[GH-ISSUE #363] Deleted account name and uid blocked #98

Closed
opened 2026-05-07 00:18:51 +02:00 by BreizhHardware · 8 comments

Originally created by @Pierrelefort on GitHub (Feb 22, 2023).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/363

Hi,

I am currently working on a terraform provider for thebastion. Its main goal is to manage users of thebastion with terraform state.

During my testing phase, I created an account with these parameters: "name": "test", "uid": "99992". But since I deleted it, those parameters seem to be locked. I am unable to create a new account with this name or this uid. This account named "test" is not visible in the output of the accountList command. Any idea how to fix this? And why did it happen?

Provider accountCreate command: "--osh accountCreate --account test --uid-auto --no-key"
Provider accountDelete command: "--osh accountDelete --account test --no-confirm --json"

Screenshots:

- [Screenshot 2023-02-22 at 15 00 03](https://user-images.githubusercontent.com/32686037/220718672-68bd6f1c-000c-4a08-b5ee-1aa6ff1f07c4.png)
- [Screenshot 2023-02-22 at 15 00 14](https://user-images.githubusercontent.com/32686037/220718669-69d8bb3d-0df8-4c7d-b124-626b0376b7c8.png)
- [Screenshot 2023-02-22 at 15 00 51](https://user-images.githubusercontent.com/32686037/220718667-76bec0b6-d288-4915-890e-699fff73a803.png)


@Pierrelefort commented on GitHub (Feb 27, 2023):

UPDATE: My custom terraform provider creates two accounts using the "--uid-auto" option. Both tried to create an account with the same uid, creating an error. But I don't know why the bastion has blocked the name or the uid.


@speed47 commented on GitHub (Feb 28, 2023):

Hey @Pierrelefort ,

Nice to hear that you're working on a terraform provider! This is actually on my backlog because we also have the need internally, especially to handle add/removing of IPs in bastion groups (in that case, the account used by terraform would be an aclkeeper of these groups). I'll opensource it when it's ready (as we've done with the ansible wrapper).

Now about your issue, do you have an exact list of steps to reproduce? I've tried creating two accounts with --uid-auto, deleting the first one, then creating a third one with --uid-auto, I can't seem to stumble upon it.

On your screenshots, it would imply that the "test" account no longer exists, but its primary group (also named "test") is still there, as if the account deletion process had been interrupted; but that's just what I'm trying to infer based on your screenshots.

To get more info, you might want to try running `/opt/bastion/bin/admin/check-consistency.pl` as root on the bastion server, it doesn't modify anything, just checks several things around the accounts and groups and reports inconsistencies when there are.


@ogirardot commented on GitHub (Mar 8, 2023):

Hi @speed47 (I'm working with @Pierrelefort ), I've sent you an email related to this ongoing work which is going to be open source as well, we've focused first on users, groups and server ips if you'd like to sync up, it seems we'd both benefit to join forces.


@speed47 commented on GitHub (Mar 14, 2023):

Hey @ogirardot , just replied to your email, I missed it originally!


@Pierrelefort commented on GitHub (Mar 20, 2023):

> Nice to hear that you're working on a terraform provider! This is actually on my backlog because we also have the need internally, especially to handle add/removing of IPs in bastion groups (in that case, the account used by terraform would be an aclkeeper of these groups). I'll opensource it when it's ready (as we've done with the ansible wrapper).

We are close to opening the repository to the public! And in our case we went with an admin account for its impersonation method (adminSudo) to remove/add ingress keys to users.

> Now about your issue, do you have an exact list of steps to reproduce? I've tried creating two accounts with --uid-auto, deleting the first one, then creating a third one with --uid-auto, I can't seem to stumble upon it.

It happened when we tried to create two users with the --uid-auto option in parallel calls. When terraform wants to create resources (here the missing users), it creates them in parallel. When we debugged the issue, we found out that thebastion returned the same uid on those parallel calls. Since we cannot change terraform's behaviour easily, we decided to avoid the `--uid-auto` option.

I managed to reproduce the error, with the log:

```
2023-03-20T17:46:09.402+0100 [INFO]  provider.terraform-provider-thebastion: Request bastion: --osh accountCreate --account "test2" --uid-auto --public-key "ssh-rsa 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" --json: tf_provider_addr=hashicorp.com/ovh/thebastion tf_req_id=56f88413-8cad-c58e-3206-3baa5a60c9d9 tf_rpc=ConfigureProvider thebastion_host=*** @caller=/Users/pierre/Documents/terraform-provider-thebastion/thebastion/clients/client_ssh.go:64 thebastion_path_private_key=/Users/pierre/Documents/terraform-provider-thebastion/idthebastion thebastion_username=poweruser @module=thebastion thebastion_path_known_host=/Users/pierre/.ssh/known_hosts timestamp=2023-03-20T17:46:09.401+0100
2023-03-20T17:46:09.402+0100 [INFO]  provider.terraform-provider-thebastion: Request bastion: --osh accountCreate --account "test1" --uid-auto --public-key "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDcjliyS0gOlGrxz0bX0S6GV1roGW2beEiIB+/yzygXzL7vzRU3u6Ty/wODC+kABNebtgJ7TCFj387drS3A14bojFlbSlS+r9bdToczfc0ZxwV89ToEGkw4hWIsTSw2ADg9aTIDclAZjNtE+SQUZLSS1gKJSHKah4SWaMf7CSHy7zKg4Q70qHEXJ+UCPfR30glX7joH5kny81aY9vRtRQKs6/RbG8Zd2CoxBkNAYA2k9NPVKEv3eUhiwkK+c1Zf9L5Fk2mW1jhvOwQ4auvZdV/mh/mY5uWqV2Q7KjhpucnVVgv87Uv6drL2lvQyDOvl1G03ab+rXS7eKD3aX1MkphxCrSsNaG4lTT0NB72Wa64CrCHGMcqPrdAhHkRnze/XdmXW7FOlo+nmLPRBZlBME+XT9yyQFNxksJpTAZEK33Xwccoq9PwqPsOFIHPS8PiVifQMarLXonlCz++wzoFEsdYCxdvU/jJmjBvsBcFXV+V5whtOc9JGAJ6JrtnEJJd774c=" --json: tf_provider_addr=hashicorp.com/ovh/thebastion tf_req_id=56f88413-8cad-c58e-3206-3baa5a60c9d9 tf_rpc=ConfigureProvider thebastion_username=poweruser @caller=/Users/pierre/Documents/terraform-provider-thebastion/thebastion/clients/client_ssh.go:64 thebastion_host=*** thebastion_path_known_host=/Users/pierre/.ssh/known_hosts thebastion_path_private_key=/Users/pierre/Documents/terraform-provider-thebastion/idthebastion @module=thebastion timestamp=2023-03-20T17:46:09.401+0100
2023-03-20T17:46:09.929+0100 [DEBUG] provider.terraform-provider-thebastion: Called provider defined Resource Create: tf_req_id=80f6d29a-6d74-bc7e-eef1-648e4b6370d5 @caller=/Users/pierre/go/pkg/mod/github.com/hashicorp/terraform-plugin-framework@v1.1.1/internal/fwserver/server_createresource.go:98 @module=sdk.framework tf_provider_addr=hashicorp.com/ovh/thebastion tf_resource_type=thebastion_user tf_rpc=ApplyResourceChange timestamp=2023-03-20T17:46:09.929+0100
2023-03-20T17:46:09.930+0100 [ERROR] provider.terraform-provider-thebastion: Response contains error diagnostic: tf_proto_version=6.3 tf_provider_addr=hashicorp.com/ovh/thebastion tf_rpc=ApplyResourceChange diagnostic_summary="Error creating user" @caller=/Users/pierre/go/pkg/mod/github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov6/internal/diag/diagnostics.go:55 @module=sdk.proto diagnostic_detail="Could not create user, unexpected error: thebastion error code: ERR_USERADD_FAILED / msg: Error while running useradd for test1 UID/GID 9997 (Command exited with status 4)" diagnostic_severity=ERROR tf_req_id=80f6d29a-6d74-bc7e-eef1-648e4b6370d5 tf_resource_type=thebastion_user timestamp=2023-03-20T17:46:09.930+0100
2023-03-20T17:46:09.954+0100 [ERROR] vertex "thebastion_user.test1" error: Error creating user
2023-03-20T17:46:10.439+0100 [DEBUG] provider.terraform-provider-thebastion: Response bastion: ---e54a37e12616---------------------------------------the-bastion-3.09.00-rc3---
=> create a new bastion account
--------------------------------------------------------------------------------
~ Creating group test2 with GID 9997...
~ Creating user test2 with UID 9997...
~ Creating tty group of account...
~ Adding account to potential supplementary groups...
~ Creating needed files and directories with proper permissions in home...
~ Creating some more directories...
~ Applying proper ownerships...
~ Adding provided public key in authorized_keys file...
~ Generating account personal bastion key...
~ Account successfully created!
~ Configuring sudoers for this account

*** Regenerating account 'test2' sudoers file from templates

`-> ... generating /etc/sudoers.d/osh-account-test2_126a8a

`-> [ OK ]
~ ==> alias fix-my-config-please-missing-bastion-name='ssh test2@e54a37e12616 -t -- '
~ To test his access, ask this user to set the above alias in their .bash_aliases, then run `fix-my-config-please-missing-bastion-name --osh info'


JSON_START
{"error_message":"OK","error_code":"OK","value":null,"command":"accountCreate"}
JSON_END
-------------------------------------------------------------</accountCreate>---
```

This log is quite verbose, but you can see with:

- `ERR_USERADD_FAILED / msg: Error while running useradd for test1 UID/GID 9997 (Command exited with status 4)`
- `Creating group test2 with GID 9997... ~ Creating user test2 with UID 9997...`

that they are created with the same uid/gid.

Then I ran the following commands on my bastion server:

```shell
poweruser@fix-my-config-please-missing-bastion-name(master)> accountList
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TERMINAL = "iTerm2",
	LANG = "fr_FR.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TERMINAL = "iTerm2",
	LANG = "fr_FR.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
╭──e54a37e12616───────────────────────────────────────the-bastion-3.09.00-rc3───
│ ▶ list bastion accounts
├───────────────────────────────────────────────────────────────────────────────
│ healthcheck          9999
│ poweruser            9998
│ test2                9997
╰──────────────────────────────────────────────────────────────</accountList>───
poweruser@fix-my-config-please-missing-bastion-name(master)> accountDelete --account test2 --no-confirm
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TERMINAL = "iTerm2",
	LANG = "fr_FR.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TERMINAL = "iTerm2",
	LANG = "fr_FR.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
╭──e54a37e12616───────────────────────────────────────the-bastion-3.09.00-rc3───
│ ▶ delete an existing bastion account
├───────────────────────────────────────────────────────────────────────────────
│ ❗ Hint: account test2 is currently ACTIVE (i.e. not disabled), think twice before removing it!
│
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TERMINAL = "iTerm2",
	LANG = "fr_FR.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
│ Backing up home directory...
*** Deleting account 'test2' sudoers file
`-> ... deleting /etc/sudoers.d/osh-account-test2_126a8a
`-> [ OK ]
│ Backup done
│ Removing 'test2' group membership from 'keyreader' user
│ Deleting system user 'test2'...
│ Deleting group test2-tty...

│ Account test2 has been deleted
╰────────────────────────────────────────────────────────────</accountDelete>───
poweruser@fix-my-config-please-missing-bastion-name(master)> accountCreate --account test1 --uid 9997 --no-key
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TERMINAL = "iTerm2",
	LANG = "fr_FR.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TERMINAL = "iTerm2",
	LANG = "fr_FR.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
╭──e54a37e12616───────────────────────────────────────the-bastion-3.09.00-rc3───
│ ▶ create a new bastion account
├───────────────────────────────────────────────────────────────────────────────
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_TERMINAL = "iTerm2",
	LANG = "fr_FR.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").

│
│ ⛔ The group test1 already exists
╰────────────────────────────────────────────────────────────</accountCreate>───
```

Hope that will help you understand the issue!

> On your screenshots, it would imply that the "test" account no longer exists, but its primary group (also named "test") is still there, as if the account deletion process had been interrupted; but that's just what I'm trying to infer based on your screenshots.
>
> To get more info, you might want to try running the `/opt/bastion/bin/admin/check-consistency.pl` as root on the bastion server, it doesn't modify anything, just checks several things around the accounts and groups and reports inconsistencies when there are.

We got the following response from the bastion server:

```shell
root@arkhn-bastion: ~# /opt/bastion/bin/admin/check-consistency.pl
found 3 key groups
found 22 bastion users
found 166 groups
```
@speed47 commented on GitHub (Mar 21, 2023):

Okay, so this is clearly a race condition when two creations happen exactly at the same time.
The --uid-auto option doesn't pick a random UID, it picks the highest-still-available one. This is to avoid "stealing" a lower UID that you might need later. This is because, in our use case, we have specific UIDs for humans (the same UID across all the infrastructures), but don't have those for M2M/automation accounts, and we use --uid-auto on those.

I can add a mutex there to avoid two simultaneous creations from picking the same UID. Thanks for the detailed report! 👍 . I'll have a branch for you to test with Terraform, using --uid-auto.
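The race described in this comment, and the parallel creations in the log above, modelled as an added Python example (not the-bastion's code): a toy bastion picks the highest free UID, two concurrent creations both get 9997, the losing useradd leaves its primary group behind (so the name is then reported as an existing group and the GID stays taken), and the same two creations under one lock get 9997 and 9996. The UID range, the delay and the account names are assumptions.

```python
"""Toy model of the --uid-auto race: pick the highest free UID, then create the
primary group and the user, with no lock around the two steps. Constructed
example, not the-bastion's code; ranges, names and delays are assumptions."""
import threading
import time

UID_CEILING, UID_FLOOR = 9999, 9000   # assumed auto-allocation range
PICK_TO_CREATE_DELAY = 0.1            # simulated gap between choosing a UID and useradd


class ToyBastion:
    def __init__(self, accounts):
        self.users = dict(accounts)           # account name -> uid
        self.groups = dict(accounts)          # primary group name -> gid
        self.create_lock = threading.Lock()   # the mutex proposed in the comment above
        self.db_lock = threading.Lock()       # stands in for useradd's own passwd locking

    def allocate_uid(self):
        """The --uid-auto policy: highest UID in range not held by any user or group."""
        taken = set(self.users.values()) | set(self.groups.values())
        for uid in range(UID_CEILING, UID_FLOOR - 1, -1):
            if uid not in taken:
                return uid
        raise RuntimeError("no free UID in range")

    def add_account(self, name, uid):
        """groupadd then useradd, in the order shown in the accountCreate output."""
        with self.db_lock:
            if name in self.groups:
                raise RuntimeError(f"The group {name} already exists")
            self.groups[name] = uid   # simplification: only the group name is checked
            if uid in self.users.values():
                # useradd refuses the duplicate UID; the group just created stays behind
                raise RuntimeError(f"ERR_USERADD_FAILED for {name} UID/GID {uid}")
            self.users[name] = uid

    def create_racy(self, name):
        """Unserialized --uid-auto creation: pick, then create after a delay."""
        uid = self.allocate_uid()
        time.sleep(PICK_TO_CREATE_DELAY)
        self.add_account(name, uid)
        return uid

    def create_locked(self, name):
        """Same steps under one mutex, so the second caller sees the first one's UID."""
        with self.create_lock:
            return self.create_racy(name)


def run_parallel(create, names):
    """Start one creation per name at once, as terraform does; return (uids, errors)."""
    uids, errors = {}, {}

    def worker(name):
        try:
            uids[name] = create(name)
        except RuntimeError as exc:
            errors[name] = str(exc)

    threads = [threading.Thread(target=worker, args=(n,)) for n in names]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return uids, errors


def demo():
    """Replay the report: racy parallel creation, the lingering group, then the locked fix."""
    base = {"healthcheck": 9999, "poweruser": 9998}   # constructed, after the accountList above
    racy = ToyBastion(base)
    uids, errors = run_parallel(racy.create_racy, ["test1", "test2"])
    # one creation wins UID 9997; the other fails in useradd but its group remains,
    # so retrying that name with the next free UID reports the group as already existing
    leftover = [n for n in errors if n in racy.groups and n not in racy.users]
    try:
        racy.add_account(leftover[0], racy.allocate_uid())
        retry_error = None
    except RuntimeError as exc:
        retry_error = str(exc)
    fixed = ToyBastion(base)
    locked_uids, locked_errors = run_parallel(fixed.create_locked, ["test1", "test2"])
    return {"racy_uids": uids, "racy_errors": errors, "leftover_groups": leftover,
            "retry_error": retry_error, "locked_uids": locked_uids,
            "locked_errors": locked_errors}
```

Running `demo()` shows one racy creation winning 9997 and the other failing in useradd, the retry of the failed name rejected because its group still exists, and both locked creations succeeding with distinct UIDs.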


@speed47 commented on GitHub (Mar 21, 2023):

Could you try the branch of PR #377 ?


@Pierrelefort commented on GitHub (Mar 22, 2023):

I tried the branch of the [PR](https://github.com/ovh/the-bastion/pull/377) with the same operations I did for the log and it works fine!
