This repository has been archived by the owner on Jul 28, 2020. It is now read-only.

sudo/root access for cf dev destroy #190

Closed
C-Otto opened this issue Jan 11, 2017 · 8 comments
@C-Otto

C-Otto commented Jan 11, 2017

On my machine I'm allowed to start and use PCF Dev as a non-root user. Only when I want to run cf dev destroy, I need root access using sudo. On my particular machine I am root, but sudo was not set up for my user (which I changed).

In general, I'd like PCF Dev to either not need root access, or communicate this before creating the VM.

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this GitHub issue will be updated when the story is started.

@C-Otto
Author

C-Otto commented Jan 11, 2017

I just found this on https://docs.pivotal.io/pcf-dev/configuring.html

Note: If you run cf dev destroy and are prompted to enter your password, this is because the plugin is attempting to remove PCF Dev-specific certificates from your certificate store.

I did not set up any certificates (to my knowledge), so the password prompt should not be given.

@mdelillo
Contributor

@C-Otto does the VM fail to be destroyed? We do attempt to run commands using sudo but we should be ignoring any error that occurs and continuing to destroy.

The reason for needing sudo access is the way certificates are stored on Linux. When we go to destroy the VM, we have no way of knowing if the PCF Dev certs have been added to your cert store. So we always run update-ca-certificates --fresh and update-ca-trust extract which will refresh your cert store and remove whatever we have added. One or both of those commands are likely to fail, so we do not stop in that case.

If you just run cf dev start, no certs will be added to your cert store. cf dev trust (or cf dev start -k) will add the PCF Dev certs to your store (so that you don't need to use --skip-ssl-validation when using the CF CLI).

@C-Otto
Author

C-Otto commented Jan 11, 2017

@mdelillo I did not try (and right now I can't reproduce). But I think the mere fact that a root/sudo access is prompted without any need is confusing for people - especially those who do not have root access and were able to start/use PCFDev nevertheless.

Could you remember if certificates were added (presumably requiring root access) and, if this is not the case, do not try to remove them? If done like that, the prompt would disappear.

As I now understand the issue, I see that it is quite minor - maybe it suffices to add an explanation to the output of cf dev destroy to mitigate this.

@sclevine
Contributor

Is there a reason we can't figure out if our certificate is installed without requiring root access or storing state? This seems like it would be fairly straightforward.

(As a side note, we should probably detect if sudo and update-ca-certificates are actually available on Linux systems before we try to use them. Neither is a required system package in most distributions.)

@mdelillo
Contributor

From what I remember, we had trouble putting the certificate in an accessible place (such as /usr/local/share/ca-certificates) with a name such as pcfdev.crt and having sudo update-ca-certificates add it to the cert store. We had to append the cert to /etc/ssl/certs/ca-certificates.crt (or a different file depending on the OS) by hand. Removing it by hand is more difficult because we need to know which cert in the file to remove. This would require us to either check every cert or to know the original cert (which may not be available if the VM is in a bad state).

There may be a better way of adding/removing the certs, but we couldn't find anything that worked for most distros aside from commands like update-ca-certificates or editing the ca-certificates list manually.
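
The two checks discussed in the comments above, as an added Go example (not PCF Dev's code and not written by any participant in this thread): scanning the world-readable CA bundle without root for a known certificate, and checking that sudo and update-ca-certificates are on PATH before prompting. It assumes the plugin still has the certificate's DER bytes or its SHA-256 fingerprint; the function names and sample bytes are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/pem"
	"fmt"
	"os"
	"os/exec"
)

// fingerprint is the SHA-256 of a certificate's DER encoding.
func fingerprint(der []byte) [32]byte { return sha256.Sum256(der) }

// certInBundle walks every PEM block in a CA bundle and reports whether a
// certificate with the wanted fingerprint is present. Reading needs no root.
func certInBundle(bundle []byte, want [32]byte) bool {
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" && fingerprint(block.Bytes) == want {
			return true
		}
	}
	return false
}

// missingTools returns the named commands that are not on PATH, so the caller
// can skip the sudo prompt instead of failing on an absent binary.
func missingTools(names ...string) []string {
	var missing []string
	for _, n := range names {
		if _, err := exec.LookPath(n); err != nil {
			missing = append(missing, n)
		}
	}
	return missing
}

// samplePEM wraps constructed bytes as a CERTIFICATE block (sample data only).
func samplePEM(der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	ours := []byte("constructed-pcfdev-der") // assumption: the plugin kept this
	bundle := append(samplePEM([]byte("constructed-other-ca")), samplePEM(ours)...)
	fmt.Println("in sample bundle:", certInBundle(bundle, fingerprint(ours)))
	if data, err := os.ReadFile("/etc/ssl/certs/ca-certificates.crt"); err == nil {
		fmt.Println("in system bundle:", certInBundle(data, fingerprint(ours)))
	}
	fmt.Println("missing:", missingTools("sudo", "update-ca-certificates"))
}
```
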

@C-Otto
Author

C-Otto commented Jan 11, 2017

I see. What about "Would you like to scan for PCFDev certificates and remove them? (Requires sudo with root access) [Y/n]"?

@aemengo
Contributor

aemengo commented Feb 20, 2019

This issue is no longer applicable to the latest iteration of CF Dev.
