Open mcanalesmayo opened 2 years ago
When I restart my laptop and Rancher-desktop gets started, I get a password prompt and again, the same error. This is the lima.log
2022-03-15T01:41:28.528Z: Running command limactl list --json...
2022-03-15T01:41:31.370Z: Running command limactl list --json...
2022-03-15T01:41:31.982Z: Running command limactl sudoers --check...
"/private/etc/sudoers.d/zzzzz-rancher-desktop-lima" is up-to-date (or sudo doesn't require a password)
2022-03-15T01:41:32.197Z: Running command limactl list --json...
2022-03-15T01:41:32.414Z: Running command limactl start --tty=false 0...
time="2022-03-15T10:41:32+09:00" level=info msg="Using the existing instance \"0\""
time="2022-03-15T10:41:32+09:00" level=info msg="Starting switch daemon for \"shared\" network"
time="2022-03-15T10:41:32+09:00" level=fatal msg="failed to run [sudo --user root --group wheel --non-interactive /bin/mkdir -m 775 -p /private/var/run/rancher-desktop-lima]: stdout=\"\", stderr=\"sudo: a password is required\\n\": exit status 1"
2022-03-15T01:41:32.658Z: + limactl start --tty=false 0
2022-03-15T01:41:32.658Z: Error: /Applications/Rancher Desktop.app/Contents/Resources/resources/darwin/lima/bin/limactl exited with code 1
2022-03-15T01:41:32.658Z: Error starting lima: Error: /Applications/Rancher Desktop.app/Contents/Resources/resources/darwin/lima/bin/limactl exited with code 1
at ChildProcess.<anonymous> (/Applications/Rancher Desktop.app/Contents/Resources/app.asar/dist/app/background.js:1:8692)
at ChildProcess.emit (node:events:394:28)
at Process.ChildProcess._handle.onexit (node:internal/child_process:290:12)
I'm facing the very same issue. rancher v1.1.1 and macOS Monterey 12.3, x64 (Intel Core i7). I've tried to reinstall rancher several times, as well as reset to factory settings.
I have the same issue, started after my 12.3 upgrade this morning.
This workaround did the trick:
chmod 775 /private/var/run/rancher-desktop-lima
That didn't work for me, that path already had those permissions
Duplicate of #1812 and #1815 (yes, technically those are duplicates of this one, as it was reported first). Look for more information over there.
I tried that already!
% ls -ld /private/var/run/rancher-desktop-lima
drwxrwxr-x 2 root daemon 64 Mar 15 12:35 /private/var/run/rancher-desktop-lima
My apologies, I misread. It is not a duplicate of #1812 and #1815.
It does seem to be a duplicate of #1615, meaning your system cannot be configured to allow password-less sudo for specific commands (e.g. your company has added a rule that prevents this).
Unfortunately we don't have a workaround for this. #1224 summarizes all the tasks we need to do to make Rancher Desktop more flexible regarding root/admin requirements, but those will take a while to implement.
Yeah this is not a duplicate IMO. Just FYI, this is the behavior after installing Rancher on a fresh new laptop with macOS v11.6.4 (not upgraded to v12.3).
Tried all the things in the other issues you mentioned, but no luck. Permissions were already like this in /private/var/run/rancher-desktop-lima, so chmod does not change anything:
drwxrwxr-x 8 root daemon 256 Mar 15 10:45 rancher-desktop-lima
Factory reset and reinstalling doesn't change anything either.
Yeah this is not a duplicate IMO
It is not a duplicate of #1815, but it looks like a duplicate of #1615. The key error is:
"failed to run [sudo --user root --group wheel --non-interactive /bin/mkdir -m 775 -p /private/var/run/rancher-desktop-lima]: stdout=\"\", stderr=\"sudo: a password is required\\n\": exit status 1"
You can check that the command is included in the relevant sudoers file:
$ sudo head -1 /etc/sudoers.d/zzzzz-rancher-desktop-lima
%everyone ALL=(root:wheel) NOPASSWD:NOSETENV: /bin/mkdir -m 775 -p /private/var/run/rancher-desktop-lima
This means you should be able to run these commands without any password prompt (the sudo -k makes sure that there is no cached authorization):
$ sudo -k
$ sudo /bin/mkdir -m 775 -p /private/var/run/rancher-desktop-lima
$
The error in the log file indicates that sudo still wants you to provide your password even though the rule above says NOPASSWD.
This will be due to another rule in your /etc/sudoers file that is most likely inserted by some security or device management software of your company. It is hard to say without actually seeing the files, and changing things might be against company policy.
The default /etc/sudoers file ends with these 3 lines:
$ sudo tail -3 /etc/sudoers
## Read drop-in files from /private/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d
Any rules after the #includedir line can potentially override the rules created by Rancher Desktop. E.g. this line:
username ALL=(ALL) ALL
would allow you to run all commands via sudo, but always ask for your password. But there are endless ways how corporate rules could interfere with the app-specific rules, which is why we want to move away from using the sudoers mechanism at all #1224.
This is what I get from the corresponding sudoers file
$ sudo head -1 /etc/sudoers.d/zzzzz-rancher-desktop-lima
%everyone ALL=(root:wheel) NOPASSWD:NOSETENV: /bin/mkdir -m 775 -p /private/var/run/rancher-desktop-lima
And this from the default sudoers
$ sudo tail -3 /etc/sudoers
## Read drop-in files from /private/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d
So I guess that, as you pointed out, there must be something else coming from the corporate policies in my laptop. Not much we can do at the moment I believe. Everybody using Rancher from my team is having similar issues, so I guess we'll have to wait till Rancher has a way to do this other than using sudoers. Thanks for the support anyways.
I don't have a corporate policy but have upgraded to 12.3. The recent upgrade to 12.3 regarding security might have caused this issue.
@Congee The upgrade to 12.3 may have caused #1815, but has had no effect on the #1615, which has existed even before the upgrade, and has not been changed by the upgrade afaik.
FYI I noticed that it fails when I'm not connected to the company VPN. After connecting to the VPN it can start successfully.
There's other issues we are facing when using Rancher Desktop that we did not have before when using Docker Desktop, but it's not related to this.
Again, thanks for your support!
Hi, do:
sudo vi /private/etc/sudoers.d/sudoers
On this file add/modify replacing it by your username:
your_user_name ALL=(ALL) NOPASSWD: ALL
Save and restart Rancher Desktop
Updating the sudoers file should be documented once we confirm the steps required; that can at least allow people to understand what the scenario is and a way around it if we can't easily fix this.
FYI I noticed that it fails when I'm not connected to the company VPN. After connecting to the VPN it can start successfully.
There's other issues we are facing when using Rancher Desktop that we did not have before when using Docker Desktop, but it's not related to this.
Again, thanks for your support!
That did the trick for mine to work !!!!
FYI I noticed that it fails when I'm not connected to the company VPN. After connecting to the VPN it can start successfully.
That is what my team noticed too. We don't have any extra corporate configuration for sudoers.
I believe this is a bug (or a really annoying feature?) of domain-bound Macs. sudo checks with the directory service, which seems to ignore local group information after a reboot if it can't resolve from the domain. In this case, Rancher Desktop startup fails because the %everyone ... NOPASSWD: sudo rules in zzzzz-rancher-desktop-lima aren't matched for my user, even though id shows I am a member of the everyone group.
~On this file add/modify replacing it by your username:~ ~your_user_name ALL=(ALL) NOPASSWD: ALL~
Please don't do that. It allows any program running as your user to escalate privileges and run any command without your password.
I've added the following to my personal rules in sudoers.d to work around the annoyance. (The first two rules could be combined, but I've left them separate to match zzzzz-rancher-desktop-lima.)
# Overrides to support starting rancher-desktop after reboot without VPN.
my_user ALL=(root:wheel) NOPASSWD:NOSETENV: /bin/mkdir -m 775 -p /private/var/run
my_user ALL=(root:wheel) NOPASSWD:NOSETENV: /opt/rancher-desktop/bin/vde_vmne, /usr/bin/pkill -F /private/var/run/*.pid
my_user ALL=(daemon:everyone) NOPASSWD:NOSETENV: /opt/rancher-desktop/bin/vde_switch, /usr/bin/pkill -F /private/var/run/*.pid
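The rule matching discussed in this thread (the last matching sudoers rule wins, a %group rule only applies when the group resolves, and a blanket NOPASSWD: ALL rule covers every command), as an added example that is not part of the original thread or of Rancher Desktop. It is a simplified model of sudoers evaluation that ignores the host and run-as fields, aliases and Defaults; the function names and the user alice are hypothetical.

```python
import fnmatch
import re

# Constructed inputs built from rules quoted in the thread.
CMD = "/bin/mkdir -m 775 -p /private/var/run/rancher-desktop-lima"
DROPIN = "%everyone ALL=(root:wheel) NOPASSWD:NOSETENV: " + CMD + "\n"
LATER = "username ALL=(ALL) ALL\n"                    # rule after #includedir
BLANKET = "your_user_name ALL=(ALL) NOPASSWD: ALL\n"  # the discouraged workaround

# who host=(runas) [TAG: ...] command[, command ...]
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*\([^)]*\)\s*((?:[A-Z]+:\s*)*)(.+)$")


def parse(text):
    """Yield (who, tags, commands) for each simple user specification."""
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m and not line.lstrip().startswith("#"):
            who, tags, cmds = m.groups()
            yield who, set(re.findall(r"[A-Z]+", tags)), [c.strip() for c in cmds.split(",")]


def decide(text, user, groups, command):
    """Return 'nopasswd', 'password' or 'no-match'; the LAST matching rule wins."""
    result = "no-match"
    for who, tags, cmds in parse(text):
        applies = who in ("ALL", user) or (who.startswith("%") and who[1:] in groups)
        if applies and any(c == "ALL" or fnmatch.fnmatchcase(command, c) for c in cmds):
            result = "nopasswd" if "NOPASSWD" in tags else "password"
    return result


def blanket_rules(text):
    """Principals that may run every command without a password."""
    return [who for who, tags, cmds in parse(text) if "NOPASSWD" in tags and "ALL" in cmds]


if __name__ == "__main__":
    print(decide(DROPIN, "alice", {"everyone"}, CMD))             # group resolves
    print(decide(DROPIN, "alice", set(), CMD))                    # group not resolved
    print(decide(DROPIN + LATER, "username", {"everyone"}, CMD))  # later rule overrides
    print(blanket_rules(DROPIN + LATER + BLANKET))
```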
It seems like recent versions of macOS are missing the /private/etc/sudoers.d/ directory. And the install script fails when it doesn't exist.
Creating the directory and then restarting Rancher Desktop worked for me!
sudo mkdir /private/etc/sudoers.d
FYI I noticed that it fails when I'm not connected to the company VPN. After connecting to the VPN it can start successfully.
That is what my team noticed too. We don't have any extra corporate configuration for sudoers.
I believe this is a bug (or a really annoying feature?) of domain-bound Macs. sudo checks with the directory service, which seems to ignore local group information after a reboot if it can't resolve from the domain. In this case, Rancher Desktop startup fails because the %everyone ... NOPASSWD: sudo rules in zzzzz-rancher-desktop-lima aren't matched for my user, even though id shows I am a member of the everyone group.
~On this file add/modify replacing it by your username:~ ~your_user_name ALL=(ALL) NOPASSWD: ALL~
Please don't do that. It allows any program running as your user to escalate privileges and run any command without your password.
I've added the following to my personal rules in sudoers.d to work around the annoyance. (The first two rules could be combined, but I've left them separate to match zzzzz-rancher-desktop-lima.)
# Overrides to support starting rancher-desktop after reboot without VPN.
my_user ALL=(root:wheel) NOPASSWD:NOSETENV: /bin/mkdir -m 775 -p /private/var/run
my_user ALL=(root:wheel) NOPASSWD:NOSETENV: /opt/rancher-desktop/bin/vde_vmne, /usr/bin/pkill -F /private/var/run/*.pid
my_user ALL=(daemon:everyone) NOPASSWD:NOSETENV: /opt/rancher-desktop/bin/vde_switch, /usr/bin/pkill -F /private/var/run/*.pid
This perfectly worked for me. I just replaced my_user, restarted the rancher desktop and the magic is done. Thanks a lot.
Is there any update on this OR any workarounds besides updating the sudoers file?
Rancher Desktop Version : 1.8.1 Mac version : 13.3.1
The same issue happens to me on my MacBook with M2 Pro chip.
Rancher Desktop Version : 1.11.1 Mac version : 13.5
I am running into this issue as well with the newest version of RD and M1 Macbook 14.3 with cyberark EPM installed
Seems tied to the sudo no password
'0' ], stdout: '', stderr: 'time="2024-02-11T19:29:31Z" level=info msg="Using the existing instance \"0\""\n' + 'time="2024-02-11T19:29:31Z" level=info msg="Starting vde_switch daemon for \"rancher-desktop-shared\" network"\n' + 'time="2024-02-11T19:29:31Z" level=fatal msg="failed to run [sudo --user root --group wheel --non-interactive /bin/mkdir -m 775 -p /private/var/run]: stdout=\"\", stderr=\"sudo: a password is required\n\": exit status 1"\n', code: 1, [Symbol(child-process.command)]: '/Applications/Rancher Desktop.app/Contents/Resources/resources/darwin/lima/bin/limactl.ventura start --tty=false 0' }
Has there been any movement on this issue being fixed?
I tried the rules below but no luck I think because EPM does not like the sudo command
# Overrides to support starting rancher-desktop after reboot without VPN.
my_user ALL=(root:wheel) NOPASSWD:NOSETENV: /bin/mkdir -m 775 -p /private/var/run
my_user ALL=(root:wheel) NOPASSWD:NOSETENV: /opt/rancher-desktop/bin/vde_vmne, /usr/bin/pkill -F /private/var/run/*.pid
my_user ALL=(daemon:everyone) NOPASSWD:NOSETENV: /opt/rancher-desktop/bin/vde_switch, /usr/bin/pkill -F /private/var/run/*.pid
@ricbar3 Did you find the solution? I'm also facing the same issue.
For those who use CyberARK EPM: Hi,
I made an Enhancement Request to CyberARK for supporting --non-interactive on EPM. Since agent 24.7, you need to open a case with CyberARK if you want to activate the support of --non-interactive, and it works :)
Actual Behavior
Rancher desktop is failing to start due to lima error
Steps to Reproduce
Sometimes restarting the laptop (instead of sleep) makes it work again, but it's not consistent. Most of the time it keeps having lima errors.
Result
Expected Behavior
Rancher desktop starting without issues
Additional Information
lima.log
Seems like it's the same as this #1615
Rancher Desktop Version
1.1.1
Rancher Desktop K8s Version
1.22.7
Which container runtime are you using?
moby (docker cli)
What operating system are you using?
macOS
Operating System / Build Version
Big Sur 11.6.4
What CPU architecture are you using?
x64
Linux only: what package format did you use to install Rancher Desktop?
No response
Windows User Only
No response