Add support for sudo-rs

thallgren · thallgren · commit 1a456ce707bc · 2026-01-20T23:51:25.000+01:00
Telepresence now supports running the root daemon using `sudo-rs`. This is necessary on Ubuntu where `sudo-rs` has become the default for `sudo`. Closes #3992 Signed-off-by: Thomas Hallgren <thomas@tada.se>
diff --git a/CHANGELOG.yml b/CHANGELOG.yml
@@ -27,6 +27,11 @@ items:
   - version: 2.26.0
     date: (TBD)
     notes:
+      - type: bugfix
+        title: Add support for sudo-rs
+        body: >-
+          Telepresence now supports running the root daemon using `sudo-rs`. This is necessary on Ubuntu where `sudo-rs` has become the
+          default for `sudo`.
       - type: feature
         title: Add ability for cluster admins to revoke other users' intercepts.
         body: |-
diff --git a/docs/release-notes.md b/docs/release-notes.md
@@ -2,6 +2,12 @@
 [comment]: # (Code generated by relnotesgen. DO NOT EDIT.)
 # <img src="images/logo.png" height="64px"/> Telepresence Release Notes
 ## Version 2.26.0
+## <div style="display:flex;"><img src="images/bugfix.png" alt="bugfix" style="width:30px;height:fit-content;"/><div style="display:flex;margin-left:7px;">Add support for sudo-rs</div></div>
+<div style="margin-left: 15px">
+
+Telepresence now supports running the root daemon using `sudo-rs`. This is necessary on Ubuntu where `sudo-rs` has become the default for `sudo`.
+</div>
+
 ## <div style="display:flex;"><img src="images/feature.png" alt="feature" style="width:30px;height:fit-content;"/><div style="display:flex;margin-left:7px;">Add ability for cluster admins to revoke other users' intercepts.</div></div>
 <div style="margin-left: 15px">
 
diff --git a/docs/release-notes.mdx b/docs/release-notes.mdx
@@ -8,6 +8,12 @@ import { Note, Title, Body } from '@site/src/components/ReleaseNotes'
 
 # Telepresence Release Notes
 ## Version 2.26.0
+<Note>
+	<Title type="bugfix">Add support for sudo-rs</Title>
+	<Body>
+Telepresence now supports running the root daemon using `sudo-rs`. This is necessary on Ubuntu where `sudo-rs` has become the default for `sudo`.
+  </Body>
+</Note>
 <Note>
 	<Title type="feature">Add ability for cluster admins to revoke other users' intercepts.</Title>
 	<Body>
diff --git a/pkg/client/cli/connect/connector.go b/pkg/client/cli/connect/connector.go
@@ -85,11 +85,11 @@ func findHostConnectorInfo(ctx context.Context) (*daemon.Info, error) {
 }
 
 func quitHostConnector(ctx context.Context) {
-	progress.Working(ctx, "Quitting")
 	info, err := findHostConnectorInfo(ctx)
 	if err == nil {
 		ctx, err = ExistingDaemon(ctx, info)
 	}
+	progress.Working(ctx, "Quitting")
 	var errs error
 	rootWillContinue := false
 	if err != nil {
diff --git a/pkg/client/cli/connect/init_command.go b/pkg/client/cli/connect/init_command.go
@@ -58,8 +58,6 @@ func InitCommand(cmd *cobra.Command) (err error) {
 			flags.DeprecationIfChanged(cmd, global.FlagDocker, "use telepresence connect to initiate the connection")
 			flags.DeprecationIfChanged(cmd, global.FlagContext, "use telepresence connect to initiate the connection")
 		}
-		progress.Start(ctx, "Connecting")
-		progressStarted = true
 		ctx, err = EnsureUserDaemon(ctx, v == ann.Required)
 		if err != nil {
 			if v == ann.Optional && (errors.Is(err, daemon.ErrNoUserDaemon) || errcat.GetCategory(err) == errcat.Config) {
@@ -80,10 +78,8 @@ func InitCommand(cmd *cobra.Command) (err error) {
 	}
 
 	if v := as[ann.Session]; v == ann.Optional || v == ann.Required {
-		if !progressStarted {
-			progress.Start(ctx, "Connecting")
-			progressStarted = true
-		}
+		progress.Start(ctx, "Connecting")
+		progressStarted = true
 		ctx, err = EnsureSession(ctx, cmd.UseLine(), v == ann.Required)
 		defer progress.Stop(ctx)
 		if err != nil {
diff --git a/pkg/proc/exec_unix.go b/pkg/proc/exec_unix.go
@@ -7,6 +7,8 @@ import (
 	"fmt"
 	"os"
 	"os/exec" //nolint:depguard // We want no logging and no soft-context signal handling
+	"slices"
+	"strings"
 
 	"golang.org/x/sys/unix"
 
@@ -41,18 +43,26 @@ func startInBackground(includeEnv bool, args ...string) error {
 	return nil
 }
 
-func startInBackgroundAsRoot(_ context.Context, args ...string) error {
+func startInBackgroundAsRoot(ctx context.Context, args ...string) error {
 	if isAdmin() {
 		return startInBackground(false, args...)
 	}
 	// Run sudo with a prompt explaining why root credentials are needed.
-	cmd := exec.Command("sudo", append([]string{
-		"-b", "-p",
-		fmt.Sprintf(
-			"Need root privileges to run: %s\nPassword:",
-			shellquote.ShellString(args[0], args[1:])),
-	}, args...)...)
-	return cmd.Run()
+	const promptContext = "telepresence network daemon"
+	err := exec.Command("sudo", append([]string{"-b", "-p", fmt.Sprintf("[sudo: %s] Password: ", promptContext)}, args...)...).Run()
+	if err == nil {
+		return nil
+	}
+	// Are we using sudo-rs?
+	out, err2 := exec.Command("sudo", "--version").CombinedOutput()
+	if err2 != nil || !strings.Contains(string(out), "sudo-rs") {
+		// return the original error
+		return err
+	}
+	// sudo-rs does not support the "-b" (background) option. We need it to start a shell command that backgrounds the executable
+	// once the user has entered their password.
+	cmdString := shellquote.ShellArgsString(slices.Insert(args, 0, "setsid")) + "</dev/null >/dev/null 2>&1 &"
+	return exec.Command("sudo", "-p", promptContext, "sh", "-c", cmdString).Run()
 }
 
 func terminate(p *os.Process) error {

Original file line number	Diff line number	Diff line change
`@@ -85,11 +85,11 @@ func findHostConnectorInfo(ctx context.Context) (*daemon.Info, error) {`
`85`	`85`	`}`
`86`	`86`
`87`	`87`	`func quitHostConnector(ctx context.Context) {`
`88`		`- progress.Working(ctx, "Quitting")`
`89`	`88`	`info, err := findHostConnectorInfo(ctx)`
`90`	`89`	`if err == nil {`
`91`	`90`	`ctx, err = ExistingDaemon(ctx, info)`
`92`	`91`	`}`
	`92`	`+ progress.Working(ctx, "Quitting")`
`93`	`93`	`var errs error`
`94`	`94`	`rootWillContinue := false`
`95`	`95`	`if err != nil {`