
chruby and sudo usage

Open stephaneliu opened this issue 10 years ago • 6 comments

If using chruby, be aware of known gem path issue with sudo.

Current workaround:

> sudo -E chruby-exec 2.2.0 -- ~/[path-to-madscience]/madscience setup

stephaneliu avatar Mar 19 '15 21:03 stephaneliu

That makes sense. I'm probably going to wind up with a whole family of "how to run this with various Ruby version managers" -- RVM already has its exception in the docs.

Glad you're warning folks (and me)! :-)

noahgibbs avatar Mar 19 '15 23:03 noahgibbs

Why does it need sudo / ruby version changer in the first place?

artm avatar Mar 25 '15 09:03 artm

Ha, interesting. It needs sudo to run ruby-based tools (librarian-chef and chef-solo?) on my machine so that:

  1. it'll have to unchown some files from root
  2. it needs special instructions to run complex ruby scripts under sudo

Isn't this super brittle?

artm avatar Mar 25 '15 09:03 artm

It's actually running Chef in order to install Vagrant and Virtualbox. So needing sudo access is non-negotiable.

As for special instructions, every Ruby version changer has this problem -- sudo doesn't let a lot of standard Ruby environment variables through by default, such as those that specify where all your gems are. You can get around this by telling sudo to just let all those variables through, but nobody does.

Eventually I could write a horrible script that explicitly passes all those variables through sudo (basically: make a list of them with values and run a script through sudo that first sets them all), but that, too, is ugly and brittle.

The unchowning from root, yeah, that's a bit of a hack. I'll fix it at some point. But it's actually pretty solid in practice at this point.

noahgibbs avatar Mar 25 '15 14:03 noahgibbs
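The explicit pass-through described in the comment above, sketched as an added example that is not part of the thread or of MadScience: it forwards a fixed allowlist of Ruby variables through `sudo env` rather than the whole environment with `sudo -E`. The variable list, the `SUDO_CMD` override and the function names are assumptions made for illustration, and it assumes your sudoers policy lets you run `env`.

```shell
#!/bin/sh
# Added example, not MadScience code. Forwards an explicit allowlist of Ruby
# variables through sudo instead of the whole environment (sudo -E).

# Assumption: the variables your version manager exports; edit to match.
# PATH and RUBYOPT are left out on purpose: sudo's secure_path stays in
# force and no caller-controlled interpreter options reach the root process.
RUBY_ENV_ALLOWLIST="GEM_HOME GEM_PATH GEM_ROOT RUBY_ROOT RUBY_ENGINE RUBY_VERSION"

# Hypothetical override so the wrapper can be exercised without root.
SUDO_CMD="${SUDO_CMD:-sudo}"

# Audit helper: print NAME=value for each allowlisted variable that is set.
# eval only ever sees names from the constant allowlist above.
ruby_env_assignments() {
    for _name in $RUBY_ENV_ALLOWLIST; do
        eval "_isset=\${$_name+x}; _value=\${$_name-}"
        if [ -n "$_isset" ]; then
            printf '%s=%s\n' "$_name" "$_value"
        fi
    done
}

# Usage: sudo_with_ruby_env /absolute/path/to/command [args...]
sudo_with_ruby_env() {
    # PATH is not forwarded, so insist on an unambiguous command path.
    case "$1" in
        /*) ;;
        *) echo "refusing: pass an absolute command path" >&2; return 2 ;;
    esac
    for _name in $RUBY_ENV_ALLOWLIST; do
        eval "_isset=\${$_name+x}; _value=\${$_name-}"
        if [ -n "$_isset" ]; then
            # Prepend NAME=value so env sees assignments before the command.
            set -- "$_name=$_value" "$@"
        fi
    done
    $SUDO_CMD env "$@"
}
```

Run `ruby_env_assignments` first to see exactly what would cross the sudo boundary.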

Well, the problem with the current script is that I read it now and figured out what it does and I dare to run it with sudo. Next time I refresh the repo and wish to run it again I will have to read it again to see what you've come up with next. Sorry for my lack of trust, but that's just how I am.

Chef only needs to run something with root privileges if my laptop is behind in some versions. I would rather the script told me what I'm missing and suggested to run sudo librarian-chef install and sudo chef-solo whatnot. I stress me because I don't mean everyone would have to do it the hard way.

Do you think it is possible to run some librarian / chef-solo subcommand just to check the configuration? If so I'm willing to step in and make a pull request with a more paranoid-friendly CLI (while keeping the current interface intact).

artm avatar Mar 25 '15 14:03 artm

I know Chef client has a dry-run mode (--why-run), which I haven't tried with my stuff. Don't know if you can do it as a random user, but it's worth a look. That would be easy to package up in a "madscience verify" command or something of the kind.

As for lack of trust -- the first time you run it, you're extremely unlikely to already have the exact version of Chef, Vagrant, VirtualBox and a handful of Vagrant plugins that MadScience specifically requires -- and that exact version requirement is basically necessary. So you have to trust me on the first run, pretty much regardless.

noahgibbs avatar Mar 25 '15 16:03 noahgibbs