How to avoid sudo when entering `hab studio` on Linux


#1

I’m trying to avoid using sudo when entering hab studio on Linux. I heard the way to avoid sudo is to use Docker, and I see this as part of the hab-studio help:

    -D Use a Docker Studio instead of a chroot Studio (only available on Linux)

But when I run `hab studio -D` I still get prompted by sudo for my password.
Is there something else I’m missing?


#2

@jeremiahsnapp I don’t believe there’s an obligation for sudo when entering the studio with docker so long as the user account running the command has the appropriate permissions. Docker by default requires elevated privileges or for the user to be a member of the docker system group:

If you could give this a shot - create the docker group and add your user:

Create the docker group.

    $ sudo groupadd docker

Add your user to the docker group.

    $ sudo usermod -aG docker $USER

If this doesn’t work then it’s possible that I’m mistaken and we still obligate sudo for a docker based studio but I don’t believe that’s the case.


#3

Thanks @eeyun, you can see here that my user is already a member of the docker group and still is asked for sudo password. And this happens before a docker container is spun up.

    [buildkite-agent ~]$ id
    uid=501(buildkite-agent) gid=502(buildkite-agent) groups=502(buildkite-agent),501(docker)
    [buildkite-agent ~]$ hab studio enter -D
    [sudo hab-studio] password for buildkite-agent:

And then if I try using the root user it doesn’t have any problem entering the studio using a docker container.

    [root ~]# hab studio enter -D
    0.54.0: Pulling from studio
    57310166fe88: Pull complete
    8c975f6a747a: Pull complete
    0445e9f973ee: Pull complete
    e7119de59a04: Pull complete
    Digest: sha256:0aa4369e146e38c90858636c5fa83a9d7178159153a4e97e6524766ad4a30270
    Status: Downloaded newer image for habitat-docker-registry.bintray.io/studio:0.54.0
       hab-studio: Creating Studio at /hab/studios/src (default)
       hab-studio: Importing 'chef' secret origin key
    » Importing origin key from standard input
    ★ Imported secret origin key chef-20160614114050.
       hab-studio: Importing 'chef' public origin key
    » Importing origin key from standard input
    ★ Imported public origin key chef-20160614114050.
       hab-studio: Entering Studio at /hab/studios/src (default)

    [1][default:/src:0]#

So is there another way to work around this?


#4

Looking through the studio code it looks like this actually gets picked up before the docker code is even fired off. We effectively check for root privileges and if we don’t have them we ask for sudoers rights. That isn’t to say that this is the correct behavior (maybe we could add a check to make sure the user making the call has either root privileges or the appropriate docker group?) but that is the way it appears to function today.
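
The check suggested in post #4, sketched as an added example (not Habitat's studio code and not written by anyone in this thread). The function name `docker_access_mode`, its arguments and the default socket path are assumptions; it reports whether the caller is root, is in the `docker` group, can write to the Docker socket, or would still need sudo.

```shell
#!/bin/sh
# Added example: hypothetical helper, not part of hab-studio.
# Usage: docker_access_mode EUID "GROUP NAMES" [SOCKET_PATH]
# Prints one of: root, docker-group, socket-writable, needs-sudo.
docker_access_mode() {
  euid="$1"
  grps="$2"
  sock="${3:-/var/run/docker.sock}"   # assumed default Docker socket path

  # Root can always talk to the Docker daemon.
  if [ "$euid" -eq 0 ]; then
    echo root
    return 0
  fi

  # Membership in the docker group is enough for a Docker-backed Studio.
  # That group is root-equivalent on the host, so grant it accordingly.
  for g in $grps; do
    if [ "$g" = "docker" ]; then
      echo docker-group
      return 0
    fi
  done

  # Fallback: the socket may be writable through another group or an ACL.
  if [ -S "$sock" ] && [ -w "$sock" ]; then
    echo socket-writable
    return 0
  fi

  echo needs-sudo
  return 0
}

# Check the current process. `id -Gn` without a user name lists the groups of
# this session, so a new `usermod -aG docker` only appears after logging in again.
docker_access_mode "$(id -u)" "$(id -Gn)"
```

Only the `needs-sudo` result would justify the sudo prompt shown in post #3 when `-D` is given.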


#5

Thanks, I was just looking at the same code. I’m confused though why if I run the hab studio enter command on macOS it doesn’t require sudo. I guess it’s using a different code path?


#6

Right. On OSX the start function is here, it effectively bypasses a need for root because the expectation can be made with docker for mac that you’ll have the appropriate permissions to start docker:

I think this should definitely be considered a bug in the studio code. Would you have time to open an issue on this? Or would you prefer that I do it?


#7

Ah ok, thanks for clearing that up! I’ll open an issue for it.


#8

Here’s the issue I opened.


#9

Thank you for doing that!