DEPLOY.md: drop NOPASSWD advice, document interactive sudo

Company VM — no sudoers changes. Replace the 'set up sudoers
NOPASSWD' step with a brief note that every sudo call will
prompt for the password and the user types it. The 15-minute
sudo timestamp means the user only types it once per shell
session, but they will see the prompt several times across
the deploy as they run multiple sudo commands.

Update the step-1 diagnostic outcomes to point at the new
no-policy-change reality: NOPASSWD or different passwords
both still work, the user just types the right one at each
sudo prompt.
Achmad
2026-06-24 05:16:52 +00:00
parent 1eddef9f65
commit d11723ee63
+6 -18
@@ -32,29 +32,17 @@ sudo -n true 2>/dev/null && echo "NOPASSWD sudo" || echo "needs password"
sudo echo hi
```
- Works without a password prompt → NOPASSWD, skip step 2.
- Prompts and accepts the password you type → SSH password == sudo password, skip step 2.
- Prompts and rejects your password → passwords differ. Note your actual sudo password for step 2.
- Works without a password prompt → NOPASSWD sudo, you don't need to remember a sudo password.
- Prompts and accepts the password you type → SSH password == sudo password. You'll type the same password at every `sudo:` prompt.
- Prompts and rejects your password → the passwords differ. Remember the sudo one; you'll need it at every `sudo:` prompt.
Type `exit` to leave 92. Repeat for 186 (`ssh administrator@172.18.139.186`).
## 2. Set up sudo on each VM (only if step 1 said passwords differ)
## 2. Sudo on the company VMs
On 92:
The VMs are company-owned and you don't change sudo policy. Every `sudo` call will prompt you for the password — you type it. The sudo timestamp (default 15 min) means you only type it once per shell session, but you'll see the prompt several times across the deploy as you run multiple `sudo` commands. That's expected.
```bash
ssh administrator@172.18.136.92
```
(You'll be prompted for the SSH password. Once in, `sudo tee` will prompt for the sudo password — that's the one you just confirmed.)
```bash
echo 'administrator ALL=(ALL) NOPASSWD: /bin/systemctl, /usr/bin/install, /usr/bin/journalctl' | sudo tee /etc/sudoers.d/sdp-deploy
sudo chmod 440 /etc/sudoers.d/sdp-deploy
exit
```
Repeat for 186 (substitute the 186 IP). After this, `administrator` can run `systemctl`, `install`, and `journalctl` with `sudo` without typing a password. Nothing else is opened up.
If your SSH password and sudo password are different, type the sudo one at the `sudo:` prompt — the SSH password you used to log in doesn't apply.
## 3. Kill old SDP processes on each VM (skip on a fresh VM)
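Review bot: The rewritten section 2 stops telling operators to create `/etc/sudoers.d/sdp-deploy`, but it gives no guidance for VMs where the removed step was already followed, so those hosts keep the NOPASSWD rule for `systemctl`, `install` and `journalctl` while the new text says "you don't change sudo policy". Add a sentence asking anyone who ran the old step on 92 or 186 to check `sudo -l` for that entry and have the file removed, or reported to the VM owner if removal is not theirs to do. The removed claim "Nothing else is opened up" also understated that rule, since passwordless `install` and `systemctl` run as root can write arbitrary files and start arbitrary units, which is one more reason not to leave it behind. Separately, in the new section 2 paragraph, "you only type it once per shell session" does not follow from a 15-minute timestamp: the cached credential expires after the timeout and is tracked per terminal by default, so a deploy that runs longer, or spans several SSH sessions, prompts again, which the same sentence then concedes. Suggest wording along the lines of "sudo remembers the password for a limited time (15 minutes by default here), so expect to be prompted again during a long deploy", and confirm the value on the VMs, because `timestamp_timeout` is a sudoers setting that a company image may change.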