On Thu, Apr 24, 2014 at 07:13:45PM -0500, Dustin C. Hatch wrote:
> I have been struggling to get my hardened systems managed by Ansible for
> quite some time now. I have almost everything working well now, except
> service control. It seems like the run_init stuff in OpenRC behaves
> strangely when /sbin/rc-service is called via exec(),
> stdin/stdout/stderr are connected to pipes, and the whole thing is run
> through sudo. I suspect it has something to do with the way run_init
> tries to prompt for credentials (even though I have that "disabled").
[...]
> p = subprocess.Popen(['/sbin/rc-service', 'nfsmount', 'restart'],
>                      stdin=subprocess.PIPE,
>                      stdout=subprocess.PIPE,
>                      stderr=subprocess.PIPE)
> o, e = p.communicate()
> print('exitcode: {}'.format(p.returncode))
> print('stdout: {}'.format(o))
> print('stderr: {}'.format(e))

Try calling rc-service through run_init, so something like

#v+
p = subprocess.Popen(['/sbin/run_init', '/sbin/rc-service', 'nfsmount',
                      'restart']...)
#v-

[...]
> As you can see, this happens even when SELinux is not enforcing, so I
> don't think it is policy related. I wonder if there is some way to stop
> run_init from trying to prompt for authentication altogether, especially
> when stdin/stdout/stderr is not a tty.
>
> Any thoughts or pointers would be appreciated.

There's some magic involved, see my small write-up at
http://blog.siphos.be/2013/04/not-needing-run_init-for-password-less-service-management/

Wkr,
Sven Vermeulen