fix: remove bench and supervisor from sudoers

chore: move production prerequisites into setup_production

bench/commands/setup.py

@@ -60,16 +60,6 @@ def setup_fonts():
 @click.option("--yes", help="Yes to regeneration config", is_flag=True, default=False)
 def setup_production(user, yes=False):
 	from bench.config.production_setup import setup_production
-	# Install prereqs for production
-	from distutils.spawn import find_executable
-	if not find_executable("ansible"):
-		exec_cmd("sudo -H {0} -m pip install ansible".format(sys.executable))
-	if not find_executable("fail2ban-client"):
-		exec_cmd("bench setup role fail2ban")
-	if not find_executable("nginx"):
-		exec_cmd("bench setup role nginx")
-	if not find_executable("supervisord"):
-		exec_cmd("bench setup role supervisor")
 	setup_production(user=user, yes=yes)
 
 

bench/config/production_setup.py

@@ -4,8 +4,23 @@ from bench.config.systemd import generate_systemd_config
 from bench.config.nginx import make_nginx_conf
 from bench.config.common_site_config import get_config
 import os, subprocess
+import sys
+from distutils.spawn import find_executable
+
+
+def setup_production_prerequisites():
+	if not find_executable("ansible"):
+		exec_cmd("sudo {0} -m pip install ansible".format(sys.executable))
+	if not find_executable("fail2ban-client"):
+		exec_cmd("bench setup role fail2ban")
+	if not find_executable("nginx"):
+		exec_cmd("bench setup role nginx")
+	if not find_executable("supervisord"):
+		exec_cmd("bench setup role supervisor")
+
 
 def setup_production(user, bench_path='.', yes=False):
+	setup_production_prerequisites()
 	if get_config(bench_path).get('restart_supervisor_on_update') and get_config(bench_path).get('restart_systemd_on_update'):
 		raise Exception("You cannot use supervisor and systemd at the same time. Modify your common_site_config accordingly." )
 
@@ -109,15 +124,15 @@ def reload_supervisor():
 
 	try:
 		# first try reread/update
-		exec_cmd('sudo {0} reread'.format(supervisorctl))
-		exec_cmd('sudo {0} update'.format(supervisorctl))
+		exec_cmd('{0} reread'.format(supervisorctl))
+		exec_cmd('{0} update'.format(supervisorctl))
 		return
 	except CommandFailedError:
 		pass
 
 	try:
 		# something is wrong, so try reloading
-		exec_cmd('sudo {0} reload'.format(supervisorctl))
+		exec_cmd('{0} reload'.format(supervisorctl))
 		return
 	except CommandFailedError:
 		pass

bench/config/templates/frappe_sudoers

@@ -8,13 +8,8 @@
 {{ user }} ALL = (root) NOPASSWD: {{ systemctl }} * nginx
 {{ user }} ALL = (root) NOPASSWD: {{ systemctl }} * supervisord
 {% endif %}
-{% if supervisorctl %}
-{{ user }} ALL = (root) NOPASSWD: {{ supervisorctl }}
-{% endif %}
 {% if nginx %}
 {{ user }} ALL = (root) NOPASSWD: {{ nginx }}
 {% endif %}
 {{ user }} ALL = (root) NOPASSWD: /opt/certbot-auto
-{{ user }} ALL = (root) NOPASSWD: {{ bench }}
 Defaults:{{ user }} !requiretty
-

bench/tests/test_setup_production.py

@@ -126,12 +126,12 @@ class TestSetupProduction(TestBenchBase):
 
 
 	def assert_supervisor_process(self, bench_name, use_rq=True, disable_production=False):
-		out = bench.utils.get_cmd_output("sudo supervisorctl status")
+		out = bench.utils.get_cmd_output("supervisorctl status")
 
 		while "STARTING" in out:
 			print ("Waiting for all processes to start...")
 			time.sleep(10)
-			out = bench.utils.get_cmd_output("sudo supervisorctl status")
+			out = bench.utils.get_cmd_output("supervisorctl status")
 
 		tests = [
 			"{bench_name}-web:{bench_name}-frappe-web[\s]+RUNNING",

bench/utils.py

@@ -37,6 +37,7 @@ class CommandFailedError(Exception):
 logger = logging.getLogger(__name__)
 
 folders_in_bench = ('apps', 'sites', 'config', 'logs', 'config/pids')
+sudoers_file = '/etc/sudoers.d/frappe'
 
 
 class color:
@@ -423,16 +424,12 @@ def setup_sudoers(user):
 		if set_permissions:
 			os.chmod('/etc/sudoers', 0o440)
 
-	sudoers_file = '/etc/sudoers.d/frappe'
-
 	template = env.get_template('frappe_sudoers')
 	frappe_sudoers = template.render(**{
 		'user': user,
 		'service': find_executable('service'),
 		'systemctl': find_executable('systemctl'),
-		'supervisorctl': find_executable('supervisorctl'),
 		'nginx': find_executable('nginx'),
-		'bench': find_executable('bench')
 	})
 	frappe_sudoers = safe_decode(frappe_sudoers)
 
@@ -548,7 +545,7 @@ def restart_supervisor_processes(bench_path='.', web_workers=False):
 		exec_cmd(cmd, cwd=bench_path)
 
 	else:
-		supervisor_status = subprocess.check_output(['sudo', 'supervisorctl', 'status'], cwd=bench_path)
+		supervisor_status = subprocess.check_output(['supervisorctl', 'status'], cwd=bench_path)
 		supervisor_status = safe_decode(supervisor_status)
 
 		if web_workers and '{bench_name}-web:'.format(bench_name=bench_name) in supervisor_status:
@@ -565,7 +562,7 @@ def restart_supervisor_processes(bench_path='.', web_workers=False):
 		else:
 			group = 'frappe:'
 
-		exec_cmd('sudo supervisorctl restart {group}'.format(group=group), cwd=bench_path)
+		exec_cmd('supervisorctl restart {group}'.format(group=group), cwd=bench_path)
 
 
 def restart_systemd_processes(bench_path='.', web_workers=False):