This repository has been archived by the owner on Nov 24, 2022. It is now read-only.

Avoiding 'sudo' passwords

fgrehm edited this page Oct 19, 2014 · 8 revisions

This plugin requires a lot of sudoing since user namespaces are not supported on mainstream kernels.

Starting with vagrant-lxc 1.0.0, the plugin provides a vagrant lxc sudoers command that creates a sudoers file listing all commands used by the plugin.

If you are using a previous version or want to create it by hand, here's a script that can do the trick for you:

#!/bin/bash

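if [ "$(id -u)" != "0" ]; then
    echo "You should run this script as root (sudo)."
    exit 1
fi

# $SUDO_USER is only set when the script is started through sudo; without it
# every rule below would be written with an empty user field.
if [ -z "$SUDO_USER" ]; then
    echo "SUDO_USER is not set; run this script with sudo from your own account."
    exit 1
fi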

echo "# lxc
$SUDO_USER   ALL=(root) NOPASSWD: /usr/bin/lxc-ls, /usr/bin/lxc-info, /usr/bin/lxc-attach
$SUDO_USER   ALL=(root) NOPASSWD: /usr/bin/which lxc-*

# vagrant-lxc (startup)
$SUDO_USER   ALL=(root) NOPASSWD: /bin/cat /var/lib/lxc/*, /bin/mkdir -p /var/lib/lxc/*
$SUDO_USER   ALL=(root) NOPASSWD: /bin/su root -c sed -e '*' -ibak /var/lib/lxc/*
$SUDO_USER   ALL=(root) NOPASSWD: /bin/su root -c echo '*' >> /var/lib/lxc/*
$SUDO_USER   ALL=(root) NOPASSWD: /usr/bin/lxc-start -d --name *

# vagrant-lxc (create)
$SUDO_USER   ALL=(root) NOPASSWD: /bin/cp $HOME/.vagrant.d/boxes/*/lxc/lxc-template /usr/lib/lxc/templates/*
$SUDO_USER   ALL=(root) NOPASSWD: /bin/cp $HOME/.vagrant.d/boxes/*/lxc/lxc-template /usr/share/lxc/templates/*
$SUDO_USER   ALL=(root) NOPASSWD: /bin/rm /usr/lib/lxc/templates/*
$SUDO_USER   ALL=(root) NOPASSWD: /bin/rm /usr/share/lxc/templates/*
$SUDO_USER   ALL=(root) NOPASSWD: /bin/chmod +x /usr/lib/lxc/*
$SUDO_USER   ALL=(root) NOPASSWD: /bin/chmod +x /usr/share/lxc/*
$SUDO_USER   ALL=(root) NOPASSWD: /usr/bin/lxc-create --template * --name * -- --tarball $HOME/.vagrant.d/boxes/*

# vagrant-lxc (shutdown & destroy)
$SUDO_USER   ALL=(root) NOPASSWD: /bin/rm -rf /var/lib/lxc/*/rootfs/tmp/*
$SUDO_USER   ALL=(root) NOPASSWD: /usr/bin/lxc-shutdown --name *
$SUDO_USER   ALL=(root) NOPASSWD: /usr/bin/lxc-stop --name *
$SUDO_USER   ALL=(root) NOPASSWD: /usr/bin/lxc-destroy --name *" > /etc/sudoers.d/vagrant-lxc

chmod 440 /etc/sudoers.d/vagrant-lxc

Make the script executable and run it:

chmod a+x lxc-sudoers.sh
sudo ./lxc-sudoers.sh

Notes from pre 1.0.0 versions

If you are using Ubuntu 12.04 (or any other OS with sudo < 1.8.4) you might be affected by a bug that prevents your sudo password from being cached. You can work around the issue by disabling tty_tickets: execute sudo visudo and add the following line:

     Defaults   !tty_tickets

Using a wrapper script + NOPASSWD

Another option is to use a really dumb AND INSECURE Ruby wrapper script like the one below and add a NOPASSWD entry to our /etc/sudoers file:

#!/usr/bin/env ruby
exec ARGV.join(' ')

For example, you can save the code above as /usr/bin/lxc-vagrant-wrapper, make it executable by running chmod +x /usr/bin/lxc-vagrant-wrapper, and add the line below to your /etc/sudoers file:

USERNAME ALL=NOPASSWD:/usr/bin/lxc-vagrant-wrapper

WARNING: the /usr/bin/lxc-vagrant-wrapper + /etc/sudoers combination above allows USERNAME to run any privileged command without a password. You might want to think twice before using that on a machine with sensitive data.

In order to tell vagrant-lxc to use that script when sudo is needed, you can pass in the path to the script as a configuration for the provider:

Vagrant.configure("2") do |config|
  config.vm.provider :lxc do |lxc|
    lxc.sudo_wrapper = '/usr/bin/lxc-vagrant-wrapper'
  end
end

If you want to set the sudo_wrapper globally, just add the code above to your ~/.vagrant.d/Vagrantfile.
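
As an added example (not part of the original wiki page and not vagrant-lxc's own code), the wrapper below keeps the same sudo_wrapper setup but only executes an allow-list of commands, so the NOPASSWD entry no longer grants unrestricted root. It covers a subset of the commands from the sudoers script above; the container-name pattern, the no-argument rule for lxc-ls, and the helper names (inside?, allowed?, RULES) are assumptions.

```ruby
#!/usr/bin/env ruby
# Added example: allow-listing replacement for the exec-everything wrapper.
# Not vagrant-lxc's own code; rules, patterns and helper names are assumptions.
require 'pathname'

LXC_ROOT = '/var/lib/lxc' # container directory used by the sudoers rules on this page
NAME = /\A[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\z/ # assumed container-name pattern

# True when path is already normalized (no "..", "." or "//" components)
# and lies strictly below root. Lexical check only: symlinks are not resolved.
def inside?(path, root)
  clean = Pathname.new(path).cleanpath.to_s
  clean == path && clean.start_with?(root + '/')
end

# Accepts exactly: --name <container>
NAMED = ->(a) { a.length == 2 && a[0] == '--name' && a[1].match?(NAME) }

# Executable path => validator for the remaining argument vector.
RULES = {
  '/usr/bin/lxc-ls'       => ->(a) { a.empty? },
  '/usr/bin/lxc-start'    => ->(a) { a.first == '-d' && NAMED.call(a.drop(1)) },
  '/usr/bin/lxc-shutdown' => NAMED,
  '/usr/bin/lxc-stop'     => NAMED,
  '/usr/bin/lxc-destroy'  => NAMED,
  '/bin/cat'              => ->(a) { a.length == 1 && inside?(a[0], LXC_ROOT) },
  '/bin/mkdir'            => ->(a) { a.length == 2 && a[0] == '-p' && inside?(a[1], LXC_ROOT) }
}.freeze

# Returns true only for an allow-listed executable with arguments its rule accepts.
def allowed?(argv)
  cmd, *args = argv
  rule = RULES[cmd]
  rule ? rule.call(args) : false
end

if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  abort "lxc-vagrant-wrapper: refused #{ARGV.inspect}" unless allowed?(ARGV)
  # Array form of exec never passes the command line through a shell.
  exec([ARGV[0], ARGV[0]], *ARGV[1..-1])
end
```

The sudoers line and the lxc.sudo_wrapper setting stay as shown above; any other command the plugin needs has to be added to RULES with its own validator.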
