documentation.suse.com / SUSE Linux Enterprise High Availability Documentation / Administration Guide / Appendix / Running cluster reports without root access
Applies to SUSE Linux Enterprise High Availability 15 SP5

D Running cluster reports without root access

  

All cluster nodes must be able to access each other via SSH. Tools like crm report (for troubleshooting) and Hawk2's History Explorer require passwordless SSH access between the nodes, otherwise they can only collect data from the current node.

If your security policy does not allow passwordless root SSH login, or prevents root SSH login entirely, then running crm report as root fails on all remote nodes. If the cluster was initialized by a non-root user with sudo privileges, this user can run cluster reports successfully under these restrictions. However, if the cluster was initialized by the root user, you must use the following workaround to run cluster reports:

  1. Creating a dedicated local user account (for running crm report).

  2. Configuring passwordless SSH access for that user account, ideally by using a non-standard SSH port.

  3. Configuring sudo for that user.

  4. Running crm report as that user.

D1 Creating a local user account

  

The following example creates a local user named hareport from command line. The password can be anything that meets your security requirements. Alternatively, you can create the user account and set the password with YaST.

Procedure D1: Creating a dedicated user account for running cluster reports
  

  1. Start a shell and create a user hareport with a home directory /home/hareport : 

    # useradd -m -d /home/hareport -c "HA Report" hareport

  2. Set a password for the user: 

    # passwd hareport

  3. When prompted, enter and re-enter a password for the user.

Important
Important: Same user is required on each cluster node

To create the same user account on all nodes, repeat the steps above on each cluster node.

D2 Configuring a passwordless SSH account

  
Procedure D2: Configuring the SSH daemon for a non-standard port
  

By default, the SSH daemon and the SSH client talk and listen on port 22. If your network security guidelines require the default SSH port to be changed to an alternate high numbered port, you need to modify the daemon's configuration file /etc/ssh/sshd_config.

  1. To modify the default port, search the file for the Port line, uncomment it and edit it according to your wishes. For example, set it to: 

    Port 5022

  2. If your organization does not permit the root user to access other servers, search the file for the PermitRootLogin entry, uncomment it and set it to no: 

    PermitRootLogin no

  3. Alternatively, add the respective lines to the end of the file by executing the following commands: 

    # echo “PermitRootLogin no” >> /etc/ssh/sshd_config
# echo “Port 5022” >> /etc/ssh/sshd_config

  4. After modifying /etc/ssh/sshd_config, restart the SSH daemon to make the new settings take effect: 

    # systemctl restart sshd
Important
Important: Same settings are required on each cluster node

Repeat the SSH daemon configuration above on each cluster node.

Procedure D3: Configuring the SSH client for a non-standard port
  

If the SSH port change is going to be made on all nodes in the cluster, it is useful to modify the SSH configuration file, /etc/ssh/sshd_config.

  1. To modify the default port, search the file for the Port line, uncomment it and edit it according to your wishes. For example, set it to: 

    Port 5022

  2. Alternatively, add the respective line to the end of the file by executing the following commands: 

    # echo “Port 5022” >> /etc/ssh/ssh_config
Note
Note: Settings only required on one node

The SSH client configuration above is only needed on the node on which you want to run the cluster report.

Alternatively, you can use the -X option to run the crm report with a custom SSH port or even make crm report use your custom SSH port by default. For details, see Procedure D5, “Generating a cluster report using a custom SSH port”.

Procedure D4: Configuring shared SSH keys
  

You can access other servers using SSH and not be asked for a password. While this may appear insecure, it is actually a secure access method since the users can only access servers that their public key has been shared with. The shared key must be created as the user that will use the key.

  1. Log in to one of the nodes with the user account that you have created for running cluster reports (in our example above, the user account was hareport).

  2. Generate a new key: 

    hareport > ssh-keygen -t rsa

    This command generates a 2048 bit key by default. The default location for the key is ~/.ssh/. You are asked to set a passphrase on the key. However, do not enter a passphrase because for passwordless login there must not be a passphrase on the key.

  3. After the keys have been generated, copy the public key to each of the other nodes (including the node where you created the key): 

    hareport > ssh-copy-id -i ~/.ssh/id_rsa.pub HOSTNAME_OR_IP

    In the command, you can either use the DNS name for each server, an alias, or the IP address. During the copy process you will be asked to accept the host key for each node, and you will need to provide the password for the hareport user account (this will be the only time you need to enter it).

