Podman requires passwordless running of sudo. If you run into an error about sudo, do the following:

They suggest adding

    username ALL=(ALL) NOPASSWD: /usr/bin/podman

However, this must be very insecure, as now you could do

    sudo podman run -ti -v /etc/shadow:/etc/shadow:rw alpine:3 /bin/sh

and not have to authenticate.

Why is this requirement in place? Is there an alternative?
Answer 1
This requirement is in place because they call sudo podman from their application. This is strange because minikube expects that an unprivileged user will run the application, then expects (needs) root privileges. Furthermore, minikube runs sudo non-interactively. Sudo isn't designed for that.
In terms of alternatives, most applications that need root privileges would detect whether they are root or not on launch, then fail if they aren't. Example:

    $ dpkg -i *.deb
    dpkg: error: requested operation requires superuser privilege
    $ mount /dev/sda /mnt
    mount: /mnt: must be superuser to use mount.
Can you imagine if apt put its own passwordless entry into sudoers, then elevated itself instead of requiring the user's explicit consent?

The other option is applications will use polkit instead of sudo. polkit is like sudo for GUIs. It's non-interactive with the application, but will use the polkit interface with your desktop environment to interact with the user and authenticate. If you're on gnome and see the screen go grey and a password prompt show up, that's polkit.

So really, I think it's poor design on minikube's part.
It appears podman needs root privileges. You as a user have three options:

- Give minikube the passwordless sudo access to podman that it wants (this is weird).
- If you are ok with giving this software root access, run it as root. Use sudo minikube whenever you run it. If it is already root, it shouldn't need password-less sudo access anymore.
- If you're not ok giving it root access, find different software.