You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+9Lines changed: 9 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -107,6 +107,13 @@ automax run \
107
107
--state-dir /var/lib/automax/runs
108
108
```
109
109
110
+
When selected remote substeps use `sudo` and the target account requires a password, keep sudo authentication explicit instead of configuring NOPASSWD on the target:
111
+
112
+
```bash
113
+
export AUTOMAX_SUDO_PASSWORD='...'
114
+
automax run --job job.yaml --inventory inventory.yaml --sudo-password-env AUTOMAX_SUDO_PASSWORD
automax run --job job.yaml --inventory inventory.yaml --secrets secrets.yaml
84
84
```
85
85
86
+
If the job uses sudo-enabled remote plugins and the remote account requires a sudo password, export it on the controller and pass only the environment variable name:
87
+
88
+
```bash
89
+
export AUTOMAX_SUDO_PASSWORD='...'
90
+
automax run --job job.yaml --inventory inventory.yaml --secrets secrets.yaml --sudo-password-env AUTOMAX_SUDO_PASSWORD
Normal `automax run` performs this OS detection and capability preflight implicitly before executing selected substeps. The older `--preflight-capabilities` flag remains accepted for compatibility, but the preflight is now the default for normal runs that require remote tools.
248
+
Normal `automax run` performs this OS detection and capability preflight implicitly before executing selected substeps. The older `--preflight-capabilities` flag remains accepted for compatibility, but the preflight is now the default for normal runs that require remote tools. If selected substeps use `sudo` and the target account requires a password, run with `--sudo-password-env ENV_NAME` instead of installing a NOPASSWD sudoers drop-in.
249
+
250
+
```bash
251
+
export AUTOMAX_SUDO_PASSWORD='...'
252
+
automax run \
253
+
--job jobs/site.yaml \
254
+
--inventory inventory/prod.yaml \
255
+
--sudo-password-env AUTOMAX_SUDO_PASSWORD
256
+
```
249
257
250
258
Missing dependencies can be installed per target from the OS-aware requirement plan:
Copy file name to clipboardExpand all lines: docs/plugins/security.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -103,7 +103,7 @@ paths.
103
103
104
104
## Capability preflight and redaction policy
105
105
106
-
Use `capabilities requirements` to derive remote tool requirements from the selected job plan after detecting each target OS family. Normal `automax run` performs the same OS-aware capability preflight implicitly before executing remote tools. Use `capabilities install --sudo-password-env ENV_NAME` to install only missing dependency packages for the selected job and target OS.
106
+
Use `capabilities requirements` to derive remote tool requirements from the selected job plan after detecting each target OS family. Normal `automax run` performs the same OS-aware capability preflight implicitly before executing remote tools. When selected substeps use `sudo`, pass `automax run --sudo-password-env ENV_NAME` so the target account can keep password-protected sudo instead of a NOPASSWD sudoers drop-in. Use `capabilities install --sudo-password-env ENV_NAME` to install only missing dependency packages for the selected job and target OS.
automax run --job job.yaml --inventory inventory.yaml --state-dir .automax/runs
55
55
```
56
56
57
+
For sudo-enabled remote substeps on targets that require a sudo password, pass the controller-side environment variable name instead of configuring passwordless sudo on the target:
58
+
59
+
```bash
60
+
export AUTOMAX_SUDO_PASSWORD='...'
61
+
automax run --job job.yaml --inventory inventory.yaml --sudo-password-env AUTOMAX_SUDO_PASSWORD
62
+
```
63
+
57
64
Preview the selected run without creating run state:
@click.option("--lock-timeout", type=float, default=0.0, show_default=True, help="Seconds to wait for locks.")
324
324
@click.option("--preflight-capabilities", is_flag=True, help="Compatibility flag; capability preflight is implicit for normal runs.")
325
+
@click.option("--sudo-password-env", help="Environment variable containing the sudo password for sudo-enabled remote substeps.")
325
326
@click.option("--format", "output_format", type=click.Choice(["text", "json"]), default="text", show_default=True, help="Output format for the final run summary.")
@click.option("--lock-timeout", type=float, default=0.0, show_default=True, help="Seconds to wait for locks.")
901
904
@click.option("--preflight-capabilities", is_flag=True, help="Check remote tools required by the selected job before execution.")
905
+
@click.option("--sudo-password-env", help="Environment variable containing the sudo password for sudo-enabled remote substeps.")
902
906
@click.option("--format", "output_format", type=click.Choice(["text", "json"]), default="text", show_default=True, help="Output format for the final resume summary.")
903
907
defresume(
904
908
run_id: str,
@@ -917,6 +921,7 @@ def resume(
917
921
lock_scope: str,
918
922
lock_timeout: float,
919
923
preflight_capabilities: bool,
924
+
sudo_password_env: str|None,
920
925
output_format: str,
921
926
) ->None:
922
927
"""Resume an existing run from failed or explicit checkpoint."""
0 commit comments