How to run sudo commands inside a container without the -S flag?

vrms · December 8, 2019, 12:29pm

Thus far my experience with containers (mainly ubuntu or debian containers, debian host, snap LXD 3.18) is that you need to add the -S flag in order to run sudo commands (otherwise it’ll get you a sudo: no tty present and no askpass program specified error).

That can create errors when you run a scripts that uses sudo. In my use case I run the frappe tool bench to maintain en ERPNext instance which apparently also uses sudo.

So I wonder whether there is a way make a container to not require the -S flag for running sudo commands

simos · December 9, 2019, 5:26pm

Hi!

Are you uploading a script at the container, which has selectively some sudo commands?
By default, you get a root shell to a container, which would make you avoid using sudo.

Can you show an example with an Ubuntu container where you get sudo: no tty present in a command?

vrms · December 14, 2019, 5:41pm

sorry, I did not see this earlier

I am running ERPNext inside an ubuntu 18.04 conainer. There comes a tool named bench that comes with ERPNext and is needed to maintain the application (which is a multiservice webapplication with tools such as mariadb, supervisor, nginx, … involved).

there is a dedidcated user for runnig and maintaining erpnext through the bench tool. This dedicated user is member of the sudo group and I access container with lxc exec [container] -- su - [erpnext-user] and then run most of the bench commands just directly without adding the sudo prefix.

here an example: bench restart

[erpnext-user@ubn1804:~/frappe-bench$ bench restart
sudo: no tty present and no askpass program specified
Traceback (most recent call last):
  File "/usr/local/bin/bench", line 11, in <module>
    load_entry_point('bench', 'console_scripts', 'bench')()
  File "/home/franch/.bench/bench/cli.py", line 40, in cli
    bench_command()
  File "/usr/lib/python3/dist-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/usr/lib/python3/dist-packages/click/core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3/dist-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/lib/python3/dist-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/home/franch/.bench/bench/commands/utils.py", line 24, in restart
    restart_supervisor_processes(bench_path='.', web_workers=web)
  File "/home/franch/.bench/bench/utils.py", line 396, in restart_supervisor_processes
    supervisor_status = subprocess.check_output(['sudo', 'supervisorctl', 'status'], cwd=bench_path)
  File "/usr/lib/python3.6/subprocess.py", line 356, in check_output
    **kwargs).stdout
  File "/usr/lib/python3.6/subprocess.py", line 438, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command '['sudo', 'supervisorctl', 'status']' returned non-zero exit status 1.

EDIT: when I add [erpnext-user] ALL=(ALL) NOPASSWD: ALL to the sudoers file the above command bench restart (without sudo prefix as before) runs through as it should. I doubt the NOPASSWD: ALL situation is ideal from a security perspective though, is it?