Option to use sudo for --copy

Open jbenninghoff opened this issue 11 years ago • 14 comments

Passwordless ssh for root is often not allowed but is allowed for non-root account which may have sudo privileges. Broadcasting file copies with clush --copy could use an option to invoke sudo perhaps using the -l user name. This would allow files to be copied to system locations such as /etc/..... Currently --copy only uses the ssh account.

jbenninghoff avatar Dec 11 '13 22:12 jbenninghoff

Hello,

To understand well, could you provide the exact underlying command you would like to run within clush ?

For info, you can override (system or as per-user basis) in clush.conf the ssh_path to "sudo ssh" or something similar, but this has not been tested (man clush.conf). Also, clush already supports the "-l USER" option that is passed to the underlying command (ssh by default). I personally feel that passwordless ssh for root is usually much more convenient and a common method is to use ssh-agent for security purposes (from the cluster management node).

thiell avatar Dec 12 '13 09:12 thiell

@jbenninghoff A workaround might be to clush --copy to a non-privileged location, then run a clush -o'-tt' "sudo mv" command to move the file to the privileged location.

rehevkor5 avatar Jun 16 '14 18:06 rehevkor5

Thanks. That is what I do now. I was just hoping to improve ease of use by suggesting a copy with sudo to avoid the second clush command.

On 2014/6/16, 11:58 AM, Shannon Carey wrote:

@jbenninghoff https://github.com/jbenninghoff A workaround might be to |clush --copy| to a non-privileged location, then run a |clush "sudo mv"| command to move the file to the privileged location.

jbenninghoff avatar Jun 17 '14 21:06 jbenninghoff

To understand well, could you provide the exact underlying command you would like to run within clush ?

@jbenninghoff I still do not understand what you would like to do. Could you give an example with ssh ?

degremont avatar Jun 18 '14 13:06 degremont

    scp my-hosts-file somehost:/etc/hosts

I have to be root to modify /etc/hosts but I cannot ssh as root (site policy). I can ssh as non-root and then sudo and modify/overwrite /etc/hosts. The suggestion Shannon made on this list is what I have been doing to get the desired result.

Something like this would also work:

    cat my-hosts-file | ssh somehost 'sudo cat - > /etc/hosts'

clush would need an option to go with -c or maybe a -C option that means do the file copy with sudo on the remote. The assumption being that you have passwordless sudo rights on remote host.

Hope that is clearer.

/john

jbenninghoff avatar Jun 19 '14 03:06 jbenninghoff

cat my-hosts-file | ssh somehost 'sudo cat - > /etc/hosts'

Do you know you can do

    cat my-host-file | clush -w somehost 'sudo cat - > /etc/hosts'

or

    clush -w somehost 'sudo cat - > /etc/hosts' < my-host-file

This could easily be wrapped in a simple bash script.

Note that stdin redirection implies target host count is smaller than fanout (-f)

degremont avatar Jun 19 '14 08:06 degremont

Thanks, that is better than what I have been doing but not as easy as:

    clush -g somegroup -C /etc/hosts

Assuming -C does copy with sudo on remote. And it handles fanout.

It's a mid-priority enhancement request ultimately. I now use clustershell as my parallel shell because of its ease of use and it's readily available, e.g. EPEL. :-)

I appreciate the dialog.

jbenninghoff avatar Jun 19 '14 19:06 jbenninghoff

It's a mid-priority enhancement request ultimately

To be frank, this is a not-so-trivial development and will have a low priority for us.

I now use clustershell as my parallel shell because of its ease of use and it's readily available, e.g. EPEL. :-)

Good to hear. Just curious, what was the former one?

degremont avatar Jun 20 '14 07:06 degremont

Understandable.

Previous parallel shell was pdsh. I've tried a couple of others years ago and they were worse. I maintain a Hadoop cluster validation package that uses clustershell here: https://github.com/jbenninghoff/cluster-validation

It's derived from some similar validation I used to use for HPC clusters using pdsh.

jbenninghoff avatar Jun 20 '14 18:06 jbenninghoff

See also #234. We'll see what we can do for sudo support in 1.8.

thiell avatar Oct 29 '15 18:10 thiell

@jbenninghoff I am just curious. Is the not logging in directly as root meaningfully more secure than allowing multiple keys to auth for root and logging the key fingerprint with verbose sshd logging?

wt avatar Jan 07 '16 22:01 wt

@wt Typically the direct ssh in as root is not meaningfully more secure; because, all sudo commands can be logged to audit files, which on very secure systems, are not even kept on the hosts. This means that you're much more likely to get an identifiable user account with sudo privileges, than "some unknown person who happens to have root credentials, running something that we don't know because they removed the history file"

edwbuck avatar Mar 19 '19 17:03 edwbuck

This can be easily done by leveraging the tee command:

    host1$ cat /etc/hosts | clush -w host[2-5] "sudo tee /etc/hosts"

And if you happen to want to append something at the end of some privileged file, you can also use -a after tee.

One would also think I should be able to do

    host1$ cat /etc/hosts | clush -w host[2-5] "sudo cat - > /etc/hosts"

but for some reason, the latter would result in permission issues. Not sure why, perhaps clustershell maintainers can provide some insights? Nonetheless, the first option works for me.

seantshen avatar Nov 01 '19 21:11 seantshen

The latter isn't a clush/ssh problem, the sudo affects the command being run, but the redirection (> /etc/hosts) is done by the shell that runs sudo, before sudo runs, so it necessarily has the original user's permissions.

clush's copy can do recursive though; this can be emulated with a tar, e.g.

    tar -C sourcedir -cz . | clush -w somehosts tar -C destdir -xz

which is trivial to extract with sudo.

I believe we already use tar in some cases, this one should be fairly straightforward to wrap with sudo; but we also use scp directly in other cases and we'd need to either convert these all to tar or figure something else first.

martinetd avatar Nov 02 '19 06:11 martinetd
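
Why the `sudo cat - > /etc/hosts` form discussed in this thread fails while `sudo tee /etc/hosts` works, as an added example that is not part of the thread or of clustershell. `fake_sudo` is a constructed stand-in for sudo that only records the arguments it receives, and `run_remote` plays the remote login shell that ssh or clush hands the command string to.

```shell
#!/bin/sh
# Added example: show which part of a "sudo ... > file" command line sudo receives.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
argv_log="$demo_dir/argv.log"

# Constructed stand-in for sudo: log every argument, then run the command
# with no privilege change. Real sudo would elevate only what is logged here.
cat > "$demo_dir/fake_sudo" <<'EOF'
#!/bin/sh
printf '%s\n' "$@" >> "$ARGV_LOG"
exec "$@"
EOF
chmod +x "$demo_dir/fake_sudo"

# run_remote CMD: act as the unprivileged remote shell that parses CMD,
# feed it one constructed line on stdin, then print what fake_sudo was given.
run_remote() {
    : > "$argv_log"
    printf 'constructed hosts line\n' |
        ARGV_LOG="$argv_log" PATH="$demo_dir:$PATH" sh -c "$1"
    paste -sd ' ' "$argv_log"
}

# Form 1: the shell opens out1 itself, before fake_sudo starts.
redirect_args() { run_remote "fake_sudo cat - > '$demo_dir/out1'"; }

# Form 2: the target path is an argument, so the elevated program opens it.
tee_args() { run_remote "fake_sudo tee '$demo_dir/out2' > /dev/null"; }

echo "redirect form, sudo receives: $(redirect_args)"
echo "tee form, sudo receives:      $(tee_args)"
```

In the first form the target path never reaches sudo, so with the real sudo the file is opened by the unprivileged login shell. Redirecting tee's standard output to /dev/null keeps it from echoing the file back through clush.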