- Red Hat Satellite 6
- How to set up Remote Execution using a non-root user on a RHEL system connected to Red Hat Satellite 6?
On the client machine, create a user and add the account to the sudoers configuration.
[root@client ~]# useradd rexuser
[root@client ~]# passwd rexuser
[root@client ~]# echo "rexuser ALL=NOPASSWD: ALL" | tee -a /etc/sudoers.d/rexuser
In case you only need this rexuser to run yum related commands and nothing else, you may use:
# echo "%rexuser ALL = NOPASSWD: /usr/bin/yum *, /var/tmp/foreman-ssh-cmd*/script" | tee -a /etc/sudoers.d/rexuser
rexuser can run the sudo commands without a password.
[root@client ~]# su - rexuser
[rexuser@client ~]# sudo yum install tree
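To review what a drop-in such as /etc/sudoers.d/rexuser actually grants, the following added example (not part of the original article or of Satellite) classifies each NOPASSWD rule as unrestricted, wildcard or fixed-command. The function name classify_sudoers and the third sample rule are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): classify the NOPASSWD rules in a
# sudoers drop-in such as /etc/sudoers.d/rexuser.
# Output per rule: "<user-or-%group> <UNRESTRICTED|WILDCARD|FIXED> <command list>"
# Exit status is 1 if any rule grants NOPASSWD: ALL, otherwise 0.
# Limitation: backslash-continued lines and Cmnd_Alias expansion are not handled.
classify_sudoers() {
  awk '
    BEGIN { bad = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments, #include lines, blanks
    /NOPASSWD[ \t]*:/ {
      who = $1
      cmds = $0
      sub(/^.*NOPASSWD[ \t]*:[ \t]*/, "", cmds)   # keep only the command list
      sub(/[ \t]+$/, "", cmds)
      n = split(cmds, item, /[ \t]*,[ \t]*/)
      kind = "FIXED"
      for (i = 1; i <= n; i++) {
        if (item[i] == "ALL") { kind = "UNRESTRICTED"; break }
        # sudoers wildcards match arbitrary arguments or path components
        if (item[i] ~ /[*?]/) kind = "WILDCARD"
      }
      if (kind == "UNRESTRICTED") bad = 1
      print who, kind, cmds
    }
    END { exit bad }
  ' "$@"
}

# Demo input: the two rules from this article plus one constructed fixed-command rule.
classify_sudoers <<'EOF' || echo "review: unrestricted passwordless sudo present"
rexuser ALL=NOPASSWD: ALL
%rexuser ALL = NOPASSWD: /usr/bin/yum *, /var/tmp/foreman-ssh-cmd*/script
rexuser ALL=(root) NOPASSWD: /usr/bin/yum repolist
EOF
```

On a client, call it as classify_sudoers /etc/sudoers.d/rexuser, and run visudo -cf /etc/sudoers.d/rexuser first to confirm the drop-in parses.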
Copy the foreman-proxy public key to the rexuser account on client.example.com:
[root@satellite ~]# ssh-copy-id -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy.pub rexuser@client.example.com
Now check that rexuser can execute the sudo commands without requiring any password interaction, using the id_rsa_foreman_proxy private key from the Satellite server:
[root@satellite ~]# ssh -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy rexuser@client.example.com 'sudo yum repolist'
If the foreman-proxy user can execute commands, then add the following parameter to the client host from the Satellite Server.
Satellite webUI >> Hosts >> All Hosts >> Edit the client.example.com >> Parameters tab >> Add Parameter >> Specify Name as remote_execution_ssh_user and set its value to rexuser >> click Submit
The same can be done through hammer for individual clients:
# hammer host list | grep client.example.com
Note the id from the output and run:
# hammer host set-parameter --host-id=XX --name='remote_execution_ssh_user' --parameter-type='string' --value='rexuser'
Replace XX with the id from the previous output.
Please note that the parameter remote_execution_ssh_user can also be set by Host Group, Operating System, Domain, Location, or Organization, as well as globally.
Now Remote Execution jobs can be scheduled using a non-root user.
On Red Hat Satellite 6.4 and above:
Remote execution is possible without deploying the SSH keys and with no requirement to set NOPASSWD in the sudoers file. If the private key is guarded by a password, that too can be specified during the REX operation through the remote job's advanced fields.
When scheduling a job, click on Display advanced fields >> specify the options, including Sudo password, which should allow the REX job to be completed without configuring SSH keys or NOPASSWD in the sudoers file.
To set the SSH user and Effective user globally, change the respective parameters from the Remote Execution tab or use the following hammer commands:
[root@satellite ~]# hammer settings set --name remote_execution_ssh_user --value rexuser
[root@satellite ~]# hammer settings set --name remote_execution_effective_user --value root
Note: When running Ansible roles on a client as a non-root user, Ansible will not work if the SSH user and the Effective user are set to the same user, because Ansible allows you to 'become' another user, different from the user that logged into the machine (the remote user). For more information, refer to this article.
Video : Overview of Red Hat Satellite Remote Execution
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.