Re: [rundeck] Re: sudo su functionality needed for use Rundeck in my environment

[Moses Lei]

You need a pseudo-tty in order to run sudo.

Try setting this in your /var/rundeck/projects/PROJECTNAME/etc/project.properties:

service.NodeExecutor.default.provider=script-exec

plugin.script-exec.default.command=ssh -oStrictHostKeyChecking\=no -tt ${node.username}@${node.hostname} ${exec.command}

This will enable a tty when using ssh (using openssh options).

You might get a spurious message "tcgetattr: Invalid argument". This is harmless, ssh just complains when you allocate a tty if the parent process doesn't have one.

Moses

--
Moses Lei
[ Professional Services | DTO Solutions, Inc. ]
[ mobile: +1 703.901.5969 | e-mail: ml...@dtosolutions.com | aim/gtalk: ml...@controltier.com | yahoo: moseslei | windows live (msn): ml...@dtosolutions.com ]

On Wed, Mar 13, 2013 at 2:20 PM, Sathish babu <sathis...@gmail.com> wrote:

Hi
I'm wondering if you get a way to resolve this issue. if yes please post resolution steps. Thanks

Regards
Sathish

--
You received this message because you are subscribed to the Google Groups "rundeck-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rundeck-discu...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[pwh...@smartbrief.com]

Hi Guys!

I am having a similar issue and still am coming up short after reading over the docs, stack, and looking through this google group. I'm trying to run a command that requires sudo, but the tty thing is blocking me. We considered just doing the !requiretty route in the sudoers file, but the pseudo-tty route seems much better for us (also am I blind, or is there little or no information about enabling pseudo-tty in the rundeck docs?).

The two lines Moses posted didn't fix my problem and I am pretty sure it's because my config is slightly different. Here is what I have going on:

My project.properties file specifies jsch-ssh, so I tried just adjusting the lines Moses provided to use that instead of script-exec (since script-exec does not appear in the file, but jsch-ssh appears in it's place). so my two lines looked like this:

service.NodeExecutor.default.provider=jsch-ssh

plugin.jsch-ssh.default.command=ssh -oStrictHostKeyChecking\=no -tt ${node.username}@${node.hostname} command

Is that not what I'm supposed to do?

Also, can I specify this in the project.properties file in /etc/rundeck to enforce it across all rundeck projects?

Thanks so much!!

Patrick

[Moses Lei]

jsch-ssh doesn't use the OpenSSH binary, unfortunately, so that solution doesn't work. And I'm not aware of any way to make jsch allocate a pseudo-tty. Try it with script-exec-- that simply calls the OpenSSH on your system, see if that solves your issue.

Moses

--

Moses Lei

Principal, Village Chime LLC

mobile: +1 703 901 5969 | skype: moseslei | yahoo: moseslei

For more options, visit https://groups.google.com/d/optout.

[brian mullan]

thanks for posting this as I'm facing the same problem with a use-case that needs the execution with "sudo".

I would think this should be a common need by users of Rundeck ?  

Brian



On Wednesday, December 12, 2012 3:36:39 PM UTC-5, Bruno Rogério de Moura wrote:

Hello

I'm new with Rundeck and completely amezed with it and I'm trying to execute a job and my scenario is detailed bellow:

- Rundeck is configured with ssh password less authentication for user master.between node Server (rundeck server) and node Target (remote Solaris host)

for user "master"

- In node Target I want to execute a script /app/acme/stopApp.sh with a user appmanager

- Normally and manually, when I need to run script above I proceed with 

   ssh master@server 

   sudo su - appmanager

   or simply 

   ssh -t master@server 'sudo su - appmanager'

   works without password and finally run (as appmanager)

   /app/acme/stopApp.sh

But I'm not realize how can I reproduce these steps using Rundeck. I read in some previous 

messages that for each job line rundeck use a new ssh connection, so the workflow bellow 

always fails for me with the messages:

sudo: no tty present and no askpass program specified

Remote command failed with exit status 1

Please someone could help me with some information to solve this issue.

Without this functionality I wouldn't be able to introduce a little DevOps

in my department.

I read the user guide and admin guide but I couldn't find an easy example,

neither in this forum, to follow.

I will appreciate your help.      

[brian mullan]

I was facing the same problem and for my use-case I think I resolved it.

I am using Ubuntu 14.04 and LXC (linux containers).

I created an lxc container called "rundeck" and installed rundeck into it along with other components I utilize.

in that container I edited the sudoers file

$ sudo visudo

Add this line at the end:

rundeck ALL=(ALL) NOPASSWD: ALL

Ctrl-X to leave, save your changes, and you're done!

Now when I access Rundeck from my host OS by pointing to the IP of the LXC container (10.0.3.x:4440) & the port I login

I can create and run a job which has commands that require SUDO such as:

sudo apt-get update

Since Rundeck executes those commands as the RUNDECK user and I've modified the RUNDECK user as requiring No Password for Sudo commands this now works for me.

Obviously, because the "rundeck" user now has sudo privileges on the target machine (an lxc container on the same host in my case) those sudo commands now work correct but now care has to be given to security of access to the Admin account on Rundeck so only a sysadmin/root of the Linux host(s) is an Admin of Rundeck... that way only authorized sudo use can be maintained.

[Sunil Tantry]

Hello All,

Is there a way to make rundeck work without the NOPASSWS:ALL option.

Due to security requirements, we are not allowed to have this option in our sudoers file.

what i wish to use is ssh -t username@server sudo su - root command

Please assist.