I have a script that needs to mount a Windows share to a Linux box, run a script, then unmount it. Despite following the man page for mount.cifs the command fails to recognize the credential file.
I made sure file sharing packages were present:
sudo yum install samba-client samba-common cifs-utils
Created drive that network share will mount to
sudo mkdir /share/
Created the credential file
sudo vim /root/.cifs
.cifs file contents
username=uname
password=pword
Created my .sh file
sudo vim /usr/bin/scritp.sh
script.sh contents
#!bin/bash
mount.cifs //ipaddress/share /share/ -o credentials=/root/.cifs
<script which makes use of the share>
umount /share/
Made the script executable
sudo chmod u+x /usr/bin/script.sh
Tested script
cd /usr/bin
sudo ./script.sh
Despite having the credential file specified, I am still prompted for a password for root user (connecting to Windows share with no "root" user"
Output from running script:
Password for root#//ipaddress/share:
Can anyone figure out what I have done wrong? It seems consistent with all documentation I have read.
For some reason, modifying the script to the following worked:
mount -t cifs -o credentials=/root/.cifs //ipaddress/share /share/
cd /share/
./script.sh
umount /share/
Not sure why, since mount -t cifs just invokes mount.cifs, but if you are experiencing the same issue, that's how I finally got around it.
When I try to run simple docker commands like:
$ docker ps -a
I get an error message:
Got permission denied ... /var/run/docker.sock: connect: permission denied
When I check permissions with
$ ls -al /var/run/
I see this line:
srw-rw---- root docker docker.sock
So, I follow an advice from many forums and add local user to docker group:
$ sudo usermod -aG docker $USER
But it does not help. I still get the very same error message. How can I fix it?
For those new to the shell, the command:
$ sudo usermod -aG docker $USER
needs to have $USER defined in your shell. This is often there by default, but you may need to set the value to your login id in some shells.
Changing the groups of a user does not change existing logins, terminals, and shells that a user has open. To avoid performing a login again, you can simply run:
$ newgrp docker
to get access to that group in your current shell.
Once you have done this, the user effectively has root access on the server, so only do this for users that are trusted with unrestricted sudo access.
Reason: The error message means that the current user can’t access the docker engine, because the user hasn't enough permissions to access the UNIX socket to communicate with the engine.
Quick Fix:
Run the command as root using sudo.
sudo docker ps
Change the permissions of /var/run/docker.sock for the current user.
sudo chown $USER /var/run/docker.sock
Caution: Running sudo chmod 777 /var/run/docker.sock will solve your problem but it will open the docker socket for everyone which is a security vulnerability as pointed out by #AaylaSecura. Hence it shouldn't be used, except for testing purposes on the local system.
Permanent Solution:
Add the current user to the docker group.
sudo usermod -a -G docker $USER
Note: You have to log out and log in again for the changes to take effect.
Refer to this blog to know more about managing Docker as a non-root user.
Make sure your $USER variable is set
$ echo $USER
$ sudo usermod -aG docker $USER
logout
Upon login, restart the docker service
$ sudo systemctl restart docker
$ docker ps
enter the command and explore docker without sudo command
sudo chmod 666 /var/run/docker.sock
As mentioned earlier in the comment the changes won't apply until your re-login. If you were doing a SSH and opening a new terminal, it would have worked in new terminal
But since you were using GUI and opening the new terminal the changes were not applied. That is the reason the error didn't go away
So below command did do its job, its just a re-login was missed
sudo usermod -aG docker $USER
You need to manage docker as a non-root user.
To create the docker group and add your user:
Create the docker group.
$ sudo groupadd docker
Add your user to the docker group.
$ sudo usermod -aG docker $USER
Log out and log back in so that your group membership is re-evaluated.
If testing on a virtual machine, it may be necessary to restart the virtual machine for changes to take effect.
On a desktop Linux environment such as X Windows, log out of your session completely and then log back in.
On Linux, you can also run the following command to activate the changes to groups:
$ newgrp docker
Verify that you can run docker commands without sudo.
