Open SeanPMiller opened 2 years ago
Hi,
My understanding of -n/--non-interactive
is it avoids creating a prompt and if one is necessary it errors out. There are about a dozen input plugins that use this same option so I would like to ensure any change is actually necessary.
You said that the last-run timestamp for sudo
is old. 1) How did you determine this? 2) How did you know this is the issue?
Can you also provide the actual error message you get please?
Thanks, Joshua. The error that we observed follows:
Nov 02 16:22:08 fqdn.removed.com telegrafctl[38108]: 2021-11-02T16:22:08Z E! [inputs.ipmi_sensor] Error in plugin: failed to run command sudo -n /usr/bin/ipmitool sdr elist:...is required
Nov 02 16:22:34 fqdn.removed.com sudo[11269]: telegraf : a password is required ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/ipmitool sdr elist
The most convincing piece of evidence is that we resolved this issue by simply adding a cronjob on every server that executes sudo id
as user telegraf
every four minutes, while we execute the input plugin via the Telegraf daemon every five minutes. The cronjob updates the sudo timestamp so that the -n
check passes during the plugin execution.
We're using a custom PAM, so bypassing that PAM because the timestamp is old is a fatal error for us. To be fair, this is probably a rare use case, as most companies likely do not write their own PAMs. And there is a reasonable argument that sudo should not skip PAM execution just because it thinks that is equivalent to a password request.
Are you thinking this is a problem with sudo rather than Telegraf?
Does your initial run of sudo require a password due to the way you have PAM setup?
No, it does not. We are effectively passwordless via this setup, which uses https://www.athenz.io/, but this requires that the PAM shared object actually get called.
I could invite some folks who know more about the details into this discussion if you like.
Feature Request
We use a nonhuman user named
telegraf
to run telegraf. To authenticate nonhuman users, we use a custom PAM forsudo
. We configure theipmi_sensor
input plugin withuse_sudo=true
, and we configure sudoers carefully, so that usertelegraf
can execute theipmi
command.However, the
use_sudo
configuration option causes the-n
option to be passed tosudo
as shown below:https://github.com/influxdata/telegraf/blob/38aefd99b55450a6338c3e843487712110c2f3d2/plugins/inputs/ipmi_sensor/ipmi.go#L164-L168
When given this option, and the last-run timestamp for
sudo
is old, thensudo
exits without calling into the PAM:https://github.com/sudo-project/sudo/blob/bb5843055ef0c3b84254769926f07cc9d668288b/plugins/sudoers/check.c#L128-L133
Consequently, the input plugin cannot work.
Proposal:
Add a new configuration field to the input plugin that skips adding
-n
for our use case. Presumably, the plugin would need to change how it deals with thesudo
command outcome.Current behavior:
Plugin does not work.
Desired behavior:
Plugin works.
Use case:
See above. Sorry, not used to writing issues. Let me know if you need any more information.