pki-bot / pki-issues-final

pki installer attempts to use sudo even when running under root and fails in a container without sudo #2720

Open pki-bot opened 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #3171. Originally filed by abbra (@abbra) on 2020-04-08 14:49:21:


Attempted FreeIPA installation on Debian unstable using a container which didn't have the sudo package installed; pkispawn failed with the following message in pki-ca-spawn.<DATE>.log:

2020-04-08 18:41:55 ERROR: FileNotFoundError: [Errno 2] No such file or directory: 'sudo'
  File "/usr/lib/python3/dist-packages/pki/server/pkispawn.py", line 562, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3/dist-packages/pki/server/deployment/scriptlets/configuration.py", line 747, in spawn
    subsystem.remove_database(force=True)
  File "/usr/lib/python3/dist-packages/pki/server/subsystem.py", line 932, in remove_database
    self.run(cmd, as_current_user=as_current_user)
  File "/usr/lib/python3/dist-packages/pki/server/subsystem.py", line 980, in run
    subprocess.run(cmd, check=True)
  File "/usr/lib/python3.8/subprocess.py", line 489, in run
    with Popen(*popenargs, **kwargs) as process:
  File "/usr/lib/python3.8/subprocess.py", line 854, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "/usr/lib/python3.8/subprocess.py", line 1702, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)

I think sudo definitely shouldn't be needed for running as root in a container:

root@ipa:/# id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)

root@ipa:/# apt-cache show pki-base |grep Version
Version: 10.8.3-2

pki-bot commented 4 years ago

Comment from dmoluguw (@SilleBille) at 2020-04-08 15:07:26

While spawning, the removal happens as pkiuser and not the current user. This is achieved by using sudo -u in the script...

https://github.com/dogtagpki/pki/blob/master/base/server/python/pki/server/subsystem.py#L943

As ab pointed out in the IRC conversation, sudo -u can be replaced by runuser -u, which is part of the util-linux package.

pki-bot commented 4 years ago

Comment from dmoluguw (@SilleBille) at 2020-07-23 14:18:21

The issue is fixed via PR: https://github.com/dogtagpki/pki/pull/494

The PR will be merged after 10.9 branching occurs (i.e., it will be included in PKI 10.10+). This issue should stay open until the PR gets merged.

ckelleyRH commented 3 years ago

The fix for this is merged into master, so closing:

git log | grep -A 10 "commit 49585867207922479644a03078c29548de02cd03"
commit 49585867207922479644a03078c29548de02cd03
Author: Dinesh Prasanth M K <dmoluguw@redhat.com>
Date:   Thu Jul 23 10:56:39 2020 -0400

    Move from sudo to runuser

    This patch migrates usage of sudo to runuser. In containers
    sudo is not installed by default. Whereas, `runuser` is part of
    'util-linux' package, which is installed by default

    Fixes: https://pagure.io/dogtagpki/issue/3171
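
An added example (not code from the dogtagpki project or from this thread): one way to build the run-as-another-user command line discussed above so that it relies on `runuser` rather than `sudo` and reports a missing helper clearly instead of surfacing a bare `FileNotFoundError`. The names `wrap_for_user`, `run_as` and `PrivilegeDropError`, and the sample command, are hypothetical.

```python
import os
import pwd
import shutil
import subprocess


class PrivilegeDropError(RuntimeError):
    """Raised when the command cannot be run as the requested user."""


def wrap_for_user(cmd, user, euid, current_user, which=shutil.which):
    """Return the argv needed to run cmd as user.

    euid and current_user describe the calling process; which() locates
    helper binaries and is injectable so the logic can be tested offline.
    """
    if user == current_user:
        return list(cmd)  # already the target user: no wrapper needed
    if euid != 0:
        # runuser may only be executed by root; refuse early and clearly.
        raise PrivilegeDropError(
            "must be root to run %r as %s" % (cmd[0], user))
    runuser = which("runuser")
    if runuser is None:
        raise PrivilegeDropError("runuser (util-linux) not found in PATH")
    # "--" stops runuser from interpreting the command's own options.
    return [runuser, "-u", user, "--"] + list(cmd)


def run_as(cmd, user):
    """Run cmd as user, resolving the caller's identity from the OS."""
    euid = os.geteuid()
    try:
        current_user = pwd.getpwuid(euid).pw_name
    except KeyError:  # UID without a passwd entry, common in containers
        current_user = None
    argv = wrap_for_user(cmd, user, euid, current_user)
    return subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Constructed sample: root in a container that has runuser but no sudo.
    def fake_which(name):
        return "/usr/sbin/runuser" if name == "runuser" else None

    print(wrap_for_user(["id", "-un"], "pkiuser", 0, "root", fake_which))
```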