How to set up Remote Execution using a non-root user on RHEL systems connected to Red Hat Satellite 6?
Environment
- Red Hat Satellite 6
Issue
- How to set up Remote Execution using a non-root user on a RHEL system connected to Red Hat Satellite 6?
Resolution
- On the client machine, create a user and add the account to the sudoers file.
    [root@client ~]# useradd rexuser
    [root@client ~]# passwd rexuser
    [root@client ~]# echo "rexuser ALL=NOPASSWD: ALL" | tee -a /etc/sudoers.d/rexuser
- If you want to restrict the sudo user to the minimum set of programs it needs, follow this solution.
- Check if rexuser can run the sudo commands without a password.
    [root@client ~]# su - rexuser
    [rexuser@client ~]# sudo yum install tree
- Copy the foreman-proxy public key to the rexuser account on client.example.com.
    [root@satellite ~]# ssh-copy-id -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy.pub rexuser@client.example.com
- Now check if rexuser can execute the sudo commands without any password prompt, using the id_rsa_foreman_proxy private key from the Satellite server.
    [root@satellite ~]# ssh -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy rexuser@client.example.com 'sudo yum repolist'
- If the foreman-proxy user can execute commands, add the following parameter to the client host from the Satellite Server.
    Satellite webUI >> Hosts >> All Hosts >> Edit the client.example.com >> Parameters tab >> Add Parameter >> Specify Name as remote_execution_ssh_user and set its value to rexuser >> click Submit
- The same can be done through hammer for individual clients:
    # hammer host list | grep client.example.com
  Note the id from the output and run:
    # hammer host set-parameter --host-id=XX --name='remote_execution_ssh_user' --parameter-type='string' --value='rexuser'
  Replace XX with the id from the previous output.
- Please note that the parameter remote_execution_ssh_user can also be set by Host Group, Operating System, Domain, Location, or Organization, as well as globally.
- Now Remote Execution jobs can be scheduled using a non-root user.
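The sudoers step above appends the rule with tee -a, so a rerun duplicates the line and nothing checks the file before sudo reads it. As an added example (not part of the original article), this shell function installs the same rule after a visudo syntax check, with mode 0440 and an atomic rename; the function name and the staging file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. The function name
# write_rex_sudoers and the staging file name are hypothetical.

# write_rex_sudoers USER [DIR]
# Writes "USER ALL=NOPASSWD: ALL" (the rule used in the article) to DIR/USER.
write_rex_sudoers() {
    user=$1
    dir=${2:-/etc/sudoers.d}

    # sudo skips drop-in files whose name contains "." or ends in "~", so a
    # user name such as "rex.user" would yield a rule that is never loaded.
    case $user in
        ''|*[!A-Za-z0-9_-]*) echo "unsupported user name: $user" >&2; return 2 ;;
    esac

    # Stage in a dot-file in the same directory: sudo ignores it while it is
    # being checked, and the final mv is an atomic rename.
    tmp=$(mktemp "$dir/.rex-sudoers.XXXXXX") || return 1
    printf '%s ALL=NOPASSWD: ALL\n' "$user" > "$tmp"

    # Syntax-check before activation; a broken file in sudoers.d can make
    # sudo refuse to run at all.
    if command -v visudo >/dev/null 2>&1; then
        if ! visudo -cf "$tmp" >/dev/null 2>&1; then
            rm -f "$tmp"
            echo "sudoers syntax check failed" >&2
            return 1
        fi
    fi

    chmod 0440 "$tmp" && mv -f "$tmp" "$dir/$user"
}

# Run as root on the client: sh write_rex_sudoers.sh rexuser
if [ "$#" -gt 0 ]; then
    write_rex_sudoers "$@"
fi
```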
On Red Hat Satellite 6.4 and above:
- Remote execution is possible without deploying the SSH keys and without setting NOPASSWD in the sudoers file. If the private key is guarded by a password, that too can be specified during the REX operation through the remote job's advanced fields.
- When scheduling a job, click on Display advanced fields >> specify the options Effective user, Password and Sudo password, which should allow the REX job to be completed without configuring SSH keys or NOPASSWD in the sudoers file.
- To set the SSH user and Effective user globally, change the respective parameters from the Administer >> Settings >> Remote Execution tab, or use the following hammer commands:
    [root@satellite ~]# hammer settings set --name remote_execution_ssh_user --value rexuser
    [root@satellite ~]# hammer settings set --name remote_execution_effective_user --value root
- Note: When running Ansible roles on a client as a non-root user, Ansible will not work if you set the SSH user and Effective user to the same user, because Ansible allows you to 'become' another user, different from the user that logged into the machine (remote user). For more information, refer to this article.
- Configure the satellite remote execution to use SSH key other than foreman-proxy SSH key
Video : Overview of Red Hat Satellite Remote Execution
For more KB articles/solutions related to Red Hat Satellite 6.x Remote Execution Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Remote Execution Issues