D Running cluster reports without root
access #
All cluster nodes must be able to access each other via SSH. Tools like
crm report
(for
troubleshooting) and Hawk2's require
passwordless SSH access between the nodes, otherwise they can only collect
data from the current node.
If passwordless SSH root
access does not comply with regulatory
requirements, you can use a work-around for running cluster reports. It
consists of the following basic steps:
Creating a dedicated local user account (for running
crm report
).Configuring passwordless SSH access for that user account, ideally by using a non-standard SSH port.
Configuring
sudo
for that user.Running
crm report
as that user.
By default when crm report
is run, it attempts to
log in to
remote nodes first as root
, then as user
hacluster
. However, if your
local security policy prevents root
login using SSH, the script
execution will fail on all remote nodes. Even attempting to run the script
as user hacluster
will fail
because this is a service account, and its shell is set to
/bin/false
, which prevents login. Creating a
dedicated local user is the only option to successfully run the
crm report
script on
all nodes in the High Availability cluster.
D.1 Creating a local user account #
In the following example, we will create a local user named
hareport
from command line. The
password can be anything that meets your security requirements.
Alternatively, you can create the user account and set the password with
YaST.
Start a shell and create a user
hareport
with a home directory/home/hareport
:#
useradd -m -d /home/hareport -c "HA Report" hareport
Set a password for the user:
#
passwd hareport
When prompted, enter and re-enter a password for the user.
To create the same user account on all nodes, repeat the steps above on each cluster node.
D.2 Configuring a passwordless SSH account #
By default, the SSH daemon and the SSH client talk and listen on port
22
. If your network security guidelines require the
default SSH port to be changed to an alternate high numbered port, you
need to modify the daemon's configuration file
/etc/ssh/sshd_config
.
To modify the default port, search the file for the
Port
line, uncomment it and edit it according to your wishes. For example, set it to:Port 5022
If your organization does not permit the
root
user to access other servers, search the file for thePermitRootLogin
entry, uncomment it and set it tono
:PermitRootLogin no
Alternatively, add the respective lines to the end of the file by executing the following commands:
#
echo “PermitRootLogin no” >> /etc/ssh/sshd_config
#
echo “Port 5022” >> /etc/ssh/sshd_config
After modifying
/etc/ssh/sshd_config
, restart the SSH daemon to make the new settings take effect:#
systemctl restart sshd
Repeat the SSH daemon configuration above on each cluster node.
If the SSH port change is going to be made on all nodes in the cluster,
it is useful to modify the SSH configuration file,
/etc/ssh/sshd_config
.
To modify the default port, search the file for the
Port
line, uncomment it and edit it according to your wishes. For example, set it to:Port 5022
Alternatively, add the respective line to the end of the file by executing the following commands:
#
echo “Port 5022” >> /etc/ssh/ssh_config
The SSH client configuration above is only needed on the node on which you want to run the cluster report.
Alternatively, you can use the -X
option to run the
crm report
with a custom SSH port or even make
crm report
use your custom SSH port by default. For
details, see Procedure D.5, “Generating a cluster report using a custom SSH port”.
You can access other servers using SSH and not be asked for a password. While this may appear insecure at first sight, it is actually a very secure access method since the users can only access servers that their public key has been shared with. The shared key must be created as the user that will use the key.
Log in to one of the nodes with the user account that you have created for running cluster reports (in our example above, the user account was
hareport
).Generate a new key:
hareport >
ssh-keygen –t rsaThis command will generate a 2048 bit key by default. The default location for the key is
~/.ssh/
. You are asked to set a passphrase on the key. However, do not enter a passphrase because for passwordless login there must not be a passphrase on the key.After the keys have been generated, copy the public key to each of the other nodes (including the node where you created the key):
hareport >
ssh-copy-id -i ~/.ssh/id_rsa.pub HOSTNAME_OR_IPIn the command, you can either use the DNS name for each server, an alias, or the IP address. During the copy process you will be asked to accept the host key for each node, and you will need to provide the password for the
hareport
user account (this will be the only time you need to enter it).After the key is shared to all cluster nodes, test if you can log in as user
hareport
to the other nodes by using passwordless SSH:hareport >
ssh HOSTNAME_OR_IPYou should be automatically connected to the remote server without being asked to accept a certificate or enter a password.