  4. After the key is shared to all cluster nodes, test if you can log in as user hareport to the other nodes by using passwordless SSH: 

    hareport > ssh HOSTNAME_OR_IP

    You should be automatically connected to the remote server without being asked to accept a certificate or enter a password.

Note
Note: Settings only required on one node

If you intend to run the cluster report from the same node each time, it is sufficient to execute the procedure above on this node only. Otherwise repeat the procedure on each node.

D3 Configuring sudo

  

The sudo command allows a regular user to quickly become root and issue a command, with or without providing a password. Sudo access can be given to all root-level commands or to specific commands only. Sudo typically uses aliases to define the entire command string.

To configure sudo either use visudo (not vi) or YaST.

Warning
Warning: Do not use vi

For sudo configuration from command line, you must edit the sudoers file as root with visudo. Using any other editor may result in syntax or file permission errors that prevent sudo from running.

  1. Log in as root.

  2. To open the /etc/sudoers file, enter visudo.

  3. Look for the following categories: Host alias specification,User alias specification, Cmnd alias specification, and Runas alias specification.

  4. Add the following entries to the respective categories in /etc/sudoers: 

    Host_Alias	CLUSTER = alice,bob,charlie 1
User_Alias HA = hareport 2
Cmnd_Alias HA_ALLOWED = /bin/su, /usr/sbin/crm report *3
Runas_Alias R = root 4

    1

    The host alias defines on which server (or range of servers) the sudo user has rights to issue commands. In the host alias you can use DNS names, or IP addresses, or specify an entire network range (for example, 172.17.12.0/24). To limit the scope of access you should specify the host names for the cluster nodes only.

    2

    The user alias allows you to add multiple local user accounts to a single alias. However, in this case you could avoid creating an alias since only one account is being used. In the example above, we added the hareport user which we have created for running cluster reports.

    3

    The command alias defines which commands can be executed by the user. This is useful if you want to limit what the non-root user can access when using sudo. In this case the hareport user account will need access to the commands crm report and su.

    4

    The runas alias specifies the account that the command will be run as. In this case root.

  5. Search for the following two lines:

    Defaults targetpw
ALL     ALL=(ALL) ALL

    As they would conflict with the setup we want to create, disable them:

    #Defaults targetpw
#ALL     ALL=(ALL) ALL

  6. Look for the User privilege specification category. After having defined the aliases above, you can now add the following rule there:

    HA	CLUSTER = (R) NOPASSWD:HA_ALLOWED

    The NOPASSWORD option ensures that the user hareport can execute the cluster report without providing a password.

  7. (Optional) To allow the user hareport to run cluster reports using your local SSH keys, add the following line to the Defaults specification category. This preserves the SSH_AUTH_SOCK environment variable, which is required for SSH agent forwarding. 

    Defaults!HA_ALLOWED env_keep+=SSH_AUTH_SOCK

    When you log in to a node as the user hareport via ssh -A and use sudo to run crm report, your local SSH keys are passed to the node for authentication.

    Note
    Note: SSH agent forwarding for crm report only

    SSH agent forwarding is only supported for crm report, not for any other crmsh functions.

Important
Important: Same sudo configuration is required on each cluster node

This sudo configuration must be made on all nodes in the cluster. No other changes are needed for sudo and no services need to be restarted.

D4 Generating a cluster report

  

To run cluster reports with the settings you have configured above, you need to be logged in to one of the nodes as user hareport. To start a cluster report, use the crm report command. For example: 

hareport > sudo crm report -f 0:00 -n "alice bob charlie"

This command extracts all information since 0 am on the named nodes and create a *.tar.bz2 archive named pcmk-DATE.tar.bz2 in the current directory.

Procedure D5: Generating a cluster report using a custom SSH port
  

  1. When using a custom SSH port, use the -X with crm report to modify the client's SSH port. For example, if your custom SSH port is 5022, use the following command:

    # crm report -X "-p 5022" [...]

  2. To set your custom SSH port permanently for crm report, start the interactive CRM Shell:

    # crm options

  3. Enter the following: 

    crm(live)options#  set core.report_tool_options "-X -oPort=5022"