Jira (PUP-5808) puppet via sudo from nfs home is not working

[Adam Winberg (JIRA)]

Adam Winberg created an issue

Puppet / PUP-5808 puppet via sudo from nfs home is not working Issue Type: Bug Affects Versions: PUP 3.8.4 Assignee: Kylo Ginsberg Components: Types and Providers Created: 2016/02/03 8:07 AM Environment: RHEL7.2, RHEL6.7 puppet-3.8.4-1.el7.noarch, puppet-3.8.4-1.el6.noarch Priority: Normal Reporter: Adam Winberg We use NFS mounted home directories for all our users. If a sysadmin or devop wants to trigger a puppet agent run via sudo, he/she must change dir from the nfs home directory to a local directory, otherwise the puppet run will fail. This is nothing new, but I'd like to know if it is intended behaviour or if it is something that could be fixed. So, running an strace on the puppet agent run, I see that puppet executes repeatedly executes a 'chdir' to the cwd. These chdirs are typically performed before a stat operation to get the correct path for a provider (i.e. /usr/bin/mount or /usr/local/sbin/mount). When running via sudo from my homedir, this fails since root has no permissions to enter that directory. I can work around this by cd'ing to a local dir before running 'sudo puppet', or invoking sudo with the '-i' flag, but to make it failsafe for our devops it would be better if they didnt have to think about that. I would suggest to use the default tempdir of the system (linux=/tmp) instead of the cwd for these chdir operations. But I probably fail to see the complete picture. Outtake from strace log: chdir("/home/a001329") = -1 EACCES (Permission denied) write(2, "\33[1;31mError: /Stage[pre]/Core::"..., 137^[[1;31mError: /Stage[pre]/Core::Users::Update_root_pw/Exec[set_grub2_password]: Could not evaluate: Permission denied - /home/a001329^[[0m) = 137 write(2, "\n", 1 ) = 1 sendto(7, "<27>Feb 3 11:48:42 puppet-agent"..., 161, MSG_NOSIGNAL, NULL, 0) = 161 write(1, "\33[mNotice: /Stage[pre]/Core::Use"..., 131^[[mNotice: /Stage[pre]/Core::Users::Update_root_pw/Exec[grub2-mkconfig]: Dependency Exec[set_grub2_password] has failures: true^[[0m) = 131 write(1, "\n", 1 ) = 1 sendto(7, "<29>Feb 3 11:48:42 puppet-agent"..., 158, MSG_NOSIGNAL, NULL, 0) = 158 write(2, "\33[1;31mWarning: /Stage[pre]/Core"..., 121^[[1;31mWarning: /Stage[pre]/Core::Users::Update_root_pw/Exec[grub2-mkconfig]: Skipping because of failed dependencies^[[0m) = 121 write(2, "\n", 1 ) = 1 sendto(7, "<28>Feb 3 11:48:42 puppet-agent"..., 143, MSG_NOSIGNAL, NULL, 0) = 143 stat("/usr/bin/useradd", 0x7ffd573a3f70) = -1 ENOENT (No such file or directory) stat("/bin/useradd", 0x7ffd573a3f70) = -1 ENOENT (No such file or directory) stat("/usr/sbin/useradd", {st_mode=S_IFREG|0750, st_size=114064, ...}) = 0 stat("/usr/sbin/useradd", {st_mode=S_IFREG|0750, st_size=114064, ...}) = 0 Add Comment

This message was sent by Atlassian JIRA (v6.4.12#64027-sha1:e3691cc)

[Adam Winberg (JIRA)]

Adam Winberg updated an issue

Puppet / PUP-5808 puppet via sudo from nfs home is not working

Change By: Adam Winberg

We use NFS mounted home directories for all our users. If a sysadmin or devop wants to trigger a puppet agent run via sudo, he/she must change dir from the nfs home directory to a local directory, otherwise the puppet run will fail.  This is nothing new, but I'd like to know if it is intended behaviour or if it is something that could be fixed.  So, running an strace on the puppet agent run, I see that puppet  executes

repeatedly executes a 'chdir' to the cwd. These chdirs are typically performed before a stat operation to get the correct path for a provider (i.e. /usr/bin/mount or /usr/local/sbin/mount). When running via sudo from my homedir, this fails since root has no permissions to enter that directory.

I can work around this by cd'ing to a local dir before running 'sudo puppet', or invoking sudo with the '-i' flag, but to make it failsafe for our devops it would be better if they didnt have to think about that. I would suggest to use the default tempdir of the system (linux=/tmp) instead of the cwd for these chdir operations. But I probably fail to see the complete picture.  Outtake from strace log:

