alexellis / k3sup

bootstrap K3s over SSH in < 60s 🚀

error when sudo requires a password #100

Closed haraldkoch closed 3 years ago

haraldkoch commented 4 years ago

k3sup appears to require root access or passwordless sudo.

Expected Behaviour

Either the documentation should contain a note that passwordless sudo is required when using a non-root user for SSH, or the software should allow the user to enter a sudo password. This could be done on the command line (like ansible) or by using "ssh -t" to create a proper terminal so that sudo can prompt the user that is running k3sup for a sudo password.

Current Behaviour

[INFO]  Using v0.9.1 as release
[INFO]  Downloading hash https://github.com/rancher/k3s/releases/download/v0.9.1/sha256sum-amd64.txt
[INFO]  Downloading binary https://github.com/rancher/k3s/releases/download/v0.9.1/k3s
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
Error: Error received processing command: Process exited with status 1

Possible Solution

use "ssh -t" to open a tty between the remote and the local user, so that sudo can ask for a password

Steps to Reproduce (for bugs)

  1. create a user on the remote system that requires a password for sudo (the default, really)
  2. use k3sup --user to install as that user

Context

Your Environment

Linux (Arch) on both hosts, VM locally hosted using libvirt/KVM

alexellis commented 4 years ago

How do tools like Ansible work in this scenario?

alexellis commented 4 years ago

( @rgee0 may know or @chris-short)

chris-short commented 4 years ago

Ansible allows for prompting for SSH and/or sudo password as part of an ansible.cfg file: https://docs.ansible.com/ansible/latest/installation_guide/intro_configuration.html

Probably ANSIBLE_BECOME_ASK_PASS is what you're wanting? https://docs.ansible.com/ansible/latest/reference_appendices/config.html#envvar-ANSIBLE_BECOME_ASK_PASS

ihgann commented 4 years ago

Can confirm I'm noticing this as well against a typical Ubuntu 18.04 VM. Enabling passwordless sudo was a suitable workaround.

alexellis commented 4 years ago

@ihgann this doesn't happen with the Ubuntu images provided by cloud providers.

Have you considered updating your SUDOERS file?

ihgann commented 4 years ago

@alexellis I ran a direct iso download from https://ubuntu.com/download/server, version 18.04.3. It was a fresh VM, so I had not changed anything from the defaults.

jamshid commented 4 years ago

IMO it's not obvious or common to have passwordless sudo configured on a machine when you e.g. ask IT to give you three centos7 boxes. Please document this requirement for that error. Btw enabling passwordless sudo can be tricky, e.g. on centos I had to add the NOPASSWD: line after the #includedir (https://serverfault.com/questions/160581/how-to-setup-passwordless-sudo-on-linux). Thanks for this project, been looking for something like docker-machine for kubernetes.

qmacro commented 4 years ago

I encountered the same issue today, while starting to look into k3sup and k3s on Crostini (ChromeOS Linux) containers. The target container for the k3s install was an Ubuntu 18.04 based image.

I worked around the issue using the -t switch with ssh.

I recorded an asciicast to show the details, in case it's helpful. Thanks for k3sup and the great content at https://blog.alexellis.io/raspberry-pi-homelab-with-k3sup/.

alexellis commented 4 years ago

Installing k3s on Crostini is way out of scope, please don’t expect that to be supported, or to work. However, if you are using a remote machine, then it may work since k3sup uses ssh.

What did the -t switch do for ssh?

alexellis commented 4 years ago

@jamshid happy to link to a page showing how to enable passwordless sudo on CentOS, I don’t use Red Hat software at the moment so it’s not a path I’ve set out to or have time to support. If there’s enough demand, I may revisit where I put my limited time on this project so that CentOS, RHEL, Fedora etc are part of the happy path. cc @ibuildthecloud

qmacro commented 4 years ago

@alexellis don't worry, not expecting support in the Crostini container context at all*. I just wanted to add some extra info to this specific issue, which I encountered too. The -t flag forced a tty which allowed sudo to surface its request for a password.

* In theory I might get somewhere with this journey anyway, which will be a bonus, but that's secondary of course.

alexellis commented 4 years ago

If I added -t as an optional flag like --tty to install/join would that help you? I'm not sure how you overcome typing a password in when automating though.

jamshid commented 4 years ago

Thanks, yes, a tty option so the password can be typed manually is ideal, since running visudo and configuring NOPASSWD is sometimes not easy or possible. Ideally the k3sup error when sudo fails would hint at the problem.

dazzag24 commented 4 years ago

I'm seeing the same issue on a Scaleway-provided Ubuntu 16.04 LTS image when using a non-root user who has sudo permissions but requires a password.

sudo: no tty present and no askpass program specified
Error: error received processing command: Process exited with status 1

Opswatch commented 4 years ago

I'm getting the same error on Ubuntu 16.04 and 18.04 installed on a VM from a regular Ubuntu server ISO.

sudo: no tty present and no askpass program specified
Error: error received processing command: Process exited with status 1

Even with a root user, worked a couple of weeks ago.

chris-short commented 4 years ago

This seems very much like an SSH/Ansible configuration problem and not a k3s issue.

phobos-dthorga commented 4 years ago

I know this isn't exactly related as to the above, but I came here through a search on Google where I'm encountering the same problem with self-hosted GitLab's CI/CD with regard to the Docker containers used.

A solution where sudo does not ask for the password would be absolutely fantastic for my organization.

alexellis commented 4 years ago

@phobos-dthorga what are you looking for?

naude-r commented 4 years ago

@Opswatch @dazzag24 @haraldkoch add to ~/.ssh/config

host master01 worker01 worker02
        RequestTTY force

above has the same effect as ssh -t

Opswatch commented 4 years ago

@naude-r Thanks :)

eloekset commented 4 years ago

@qmacro how did you export kubeconfig after using the command in the video you linked to? I successfully installed on all nodes using your command, but then I can't use kubectl because of missing kubeconfig.

@alexellis when is that -t option supported? I tried running k3sup install --ip $IP -t --user $USER, using version 0.9.6

alexellis commented 4 years ago

What kind of cloud images are folks using where the remote machine has sudo requiring a password? k3sup and the k3s installer are relying on a password-less sudo configuration.

I don't think that making k3sup require an interactive prompt is the right answer. Imagine you're creating a cluster with 10 nodes (1 master, 9 clients): you'll have to type the password in ~ 20 times.
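A preflight check for the passwordless-sudo requirement described in this thread, as an added example that is not part of the thread or of k3sup. It assumes OpenSSH's `ssh` client and key-based login; the function names are hypothetical, and the host names in the usage comment are the ones from the `~/.ssh/config` snippet elsewhere in this issue.

```shell
#!/bin/sh
# Added example, not k3sup code: find nodes where sudo would ask for a
# password before an install or join is attempted.

# classify_sudo_stderr: read captured stderr on stdin, print a short cause.
classify_sudo_stderr() {
    err=$(cat)
    case $err in
        *"a terminal is required to read the password"*|\
        *"no tty present and no askpass program specified"*)
            echo "password-required-no-tty" ;;  # the two messages in this thread
        *"a password is required"*)
            echo "password-required" ;;         # printed by `sudo -n`
        *"is not in the sudoers file"*)
            echo "not-in-sudoers" ;;
        *)
            echo "unknown" ;;                   # e.g. the SSH connection failed
    esac
}

# preflight_sudo USER HOST: succeed only if USER can run sudo on HOST without
# a password. BatchMode stops ssh from prompting; -n stops sudo from prompting,
# so the check fails fast instead of hanging.
preflight_sudo() {
    if err=$(ssh -o BatchMode=yes -o ConnectTimeout=10 "$1@$2" \
            'sudo -n true' 2>&1 >/dev/null); then
        return 0
    fi
    echo "$2: $(printf '%s\n' "$err" | classify_sudo_stderr)" >&2
    return 1
}

# preflight_all USER HOST...: report every failing node; non-zero if any fail.
preflight_all() {
    user=$1; shift
    failed=0
    for host in "$@"; do
        # </dev/null keeps ssh from consuming the caller's stdin
        preflight_sudo "$user" "$host" </dev/null || failed=1
    done
    return "$failed"
}

# Usage (placeholder user and hosts):
#   preflight_all ubuntu master01 worker01 worker02 && echo "ready for k3sup"
```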

eloekset commented 4 years ago

Maybe my case is not so relevant for k3sup. I'm just trying to learn Kubernetes using an on-prem box running Proxmox with four nodes on Ubuntu Server 18.04.5.

I think I'll try to do a more manual setup first to learn the basics following this video maybe: https://www.youtube.com/watch?v=XQvQUE7tAsk

eloekset commented 4 years ago

I'm setting up new VMs now, and I plan to follow this guide.

I've never thought of it until now, this might be the reason my VMs require option -t?

slemik1 commented 3 years ago

Hello. This kind of problem often occurs with Jenkins. There is a simple solution: you need to create a file myuser. You can read about it in more detail here: cat /etc/sudoers.d/README

Place the 0440 mode file in /etc/sudoers.d/myuser with the following content: myuser ALL = (ALL) NOPASSWD: ALL and don't forget to chmod 0440 /etc/sudoers.d/myuser
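The drop-in described in the comment above, as an added example that is not part of the thread: it validates the rule with `visudo -c` before installing it with mode 0440. The function names are hypothetical, and `install_dropin` is assumed to run as root on the target node.

```shell
#!/bin/sh
# Added example: install the NOPASSWD rule from this thread as a sudoers
# drop-in, checking it before it can affect sudo.

# Accept only conservative user names, so nothing else can be written
# into the rule.
valid_user() {
    case $1 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# sudo skips files in /etc/sudoers.d whose names contain '.' or end in '~',
# so derive a file name it will actually read (john.doe -> john_doe).
dropin_name_for() {
    printf '%s' "$1" | tr '.~' '__'
}

# Render the rule as given in the thread for the chosen user.
render_rule() {
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
}

# install_dropin USER [DIR]: DIR defaults to /etc/sudoers.d.
install_dropin() {
    user=$1
    dir=${2:-/etc/sudoers.d}
    valid_user "$user" || { echo "invalid user name" >&2; return 1; }
    tmp=$(mktemp) || return 1
    render_rule "$user" > "$tmp"
    # visudo -c only parses the file. A syntax error in a live sudoers file
    # makes sudo refuse to run, so check before installing.
    if ! visudo -cf "$tmp" >/dev/null; then
        rm -f "$tmp"
        echo "refusing to install: rule failed visudo check" >&2
        return 1
    fi
    install -o root -g root -m 0440 "$tmp" "$dir/$(dropin_name_for "$user")"
    rm -f "$tmp"
}

# Usage on the node, as root (placeholder user):
#   install_dropin myuser
```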

alexellis commented 3 years ago

I'm going to close this issue as #wontfix but please feel free to keep commenting, and we may review it again in the future.

si458 commented 3 years ago

Hi @alexellis, sorry to tag onto this but I'm experiencing the same issue as above: clean Ubuntu 20.04.1 install using mini.iso (Virtuozzo KVM), user called ubuntu. Was there any progress with this type of issue, or a workaround?

Simon@SiMacBookPro ~ % k3sup install --cluster --ip 192.168.168.75 --k3s-channel stable  --k3s-extra-args '--write-kubeconfig-mode=644 --flannel-backend=none --disable-network-policy --disable=traefik' --user ubuntu    
Running: k3sup install
2021/01/23 11:44:21 192.168.168.75
Public IP: 192.168.168.75
[INFO]  Finding release for channel stable
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
[INFO]  Using v1.20.2+k3s1 as release
[INFO]  Downloading hash https://github.com/rancher/k3s/releases/download/v1.20.2+k3s1/sha256sum-amd64.txt
[INFO]  Downloading binary https://github.com/rancher/k3s/releases/download/v1.20.2+k3s1/k3s
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
Error: error received processing command: Process exited with status 1
Simon@SiMacBookPro ~ %

si458 commented 3 years ago

@alexellis it's OK, figured it out 👍

add (YOUR USER) ALL=(ALL) NOPASSWD: ALL into the visudo