fnichol / knife-server

A Chef Knife plugin to manage Chef Servers. Bootstrap a new Chef Server on Amazon's EC2, Digital Ocean, Linode, OpenStack or a standalone server. Backup and restore your Chef Server or Hosted Chef's node, role, data bag, and environment JSON data.
http://fnichol.github.com/knife-server
Apache License 2.0

sudo: no tty present and no askpass program specified #17

Closed millisami closed 10 years ago

millisami commented 11 years ago

Hi, I've set up the bare Ubuntu 11.10 in VM Fusion.

I've the following in my .chef directory:

cat .chef/knife.rb
node_name       "milli.example.com"
client_key      "#{ENV['HOME']}/.chef.d/milli-chef-server.pem"
validation_key  "#{ENV['HOME']}/.chef.d/milli-chef-validator.pem"

The bootstrap command: knife server bootstrap standalone --ssh-user ubuntu --node-name milli.example.com --host 172.16.17.130 all works and sets up the server successfully.

But the last line of output is sudo: no tty present and no askpass program specified, and if I look at the client_key file, it's the same content in that file too. So it's not creating a valid pem file, which blocks me from issuing any knife command against this server.

Here is the log of the bootstrap cmd: https://gist.github.com/4571033

I even tried adding the ubuntu user to the /etc/sudoers file too, but still got the same error.

ghost commented 11 years ago

In /etc/sudoers use:

ubuntu  ALL= (ALL:ALL) NOPASSWD: ALL

millisami commented 11 years ago

I'll try out with that setting.

But one question though: do I have to add that manually first? Isn't it supposed to install the chef-server with just a single command, as in the readme: knife server bootstrap ec2 --ssh-user ubuntu --node-name chefapalooza.example.com

ghost commented 11 years ago

For a standalone installation on VM guest on VMware Fusion you don't really need the --ssh-user ubuntu option. Amazon EC2 Ubuntu instances usually need it though. If you really need to use the --ssh-user ubuntu option with standalone mode then you have to manually update the sudoers file first to turn off password prompts for the ubuntu user. For ec2 mode you don't need to update the sudoers file.

millisami commented 11 years ago

@nutznboltz For a standalone installation on VM guest on VMware Fusion you don't really need the --ssh-user ubuntu option.

Do you mean that I should issue the cmd knife server bootstrap standalone --node-name knife.server.vm --host knife.server

If I issue the cmd without --ssh-user then it asks for the root user password, which is blocked from login in Ubuntu installations.

Another issue

I added the above tip from you to the sudoers file, but it's still asking for the password. Following is the content of the sudoers file:

ubuntu@knife:~$ sudo cat /etc/sudoers
[sudo] password for ubuntu: 
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults    env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL
ubuntu  ALL= (ALL:ALL) NOPASSWD: ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

#includedir /etc/sudoers.d

millisami commented 11 years ago

Well, I googled around and found this thread https://github.com/kubitron/redmine_git_hosting/issues/3#issuecomment-3636149 which also had the sudo: no tty ....... issue.

As suggested, I also changed the sudoers file to:

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
root ALL=(ALL:ALL) ALL
ubuntu ALL=(ALL:ALL) NOPASSWD:ALL

And now ran the same cmd with the --ssh-user ubuntu intact:

knife server bootstrap standalone --ssh-user ubuntu --node-name knife.server.vm --host knife.server

And this time that sudo: no tty ..... error is gone but its last log says:

............. snipped ......
knife.server [Mon, 21 Jan 2013 00:42:20 +0545] INFO: Processing execute[a2ensite chef-server-proxy.conf] action run (chef-server::apache-proxy line 24)
knife.server 
knife.server [Mon, 21 Jan 2013 00:42:20 +0545] INFO: Chef Run complete in 0.402337 seconds
knife.server 
knife.server [Mon, 21 Jan 2013 00:42:20 +0545] INFO: Running report handlers
knife.server 
knife.server [Mon, 21 Jan 2013 00:42:20 +0545] INFO: Report handlers complete
knife.server 
knife.server + rm -rf /tmp/chef-solo
knife.server 
knife.server + printf -- '-----> Bootstraping Chef Server on knife.server.vm is complete.\n'
knife.server 
knife.server -----> Bootstraping Chef Server on knife.server.vm is complete.
knife.server 
WARNING: No knife configuration file found
Creating initial API user...
Created client[root]
Configuration file written to /root/.chef/knife.rb

And the file /root/.chef/knife.rb was created on the VM itself with the content:

ubuntu@knife:~$ sudo cat /root/.chef/knife.rb
log_level                :info
log_location             STDOUT
node_name                'root'
client_key               '/root/.chef/root.pem'
validation_client_name   'chef-validator'
validation_key           '/etc/chef/validation.pem'
chef_server_url          'http://127.0.0.1:4000'
cache_type               'BasicFile'
cache_options( :path => '/root/.chef/checksums' )

Is this the desired configuration?
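
Added example, not part of the original thread or of knife-server: sudoers applies the last matching entry, so where the ubuntu line sits relative to the %admin and %sudo lines decides whether sudo prompts. The model below runs that rule over the two layouts quoted in the comments above, assuming the ubuntu user belongs to the admin and sudo groups; `effective_rule` and the sample strings are constructed for illustration.

```python
import re

# Constructed from the two sudoers layouts quoted in the thread (comments dropped).
LAYOUT_FIRST = """\
root    ALL=(ALL:ALL) ALL
ubuntu  ALL= (ALL:ALL) NOPASSWD: ALL
%admin ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
"""
LAYOUT_SECOND = """\
%admin ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
root ALL=(ALL:ALL) ALL
ubuntu ALL=(ALL:ALL) NOPASSWD:ALL
"""

# who  host = (runas) [TAG:] commands
RULE = re.compile(
    r"^(?P<who>%?[\w.-]+)\s+[^=\s]+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$"
)


def effective_rule(sudoers_text, user, groups):
    """Return (prompts_for_password, winning_line) for `user`, or (None, None).

    Simplified model: one rule per line, no aliases, Defaults or includes,
    and every rule is treated as covering the command being run.
    """
    prompts, winner = None, None
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        who = m.group("who")
        if who.startswith("%"):
            applies = who[1:] in groups  # group rule
        else:
            applies = who in (user, "ALL")  # user rule
        if applies:
            # Later matches overwrite earlier ones: the last match wins.
            tags = re.findall(r"\b(NOPASSWD|PASSWD)\s*:", m.group("cmds"))
            prompts = not (tags and tags[-1] == "NOPASSWD")
            winner = line
    return prompts, winner


if __name__ == "__main__":
    for name, text in (("first", LAYOUT_FIRST), ("second", LAYOUT_SECOND)):
        print(name, effective_rule(text, "ubuntu", {"admin", "sudo"}))
```

On a real host, `sudo -l -U ubuntu` lists the entries sudo matched for that user, and `visudo -c` checks the file's syntax after an edit.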

ghost commented 11 years ago

Depends on what you want. If you want a non-root user to be able to use knife commands you need to configure knife for that user.

The part about copying the certificates here is important:

http://wiki.opscode.com/display/chef/Installing+Chef+Server+Manually#InstallingChefServerManually-ConfiguretheCommandLineClient

It doesn't mention you should erase the copies that you made of validation.pem and webui.pem after your knife configuration is complete. You probably should use shred -u ... on them.

erikh commented 11 years ago

Just pointing this out for others that might come across this thread:

The !requiretty trick is only necessary (and only works) on some versions of sudo, and it also depends on how sudo was compiled; for example, depending on which version of Ubuntu you're on, this may not be necessary or may break the sudoers file. This is more common on non-Linux OSes, however.

The SUDO_ASKPASS environment variable (man sudo) is sometimes a better alternative because of this, but again, it depends on the version of sudo, etc.

FWIW, even tools like knife bootstrap and capistrano break on this at times, so it's not an easy problem to solve.

I'm going to deal with this sooner or later for my own project that uses knife-server, so I'm hoping when I get some time I can assist with resolving this by way of command-line options.

ghost commented 11 years ago

I tried this:
https://github.com/nutznboltz/knife-server/commit/c2b288df36817b720f9f1c81b7c1d2032e23e731
but it prompts for the password a number of times (too often for my tastes) since sudo doesn't share the cached credentials over separate ssh connections. I also gave up before I succeeded trying to get highline to not make Net::SSH conk out.

fnichol commented 11 years ago

I'm going to see what we can do here for a 1.1.0 release, if anything. Agreed with @erikh that it is a hard issue and if knife bootstrap has issues there isn't a lot I can do here (this code is directly or indirectly calling this specific knife plugin to get its work done).

One thing I noticed is that there was no --ssh-password vagrant option in the README which might lead to a different result. I've been adding this flag to my testing the last few days, and updated the README accordingly. I also beefed up the EC2 example with all the flags you might need to include if your knife.rb is extremely basic.

fnichol commented 10 years ago

I'm hoping that this is no longer an issue with stock Ubuntu cloud and VM images (at least as far as LTS releases go) and in light of the --ssh-password flag added above to README, I'll close this out.