
Not possible to run ipmi-exporter as non-root due to NoNewPrivileges in systemd service

Open trunet opened this issue 11 months ago • 0 comments

I'm trying to make ipmi-exporter run as a non root user (the default if no variables are set by the user).

As per https://github.com/prometheus-community/ipmi_exporter/blob/master/docs/privileges.md, my playbook is like this:

- name: Configure IPMI exporter
  hosts: all
  tasks:
    - name: Create sudoers file
      ansible.builtin.copy:
        src: ipmi_exporter.sudoers
        dest: /etc/sudoers.d/ipmi_exporter
        mode: '0400'

- name: Install monitoring stack
  hosts: all
  roles:
    - prometheus.prometheus.node_exporter
    - prometheus.prometheus.ipmi_exporter
  vars:
    ipmi_exporter_modules:
      default:
        collectors:
          - bmc
          - ipmi
          - dcmi
          - chassis
          - sel
        collector_cmd:
          bmc: /usr/bin/sudo
          ipmi: /usr/bin/sudo
          dcmi: /usr/bin/sudo
          chassis: /usr/bin/sudo
          sel: /usr/bin/sudo
        custom_args:
          ipmi:
            - "/usr/sbin/ipmimonitoring"
          sel:
            - "/usr/sbin/ipmi-sel"
          bmc:
            - "/usr/sbin/bmc-info"
          chassis:
            - "/usr/sbin/ipmi-chassis"
          dcmi:
            - "/usr/sbin/ipmi-dcmi"

ipmi_exporter.sudoers:

ipmi-exp ALL = NOPASSWD: /usr/sbin/ipmimonitoring,\
                         /usr/sbin/ipmi-sensors,\
                         /usr/sbin/ipmi-dcmi,\
                         /usr/sbin/ipmi-raw,\
                         /usr/sbin/bmc-info,\
                         /usr/sbin/ipmi-chassis,\
                         /usr/sbin/ipmi-sel

When applied, I got the following in the ipmi_exporter logs:

Jan 29 16:45:35 [REDACTED] ipmi_exporter[2861019]: ts=2025-01-29T15:45:35.475Z caller=collector_sel.go:60 level=error msg="Failed to collect SEL data" target=[local] error="error running /usr/bin/sudo: exit status 1: sudo: The \"no new privileges\" flag is set, which prevents sudo from running as root.\nsudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.\n"

This is due to protections in place on https://github.com/prometheus-community/ansible/blob/main/roles/ipmi_exporter/templates/ipmi_exporter.service.j2

In my tests, 3 lines in the systemd service need to be removed to allow sudo to run:

NoNewPrivileges=yes
ProtectKernelModules=true
ProtectKernelTunables=yes

I can send a PR, if you can clarify which approach is preferred:

  • The Ansible role default is using the ipmi-exp user/group. Therefore, the default should also be to put the sudoers.d file in place and remove those 3 lines from systemd
  • Another approach is to change the default user/group to root, and add a new flag variable, e.g. ipmi_run_as_non_root, that will configure all of those

trunet, Jan 29 '25 16:01
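The failure above comes from the no_new_privs flag: once set, a setuid binary such as sudo cannot gain privileges. NoNewPrivileges=yes sets it directly, and per systemd.exec(5) directives like ProtectKernelModules= and ProtectKernelTunables= imply it when the unit runs under a non-root User=, which is why all three lines mattered. The following is an added check, not code from the prometheus-community role; the unit text and the directive list are constructed assumptions.

```python
"""Report [Service] directives in a systemd unit that would stop sudo
from escalating (explicit NoNewPrivileges, or directives that imply it
for a non-root User=).  Added example, not part of the Ansible role."""
from configparser import ConfigParser

# Boolean directives that imply NoNewPrivileges=yes when the unit does
# not run as root (systemd.exec(5)).  Assumption: this covers the cases
# relevant to the ipmi_exporter unit; extend for your own units.
IMPLIES_NNP = {
    "ProtectKernelModules", "ProtectKernelTunables", "ProtectKernelLogs",
    "ProtectClock", "PrivateDevices", "MemoryDenyWriteExecute",
    "RestrictRealtime", "RestrictSUIDSGID", "LockPersonality",
}
TRUE_VALUES = {"yes", "true", "on", "1"}


def sudo_blockers(unit_text: str) -> list[str]:
    """Return the directives, in file order, that would break sudo."""
    cp = ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep directive names case-sensitive
    cp.read_string(unit_text)
    svc = dict(cp["Service"]) if cp.has_section("Service") else {}
    runs_as_root = svc.get("User", "root").strip() == "root"
    found = []
    for key, val in svc.items():
        enabled = val.strip().lower() in TRUE_VALUES
        if key == "NoNewPrivileges" and enabled:
            found.append(key)
        elif key in IMPLIES_NNP and enabled and not runs_as_root:
            found.append(key)
    return found


# Constructed sample modelled on the three lines named in the issue.
SAMPLE_UNIT = """\
[Unit]
Description=Prometheus IPMI Exporter (constructed sample)

[Service]
User=ipmi-exp
Group=ipmi-exp
ExecStart=/usr/local/bin/ipmi_exporter --config.file=/etc/ipmi_exporter/ipmi.yml
NoNewPrivileges=yes
ProtectKernelModules=true
ProtectKernelTunables=yes
ProtectSystem=strict
"""

if __name__ == "__main__":
    print(sudo_blockers(SAMPLE_UNIT))
```

Running the check against the hardened unit before and after an edit shows whether the sudo path is actually clear, rather than discovering it from the exporter's error log.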