DevOps Zone is brought to you in partnership with:

Mark is a graph advocate and field engineer for Neo Technology, the company behind the Neo4j graph database. As a field engineer, Mark helps customers embrace graph data and Neo4j building sophisticated solutions to challenging data problems. When he's not with customers Mark is a developer on Neo4j and writes his experiences of being a graphista on a popular blog at He tweets at @markhneedham. Mark is a DZone MVB and is not an employee of DZone and has posted 553 posts at DZone. You can read more from them at their website. View Full User Profile

Puppet: sudo, sudo -i and sudo su

  • submit to reddit

On the project I’m currently working on we’re doing quite a bit of puppet and although we’re using the puppet master approach in production & test environments it’s still useful to be able to run puppet headless to test changes locally.

Since several of the commands require having write access to ‘root’ folders we need to run ‘puppet apply’ as a super user using sudo. We also need to run it in the context of some environment variables which the root user has.

One way to do this would be to run the following command:

sudo su

That runs the ‘su’ command as root which means that we can run root’s shell as the root user without needing to know the root password.

The cool thing about using ‘su’ like this is that it leaves us in the same directory that we were in before we ran the command.

mneedham@ubuntu:/home/mneedham/puppet$ sudo su

If instead we want to be positioned in the root home directory we could use the following:

mneedham@ubuntu:/home/mneedham/puppet$ sudo su -
root@ubuntu:~# pwd

We can achieve a similar outcome using ‘sudo -i’, a flag I didn’t know about until my colleague Phil Potter showed me:

mneedham@ubuntu:/home/mneedham/puppet$ sudo -i
root@ubuntu:~# pwd

-i [command]

The -i (simulate initial login) option runs the shell specified in the passwd(5) entry of the target user as a login shell. This means that
login-specific resource files such as .profile or .login will be read by the shell.

If a command is specified, it is passed to the shell for execution. Otherwise, an interactive shell is executed.

sudo attempts to change to that user’s home directory before running the shell. It also initializes the environment, leaving DISPLAY and TERM unchanged, setting HOME, SHELL, USER, LOGNAME, and PATH, as well as the contents of /etc/environment on Linux and AIX systems. All other environment variables are removed.

Interestingly with ‘sudo -i’ we can pass a command which will be executed in the root context which would be useful in this situation as we wouldn’t need to keep switching to the root shell to run puppet.

One of the things that changes if we’re in the root shell is the value of $HOME so I started with that to check I was passing the command correctly:

mneedham@ubuntu:/home/mneedham/puppet$ sudo -i echo $HOME

Unfortunately the echo statement is getting evaluated in the context of the current user’s shell rather than the root shell and my colleague Rob Hunter showed me the ‘set -x’ tool/flag so that I could figure out what was going on with the escaping in the shell:

mneedham@ubuntu:/home/mneedham/puppet$ sudo -i echo $HOME
+ sudo -i echo /home/mneedham

As we can see, the $HOME value is expanded too early so we need to escape it like so:

mneedham@ubuntu:/home/mneedham/puppet$ sudo -i echo \$HOME
+ sudo -i echo '$HOME'

If we disable that flag:

mneedham@ubuntu:/home/mneedham/puppet$ set +x
+ set +x
mneedham@ubuntu:/home/mneedham/puppet$ sudo -i echo \$HOME

We can see that $HOME is being evaluated in the root shell context and we can also call our ‘puppet apply’ script in a similar vein.


Published at DZone with permission of Mark Needham, author and DZone MVB. (source)

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)