#3171 pki installer attempts to use sudo even when running under root and fails in a container without sudo
Closed: migrated a year ago by dmoluguw. Opened 2 years ago by abbra.

Attempted FreeIPA installation on Debian unstable using a container which didn't have the sudo package installed. pkispawn failed with the following message in pki-ca-spawn.<DATE>.log:

2020-04-08 18:41:55 ERROR: FileNotFoundError: [Errno 2] No such file or directory: 'sudo'
  File "/usr/lib/python3/dist-packages/pki/server/pkispawn.py", line 562, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3/dist-packages/pki/server/deployment/scriptlets/configuration.py", line 747, in spawn
    subsystem.remove_database(force=True)
  File "/usr/lib/python3/dist-packages/pki/server/subsystem.py", line 932, in remove_database
    self.run(cmd, as_current_user=as_current_user)
  File "/usr/lib/python3/dist-packages/pki/server/subsystem.py", line 980, in run
    subprocess.run(cmd, check=True)
  File "/usr/lib/python3.8/subprocess.py", line 489, in run
    with Popen(*popenargs, **kwargs) as process:
  File "/usr/lib/python3.8/subprocess.py", line 854, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "/usr/lib/python3.8/subprocess.py", line 1702, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)

I think sudo definitely shouldn't be needed for running as root in a container:

root@ipa:/# id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)

root@ipa:/# apt-cache show pki-base |grep Version
Version: 10.8.3-2

While spawning, the removal happens as pkiuser and not the current user. This is achieved by using sudo -u in the script...

https://github.com/dogtagpki/pki/blob/master/base/server/python/pki/server/subsystem.py#L943

As ab pointed out in the IRC conversation, sudo -u can be replaced by runuser -u, which is part of the util-linux package.

2 years ago
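
One way to choose the user-switching wrapper without assuming sudo is installed, as an added example (not the Dogtag PKI code and not the change made in the PR). The names `as_user_command` and `run_as_user`, the injectable `euid`, `which` and `getpwnam` parameters, and the sample `id -un` command are assumptions made for illustration.

```python
import os
import pwd
import shutil
import subprocess


def as_user_command(cmd, user, *, euid=None, which=shutil.which,
                    getpwnam=pwd.getpwnam):
    """Return an argv list that runs cmd as `user` without assuming sudo exists.

    euid, which and getpwnam are injectable (hypothetical parameters) so the
    selection logic can be exercised without root or a real pkiuser account.
    """
    euid = os.geteuid() if euid is None else euid
    target_uid = getpwnam(user).pw_uid  # KeyError if the account is missing

    if euid == target_uid:
        return list(cmd)  # already the target user: no wrapper needed

    if euid == 0:
        # root can switch users directly; runuser ships in util-linux and
        # needs neither a sudoers policy nor the sudo package.
        runuser = which("runuser")
        if runuser:
            return [runuser, "-u", user, "--"] + list(cmd)

    # Non-root caller, or root on a system without runuser: fall back to sudo.
    sudo = which("sudo")
    if sudo:
        return [sudo, "-u", user, "--"] + list(cmd)

    # Fail with a clear message instead of FileNotFoundError from Popen.
    raise RuntimeError(
        f"cannot run {cmd[0]!r} as {user}: neither runuser (root only) "
        "nor sudo is available")


def run_as_user(cmd, user):
    # argv list and no shell, so arguments are never re-parsed by /bin/sh
    return subprocess.run(as_user_command(cmd, user), check=True)


if __name__ == "__main__":
    # Constructed sample: only builds the command line, does not execute it.
    print(as_user_command(["id", "-un"], "root"))
```
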

The issue is fixed via PR: https://github.com/dogtagpki/pki/pull/494

The PR will be merged after 10.9 branching occurs (i.e., it will be included in PKI 10.10+). This issue should stay open until the PR gets merged.

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/3288

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

a year ago
