Not possible to run ipmi-exporter as non-root due to NoNewPrivileges in systemd service #526

Open
@trunet

Description

I'm trying to make ipmi-exporter run as a non-root user (the default if no variables are set by the user).

As per https://github.com/prometheus-community/ipmi_exporter/blob/master/docs/privileges.md, my playbook is like this:

- name: Configure IPMI exporter
  hosts: all
  tasks:
    - name: Create sudoers file
      ansible.builtin.copy:
        src: ipmi_exporter.sudoers
        dest: /etc/sudoers.d/ipmi_exporter
        mode: '0400'

- name: Install monitoring stack
  hosts: all
  roles:
    - prometheus.prometheus.node_exporter
    - prometheus.prometheus.ipmi_exporter
  vars:
    ipmi_exporter_modules:
      default:
        collectors:
          - bmc
          - ipmi
          - dcmi
          - chassis
          - sel
        collector_cmd:
          bmc: /usr/bin/sudo
          ipmi: /usr/bin/sudo
          dcmi: /usr/bin/sudo
          chassis: /usr/bin/sudo
          sel: /usr/bin/sudo
        custom_args:
          ipmi:
            - "/usr/sbin/ipmimonitoring"
          sel:
            - "/usr/sbin/ipmi-sel"
          bmc:
            - "/usr/sbin/bmc-info"
          chassis:
            - "/usr/sbin/ipmi-chassis"
          dcmi:
            - "/usr/sbin/ipmi-dcmi"

ipmi_exporter.sudoers:

ipmi-exp ALL = NOPASSWD: /usr/sbin/ipmimonitoring,\
                         /usr/sbin/ipmi-sensors,\
                         /usr/sbin/ipmi-dcmi,\
                         /usr/sbin/ipmi-raw,\
                         /usr/sbin/bmc-info,\
                         /usr/sbin/ipmi-chassis,\
                         /usr/sbin/ipmi-sel

When applied, I got the following in the ipmi_exporter logs:

Jan 29 16:45:35 [REDACTED] ipmi_exporter[2861019]: ts=2025-01-29T15:45:35.475Z caller=collector_sel.go:60 level=error msg="Failed to collect SEL data" target=[local] error="error running /usr/bin/sudo: exit status 1: sudo: The \"no new privileges\" flag is set, which prevents sudo from running as root.\nsudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.\n"

This is due to protections in place on https://github.com/prometheus-community/ansible/blob/main/roles/ipmi_exporter/templates/ipmi_exporter.service.j2

In my tests, 3 lines in the systemd service need to be removed to allow sudo to run:

NoNewPrivileges=yes
ProtectKernelModules=true
ProtectKernelTunables=yes

I can send a PR, if you can clarify which approach is preferred:

  • Ansible role default is using the ipmi-exp user/group. Therefore, the default should also be to add the sudoers.d file in place and remove those 3 lines from systemd
  • Another approach is to change the default user/group to root, and add a new flag variable, e.g. ipmi_run_as_non_root, that will configure all of those
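A check a maintainer can run against the rendered unit before switching the service to a non-root user, added here as an example and not part of the issue or of the prometheus-community role: it lists the directives that stop sudo from escalating, including the ones systemd.exec(5) documents as implying NoNewPrivileges=yes (which is why ProtectKernelModules= and ProtectKernelTunables= had to go as well). The unit fragment is constructed, and the directive list is assumed to match the current systemd manual.

```shell
# Added example, not from the issue or the prometheus-community role. NoNewPrivileges=yes
# blocks the set-uid transition sudo needs, and systemd.exec(5) documents that the
# sandboxing directives below imply NoNewPrivileges=yes, so removing that one line
# is not enough. (List reproduced from the manual as an assumption; confirm for your version.)
IMPLYING_DIRECTIVES="ProtectKernelTunables ProtectKernelModules ProtectKernelLogs ProtectClock
SystemCallFilter SystemCallArchitectures RestrictAddressFamilies RestrictNamespaces
PrivateDevices MemoryDenyWriteExecute RestrictRealtime RestrictSUIDSGID DynamicUser
LockPersonality"

# sudo_blockers UNIT_FILE: print one line per directive that prevents sudo from escalating.
# Exit status 0 means sudo can escalate under this unit, 1 means it cannot.
sudo_blockers() {
    unit="$1"
    found=0
    # Explicit NoNewPrivileges=yes (systemd accepts yes/true/on/1 as boolean true).
    if grep -Eiq '^[[:space:]]*NoNewPrivileges[[:space:]]*=[[:space:]]*(yes|true|on|1)[[:space:]]*$' "$unit"; then
        echo "NoNewPrivileges=yes"
        found=1
    fi
    for d in $IMPLYING_DIRECTIVES; do
        # Any enabled value counts (a boolean "yes" or a non-empty list such as a syscall
        # filter); an explicit no/false/off/0 or an empty value does not imply the flag.
        if grep -Ei "^[[:space:]]*${d}[[:space:]]*=" "$unit" \
           | grep -Eivq '=[[:space:]]*(no|false|off|0)?[[:space:]]*$'; then
            echo "${d}= (implies NoNewPrivileges=yes)"
            found=1
        fi
    done
    return "$found"
}

# Demo on a constructed unit fragment (hypothetical; the role's real template may differ).
demo() {
    tmp=$(mktemp)
    printf '%s\n' '[Service]' 'User=ipmi-exp' 'NoNewPrivileges=yes' \
        'ProtectKernelModules=true' 'ProtectKernelTunables=yes' 'ProtectSystem=strict' > "$tmp"
    sudo_blockers "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

if demo; then echo "unit is sudo-compatible"; else echo "unit blocks sudo"; fi
```

To check a deployed unit, pass the path printed by `systemctl cat ipmi_exporter` (or the role's rendered template) to `sudo_blockers` instead of the constructed fragment.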
