I have a sensu handler that gets triggered on an endpoint Linux box (CentOS 6.6). Here is the script I'm using:
#!/bin/bash --login
sudo -n -u deploy bash --login -c "cd /var/www/vhosts/sc/current; pwd; BUNDLE_GEMFILE=/var/www/vhosts/sc/current/Gemfile RAILS_ENV=production bundle exec pumactl -F /var/www/vhosts/sc/shared/config/puma.rb stop "
sudo -n -u deploy bash --login -c "cd /var/www/vhosts/sc/current; pwd; BUNDLE_GEMFILE=/var/www/vhosts/sc/current/Gemfile RAILS_ENV=production bundle exec pumactl -F /var/www/vhosts/sc/shared/config/puma.rb start "
Running this script locally as another user works fine and I can get puma to restart sanely, even when I give sensu a shell and execute the script on the endpoint.
When it's triggered from the sensu server I get the output of:
{"timestamp":"2016-04-18T16:45:17.581962-0500","level":"info","message":"handler output","handler":{"type":"pipe","command":"/bin/sh /etc/sensu/handlers/puma_restart.sh","name":"puma_restart"},"output":["sudo: a password is required\n","sudo: a password is required\n"]}
I thought this might be an issue with sudoers so here's my setup:
Defaults:sensu !requiretty
Defaults:sensu secure_path = /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
sensu ALL = NOPASSWD: /etc/sensu/handlers/puma_restart.sh
I've also tried setting the sudo NOPASSWORD for all commands like:
sensu ALL=(ALL) NOPASSWD: ALL
But I still get the error when the script is fired.
Anyone have an idea what I have set up wrong? If you need more details or context, please let me know.
That first sudoers configuration with
sensu ALL = NOPASSWD: /etc/sensu/handlers/puma_restart.sh
will not do what you want. That assigns rights for the sensu user to invoke the wrapper puma_restart.sh script with sudo. The sudo commands though are inside that script and invoking bash to execute commands. You'd need to allow the sensu user to invoke bash via sudo.
That second sudoers config
sensu ALL=(ALL) NOPASSWD: ALL
should work. That sounds like it may be an issue with sudoers configuration.
A few things that might get you further:
sudo puma_restart.sh
That first sudoers config should work with this approach.
sudo -l -U sensu
on the sensu client host to see what rights the sudoers configs provide. With passwordless enabled for all commands you should get back something including the following. If not it's a sudoers config issue.
User sensu may run the following commands on this host:
    (root) NOPASSWD: ALL
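The check described in the answer can be scripted. The following is an added example, not code from the original post: it reads the text printed by `sudo -l -U sensu` and reports whether a given run-as user and command are covered by a NOPASSWD entry. The function name, the `/bin/bash` path and both sample outputs are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example: would `sudo -n -u RUNAS CMD` succeed without a password,
# judging by the entries that `sudo -l -U sensu` prints?

# Constructed sample: the listing produced by the first rule on the page.
SAMPLE_FIRST_RULE='User sensu may run the following commands on this host:
    (root) NOPASSWD: /etc/sensu/handlers/puma_restart.sh'

# Constructed sample: a rule covering the script inner call `sudo -u deploy bash`
# (the /bin/bash path is an assumption).
SAMPLE_DEPLOY_RULE='User sensu may run the following commands on this host:
    (deploy) NOPASSWD: /bin/bash'

# nopasswd_allows RUNAS CMD < sudo-l-output
# Exit 0 if an entry grants NOPASSWD for CMD as RUNAS, 1 otherwise.
# Simplified: matches an exact command path or ALL, and a single NOPASSWD tag.
nopasswd_allows() {
    awk -v runas="$1" -v cmd="$2" '
        # Entry lines look like: "    (root) NOPASSWD: /path, /other"
        /^[ \t]*\(/ {
            line = $0
            sub(/^[ \t]*\(/, "", line)
            users = line; sub(/\).*/, "", users)   # text inside the parentheses
            sub(/[ \t]*:.*/, "", users)            # drop a ":group" part
            rest = line; sub(/^[^)]*\)[ \t]*/, "", rest)
            if (rest !~ /^NOPASSWD:/) next
            sub(/^NOPASSWD:[ \t]*/, "", rest)
            user_ok = 0
            n = split(users, u, /,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (u[i] == "ALL" || u[i] == runas) user_ok = 1
            n = split(rest, c, /,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (user_ok && (c[i] == "ALL" || c[i] == cmd)) found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}
```

On the client host it would be fed live output, for example `sudo -l -U sensu | nopasswd_allows deploy /bin/bash`. With the first sample the result is "not allowed", which matches the `sudo: a password is required` lines in the handler output.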