| 1 |
On Thu, Apr 24, 2014 at 07:13:45PM -0500, Dustin C. Hatch wrote: |
| 2 |
> I have been struggling to get my hardened systems managed by Ansible for |
| 3 |
> quite some time now. I have almost everything working well now, except |
| 4 |
> service control. It seems like the run_init stuff in OpenRC behaves |
| 5 |
> strangely when /sbin/rc-service is called via exec(), |
| 6 |
> stdin/stdout/stderr are connected to pipes, and the whole thing is run |
| 7 |
> through sudo. I suspect it has something to do with the way run_init |
| 8 |
> tries to prompt for credentials (even though I have that "disabled"). |
| 9 |
[...] |
| 10 |
> p = subprocess.Popen(['/sbin/rc-service', 'nfsmount', 'restart'], |
| 11 |
> stdin=subprocess.PIPE, |
| 12 |
> stdout=subprocess.PIPE, |
| 13 |
> stderr=subprocess.PIPE) |
| 14 |
> o, e = p.communicate() |
| 15 |
> print('exitcode: {}'.format(p.returncode)) |
| 16 |
> print('stdout: {}'.format(o)) |
| 17 |
> print('stderr: {}'.format(e)) |
| 18 |
|
| 19 |
Try calling rc-service through run_init, so something like |
| 20 |
|
| 21 |
#v+ |
| 22 |
p = subprocess.Popen(['/sbin/run_init', '/sbin/rc-service', 'nfsmount', |
| 23 |
'restart']...) |
| 24 |
#v- |
| 25 |
|
| 26 |
[...] |
| 27 |
> As you can see, this happens even when SELinux is not enforcing, so I |
| 28 |
> don't think it is policy related. I wonder if there is some way to stop |
| 29 |
> run_init from trying to prompt for authentication altogether, especially |
| 30 |
> when stdin/stdout/stderr is not a tty. |
| 31 |
> |
| 32 |
> Any thoughts or pointers would be appreciated. |
| 33 |
|
| 34 |
There's some magic involved, see my small write-up at |
| 35 |
http://blog.siphos.be/2013/04/not-needing-run_init-for-password-less-service-management/ |
| 36 |
|
| 37 |
Wkr, |
| 38 |
Sven Vermeulen |
Archives