47

When I would like to do something that requires sudo privileges, the build process gets stuck, and when I run ps aux for that command, it is hanging in the list but doing nothing.

E.g.:

in the buildscript:

```
# stop nginx
echo "INFO: stopping nginx. pid [$(cat /opt/nginx/logs/nginx.pid)]"
sudo kill $(cat /opt/nginx/logs/nginx.pid)
```

in the gitlab ci output console:

```
INFO: stopping nginx. pid [2741]

kill $(cat /opt/nginx/logs/nginx.pid) # with a spinning wheel
```

in the bash:

```
> ps aux | grep nginx

root      6698  0.0  0.1  37628  1264 ?        Ss   19:25   0:00 nginx: master process /opt/nginx/sbin/nginx
nobody    6700  0.3  0.3  41776  3832 ?        S    19:25   0:00 nginx: worker process
kai   7015  0.0  0.0   4176   580 pts/0    S+   19:27   0:00 sh -c sudo kill $(cat /opt/nginx/logs/nginx.pid)
kai   7039  0.0  0.0   7828   844 pts/2    S+   19:27   0:00 grep nginx
```

So:

  • it is not `sudo kill $(cat /opt/nginx/logs/nginx.pid)` that gets executed, but `sh -c sudo kill $(cat /opt/nginx/logs/nginx.pid)`
  • it hangs without a response (sounds to me like it asks for a password interactively)
static
  • Could this question http://unix.stackexchange.com/a/83405 be of any help? (even if ssh isn't involved here) – VonC Oct 15 '13 at 14:57

2 Answers

79

There are a couple of ways to resolve this.

Grant sudo permissions

You can grant sudo permissions to the gitlab-runner user as this is who is executing the build script.

```
$ sudo usermod -a -G sudo gitlab-runner
```

You now have to remove the password restriction for sudo for the gitlab-runner user.

Start the sudo editor with

```
$ sudo visudo
```

Now add the following to the bottom of the file

```
gitlab-runner ALL=(ALL) NOPASSWD: ALL
```

Do not do this for gitlab runners that can be executed by untrusted users.

SSH Runner

You can configure the gitlab-ci-runner to connect to a remote host using SSH. You configure this to use a user remotely that has sudo permissions, and perform the build using that user. The remote host can be the same machine that the gitlab runner is executing on, or it can be another host.

This build user account will still need to have sudo and passwordless permissions. Follow the instruction below, except replace gitlab-runner with the build user.

Reactgular
  • 32
    Instead of allowing all commands to the gitlab-runner, it is also possible to allow one command, for example only npm [(source)](http://www.atrixnet.com/allow-an-unprivileged-user-to-run-a-certain-command-with-sudo/). ```gitlab-runner ALL=(ALL) NOPASSWD: /usr/bin/npm``` If you do this, you will not need to add the user to the root group, and your system will be safer. – Bob Van de Vijver Sep 13 '16 at 13:45
  • 2
    How can I achieve this with github CI/CD? – Marcelo Fonseca Sep 11 '19 at 13:02
  • 2
    I am getting error=> "sudo : usermod command not found" when I run the first command you posted – CanCoder Oct 21 '20 at 23:42
  • 2
    `sudo usermod -a -G sudo gitlab-runner` After running the above command, it gives an error as `usermod: group 'sudo' does not exist` – MemZ Sep 20 '22 at 12:04
2

It worked for me as written by Reactgular.
But one little clarification. You must include a % sign before
gitlab-runner ALL = (ALL) NOPASSWD: ALL.
I could not understand for a long time why it doesn’t help me. Then I put the percentage icon and it worked.

Yunnosch
  • 2
    In order to clarify the exact change you describe, please phrase e.g. like "change `wrong code` to `right %code`". (Have a look at https://stackoverflow.com/editing-help ) Ideally explain why that is necessary or at least what that syntax means. I would then consider this an acceptable "delta answer", it otherwise could be seen as a comment on the other answer, i.e. flaggable as "not an answer". Good luck. – Yunnosch Jul 08 '21 at 09:47
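
Added example (not from either answer, the comments, or GitLab): a small audit that lists the passwordless sudoers rules discussed in both answers and in the npm comment, and marks the unrestricted `NOPASSWD: ALL` grants, including the `%` form, which sudoers reads as a Unix group rather than a user. The sample file, the `deploy` user and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list passwordless sudo rules and mark the unrestricted ones.
# Simplified parser: no alias expansion, no line continuations, and
# include directives are not followed.

# Reads sudoers text on stdin.
# Prints "<BROAD|SCOPED> <user|group> <name> <commands>" per NOPASSWD rule.
audit_sudoers() {
  awk '
    /^[ \t]*#/ { next }                      # skip comment lines
    /NOPASSWD:/ {
      who  = $1
      kind = (substr(who, 1, 1) == "%") ? "group" : "user"  # % prefix = group
      sub(/^%/, "", who)
      cmds = $0
      sub(/.*NOPASSWD:[ \t]*/, "", cmds)     # keep only the command list
      sub(/[ \t]+$/, "", cmds)
      gsub(/[ \t]*,[ \t]*/, ",", cmds)
      scope = "SCOPED"
      n = split(cmds, c, ",")
      for (i = 1; i <= n; i++) if (c[i] == "ALL") scope = "BROAD"
      print scope, kind, who, cmds
    }'
}

# Exit status 0 if user $1 (matched by name, not via groups) has NOPASSWD: ALL.
has_broad_grant() {
  audit_sudoers | awk -v u="$1" \
    '$1 == "BROAD" && $2 == "user" && $3 == u { f = 1 } END { exit !f }'
}

# Constructed sample input; "deploy" is a hypothetical build user.
sample_sudoers() {
  cat <<'EOF'
# constructed sample, not from a real host
root ALL=(ALL:ALL) ALL
gitlab-runner ALL=(ALL) NOPASSWD: ALL
%gitlab-runner ALL = (ALL) NOPASSWD: ALL
deploy ALL=(root) NOPASSWD: /usr/bin/npm, /opt/nginx/sbin/nginx -s stop
EOF
}

sample_sudoers | audit_sudoers
```

In the build script itself, `sudo -n kill ...` makes sudo exit with an error instead of prompting when no passwordless rule matches, so the job fails visibly rather than hanging; `visudo -c` checks sudoers syntax after an edit.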