{noformat}

chdir("/home/a001329")                  = -1 EACCES (Permission denied) write(2, "\33[1;31mError: /Stage[pre]/Core::"..., 137^[[1;31mError: /Stage[pre]/Core::Users::Update_root_pw/Exec[set_grub2_password]: Could not evaluate: Permission denied - /home/a001329^[[0m) = 137 write(2, "\n", 1 )                       = 1 sendto(7, "<27>Feb  3 11:48:42 puppet-agent"..., 161, MSG_NOSIGNAL, NULL, 0) = 161 write(1, "\33[mNotice: /Stage[pre]/Core::Use"..., 131^[[mNotice: /Stage[pre]/Core::Users::Update_root_pw/Exec[grub2-mkconfig]: Dependency Exec[set_grub2_password] has failures: true^[[0m) = 131 write(1, "\n", 1 )                       = 1 sendto(7, "<29>Feb  3 11:48:42 puppet-agent"..., 158, MSG_NOSIGNAL, NULL, 0) = 158 write(2, "\33[1;31mWarning: /Stage[pre]/Core"..., 121^[[1;31mWarning: /Stage[pre]/Core::Users::Update_root_pw/Exec[grub2-mkconfig]: Skipping because of failed dependencies^[[0m) = 121 write(2, "\n", 1 )                       = 1 sendto(7, "<28>Feb  3 11:48:42 puppet-agent"..., 143, MSG_NOSIGNAL, NULL, 0) = 143 stat("/usr/bin/useradd", 0x7ffd573a3f70) = -1 ENOENT (No such file or directory) stat("/bin/useradd", 0x7ffd573a3f70)    = -1 ENOENT (No such file or directory) stat("/usr/sbin/useradd", {st_mode=S_IFREG|0750, st_size=114064, ...}) = 0 stat("/usr/sbin/useradd", {st_mode=S_IFREG|0750, st_size=114064, ...}) = 0

{noformat}

Add Comment

[Adam Winberg (JIRA)]

Adam Winberg updated an issue

Puppet / PUP-5808 puppet via sudo from nfs home is not working Change By: Adam Winberg

We use NFS mounted home directories for all our users. If a sysadmin or devop wants to trigger a puppet agent run via sudo, he/she must change dir from the nfs home directory to a local directory, otherwise the puppet run will fail.  This is nothing new, but I'd like to know if it is intended behaviour or if it is something that could be fixed.

So, running an strace on the puppet agent run, I see that puppet repeatedly executes a 'chdir' to the cwd. These chdirs are typically performed before a stat operation to get the correct path for a provider (i.e. /usr/bin/mount or /usr/local/sbin/mount). When running via sudo from my homedir, this fails since root has no permissions to enter that directory.  I can work around this by cd'ing to a local dir before running 'sudo puppet', or invoking sudo with the '-i' flag, but to make it failsafe for our devops it would be better if they didnt have to think about that. I would suggest to use the default tempdir of the system (linux=/tmp) instead of the cwd for these chdir operations . But , but  I  probably  might  fail to see the complete picture.

Outtake from strace log: {noformat} chdir("/home/a001329")                  = -1 EACCES (Permission denied) write(2, "\33[1;31mError: /Stage[pre]/Core::"..., 137^[[1;31mError: /Stage[pre]/Core::Users::Update_root_pw/Exec[set_grub2_password]: Could not evaluate: Permission denied - /home/a001329^[[0m) = 137 write(2, "\n", 1 )                       = 1 sendto(7, "<27>Feb  3 11:48:42 puppet-agent"..., 161, MSG_NOSIGNAL, NULL, 0) = 161 write(1, "\33[mNotice: /Stage[pre]/Core::Use"..., 131^[[mNotice: /Stage[pre]/Core::Users::Update_root_pw/Exec[grub2-mkconfig]: Dependency Exec[set_grub2_password] has failures: true^[[0m) = 131 write(1, "\n", 1 )                       = 1 sendto(7, "<29>Feb  3 11:48:42 puppet-agent"..., 158, MSG_NOSIGNAL, NULL, 0) = 158 write(2, "\33[1;31mWarning: /Stage[pre]/Core"..., 121^[[1;31mWarning: /Stage[pre]/Core::Users::Update_root_pw/Exec[grub2-mkconfig]: Skipping because of failed dependencies^[[0m) = 121 write(2, "\n", 1 )                       = 1 sendto(7, "<28>Feb  3 11:48:42 puppet-agent"..., 143, MSG_NOSIGNAL, NULL, 0) = 143 stat("/usr/bin/useradd", 0x7ffd573a3f70) = -1 ENOENT (No such file or directory) stat("/bin/useradd", 0x7ffd573a3f70)    = -1 ENOENT (No such file or directory) stat("/usr/sbin/useradd", {st_mode=S_IFREG|0750, st_size=114064, ...}) = 0 stat("/usr/sbin/useradd", {st_mode=S_IFREG|0750, st_size=114064, ...}) = 0 {noformat}

Add Comment

[Adam Winberg (JIRA)]

Adam Winberg commented on PUP-5808

Re: puppet via sudo from nfs home is not working Any comments on this? Seems like we are the only ones affected by this 'bug'...

Add Comment

This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)

[R.I.Pienaar (JIRA)]

R.I.Pienaar commented on PUP-5808

Re: puppet via sudo from nfs home is not working

Adam Winberg always better to show the .pp code whenever puppet tells you its failing on some specific .pp code.

