How to setup Remote Execution using non-root user on RHEL systems connected to Red Hat Satellite 6?

Resolution

• On the client machine, create a user and add the account to sudoers file.

  [root@client ~]# useradd rexuser
  [root@client ~]# passwd rexuser
  [root@client ~]# echo "rexuser   ALL=NOPASSWD:   ALL" | tee -a /etc/sudoers.d/rexuser
  

• If you want to restrict the sudo user to as minimal programs to be granted, follow this solution

• Check if rexuser can run the sudo commands without password.

  [root@client ~]# su - rexuser
  [rexuser@client ~]# sudo yum install tree
  

• Copy over the foreman-proxy public key under rexuser account on client.example.com

  [root@satellite ~]# ssh-copy-id -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy.pub rexuser@client.example.com
  

• Now check if rexuser can execute the sudo commands without requiring any password interactions, using id_rsa_foreman_proxy private key from Satellite server

  [root@satellite ~]# ssh -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy rexuser@client.example.com 'sudo yum repolist'
  

• If foreman-proxy user can execute commands, then add the following parameter to the client host from the Satellite Server.
  Satellite webUI >> Hosts >> All Hosts >> Edit the client.example.com >> Parameters tab >> Add Parameter >> Specify Name as remote_execution_ssh_user and set its value to rexuser >> click Submit

• The same can be done through hammer for individual clients:

  # hammer host list | grep client.example.com
  

  Note the id from the output and run:

  # hammer host set-parameter --host-id=XX --name='remote_execution_ssh_user' --parameter-type='string' --value='rexuser'
  

  Replace XX with the id from the previous output.

• Please note that parameter remote_execution_ssh_user can also be set by Host Group, Operating System, Domain, Location, or Organization as well as globally. E.g:

  • Globally: Go to Administer > Settings > Tab "Remote Execution" > Set "SSH User"
  • Organization: Go to Administer > Organizations > Select an Organization > Parameters > Add Parameter "remote_execution_ssh_user"

• Now Remote Execution jobs can be scheduled using a non-root user.

On Red Hat Satellite 6.4 and above:

• Remote execution is possible without deploying the SSH keys, no requirement to set NOPASSWD in sudoers file and also if private key is guarded by a password, that too can be specified during the REX operation through Remote Job Advanced fields.

• When executing scheduling a job, click on Display advanced fields >> specify the options Effective user, Password and Sudo password, which should allow REX job to be completed configuring SSH keys or NOPASSWD in sudoers file.

• To set SSH user and Effective user globally, change the respective parameters from Administer >> Settings >> Remote Execution tab or using the following hammer commands

  [root@satellite ~]# hammer settings set --name remote_execution_ssh_user --value rexuser
  [root@satellite ~]# hammer settings set --name remote_execution_effective_user --value root
  

• Note: When running Ansible roles on a client using non root user in this case if you set the SSH user and Effective user as the same user then Ansible will not work because Ansible allows you to ‘become’ another user, different from the user that logged into the machine (remote user). For more information refer this article.

• Configure the satellite remote execution to use SSH key other than foreman-proxy SSH key

Video : Overview of Red Hat Satellite Remote Execution

For more KB articles/solutions related to Red Hat Satellite 6.x Remote Execution Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Remote Execution Issues