$ docker run hello-world
As my user is and AD user, I have to add the AD user to the local group by manually editing /etc/group file. Unforrtunately the adduser commands do not seem to be nsswitch aware and do not recognize a user not locally defined when adding someone to a group.
Then reboot or refresh /etc/group. Now, you can use docker without sudo.
Regards.
***Important Note on these answers: the docker group is not always "docker" sometimes it is "dockerroot", for example the case of Centos 7 installation by
sudo yum install -y docker
The first thing you should do, after installing Docker, is
sudo tail /etc/group
it should say something like
......
sshd:x:74:
postdrop:x:90:
postfix:x:89:
yourusername:x:1000:yourusername
cgred:x:996:
dockerroot:x:995:
In this case, it is "dockerroot" not "docker". So,
sudo usermod -aG dockerroot yourusername
logout
When I try to run simple docker commands like: $ docker ps -a
I get an error message: Got permission denied ... /var/run/docker.sock: connect: permission denied.
[…] How can I fix it?
TL;DR: There are two ways (the first one, also mentioned in the question itself, was extensively addressed by other answers, but comes with security concerns; so I'll elaborate on this issue, and develop the second solution that can also be applicable for this fairly sensible use case).
Just to recall the context, the Docker daemon socket is owned by root:docker:
$ ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 janv. 28 14:23 /var/run/docker.sock
so with this default setup, one needs to prepend all docker CLI commands by sudo.
To avoid this, one can either:
add one's user account ($USER) to the docker group − but that's quite risky to do this on one's personal workstation, as this would amount to provide all programs run by the user with root permissions without any sudo password prompt nor auditing.
See also:
this page in the official Docker documentation:
https://docs.docker.com/engine/security/#docker-daemon-attack-surface
this page that documents the related exploit:
https://fosterelli.co/privilege-escalation-via-docker.html
one can otherwise prepend sudo automatically without typing sudo docker manually: to this aim, a solution consists in adding the following alias in the ~/.bashrc (see e.g. this thread for details):
__docker() {
if [[ "${BASH_SOURCE[*]}" =~ "bash-completion" ]]; then
docker "$#"
else
sudo docker "$#"
fi
}
alias docker=__docker
Then one can test this by opening a new terminal and typing:
docker run --pul〈TAB〉 # → docker run --pull
# autocompletion works
docker run --pull always --rm -it debian:11 # ask one's password
\docker run --help # bypass the alias (thanks to the \) and ask no password
With the help of the below command I was able to execute the docker command without sudo
sudo setfacl -m user:$USER:rw /var/run/docker.sock
bash into container as root user
docker exec -it --user root <dc5> bash
create docker group if it's not already created
groupadd -g 999 docker
add user to docker group
usermod -aG docker jenkins
change permissions
chmod 777 /var/run/docker.sock
You have to use pns executer instead of docker.
run the following patch which modifies the configmap and you are all set.
kubectl -n argo patch cm workflow-controller-configmap -p '{"data": {"containerRuntimeExecutor": "pns"}}' ;
ref: https://www.youtube.com/watch?v=XySJb-WmL3Q&list=PLGHfqDpnXFXLHfeapfvtt9URtUF1geuBo&index=2&t=3996s
I want to create a cloud9 automated setup script for an application, which uses couchdb for database. Part of the script, is the setup of the application database, which needs couchdb running, in order to function properly.
The problem is that the only available solution about couchdb on cloud9 helps you instantiate couchdb as a foreground procedure. So if you want to test the correctness of the instantiation, or execute any other command you need to open a second terminal tab as documented in the above solution, but this is not functional in my case.
So how do I make couchdb run in the background?
Ok CouchDB can be executed in the background on Cloud9, if you pass the parameter -b to the executable, or by reconfiguring the executable to run in the background by default. But if you try to run couchdb like this, you will run into unexisting log files and permission errors when couchdb tries to create them.
So following the bellow steps will get couchdb up and running smoothly.
