rancher-sandbox / rancher-desktop

Container Management and Kubernetes on the Desktop
https://rancherdesktop.io
Apache License 2.0

rancher-desktop fails to start on macOS with `sudo: a password is required` while running lima #1811

Open mcanalesmayo opened 2 years ago

mcanalesmayo commented 2 years ago

Actual Behavior

Rancher Desktop is failing to start due to a lima error

Steps to Reproduce

  1. Open Rancher desktop
  2. Make mac laptop sleep
  3. Open again, quit Rancher desktop and start it again
  4. Encountering this error

Sometimes restarting the laptop (instead of sleep) makes it work again, but it's not consistent. Most of the time it keeps having lima errors.

Result

Screen Shot 2022-03-15 at 10 25 30

Expected Behavior

Rancher desktop starting without issues

Additional Information

lima.log

2022-03-15T01:31:17.852Z: Running command limactl list --json...
2022-03-15T01:31:20.721Z: Running command limactl list --json...
2022-03-15T01:31:21.449Z: Running command limactl sudoers --check...
"/private/etc/sudoers.d/zzzzz-rancher-desktop-lima" is up-to-date (or sudo doesn't require a password)
2022-03-15T01:31:21.710Z: Running command limactl list --json...
2022-03-15T01:31:21.968Z: Running command limactl start --tty=false 0...
time="2022-03-15T10:31:22+09:00" level=info msg="Using the existing instance \"0\""
time="2022-03-15T10:31:22+09:00" level=info msg="Starting switch daemon for \"shared\" network"
time="2022-03-15T10:31:22+09:00" level=fatal msg="failed to run [sudo --user root --group wheel --non-interactive /bin/mkdir -m 775 -p /private/var/run/rancher-desktop-lima]: stdout=\"\", stderr=\"sudo: a password is required\\n\": exit status 1"
2022-03-15T01:31:22.260Z: + limactl start --tty=false 0
2022-03-15T01:31:22.261Z: Error: /Applications/Rancher Desktop.app/Contents/Resources/resources/darwin/lima/bin/limactl exited with code 1
2022-03-15T01:31:22.261Z: Error starting lima: Error: /Applications/Rancher Desktop.app/Contents/Resources/resources/darwin/lima/bin/limactl exited with code 1
    at ChildProcess.<anonymous> (/Applications/Rancher Desktop.app/Contents/Resources/app.asar/dist/app/background.js:1:8692)
    at ChildProcess.emit (node:events:394:28)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:290:12)

Seems like it's the same as this #1615

Rancher Desktop Version

1.1.1

Rancher Desktop K8s Version

1.22.7

Which container runtime are you using?

moby (docker cli)

What operating system are you using?

macOS

Operating System / Build Version

Big Sur 11.6.4

What CPU architecture are you using?

x64

Linux only: what package format did you use to install Rancher Desktop?

No response

Windows User Only

No response

mcanalesmayo commented 2 years ago

When I restart my laptop and Rancher-desktop gets started, I get a password prompt and again, the same error. This is the lima.log

2022-03-15T01:41:28.528Z: Running command limactl list --json...
2022-03-15T01:41:31.370Z: Running command limactl list --json...
2022-03-15T01:41:31.982Z: Running command limactl sudoers --check...
"/private/etc/sudoers.d/zzzzz-rancher-desktop-lima" is up-to-date (or sudo doesn't require a password)
2022-03-15T01:41:32.197Z: Running command limactl list --json...
2022-03-15T01:41:32.414Z: Running command limactl start --tty=false 0...
time="2022-03-15T10:41:32+09:00" level=info msg="Using the existing instance \"0\""
time="2022-03-15T10:41:32+09:00" level=info msg="Starting switch daemon for \"shared\" network"
time="2022-03-15T10:41:32+09:00" level=fatal msg="failed to run [sudo --user root --group wheel --non-interactive /bin/mkdir -m 775 -p /private/var/run/rancher-desktop-lima]: stdout=\"\", stderr=\"sudo: a password is required\\n\": exit status 1"
2022-03-15T01:41:32.658Z: + limactl start --tty=false 0
2022-03-15T01:41:32.658Z: Error: /Applications/Rancher Desktop.app/Contents/Resources/resources/darwin/lima/bin/limactl exited with code 1
2022-03-15T01:41:32.658Z: Error starting lima: Error: /Applications/Rancher Desktop.app/Contents/Resources/resources/darwin/lima/bin/limactl exited with code 1
    at ChildProcess.<anonymous> (/Applications/Rancher Desktop.app/Contents/Resources/app.asar/dist/app/background.js:1:8692)
    at ChildProcess.emit (node:events:394:28)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:290:12)

noventa-loft commented 2 years ago

I'm facing the very same issue. rancher v1.1.1 and macOS Monterey 12.3, x64 (Intel Core i7). I've tried to reinstall rancher several times, as well as reset to factory settings.

rkazak commented 2 years ago

I have the same issue, started after my 12.3 upgrade this morning.

noventa-loft commented 2 years ago

This workaround did the trick:

chmod 775 /private/var/run/rancher-desktop-lima

mcanalesmayo commented 2 years ago

That didn't work for me, that path already had those permissions

jandubois commented 2 years ago

Duplicate of #1812 and #1815 (yes, technically those are duplicates of this one, as it was reported first). Look for more information over there.

rkazak commented 2 years ago

I tried that already!

% ls -ld /private/var/run/rancher-desktop-lima
drwxrwxr-x 2 root daemon 64 Mar 15 12:35 /private/var/run/rancher-desktop-lima

jandubois commented 2 years ago

My apologies, I misread. It is not a duplicate of #1812 and #1815.

It does seem to be a duplicate of #1615, meaning your system cannot be configured to allow password-less sudo for specific commands (e.g. your company has added a rule that prevents this).

Unfortunately we don't have a workaround for this. #1224 summarizes all the tasks we need to do to make Rancher Desktop more flexible regarding root/admin requirements, but those will take a while to implement.

mcanalesmayo commented 2 years ago

Yeah this is not a duplicate IMO. Just FYI, this is the behavior after installing Rancher on a fresh new laptop with macOS v11.6.4 (not upgraded to v12.3). Tried all the things in the other issues you mentioned, but no luck. Permissions were already like this in /private/var/run/rancher-desktop-lima, so chmod does not change anything:

drwxrwxr-x 8 root daemon 256 Mar 15 10:45 rancher-desktop-lima

Factory reset and reinstalling doesn't change anything either.

jandubois commented 2 years ago

Yeah this is not a duplicate IMO

It is not a duplicate of #1815, but it looks like a duplicate of #1615. The key error is:

"failed to run [sudo --user root --group wheel --non-interactive /bin/mkdir -m 775 -p /private/var/run/rancher-desktop-lima]: stdout=\"\", stderr=\"sudo: a password is required\\n\": exit status 1"

You can check that the command is included in the relevant sudoers file:

$ sudo head -1 /etc/sudoers.d/zzzzz-rancher-desktop-lima
%everyone ALL=(root:wheel) NOPASSWD:NOSETENV: /bin/mkdir -m 775 -p /private/var/run/rancher-desktop-lima

This means you should be able to run these commands without any password prompt (the sudo -k makes sure that there is no cached authorization):

$ sudo -k
$ sudo /bin/mkdir -m 775 -p /private/var/run/rancher-desktop-lima
$

The error in the log file indicates that sudo still wants you to provide your password even though the rule above says NOPASSWD.

This will be due to another rule in your /etc/sudoers file that is most likely inserted by some security or device management software of your company. It is hard to say without actually seeing the files, and changing things might be against company policy.

The default /etc/sudoers file ends with these 3 lines:

$ sudo tail -3 /etc/sudoers
## Read drop-in files from /private/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d

Any rules after the #includedir line can potentially override the rules created by Rancher Desktop. E.g. this line:

username ALL=(ALL) ALL

would allow you to run all commands via sudo, but always ask for your password. But there are endless ways how corporate rules could interfere with the app-specific rules, which is why we want to move away from using the sudoers mechanism at all #1224.

mcanalesmayo commented 2 years ago

This is what I get from the corresponding sudoers file

$ sudo head -1 /etc/sudoers.d/zzzzz-rancher-desktop-lima
%everyone ALL=(root:wheel) NOPASSWD:NOSETENV: /bin/mkdir -m 775 -p /private/var/run/rancher-desktop-lima

And this from the default sudoers

$ sudo tail -3 /etc/sudoers
## Read drop-in files from /private/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d

So I guess that, as you pointed out, there must be something else coming from the corporate policies in my laptop. Not much we can do at the moment I believe. Everybody using Rancher from my team is having similar issues, so I guess we'll have to wait till Rancher has a way to do this other than using sudoers. Thanks for the support anyways.

Congee commented 2 years ago

I don't have a corporate policy but have upgraded to 12.3. The recent upgrade to 12.3 regarding security might have caused this issue.

jandubois commented 2 years ago

@Congee The upgrade to 12.3 may have caused #1815, but has had no effect on #1615, which has existed even before the upgrade, and has not been changed by the upgrade afaik.

mcanalesmayo commented 2 years ago

FYI I noticed that it fails when I'm not connected to the company VPN. After connecting to the VPN it can start successfully.

There's other issues we are facing when using Rancher Desktop that we did not have before when using Docker Desktop, but it's not related to this.

Again, thanks for your support!

jorgebnunes commented 2 years ago

Hi, do:

sudo vi /private/etc/sudoers.d/sudoers

On this file add/modify replacing it by your username:

your_user_name ALL=(ALL) NOPASSWD: ALL

Save and restart Rancher Desktop

gaktive commented 2 years ago

Updating the sudoers file should be documented once we confirm the steps required; that can at least allow people to understand what the scenario is and a way around it if we can't easily fix this.

nicolas-g commented 2 years ago

FYI I noticed that it fails when I'm not connected to the company VPN. After connecting to the VPN it can start successfully.

There's other issues we are facing when using Rancher Desktop that we did not have before when using Docker Desktop, but it's not related to this.

Again, thanks for your support!

That did the trick for mine to work !!!!

ngraef commented 1 year ago

FYI I noticed that it fails when I'm not connected to the company VPN. After connecting to the VPN it can start successfully.

That is what my team noticed too. We don't have any extra corporate configuration for sudoers.

I believe this is a bug (or a really annoying feature?) of domain-bound Macs. sudo checks with the directory service, which seems to ignore local group information after a reboot if it can't resolve from the domain. In this case, Rancher Desktop startup fails because the %everyone ... NOPASSWD: sudo rules in zzzzz-rancher-desktop-lima aren't matched for my user, even though id shows I am a member of the everyone group.


~On this file add/modify replacing it by your username:~ ~your_user_name ALL=(ALL) NOPASSWD: ALL~

Please don't do that. It allows any program running as your user to escalate privileges and run any command without your password.

I've added the following to my personal rules in sudoers.d to work around the annoyance. (The first two rules could be combined, but I've left them separate to match zzzzz-rancher-desktop-lima.)

# Overrides to support starting rancher-desktop after reboot without VPN.
my_user ALL=(root:wheel) NOPASSWD:NOSETENV: /bin/mkdir -m 775 -p /private/var/run
my_user ALL=(root:wheel) NOPASSWD:NOSETENV: /opt/rancher-desktop/bin/vde_vmne, /usr/bin/pkill -F /private/var/run/*.pid
my_user ALL=(daemon:everyone) NOPASSWD:NOSETENV: /opt/rancher-desktop/bin/vde_switch, /usr/bin/pkill -F /private/var/run/*.pid
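
Added example, not part of the thread and not Rancher Desktop or sudo code: a simplified Python model of the "last matching rule wins" ordering jandubois describes and of the per-user override ngraef posted, plus a check for the blanket `NOPASSWD: ALL` rule ngraef warns about. The user name `alice`, the `%admin` base rule and the exact-text command matching are assumptions of the example.

```python
import re

# Simplified model (this example's assumption, not sudo's parser): no aliases, host
# always ALL, Runas ignored, commands match on identical text or the keyword ALL.
RULE = re.compile(r"^(?P<who>\S+)\s+ALL\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOSETENV|SETENV):\s*")

def parse(line):
    """Return (who, [(command, needs_password)]), or None for non-rule lines."""
    m = RULE.match(line.strip())
    if line.lstrip().startswith("#") or not m:   # comments, #includedir, blanks
        return None
    needs_password, cmds = True, []              # sudo's default tag is PASSWD
    for item in m.group("cmds").split(","):
        item = item.strip()
        while (t := TAG.match(item)):            # a tag carries over to later commands
            if t.group(1) in ("NOPASSWD", "PASSWD"):
                needs_password = t.group(1) == "PASSWD"
            item = item[t.end():]
        cmds.append((item, needs_password))
    return m.group("who"), cmds

def password_required(rules, user, groups, command):
    """Last matching rule wins. None means no rule matched at all."""
    result = None
    for who, cmds in filter(None, map(parse, rules)):
        applies = who in ("ALL", user) or (who[0] == "%" and who[1:] in groups)
        for cmd, needs_password in cmds:
            if applies and cmd in ("ALL", command):
                result = needs_password
    return result

def broad_nopasswd(rules):
    """Flag rules that let a user run every command without a password."""
    return [r for r in rules
            if (p := parse(r)) and any(c == "ALL" and not pw for c, pw in p[1])]

# Constructed sample data; "alice" and the %admin base rule are assumptions.
MKDIR = "/bin/mkdir -m 775 -p /private/var/run/rancher-desktop-lima"
BASE = ["%admin ALL = (ALL) ALL", f"%everyone ALL=(root:wheel) NOPASSWD:NOSETENV: {MKDIR}"]
OVERRIDDEN = BASE + ["alice ALL=(ALL) ALL"]      # rule placed after #includedir
PER_USER = BASE + [f"alice ALL=(root:wheel) NOPASSWD:NOSETENV: {MKDIR}"]
TOO_BROAD = ["alice ALL=(ALL) NOPASSWD: ALL"]

if __name__ == "__main__":
    both = {"admin", "everyone"}
    for rules, groups in [(BASE, both), (OVERRIDDEN, both), (BASE, {"admin"}), (PER_USER, {"admin"})]:
        print(password_required(rules, "alice", groups, MKDIR))
    print(broad_nopasswd(TOO_BROAD + PER_USER))
```

Leaving `everyone` out of `groups` models the case where that membership is not resolved; the command-scoped per-user rule then restores the password-less result without being flagged as a blanket grant.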

lindskogen commented 1 year ago

It seems like recent versions of macOS are missing the /private/etc/sudoers.d/ directory. And the install script fails when it doesn't exist.

Creating the directory and then restarting Rancher Desktop worked for me!

sudo mkdir /private/etc/sudoers.d

rsivakanth commented 1 year ago

FYI I noticed that it fails when I'm not connected to the company VPN. After connecting to the VPN it can start successfully.

That is what my team noticed too. We don't have any extra corporate configuration for sudoers.

I believe this is a bug (or a really annoying feature?) of domain-bound Macs. sudo checks with the directory service, which seems to ignore local group information after a reboot if it can't resolve from the domain. In this case, Rancher Desktop startup fails because the %everyone ... NOPASSWD: sudo rules in zzzzz-rancher-desktop-lima aren't matched for my user, even though id shows I am a member of the everyone group.

~On this file add/modify replacing it by your username:~ ~your_user_name ALL=(ALL) NOPASSWD: ALL~

Please don't do that. It allows any program running as your user to escalate privileges and run any command without your password.

I've added the following to my personal rules in sudoers.d to work around the annoyance. (The first two rules could be combined, but I've left them separate to match zzzzz-rancher-desktop-lima.)

# Overrides to support starting rancher-desktop after reboot without VPN.
my_user ALL=(root:wheel) NOPASSWD:NOSETENV: /bin/mkdir -m 775 -p /private/var/run
my_user ALL=(root:wheel) NOPASSWD:NOSETENV: /opt/rancher-desktop/bin/vde_vmne, /usr/bin/pkill -F /private/var/run/*.pid
my_user ALL=(daemon:everyone) NOPASSWD:NOSETENV: /opt/rancher-desktop/bin/vde_switch, /usr/bin/pkill -F /private/var/run/*.pid

This perfectly worked for me. I just replaced my_user, restarted the rancher desktop and the magic is done. Thanks a lot.

GmaD-X commented 1 year ago

Is there any update on this OR any workarounds besides updating the sudoers file?

Rancher Desktop Version: 1.8.1
Mac version: 13.3.1

amanbolat commented 8 months ago

The same issue happens to me on my MacBook with M2 Pro chip.

Rancher Desktop Version: 1.11.1
Mac version: 13.5

ricbar3 commented 6 months ago

I am running into this issue as well with the newest version of RD and M1 MacBook 14.3 with CyberArk EPM installed.

Seems tied to the sudo no password

'0' ], stdout: '', stderr: 'time="2024-02-11T19:29:31Z" level=info msg="Using the existing instance \"0\""\n' + 'time="2024-02-11T19:29:31Z" level=info msg="Starting vde_switch daemon for \"rancher-desktop-shared\" network"\n' + 'time="2024-02-11T19:29:31Z" level=fatal msg="failed to run [sudo --user root --group wheel --non-interactive /bin/mkdir -m 775 -p /private/var/run]: stdout=\"\", stderr=\"sudo: a password is required\n\": exit status 1"\n', code: 1, [Symbol(child-process.command)]: '/Applications/Rancher Desktop.app/Contents/Resources/resources/darwin/lima/bin/limactl.ventura start --tty=false 0' }

Has there been any movement on this issue being fixed?

I tried the rules below but no luck, I think because EPM does not like the sudo command.

# Overrides to support starting rancher-desktop after reboot without VPN.
my_user ALL=(root:wheel) NOPASSWD:NOSETENV: /bin/mkdir -m 775 -p /private/var/run
my_user ALL=(root:wheel) NOPASSWD:NOSETENV: /opt/rancher-desktop/bin/vde_vmne, /usr/bin/pkill -F /private/var/run/*.pid
my_user ALL=(daemon:everyone) NOPASSWD:NOSETENV: /opt/rancher-desktop/bin/vde_switch, /usr/bin/pkill -F /private/var/run/*.pid

ashishsanodia-harness commented 2 months ago

@ricbar3 Did you find the solution? I'm also facing the same issue.

fethiarras commented 2 months ago

For those who use CyberArk EPM: Hi,

I made an Enhancement Request to CyberArk for supporting --non-interactive on EPM. Since agent 24.7, you need to open a case with CyberArk if you want to activate the support of --non-interactive, and it works :)