
Not possible to run ipmi-exporter as non-root due to NoNewPrivileges in systemd service #526

Open
trunet opened this issue Jan 29, 2025 · 0 comments
trunet commented Jan 29, 2025

I'm trying to make ipmi-exporter run as a non-root user (the default if no variables are set by the user).

As per https://github.com/prometheus-community/ipmi_exporter/blob/master/docs/privileges.md, my playbook is like this:

- name: Configure IPMI exporter
  hosts: all
  tasks:
    - name: Create sudoers file
      ansible.builtin.copy:
        src: ipmi_exporter.sudoers
        dest: /etc/sudoers.d/ipmi_exporter
        mode: '0400'

- name: Install monitoring stack
  hosts: all
  roles:
    - prometheus.prometheus.node_exporter
    - prometheus.prometheus.ipmi_exporter
  vars:
    ipmi_exporter_modules:
      default:
        collectors:
          - bmc
          - ipmi
          - dcmi
          - chassis
          - sel
        collector_cmd:
          bmc: /usr/bin/sudo
          ipmi: /usr/bin/sudo
          dcmi: /usr/bin/sudo
          chassis: /usr/bin/sudo
          sel: /usr/bin/sudo
        custom_args:
          ipmi:
            - "/usr/sbin/ipmimonitoring"
          sel:
            - "/usr/sbin/ipmi-sel"
          bmc:
            - "/usr/sbin/bmc-info"
          chassis:
            - "/usr/sbin/ipmi-chassis"
          dcmi:
            - "/usr/sbin/ipmi-dcmi"

ipmi_exporter.sudoers:

ipmi-exp ALL = NOPASSWD: /usr/sbin/ipmimonitoring,\
                         /usr/sbin/ipmi-sensors,\
                         /usr/sbin/ipmi-dcmi,\
                         /usr/sbin/ipmi-raw,\
                         /usr/sbin/bmc-info,\
                         /usr/sbin/ipmi-chassis,\
                         /usr/sbin/ipmi-sel

When applied, I got the following in the ipmi_exporter logs:

Jan 29 16:45:35 [REDACTED] ipmi_exporter[2861019]: ts=2025-01-29T15:45:35.475Z caller=collector_sel.go:60 level=error msg="Failed to collect SEL data" target=[local] error="error running /usr/bin/sudo: exit status 1: sudo: The \"no new privileges\" flag is set, which prevents sudo from running as root.\nsudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.\n"

This is due to the protections in place in https://github.com/prometheus-community/ansible/blob/main/roles/ipmi_exporter/templates/ipmi_exporter.service.j2

In my tests, 3 lines in the systemd service need to be removed to allow sudo to run:

NoNewPrivileges=yes
ProtectKernelModules=true
ProtectKernelTunables=yes

I can send a PR if you can clarify which approach is preferred:

  • The Ansible role default is to use the ipmi-exp user/group. Therefore, the default should also be to put the sudoers.d file in place and remove those 3 lines from systemd.
  • Another approach is to change the default user/group to root and add a new flag variable, e.g. ipmi_run_as_non_root, that will configure all of those.
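A pre-flight check for the two things that can go wrong with the non-root setup described in this issue: sudo being blocked by NoNewPrivileges in the unit, and the sudoers command list drifting from the collectors that are actually configured. This is an added illustration, not code from ipmi_exporter or the Ansible role; the unit text, module dict and sudoers fragment are constructed samples shaped like the ones in the issue.

```python
# Constructed sample of the unit settings named in the issue (not the role's real template).
UNIT_TEXT = "[Service]\nUser=ipmi-exp\nNoNewPrivileges=yes\nProtectKernelTunables=yes\n"

# Constructed module config mirroring the issue: sudo as collector_cmd, real tool in custom_args.
MODULES = {"default": {
    "collector_cmd": {"bmc": "/usr/bin/sudo", "sel": "/usr/bin/sudo"},
    "custom_args": {"bmc": ["/usr/sbin/bmc-info"], "sel": ["/usr/sbin/ipmi-sel"]}}}

# Constructed sudoers fragment; ipmimonitoring is granted but no configured collector uses it.
SUDOERS_TEXT = ("ipmi-exp ALL = NOPASSWD: /usr/sbin/ipmimonitoring,\\\n"
                "    /usr/sbin/bmc-info,\\\n    /usr/sbin/ipmi-sel\n")


def parse_service(text):
    """Key=value pairs from the unit text; a later assignment overrides an earlier one."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith(("#", "[")):
            out[key.strip()] = value.strip()
    return out


def sudo_wrapped_tools(modules):
    """Binaries the exporter hands to sudo (collector_cmd is sudo, first custom arg is the tool)."""
    tools = set()
    for module in modules.values():
        args = module.get("custom_args", {})
        for collector, cmd in module.get("collector_cmd", {}).items():
            if cmd.endswith("/sudo") and args.get(collector):
                tools.add(args[collector][0])
    return tools


def sudoers_commands(text):
    """Commands after the last ':' of each continuation-joined rule (simplified sudoers parsing)."""
    cmds = set()
    for rule in text.replace("\\\n", "").splitlines():
        if rule.strip():
            cmds.update(c.strip() for c in rule.rpartition(":")[2].split(",") if c.strip())
    return cmds


def preflight(unit_text, modules, sudoers_text):
    """Findings that would break the non-root deployment or grant more than the collectors need."""
    svc, tools, allowed = parse_service(unit_text), sudo_wrapped_tools(modules), sudoers_commands(sudoers_text)
    findings = []
    if tools and svc.get("NoNewPrivileges", "no").lower() in ("yes", "true", "on", "1"):
        findings.append("NoNewPrivileges=yes blocks sudo; every sudo-wrapped collector will fail")
    findings += [f"{t} is run via sudo but missing from sudoers" for t in sorted(tools - allowed)]
    findings += [f"sudoers allows {c}, which no configured collector uses" for c in sorted(allowed - tools)]
    return findings
```

Run against the samples it reports the NoNewPrivileges conflict from the log above plus the unused ipmimonitoring grant; feed it the rendered unit, the role's module vars and /etc/sudoers.d/ipmi_exporter to catch both before the exporter starts.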