54

When I would like to do something that requires sudo privileges, the build process gets stuck, and when I run ps aux for that command, it is hanging in the list but doing nothing.

E.g.:

in the buildscript:

# stop nginx
echo "INFO: stopping nginx. pid [$(cat /opt/nginx/logs/nginx.pid)]"
sudo kill $(cat /opt/nginx/logs/nginx.pid)

in the gitlab ci output console:

INFO: stopping nginx. pid [2741]
kill $(cat /opt/nginx/logs/nginx.pid) # with a spinning wheel

in the bash:

> ps aux | grep nginx
root      6698  0.0  0.1  37628  1264 ?        Ss   19:25   0:00 nginx: master process /opt/nginx/sbin/nginx
nobody    6700  0.3  0.3  41776  3832 ?        S    19:25   0:00 nginx: worker process
kai       7015  0.0  0.0   4176   580 pts/0    S+   19:27   0:00 sh -c sudo kill $(cat /opt/nginx/logs/nginx.pid)
kai       7039  0.0  0.0   7828   844 pts/2    S+   19:27   0:00 grep nginx

So:

  • it is not sudo kill $(cat /opt/nginx/logs/nginx.pid) that gets executed, but sh -c sudo kill $(cat /opt/nginx/logs/nginx.pid)
  • it hangs without any response (sounds to me like it asks for a password interactively)
1
  • Could this question unix.stackexchange.com/a/83405 be of any help? (even if ssh isn't involved here) Commented Oct 15, 2013 at 14:57

2 Answers

93

There are a couple of ways to resolve this.

Grant sudo permissions

You can grant sudo permissions to the gitlab-runner user as this is who is executing the build script.

$ sudo usermod -a -G sudo gitlab-runner 

You now have to remove the password restriction for sudo for the gitlab-runner user.

Start the sudo editor with

$ sudo visudo 

Now add the following to the bottom of the file

gitlab-runner ALL=(ALL) NOPASSWD: ALL 

Do not do this for gitlab runners that can be executed by untrusted users.

SSH Runner

You can configure the gitlab-ci-runner to connect to a remote host using SSH. You configure this to use a user remotely that has sudo permissions, and perform the build using that user. The remote host can be the same machine that the gitlab runner is executing on, or it can be another host.

This build user account will still need to have sudo and passwordless permissions. Follow the instruction below, except replace gitlab-runner with the build user.


6 Comments

Instead of allowing all commands to the gitlab-runner, it is also possible to allow one command, for example only npm (source). gitlab-runner ALL=(ALL) NOPASSWD: /usr/bin/npm If you do this, you will not need to add the user to the root group, and your system will be safer.
How can I achieve this with github CI/CD?
I am getting error=> "sudo : usermod command not found" when I run the first command you posted
sudo usermod -a -G sudo gitlab-runner After running the above command, it gives an error as usermod: group 'sudo' does not exist
@BobVandeVijver if the user needs to be able to copy into a sudo location (e.g. /var/www/) - is there a method like that which would work? Or is the only/best way just to reduce permissions/access level to the directory?
3

It worked for me as written by Reactgular.
But one little clarification. You must include a % sign before
gitlab-runner ALL = (ALL) NOPASSWD: ALL.
I could not understand for a long time why it doesn’t help me. Then I put the percentage icon and it worked.

2 Comments

In order to clarify the exact change you describe, please phrase e.g. like "change wrong code to right %code". (Have a look at stackoverflow.com/editing-help ) Ideally explain why that is necessary or at least what that syntax means. I would then consider this an acceptable "delta answer", it otherwise could be seen as a comment on the other answer, i.e. flaggable as "not an answer". Good luck.
I am not sure why making that change worked for you, but adding the % sign changes it from user to group, so you made the modifications for the group gitlab-runner, not the user gitlab-runner.
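
Added example, not from any of the posts above: a small POSIX shell audit that classifies sudoers rules like the three quoted on this page, separating user entries from %group entries and passwordless ALL from a single-command grant. The sample rules, the kai line and all function names are constructed for illustration, and the parser is simplified (no aliases, includes or line continuations).

```shell
#!/bin/sh
# Added example (not from the original posts): classify sudoers user specs.
# Simplified parser: ignores aliases, Defaults, includes and line continuations.

# Constructed sample mirroring the rules quoted on this page.
sample_sudoers() {
    cat <<'EOF'
# blanket rule from the first answer
gitlab-runner ALL=(ALL) NOPASSWD: ALL
# single-command rule from the comment
gitlab-runner ALL=(ALL) NOPASSWD: /usr/bin/npm
# the "%" variant from the second answer: a group, not a user
%gitlab-runner ALL = (ALL) NOPASSWD: ALL
# constructed: ordinary rule that still asks for a password
kai ALL=(ALL) ALL
EOF
}

# Reads sudoers text on stdin; prints "<user|group> <name> <verdict>" per rule.
classify_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blanks
        $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }  # not user specs
        {
            kind = "user"; who = $1
            if (substr(who, 1, 1) == "%") { kind = "group"; who = substr(who, 2) }
            verdict = "password-required"
            if (match($0, /NOPASSWD:[ \t]*/)) {
                cmds = substr($0, RSTART + RLENGTH)
                gsub(/[ \t]+$/, "", cmds)
                verdict = "nopasswd-limited"
                n = split(cmds, c, /[ \t]*,[ \t]*/)
                for (i = 1; i <= n; i++) if (c[i] == "ALL") verdict = "nopasswd-all"
            }
            print kind, who, verdict
        }'
}

# Prints only rules granting passwordless ALL; exit status 1 if any exist.
audit_rules() {
    classify_rules | awk '$3 == "nopasswd-all" { print; bad = 1 } END { exit bad + 0 }'
}

# Demo run on the constructed sample.
sample_sudoers | audit_rules || echo "review: passwordless ALL is granted" >&2
```

In the build script itself, calling sudo -n makes sudo exit with an error instead of prompting, so a missing NOPASSWD rule fails the job rather than hanging it.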