If you intend to run the cluster report from the same node each time, it is sufficient to execute the procedure above on this node only. Otherwise repeat the procedure on each node.
D.3 Configuring sudo
#
The sudo
command allows a regular user to quickly
become root
and issue a command, with or without providing a
password. Sudo access can be given to all root-level commands or to
specific commands only. Sudo typically uses aliases to define the entire
command string.
To configure sudo either use visudo
(not vi) or YaST.
For sudo configuration from command line, you must edit the sudoers file
as root
with visudo
. Using any other editor may
result in syntax or file permission errors that prevent sudo from
running.
Log in as
root
.To open the
/etc/sudoers
file, entervisudo
.Look for the following categories:
Host alias specification
,User alias specification
,Cmnd alias specification
, andRunas alias specification
.Add the following entries to the respective categories in
/etc/sudoers
:Host_Alias CLUSTER = alice,bob,charlie 1 User_Alias HA = hareport 2 Cmnd_Alias HA_ALLOWED = /bin/su, /usr/sbin/crm report *3 Runas_Alias R = root 4
The host alias defines on which server (or range of servers) the sudo user has rights to issue commands. In the host alias you can use DNS names, or IP addresses, or specify an entire network range (for example,
172.17.12.0/24
). To limit the scope of access you should specify the host names for the cluster nodes only.The user alias allows you to add multiple local user accounts to a single alias. However, in this case you could avoid creating an alias since only one account is being used. In the example above, we added the
hareport
user which we have created for running cluster reports.The command alias defines which commands can be executed by the user. This is useful if you want to limit what the non-root user can access when using
sudo
. In this case thehareport
user account will need access to the commandscrm report
andsu
.The
runas
alias specifies the account that the command will be run as. In this caseroot
.Search for the following two lines:
Defaults targetpw ALL ALL=(ALL) ALL
As they would conflict with the setup we want to create, disable them:
#Defaults targetpw #ALL ALL=(ALL) ALL
Look for the
User privilege specification
category. After having defined the aliases above, you can now add the following rule there:HA CLUSTER = (R) NOPASSWD:HA_ALLOWED
The
NOPASSWORD
option ensures that the userhareport
can execute the cluster report without providing a password.(Optional) To allow the user
hareport
to run cluster reports using your local SSH keys, add the following line to theDefaults specification
category. This preserves theSSH_AUTH_SOCK
environment variable, which is required for SSH agent forwarding.Defaults!HA_ALLOWED env_keep+=SSH_AUTH_SOCK
When you log into a node as the user
hareport
viassh -A
, and usesudo
to runcrm report
, your local SSH keys are passed to the node for authentication.
This sudo configuration must be made on all nodes in the cluster. No other changes are needed for sudo and no services need to be restarted.
D.4 Generating a cluster report #
To run cluster reports with the settings you have configured above, you need to be logged
in to one of the nodes as user hareport
.
To start a cluster report, use the crm report
command.
For example:
hareport >
sudo crm report -f 0:00 -n "alice bob charlie"
This command will extract all information since 0 am
on the named nodes
and create a *.tar.bz2
archive named
pcmk-DATE.tar.bz2
in
the current directory.
When using a custom SSH port, use the
-X
withcrm report
to modify the client's SSH port. For example, if your custom SSH port is5022
, use the following command:#
crm report -X "-p 5022" [...]
To set your custom SSH port permanently for
crm report
, start the interactive crm shell:#
crm options
Enter the following:
crm(live)options#
set core.report_tool_options "-X -oPort=5022"