Fabric Sudo No Password Solution

This question is about best practices. I'm running a deployment script with Fabric. My deployment user 'deploy' needs sudo to restart services. So I am using the sudo function from fabric to run these commands in my script. This works fine but prompts for password during script execution. I DON'T want to type a password during deployments. What's the best practice here. The only solution I can think of is changing the sudo permissions to not require password for the commands my deployment user runs. This doesn't seem right to me.

As Bartek also suggests, enable password-less sudo for the deployment 'user' in the sudoers file.

Something like:

run('echo "{0} ALL=(ALL) ALL" >> /etc/sudoers'.format(env.user))

prompt-for-password-directly · Issue #497 · fabric/fabric · GitHub, The last task asks for a sudo password. password, please") is the solution, because it echos the password and it's not very flexible. In Linux, you can change sudo configuration to run some or all command with sudo but without entering password. If you are on a server, you should be extra careful specially if you have SSH enabled. Maybe, you should disable SSH access with password first. Let’s see how to use sudo with no password. But first, back up the sudoer file as a

The ideal solution is to create a user on your server that is used only for deployment (eg, deploy). Then, set env.user=deploy in your fabfile. Then on your servers, you can give the user the necessary permission on a command-by-command basis in a sudoers file:

IMPORTANT: Always use sudo visudo to modify a sudoers file

Cmnd_Alias RELOAD_SITE = /bin/bash -l -c supervisorctl*, /usr/bin/supervisorctl*
deploy ALL = NOPASSWD: RELOAD_SITE

You can add as many Cmnd_Alias directives as is needed by the deploy user, then grant NOPASSWD access for each of those commands. See man sudoers for more details.

I like to keep my deploy-specific sudoers config in /etc/sudoers.d/deploy and include that file from /etc/sudoers by adding: includedir /etc/suoders.d at the end.

Getting started, The most basic use of Fabric is to execute a shell command on a remote system via with passwordless sudo) respond to the password prompt by hand, as below. always, common problems are best solved with commonly shared solutions. All the user needs to do is ensure the sudo.password configuration value is filled  When SSH’ing into the server, I can run sudo blah and the command executes without prompting for a password. When I try to run the same command via Fabric’s sudo function, I get prompted for a password. This is because Fabric builds a command in the following manner when using sudo: sudo -S -p <sudo_prompt> /bin/bash -l -c "<command>"

You can use:

fabric.api import env
# [...]
env.password = 'yourpassword'

Fabric 3 ask sudo password once, Using run is not the ideal way to achieve this. fabric.operations.sudo(*args, above solution will only work if you can run sudo without entering your password. Th command: "ssh myUser@myec2hostname" logs in with no request for pass-phrase or password. My client OS is also FreeBSD 8.2. If there is any other information I could help provide or tests to perform I would be more than happy to do so, and Bitprophet, thank you very much for this wonderful tool.

The best way to do this is with subtasks. You can prompt for a password in the fabfile and never expose any passwords, nor make reckless configuration changes to sudo on the remote system(s).

import getpass

from fabric.api import env, parallel, run, task
from fabric.decorators import roles
from fabric.tasks import execute


env.roledefs = {'my_role': ['host1', 'host2']}


@task
# @parallel -- uncomment if you need parallel execution, it'll work!
@roles('my_role')
def deploy(*args, **kwargs):
    print 'deploy args:', args, kwargs
    print 'password:', env.password
    run('echo hello')


@task
def prompt(task_name, *args, **kwargs):
    env.password = getpass.getpass('sudo password: ')
    execute(task_name, *args, role='my_role', **kwargs)

Note that you can even combine this with parallel execution and the prompt task still only runs once, while the deploy task runs for each host in the role, in parallel.

Finally, an example of how you would invoke it:

$ fab prompt:deploy,some_arg,another_arg,key=value

[PDF] Fabric, remote system isn't configured with passwordless sudo) respond to the There are two gateway solutions available in Fabric, mirroring the  command_list – list of commands or a command alias to be run by user(s) using sudo. To allow a user (aaronkilik in the example below) to run all commands using sudo without a password, open the sudoers file: $ sudo visudo And add the following line: aaronkilik ALL=(ALL) NOPASSWD: ALL

Seems like sudo may not be that bad of an option after all. You can specify which commands a user can run and the arguments the command may take (man sudoers). If the problem is just having to type the password, an option would involve using the pexpect module to login automatically, maybe with a password that you could store encrypted:

import pexpect, sys

pwd = getEncryptedPassword()
cmd = "yourcommand" 

sCmd = pexpect.spawn('sudo {0}'.format(cmd))
sCmd.logfile_read = sys.stdout
sCmd.expect('Password:')
sCmd.sendline(pwd)
sCmd.expect(pexpect.EOF)

The environment dictionary, env, This aspect of env is largely historical: in the past, fabfiles were not pure Python and thus output stream, Fabric will automatically answer with the corresponding dictionary value. The default password to submit to sudo password prompts. then for every user that needs sudo access WITH a password: sudo adduser <user> sudo and for every user that needs sudo access WITH NO password: sudo adduser <user> admin and finally, run this: sudo service sudo restart And that's it! Edit: You may have to add the admin group as I don't think it exists by default. sudo groupadd admin

Fabric: a System Administrator's Best Friend, Not only can you run simple tasks via SSH on multiple machines, but since you're using Also note that you are prompted for the password for both SSH and sudo only once. A simple solution to that is to add this function to your fabfile: # In the default (unconfigured) configuration, sudo asks for the root password. # This allows use of an ordinary user account for administration of a freshly # installed system. When configuring sudo, delete the two # following lines: # Defaults targetpw # ask for the password of the target user i.e. root

Python fabric - run method is not being finished, I've found solution: Hide Copy Code. sudopass = Responder(pattern=r'Password​:', response='admin__password\n') def su(connection,  Along with run, the most widely used Fabric command is probably sudo. It allows the execution of a given set of commands and arguments with sudo (i.e. superuser ) privileges on the remote host. If sudo command is used with an explicitly specified user, the execution will happen not as root but another (i.e. UID 1010).

Remote task automation with Fabric, run local or remote shell commands (also with the sudo option); upload up --no​-pty do not use pseudo-terminal in run/sudo -p PASSWORD,  Is it any way to imitate "sudo su - user_name" command and then execute commands I needed? Tried run and sudo and unfortunately there is no way to make it. Please help

Comments
  • You could look into adding a new user, specifically for deploys, who has access to the commands you need to run without using sudo.
  • This is not really a good way for a couple of reasons. First, it will append this line every time the command is run. Second, the sudoers file is not meant to be modified in this way. If there is an error in the sudoers file, you may not be able to run the sudo command again without gaining root access manually.
  • My answer is to enable passwordless sudo. How the user does this is another question, I just suggested one method. And yes the user should be aware of the pitfalls you mention.
  • These stuff goes into vcs revealing passwords is never the best idea , especially we are talking about a server password here .