Sudo, where's my home?

Yesterday was a very frustrating day of devops for me. Our current servers run Debian 9 and I've been trying to ensure that Ubuntu 18.04 LTS (until the 20.04 LTS comes out in a few months) can also be used as an OS in our EC2 instances.

All our provisioning / deployment is done through Ansible, and the two OSes are quite similar, so I thought everything would work out of the box.

As if I didn’t know how software works.

In any case, rants aside, I have been extremely frustrated to find out that our playbooks wouldn’t just work. And the reason?

Sudo.

In a nutshell, some of our playbooks concern a Node.js application (sigh), and therefore we would have a command like:

sudo -u $NODE_USER  npm install --unsafe-perm --prefix $NODE_APP_FOLDER

(The reason why we need to use sudo -u and not simply the become_user directive of Ansible is the topic for another day)

Running this command would work totally fine with Debian, but not with Ubuntu, where my playbook would fail with errors like:

npm WARN [email protected] No description

npm ERR! path /home/$USER/.npm
npm ERR! code EACCES
npm ERR! errno -13
npm ERR! syscall mkdir
npm ERR! Error: EACCES: permission denied, mkdir '/home/$USER/.npm'
npm ERR!  { [Error: EACCES: permission denied, mkdir '/home/$USER/.npm']
npm ERR!   stack:
npm ERR!    'Error: EACCES: permission denied, mkdir \'/home/$USER/.npm\'',
npm ERR!   errno: -13,
npm ERR!   code: 'EACCES',
npm ERR!   syscall: 'mkdir',
npm ERR!   path: '/home/$USER/.npm' }
npm ERR!
npm ERR! The operation was rejected by your operating system.
npm ERR! It is likely you do not have the permissions to access this file as the current user
npm ERR!
npm ERR! If you believe this might be a permissions issue, please double-check the
npm ERR! permissions of the file and its containing directories, or try running
npm ERR! the command again as root/Administrator (though this is not recommended).

Essentially, npm was complaining that it couldn't create the temp folder .npm in my current user's home… which makes sense, as the user $NODE_USER definitely doesn't have the permissions to do that.

I had no choice but to RTFM and, one man sudoers later, I gained the following insights:

  • By default, whenever you give a sudo command, the command will be executed with a new, minimal environment. Such an environment is initialized from scratch with the content of /etc/environment. The manual says that

[…] the new environment contains TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_ variables […]

The complete list of environment variables that sudo allows or denies is contained in the output of sudo -V when run as root. Please note that this list varies based on the operating system sudo is running on.

  • HOME was configured as being preserved in Ubuntu, whereas in Debian it was not.

So, essentially, when running the command on Debian, it would switch the home folder to the home folder of the target user $NODE_USER, and when running the command under Ubuntu it would keep the home folder of the current $USER.

So, I needed to change the command to:

sudo -H -u $NODE_USER  npm install --unsafe-perm --prefix $NODE_APP_FOLDER

where the -H flag instructs sudo to set HOME as the home folder of the target user of -u.
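The sudo -V listing mentioned above can be checked mechanically before a playbook relies on HOME. The following is an added example, not code from the original post: the function names and the two sample listings are constructed for illustration, and the section heading it matches is the one sudo -V prints for its preserve list.

```shell
#!/bin/sh
# Added example: read `sudo -V` output (as produced when run as root) and
# report whether HOME is on sudo's "preserve" list.

# Print each variable listed under "Environment variables to preserve:".
preserved_vars() {
    awk '
        /^Environment variables to preserve:/ { in_list = 1; next }
        in_list && /^[ \t]+[^ \t]/ {
            gsub(/^[ \t]+|[ \t]+$/, "")   # strip the indentation
            print
            next
        }
        { in_list = 0 }                   # any other line ends the list
    '
}

# Exit status 0 if HOME is preserved, i.e. a command run via `sudo -u`
# still sees the invoking user's home unless -H is given.
home_is_preserved() {
    preserved_vars | grep -x 'HOME' >/dev/null
}

# Constructed samples in the layout of `sudo -V`, not captured from a host.
SAMPLE_HOME_KEPT='Environment variables to remove:
    PERL5LIB
Environment variables to preserve:
    HOME
    DISPLAY
    PATH
Locale to use while parsing sudoers: C'

SAMPLE_HOME_RESET='Environment variables to remove:
    PERL5LIB
Environment variables to preserve:
    DISPLAY
    PATH
Locale to use while parsing sudoers: C'

for sample in "$SAMPLE_HOME_KEPT" "$SAMPLE_HOME_RESET"; do
    if printf '%s\n' "$sample" | home_is_preserved; then
        echo "HOME is preserved: pass -H with sudo -u"
    else
        echo "HOME is not on the preserve list"
    fi
done
```

On a real host, run sudo -V as root and pipe its output into home_is_preserved instead of the samples.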

I learned, once again, that there is no better solution than RTFM.
