo
privileges, this user can run cluster reports.If the cluster was initialized by the
root
user, you can create a dedicated non-root user to run cluster reports.
The following procedure describes how to give a non-root user limited privileges so
that it can use sudo
to run crm report
, but
otherwise has no sudo
access.
D.1 Configuring limited sudo
privileges for a non-root user #
The sudo
command allows a regular user to quickly
become root
and issue a command, with or without providing a
password. Sudo access can be given to all root-level commands or to
specific commands only. This procedure describes how to configure sudo
privileges only for the specific commands required to run cluster reports.
Sudo typically uses aliases to define the entire command string.
To configure sudo either use visudo
(not vi) or YaST.
For sudo configuration from command line, you must edit the sudoers file
as root
with visudo
. Using any other editor may
result in syntax or file permission errors that prevent sudo from
running.
A non-root user with no
sudo
privileges. The following procedure uses an example user calledhareport
.The user
hareport
exists on all nodes in the cluster.The user
hareport
can access all other nodes in the cluster via passwordless SSH.
sudo
privileges for a non-root user #Log in as
root
.To open the
/etc/sudoers
file, entervisudo
.Look for the following categories:
Host alias specification
,User alias specification
,Cmnd alias specification
, andRunas alias specification
.Add the following entries to the respective categories in
/etc/sudoers
:Host_Alias CLUSTER = alice,bob,charlie 1 User_Alias HA = hareport 2 Cmnd_Alias HA_ALLOWED = /bin/su, /usr/sbin/crm report*3 Runas_Alias R = root 4
The host alias defines on which server (or range of servers) the sudo user has rights to issue commands. In the host alias you can use DNS names, or IP addresses, or specify an entire network range (for example,
172.17.12.0/24
). To limit the scope of access you should specify the host names for the cluster nodes only.The user alias allows you to add multiple local user accounts to a single alias. However, in this case only one account is being used.
The command alias defines which commands can be executed by the user. This is useful if you need to limit what the non-root user can access when using
sudo
. In this case thehareport
user account needs access to the commandscrm report
andsu
.The
runas
alias specifies the account that the command will be run as, in this caseroot
.Search for the following two lines:
Defaults targetpw ALL ALL=(ALL) ALL
As they would conflict with the setup we want to create, disable them:
#Defaults targetpw #ALL ALL=(ALL) ALL
Look for the
User privilege specification
category. After having defined the aliases above, you can now add the following rule there:HA CLUSTER = (R) NOPASSWD:HA_ALLOWED
The
NOPASSWORD
option ensures that the userhareport
can execute the cluster report without providing a password.(Optional) To allow the user
hareport
to run cluster reports using your local SSH keys, add the following line to theDefaults specification
category. This preserves theSSH_AUTH_SOCK
environment variable, which is required for SSH agent forwarding.Defaults!HA_ALLOWED env_keep+=SSH_AUTH_SOCK
When you log in to a node as the user
hareport
viassh -A
and usesudo
to runcrm report
, your local SSH keys are passed to the node for authentication.
This sudo configuration must be made on all nodes in the cluster. No other changes are needed for sudo and no services need to be restarted.