Add Comment

[Adam Winberg (JIRA)]

Adam Winberg commented on PUP-5808

Re: puppet via sudo from nfs home is not working

R.I.Pienaar Not sure what you mean. Puppet is not failing on some specific code, it's failing because I run it via sudo from a directory which root does not have permission to (nfs in this case).

Add Comment

[R.I.Pienaar (JIRA)]

R.I.Pienaar commented on PUP-5808

Re: puppet via sudo from nfs home is not working

/Stage[pre]/Core::Users::Update_root_pw/Exec[set_grub2_password]: Could not evaluate: Permission denied - /home/a001329 it's failing on Core::Users::Update_root_pw which is some kind of exec. Or are you saying every single resource type of every resource you have in your catalog fails in this manner?

Add Comment

[Adam Winberg (JIRA)]

Adam Winberg commented on PUP-5808

Re: puppet via sudo from nfs home is not working

ah, ok - yes, it fails repeatedly, not only for this resource. Sorry for the confusion. It fails since puppet tries to do 'chdir(cwd)' (which is not in my exec resource code) and the current working directory is unavailable for the root user. I should mention that i tried changing the 'cwd' parameter to the exec resource before I discovered that this was not caused by the exec resource in itself and also affected other resources. It should be easily reproduced by running puppet via sudo from a nfs share (make sure no_root_squash is not set).

Add Comment

[R.I.Pienaar (JIRA)]

R.I.Pienaar commented on PUP-5808

Re: puppet via sudo from nfs home is not working

Adam Winberg ok, yeah that's what I wanted to determine, thanks. Well I've not seen anyone else complain about this but likewise I am not a Puppet dev so was just curious to see if we can get more info about the scenario maybe it rings bells to others

Add Comment

[Henrik Lindberg (JIRA)]

Henrik Lindberg updated an issue

Puppet / PUP-5808

puppet via sudo from nfs home is not working

Change By: Henrik Lindberg Scrum Team: Client Platform

Add Comment

[Adam Winberg (JIRA)]

Adam Winberg commented on PUP-5808

Re: puppet via sudo from nfs home is not working Since our users keep getting hit by this I've done some more digging. The 'problem' lies in the ruby code for the exec resource - puppet/lib/puppet/provider/exec.rb In the 'run' method the method 'checkexe' is called to verify existence of the executable. This code fails if you are running puppet via sudo standing in a directory where root has no permissions - for example an nfs mounted home directory. The reason for this, I'm guessing, is that 'checkexe' uses system calls which inherently tries to operate on the cwd. Setting the 'cwd' parameter for the exec resource in my puppet code has no effect, since the 'chdir' to cwd in puppet/lib/puppet/provider/exec.rb happens after the check_exe call. If I do a Dir.chdir "/tmp" before the 'checkexe' call, everything works as expected. So, to resolve this, which I would consider a bug, I would propose to implement a chdir to a tmp directory on the filesystem before anything else in the run method in puppet/lib/puppet/provider/exec.rb. Any thoughts on this?

Add Comment

[Thomas Mueller (JIRA)]

Thomas Mueller commented on PUP-5808

Re: puppet via sudo from nfs home is not working

I've also seen this failure. we allow every user to trigger a puppet run with sudo. if I'm in the nfs-mounted homedir - where root has no access - I also see puppet runs failing. workaround is to switch cwd to something root-accessible. like cd /; sudo puppet agent -t

Add Comment

[Henrik Lindberg (JIRA)]

Henrik Lindberg updated an issue

Puppet / PUP-5808

puppet via sudo from nfs home is not working

Change By: Henrik Lindberg Labels: triaged

Add Comment

[Henrik Lindberg (JIRA)]

Henrik Lindberg assigned an issue to Unassigned

Puppet / PUP-5808 puppet via sudo from nfs home is not working

Change By: Henrik Lindberg Assignee: Kylo Ginsberg

Add Comment

[Henrik Lindberg (JIRA)]

Henrik Lindberg updated an issue

Puppet / PUP-5808 puppet via sudo from nfs home is not working

Change By: Henrik Lindberg Team: Agent

Add Comment

[James Ralston (JIRA)]

James Ralston commented on PUP-5808

Re: puppet via sudo from nfs home is not working For posterity: the issue with the exec resource failing due to receiving EACCES when attempting to call chdir() to the cwd was resolved as a (perhaps intentional) side-effect of changes made to how the exec resource is implemented. (In essence, Puppet now calls chdir() in the child process it forks to perform the exec, not in the parent process.) But the root cause of this issue—that it is never safe to call chdir() except in a child process—is not completely resolved. See PUP-9997 for details.

Add Comment

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

[James Ralston (JIRA)]

James Ralston updated an issue

Puppet / PUP-5808

puppet via sudo from nfs home is not working

From digging, it was PUP-6919 (specifically, commit ebb57c3e) that rewrote the exec resource to have the child process call Dir.chdir(). Puppet 5.5.7 was the first version to contain the fix. Change By: James Ralston Fix Version/s: PUP 5.5.7

Add Comment