
broad-train-31975

11/14/2022, 8:08 PM
I’ve noticed an unexpected behavior related to Administrative Access:
1. At some point, RD stopped asking for sudo password
2. I opened Preferences and *un*checked the “Allow Rancher Desktop to acquire administrative credentials (sudo access)”
3. RD restarted (VM and k3s)
4. I opened Preferences again and checked the “Allow Rancher Desktop to acquire administrative credentials (sudo access)”
5. RD restarted (VM and k3s), but never asked for sudo password
It happened before, and I’m not sure what is my current configuration. @fast-garage-66093 macOS Monterey, RD 1.6.2

fast-garage-66093

11/14/2022, 8:18 PM
It will only ask you for the password when it needs it. It is used for different purposes: for vmnet to get a routable IP address, and for creating the /var/run/docker.sock socket.
For vmnet access it creates the file /etc/sudoers.d/zzzzz-rancher-desktop-lima to allow it to start/stop the privileged daemon repeatedly. This file will not get deleted when you tell RD to not use admin access; it will just not start the daemon anymore.
So when you re-enable admin access (with an otherwise unchanged configuration), it will find that the sudoers file is still valid and will just use it again.
Similar with /var/run/docker.sock, it will only get deleted when you reboot the machine, at which point it will ask you for the password again.
You could argue that the sudoers file should be deleted when you disable admin access. But we are planning to move away from using sudo completely and use a privileged helper process instead in the future, so we are unlikely to change anything until we have implemented the helper process.

broad-train-31975

11/14/2022, 8:28 PM
Thank you for the explanation, @fast-garage-66093! It actually proves that my system works as expected.
@fast-garage-66093 you might still consider removing docker socket and sudoers file in case of Factory Reset, for a consistent experience. I just did a factory reset and it didn’t ask me anything. If I were to take it to extreme, I’d treat Factory Reset as a fresh install. Just a suggestion/opinion, no hard feelings either way 🙂

fast-garage-66093

11/16/2022, 9:39 PM
I do want to remove the sudoers file once we don't use it anymore at all. I'm not convinced removing the socket helps with anything, but once we have the privileged helper it should be simple enough to do on shutdown of the app

broad-train-31975

11/16/2022, 9:40 PM
Oh, I’m glad I checked - the Factory Reset set my CPUs to 2, dropping from 18. But left RAM unchanged, I think; 6GB. If you compute these numbers, from OS resources, I have 10 cores/20 threads and 128GB RAM in this box. Hope this helps

fast-garage-66093

11/16/2022, 9:40 PM
It left the RAM at 6 because that is the default 😄

broad-train-31975

11/16/2022, 9:41 PM
once we have the privileged helper…
Ah, yes indeed, you’ll only ask for root permission once for that helper, and won’t need them anymore.
RAM at 6 because that is the default
fair enough, so we get defaults after factory reset. Consistent experience 🙂

fast-garage-66093

11/16/2022, 9:43 PM
That is the idea of factory-reset: all custom settings are discarded; the configuration is like a fresh install

broad-train-31975

11/16/2022, 9:43 PM
Right, that’s how I understand it. Red font helps, too

fast-garage-66093

11/16/2022, 9:44 PM
I just argued again this morning that the factory reset should not by default delete cached Kubernetes images because they are not custom settings; just additional content that is downloaded at a later time. Deleting it doesn't reset anything because it will just be replaced again with identical content when needed

broad-train-31975

11/16/2022, 9:50 PM
I agree with that; it helps to save bandwidth and does not test patience of those users with slow or intermittent Internet connections. The content is identical to the level of enforcement; in my co people started using Nexus development Docker repos that allow redeployment, for production, thus version/tag meant nothing because the content could and did change. Worst experience I ever had. But of course we trust GCR to not change the content without changing tags, or else the whole world will be broken :)

fast-garage-66093

11/16/2022, 9:57 PM
Well, it is the package owner you have to trust... You can use sha256 checksums instead of tags in your image names, if you want to be sure

broad-train-31975

11/16/2022, 9:59 PM
Of course, we do that in some cases. Tags can be moved, checksums, good luck with that