
Using `as` and sudo with NOPASSWD and !requiretty

Open kwisatz opened this issue 7 years ago • 2 comments

I'm having a lot of trouble using the `as` syntax. I realize this is more of a support request than a bug report, but the results of this might go into the documentation.

What doesn't work:

task :clear_cache do
    on roles :app do
        as :web1 do
           within shared_path do
              execute :rm, '-rf', 'src/cache/twig'
           end
        end
    end
end

However, this works:

task :clear_cache do
    on roles :app do
        within shared_path do
            execute :sudo, '-u', 'web1', :rm, '-rf', 'src/cache/twig'
        end
    end
end

My sudoers file looks like this:

Cmnd_Alias              CLEAR_CACHE = /usr/bin/whoami, /bin/rm -rf src/cache/twig
Defaults!CLEAR_CACHE    !requiretty
david                   ALL=(web1) NOPASSWD: CLEAR_CACHE                                   

I've been trying to use the debug log level in both capistrano and sshkit to figure out what the difference is between these two, more specifically how the `as` syntax executes the command, but all I ever got was:

** Invoke clear_cache (first_time)
** Execute clear_cache
00:00 clear_cache
      01 rm -rf src/cache/twig
      01 sudo: no tty present and no askpass program specified
cap aborted!
SSHKit::Runner::ExecuteError: Exception while executing as david@remote-host: rm exit status: 1
rm stdout: Nothing written
rm stderr: sudo: no tty present and no askpass program specified
/home/kwisatz/1024/projects/a_project/.vendor/bundle/ruby/2.4.0/gems/sshkit-1.13.1/lib/sshkit/runners/parallel.rb:15:in `rescue in block (2 levels) in execute'
/home/kwisatz/1024/projects/a_project/.vendor/bundle/ruby/2.4.0/gems/sshkit-1.13.1/lib/sshkit/runners/parallel.rb:11:in `block (2 levels) in execute'
SSHKit::Command::Failed: rm exit status: 1
rm stdout: Nothing written
rm stderr: sudo: no tty present and no askpass program specified
/home/kwisatz/1024/projects/a_project/.vendor/bundle/ruby/2.4.0/gems/sshkit-1.13.1/lib/sshkit/command.rb:100:in `exit_status='
/home/kwisatz/1024/projects/a_project/.vendor/bundle/ruby/2.4.0/gems/sshkit-1.13.1/lib/sshkit/backends/netssh.rb:165:in `execute_command'
/home/kwisatz/1024/projects/a_project/.vendor/bundle/ruby/2.4.0/gems/sshkit-1.13.1/lib/sshkit/backends/abstract.rb:141:in `block in create_command_and_execute'
/home/kwisatz/1024/projects/a_project/.vendor/bundle/ruby/2.4.0/gems/sshkit-1.13.1/lib/sshkit/backends/abstract.rb:141:in `tap'
/home/kwisatz/1024/projects/a_project/.vendor/bundle/ruby/2.4.0/gems/sshkit-1.13.1/lib/sshkit/backends/abstract.rb:141:in `create_command_and_execute'
/home/kwisatz/1024/projects/a_project/.vendor/bundle/ruby/2.4.0/gems/sshkit-1.13.1/lib/sshkit/backends/abstract.rb:74:in `execute'
/home/kwisatz/1024/projects/a_project/Capfile:35:in `block (4 levels) in <top (required)>'
/home/kwisatz/1024/projects/a_project/.vendor/bundle/ruby/2.4.0/gems/sshkit-1.13.1/lib/sshkit/backends/abstract.rb:85:in `within'
/home/kwisatz/1024/projects/a_project/Capfile:34:in `block (3 levels) in <top (required)>'
/home/kwisatz/1024/projects/a_project/.vendor/bundle/ruby/2.4.0/gems/sshkit-1.13.1/lib/sshkit/backends/abstract.rb:112:in `as'
/home/kwisatz/1024/projects/a_project/Capfile:33:in `block (2 levels) in <top (required)>'
/home/kwisatz/1024/projects/a_project/.vendor/bundle/ruby/2.4.0/gems/sshkit-1.13.1/lib/sshkit/backends/abstract.rb:29:in `instance_exec'
/home/kwisatz/1024/projects/a_project/.vendor/bundle/ruby/2.4.0/gems/sshkit-1.13.1/lib/sshkit/backends/abstract.rb:29:in `run'
/home/kwisatz/1024/projects/a_project/.vendor/bundle/ruby/2.4.0/gems/sshkit-1.13.1/lib/sshkit/runners/parallel.rb:12:in `block (2 levels) in execute'
Tasks: TOP => clear_cache

How can I see what exact command sshkit is running when using `as`? I'd presume that it doesn't correspond to what I allowed in the sudoers file.

kwisatz, Mar 04 '18 19:03

Hi David, first best guess is to direct you at the tests for SSHKit; there you'll find DSL tests that assert against the string representation of the various things.

I'm in Europe, and can look more thoroughly during working times tomorrow.

Sent from my phone from underway.


leehambley, Mar 04 '18 19:03

You can see the actual command being generated here:

https://github.com/capistrano/sshkit/blob/c0f99e4a5027b74b6b4e0f2d54fe119f96a5a67b/lib/sshkit/command.rb#L170

Which is something like:

sudo -u [user] [env] -- sh -c '[cmd]'

mattbrictson, Mar 05 '18 00:03
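Why the two tasks behave differently under the sudoers rule from the question, as an added example that is not part of the thread and not SSHKit's own code: it builds the command shape quoted above and checks it against a simplified model of sudoers matching (absolute path plus exact argument string). The helper names and the `RESOLVED` path table are assumptions made for illustration. With no matching NOPASSWD entry, sudo asks for a password, which is where "no tty present" comes from.

```ruby
require 'shellwords'

# Constructed model of the Cmnd_Alias from the question: [absolute path, args].
CLEAR_CACHE = [
  ['/usr/bin/whoami', nil],            # no args listed: any arguments match
  ['/bin/rm', '-rf src/cache/twig']    # args listed: must match exactly
].freeze

# Assumed PATH resolution on the remote host (sudo compares absolute paths).
RESOLVED = { 'rm' => '/bin/rm', 'sh' => '/bin/sh',
             'whoami' => '/usr/bin/whoami' }.freeze

# Shape quoted in the thread: sudo -u [user] [env] -- sh -c '[cmd]'
def as_user_command(user, cmd, env = '')
  quoted = "'" + cmd.gsub("'") { "'\\''" } + "'"
  ['sudo', '-u', user, env, '--', 'sh', '-c', quoted].reject(&:empty?).join(' ')
end

# Program and arguments sudo is asked to run, after its own options.
def sudo_target(command_line)
  argv = Shellwords.split(command_line)
  raise ArgumentError, 'not a sudo command' unless argv.shift == 'sudo'
  until argv.empty?
    tok = argv.first
    if tok == '-u' then argv.shift(2)            # -u takes a value
    elsif tok == '--' then argv.shift; break     # end of sudo options
    elsif tok.start_with?('-') || tok.match?(/\A\w+=/) then argv.shift
    else break
    end
  end
  argv
end

# Simplified sudoers check: path must be listed and, if the entry carries
# arguments, the joined argument string must be identical.
def allowed_by_alias?(command_line, cmnd_alias = CLEAR_CACHE)
  prog, *args = sudo_target(command_line)
  path = RESOLVED.fetch(prog, prog)
  cmnd_alias.any? { |p, a| p == path && (a.nil? || a == args.join(' ')) }
end

direct  = 'sudo -u web1 rm -rf src/cache/twig'               # execute :sudo ...
wrapped = as_user_command('web1', 'rm -rf src/cache/twig')   # as :web1 do ...
[direct, wrapped].each do |line|
  puts format('%-50s target=%-8s NOPASSWD rule applies: %s',
              line, sudo_target(line).first, allowed_by_alias?(line))
end
```

Under `as`, the program sudo evaluates is `sh`, so the `/bin/rm -rf src/cache/twig` entry never matches. Listing `/bin/sh` in the alias would make it match but would let `david` run any command as `web1` without a password, whereas the explicit `execute :sudo, '-u', 'web1', ...` form keeps the rule limited to the one command.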