1. Create log files (and give proper permissions to couchdb user)
sudo su couchdb -c 'touch /var/log/couchdb/couchdb.stdout'
sudo su couchdb -c 'touch /var/log/couchdb/couchdb.stderr'
sudo chown couchdb: /var/log/couchdb
sudo chmod u+w /var/log/couchdb
2. Create CouchDB pid storage dir
sudo mkdir -p /var/run/couchdb
sudo chown couchdb:couchdb /var/run/couchdb
3.Reconfigure Executable
sudo nano /usr/bin/couchdb
Change STDERR_FILE:couchdb.stderr with STDERR_FILE:/var/log/couchdb/couchdb.stderr
And STDERR_FILE:couchdb.stdout with STDERR_FILE:/var/log/couchdb/couchdb.stdout
4.Run in background
sudo su couchdb -c '/usr/bin/couchdb -b'
5.Test
curl http://127.0.0.1:5984
+Bonus1
If you want to run CouchDB on the background, without the -b parameter, like this: sudo su couchdb -c /usr/bin/couchdb then in step 3, when reconfiguring the couchdb executable, you should also change BACKGROUND=false with BACKGROUND=true
+Bonus2
bash script version: Create a .sh file, add the following commands and run it on cloud9 workspace to properly set up couchdb for background execution. After executing the script start CouchDB with sudo su couchdb -c /usr/bin/couchdb.
sudo su couchdb -c 'touch /var/log/couchdb/couchdb.stdout'
sudo su couchdb -c 'touch /var/log/couchdb/couchdb.stderr'
sudo chown couchdb: /var/log/couchdb
sudo chmod u+w /var/log/couchdb
sudo mkdir -p /var/run/couchdb
sudo chown couchdb:couchdb /var/run/couchdb
sudo sed -i 's_couchdb.stderr_/var/log/couchdb/couchdb.stderr_g' /usr/bin/couchdb
sudo sed -i 's_couchdb.stdout_/var/log/couchdb/couchdb.stdout_g' /usr/bin/couchdb
sudo sed -i 's_BACKGROUND=false_BACKGROUND=true_g' /usr/bin/couchdb
I am unable to create a directory using sudo priveleges from root user and If I login to user , I can create an directory under /root using sudo. Also I have added to allow all commands in /etc/sudoers file and the details are below:
[root#linux home]# cat /etc/sudoers | grep tes
test ALL= NOPASSWD: ALL
Error
[root#linux home]# sudo -u test mkdir /var/log/test3
mkdir: cannot create directory ‘/var/log/test3’: Permission denied
Any Ideas ?
Thanks
By running 'sudo -u test', you're giving yourself lower privileges than the roor user because you're running the command as the user 'test', not 'root'. From the root user, you can just run:
mkdir /var/log/test3
Read man sudo for more info.
Or:
Run visudo and uncomment the wheel group, then add the user test to the wheel group.
If you don't mind me asking, why do you need to create a directory as a certain user from the root user? Especially since the directory you're making will not be user specific?
Also, in the sudoers file , you should what added test ALL=(ALL) NOPASSWD: ALL, not test ALL= NOPASSWD: ALL
I want to make a script that runs some commands with sudo permission & some commmands with sudo -u username permission.
Currently,
I run script using sudo permission, which executes each command in the script with sudo permission. But what I want to do is run some commands with normal user permissions. For example: If I create a directory then I don't want to be created by super-user. Otherwise it becomes difficult to delete it from file manager until I open file manager in root mode.
#!/bin/bash
# this declares that current user is a sudoer
sudo tee /etc/sudoers.d/$USER <<END
END
# write the content of your script here
sudo npm install hexo-cli -g
mkdir Untitled
sudo apt-get install python
# then to remove the sudo access from the current user
sudo /bin/rm /etc/sudoers.d/$USER
sudo -k
You either run a script as a user, and put some sudo command in it, or you run the script with sudo, and use su to run specific commands within the script as a certain user.