sudo make me a sandwich

As anyone who has spent much time on the command line of a UNIX-based system knows, sudo is an incredibly powerful tool that allows you to temporarily perform actions as the “root” user, making a wide range of privileged actions possible.

You can actually do quite a lot on a Linux system without sudo, and much of our user base has been happy without it. There are certain things, however, that simply require root privileges. There were also instances where it was annoying for our users to do things one way on their dev and prod machines where they had root access, and do things another way on CircleCI where they didn’t… until now!

What exactly is new?

Quite simply, any custom build steps that use the sudo command will just work. Additionally, if you SSH into a CircleCI build container, you will no longer be prompted for a password when using sudo, which makes SSH an even more powerful tool for troubleshooting build issues.

What can sudo do?

There are a lot of things that you can do with sudo, but here is a handful of common use cases:

  • Install packages: If you need a custom package that isn’t already on CircleCI, just run e.g. sudo apt-get update; sudo apt-get install -y gnu-smalltalk as usual (the -y matters in a build, where apt-get has no terminal to ask for confirmation). See our docs for more details.

  • Install a custom version of a service: For example, if you want to use an older version of cassandra, you can run sudo apt-get update; sudo apt-get remove -y cassandra; sudo apt-get install -y cassandra=1.1.9

  • Edit system files: For example, if you want to tweak some global MySQL options, you can edit /etc/mysql/my.cnf with sudo sed -i or by piping into sudo tee -a. Note that a plain redirect such as sudo echo "..." > /etc/mysql/my.cnf does not work, because the redirect is performed by your unprivileged shell, not by the command running under sudo.

  • Bind low ports: If you have integration tests that expect a web server to be accessible on port 80, you can now start processes that listen on that port.

  • Manually start services: If you want to use Docker, but you need the Docker daemon to listen on a TCP port instead of a socket, you can run sudo docker -d -e lxc -s btrfs -H 0.0.0.0:5555 instead of starting it from the “services” section of your circle.yml. Keep in mind that a Docker daemon on an unauthenticated TCP port hands root-equivalent control of its host to anyone who can reach that port; that is tolerable inside an isolated, throwaway build container, but it is not something to copy onto a long-lived machine.
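Putting the use cases above together, here is a constructed circle.yml fragment, added here as an example rather than taken from the original post or from CircleCI’s own documentation. It assumes the circle.yml keys of the time (dependencies: pre: for commands run before dependency installation, and the background: true form for a command that should keep running); the package and version numbers are the ones from the list above.

```yaml
# circle.yml (constructed example; keys assumed to be the dependencies/pre
# and background:true forms of the circle.yml format used at the time)
dependencies:
  pre:
    # Install a package that isn't on the image. -y is required because
    # apt-get has no terminal to prompt on during a build.
    - sudo apt-get update
    - sudo apt-get install -y gnu-smalltalk

    # Pin an older version of a service: remove the preinstalled one first,
    # then install the exact version you want.
    - sudo apt-get remove -y cassandra
    - sudo apt-get install -y cassandra=1.1.9

    # Edit a root-owned system file. "sudo echo ... > file" would fail,
    # because the redirect is opened by the unprivileged shell; tee runs
    # under sudo and opens the file as root.
    - echo "max_connections = 500" | sudo tee -a /etc/mysql/my.cnf

    # Start the Docker daemon by hand on a TCP port (instead of listing
    # docker under machine/services) and leave it running in the background.
    # The port is unauthenticated; acceptable only inside the build container.
    - sudo docker -d -e lxc -s btrfs -H 0.0.0.0:5555:
        background: true

test:
  override:
    # Integration tests can now talk to a web server bound to port 80,
    # started by the test runner itself with sudo.
    - sudo ./run-integration-tests.sh
```

The test step’s script name is a placeholder for whatever your own runner is; everything else in the fragment maps one-to-one onto the bullet points above.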

A few constraints

Even with the sudo command, there are still a few constraints to what you can do inside of a build container. You won’t be able to do things like mount a filesystem, reformat a disk, or install a kernel module. In general, if you are the kind of person who is trying to do these things, you probably won’t be surprised to see that we prevent you from doing it. That said, none of these restrictions should be very limiting for most application-level needs.

A note on security

We use a number of tools, including AppArmor, unprivileged lxc containers, and user namespaces to constrain what our users can do (hence the limitations above). We also carried out a thorough third-party security review before granting sudo capabilities to any users. Please contact us if you have any further security-related questions.

This sudo thing sounds amazing! I’ll take 10!

You can get all the sudos you want by signing up here. Or if you’re already a CircleCI user, just add some commands that use sudo to your circle.yml file to experience the awesome power. If you’re an existing user who has asked us to apply custom privileged commands to your project, you can now do them yourself in your circle.yml and ask us to remove the commands from our end. Remember, you can also always SSH into build containers to experiment!
