Superchain: sudo broken? #3746

Closed
udondan opened this issue Sep 5, 2022 · 5 comments
Labels
bug This issue is a bug. effort/medium Medium work item – a couple days of effort p1

Comments

@udondan
Contributor

udondan commented Sep 5, 2022

Describe the bug

Since August 31 I'm getting errors from my GitHub action which uses jsii/superchain:1-buster-slim, failing to run a command with sudo. The command is unchanged and has been running pretty much forever:

sudo npm i -g typescript

Which now results in

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified

I see that there was a change on the sudoers settings on September 1: https://github.com/aws/jsii/pull/3737/files

So yeah, I realize that this change was made 1 day after it started to fail for me. Also, I see nothing wrong with the change, IMHO it should work with both. But the fact that the change was made very close to when it started to fail on my end is a smoking gun. Maybe you @RomainMuller tried to actually fix the very same problem I'm experiencing?

Also what is strange is, this only happens in a github action. Locally no issues:

docker run -i --rm jsii/superchain:1-buster-slim sudo whoami

I prepared a demo repo with a minimal example https://github.com/udondan/superchain-sudo-test

Since the action output is not public, I'm attaching a screenshot:

Screenshot 2022-09-05 at 17 46 32

Expected Behavior

sudo should execute, as per sudoers setting

Current Behavior

sudo fails as if sudoers settings are not available/correct

Reproduction Steps

In a github action, run a sudo command

Possible Solution

No response

Additional Information/Context

No response

SDK version used

Environment details (OS name and version, etc.)

@udondan udondan added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 5, 2022
@kaizencc
Contributor

kaizencc commented Sep 6, 2022

Hi @udondan! Indeed, we were trying to fix the same problem that you've encountered. It's a weird one. Right now, the best I can do is to add --group-add sudo to your github workflow:

---
name: Test

on:
  push:
    branches:
      - main
  workflow_dispatch:

jobs:
  test-sudo:
    name: Test sudo
    runs-on: ubuntu-latest
    container:
      image: jsii/superchain:1-buster-slim-node14
      options: --group-add sudo
    steps:
      - name: Run command with sudo
        run: |
          whoami
          sudo whoami

This is the workaround for me at the moment. If you're using projen, the fix looks something like this:

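import { JsonPatch } from 'projen';
// Add the container option to the generated build workflow; the file may be absent, hence `?.`
const buildWorkflow = project.tryFindObjectFile('.github/workflows/build.yml');
buildWorkflow?.patch(JsonPatch.add('/jobs/build/container/options', '--group-add sudo'));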

Hopefully this information helps!

@udondan
Contributor Author

udondan commented Sep 7, 2022

It's a weird one.

Absolutely!

Thanks for the workaround. That fixed it.

I guess we leave this open until we at least understand the problem? Or feel free to close. Setting the option is perfectly fine for me.

@kaizencc kaizencc added effort/medium Medium work item – a couple days of effort p1 and removed needs-triage This issue or PR still needs to be triaged. labels Sep 7, 2022
berenddeboer added a commit to berenddeboer/cdk-rds-sql that referenced this issue Sep 16, 2022
@RomainMuller
Contributor

Yeah this is particularly odd as we changed nothing related to our sudo configuration, and are unable to reproduce the issue in most set-ups (although it steadily reproduces in GitHub Actions runners). It's not clear to me what could cause this difference in behavior.

@RomainMuller
Contributor

It appears the latest jsii/superchain is fixed, so I'm resolving.

@github-actions
Contributor

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
