sudo brew services on Linux broken (me too) #724

Closed
mdsteveb opened this issue Aug 24, 2024 · 8 comments

@mdsteveb

mdsteveb commented Aug 24, 2024

I'm having exactly the same issue as #594. It was closed with a comment that it was the OP's shell configuration that was broken, with no explanation of what exactly needed to be fixed. I've experimented with many things, making sure HOMEBREW_ env vars are set e.g. via brew shellenv (my paths were set but the HOMEDIR_ vars were not originally), but none of that has changed the behavior.

I believe the response may have been to the FIRST error shown in the command output which was "brew: command not found" however that is resolvable by fixing the environment, which I did. (I have to run the "sudo" version of the command in a root login shell from sudo -i so that all the variables will be properly set, but at that point root has the full homebrew environment set.)

myuserid@myhost:~$ sudo -i
root@myhost:~# env
SHELL=/bin/bash
SUDO_GID=1000
SUDO_COMMAND=/bin/bash
HOMEBREW_PREFIX=/home/linuxbrew/.linuxbrew
SUDO_USER=myuserid
PWD=/root
LOGNAME=root
HOME=/root
LANG=en_US.UTF-8
LS_COLORS=.......
INFOPATH=/home/linuxbrew/.linuxbrew/share/info:
LESSCLOSE=/usr/bin/lesspipe %s %s
TERM=screen.xterm-256color
LESSOPEN=| /usr/bin/lesspipe %s
USER=root
HOMEBREW_CELLAR=/home/linuxbrew/.linuxbrew/Cellar
SHLVL=1
HOMEBREW_REPOSITORY=/home/linuxbrew/.linuxbrew/Homebrew
XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
PATH=/home/linuxbrew/.linuxbrew/bin:/home/linuxbrew/.linuxbrew/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
SUDO_UID=1000
MAIL=/var/mail/root
_=/usr/bin/env

Then I try to start a brew service, however, I get the SECOND error shown in that posting (which the OP got when specifying the full path in the sudo command) which was:

root@myhost:~# brew services start fail2ban
Error: Need to download https://formulae.brew.sh/api/formula.jws.json but cannot as root! Run `brew update` without `sudo` first then try again.

Besides the annoyance of not being able to use brew directly in a sudo command because sudo strips the environment, can you please clarify what is needed to get this working? Obviously I tried running brew update as shown in the error message and it does nothing (since I had already run a brew update prior to attempting the services command.)

Interestingly, brew services ls works fine under my account, but fails with the same error message when run in the root shell.

myuser@myhost:~$ brew services ls
Name     Status User File
fail2ban none
myuser@myhost:~$ sudo -i
[sudo] password for myuser:
root@myhost:~# brew services ls
Error: Need to download https://formulae.brew.sh/api/formula.jws.json but cannot as root! Run `brew update` without `sudo` first then try again.

Host is Ubuntu 20.04 and I was looking for a clean way to get an up-to-date and maintainable installation of fail2ban running. It's the first time I've tried to run any homebrew services on any host. Is this supposed to work?

@MikeMcQuaid
Member

> It was closed with a comment that it was the OP's shell configuration that was broken

That was the sudo: brew: command not found in the output. There was also not (nearly) enough information in that issue to do any further debugging.

> Is this supposed to work?

Yes.


When you run sudo env: what do you see as $HOME? Can you run sudo brew config and, if so, what does it output?

@mdsteveb
Author

mdsteveb commented Aug 26, 2024

As I stated above, it seems a little difficult to get brew to work under sudo, because it clears environment variables that brew wants to use and resets to a sanitized system-only PATH. I'm sure there are ways to get sudo to work but I didn't go there (yet).

So as I showed above, I just set up root's dot files so that I could run a root login shell via sudo -i which would have the correct environment (shown above). I'm not trying to use sudo, that's not the question here. EDIT: I mean, yes I'm using sudo -i to get a root login shell that sources all the dot files, so that the environment variables are set correctly for homebrew, but for now I'm not trying to get a sudo one-liner working. The point is, the environment I'm trying to run the command in has the same environment variables set as my normal login shell where I use brew commands without root.

I just want brew services commands to work without the error.

root@myhost:~# brew services ls
Error: Need to download https://formulae.brew.sh/api/formula.jws.json but cannot as root! Run `brew update` without `sudo` first then try again.

@mdsteveb
Author

To answer your question about command output from brew commands (as root but without sudo):

root@myhost:~# brew config
Error: Running Homebrew as root is extremely dangerous and no longer supported.
As Homebrew does not drop privileges on installation you would be giving all
build scripts full access to your system.
root@myhost:~# echo $HOME
/root

@MikeMcQuaid
Member

> it seems a little difficult to get brew to work under sudo

This seems to be a Linux-distro specific thing. Many people have used Homebrew on macOS (and some forms of Linux) for a long time without these issues. I suspect it's because your distro/sudo configuration is unsetting HOME which means these files cannot be found.

> When you run sudo env: what do you see as $HOME? Can you run sudo brew config and, if so, what does it output?

These are the commands whose output I need to know. Running as root is insufficient to debug the issue.

The issue is titled sudo brew services is broken so how things run as a root user is irrelevant as we intentionally do not wish to support that.

@mdsteveb
Author

You asked what $HOME was when running sudo:

myuser@myhost:~$ sudo env | grep HOME
HOME=/root

I'm honestly not trying to be difficult here but I can rename the issue if it helps. I'm not sure what the difference is between supporting a command running under sudo with a proper environment and directly under a root shell with a proper environment. Either way, it's root and it has an environment set; it should effectively be the same thing.

That said, here's some more about the sudo issue:

Per the sudoers(5) man page:

> By default, the env_reset flag is enabled. This causes commands to be executed with a new, minimal environment. .... The HOME, MAIL, SHELL, LOGNAME and USER environment variables are initialized based on the target user and the SUDO_* variables are set based on the invoking user. Additional variables, such as DISPLAY, PATH and TERM, are preserved from the invoking user’s environment if permitted by the env_check or env_keep options.

And also:

> If the secure_path setting is enabled, its value will be used for the PATH environment variable. This flag is on by default.

My PATH is not being inherited, which makes sense given the stated defaults above, and also that both of those seem to be explicitly set in the default Ubuntu /etc/sudoers file. So that is why just plain sudo brew doesn't find brew in a non-system directory (/home/linuxbrew/.linuxbrew/bin) without some extra work.

Can you recommend a sudoers entry for running brew services commands then? I've looked and I really don't see much. What actually needs to be set for brew services to function? Does it only need brew in the PATH or does it need all the other stuff set too? I'm not especially eager to put homebrew's path into the sudo secure_path settings because I don't necessarily trust every single executable in homebrew's bin directory enough to potentially run it as root.

But back to my real problem:

Because brew not being in the sudo secure_path seems to be the sticking point here, maybe we can get past that if I tell you that if I run sudo with the full path to brew specified it still gives exactly the same error:

myuser@myhost:~$ sudo /home/linuxbrew/.linuxbrew/bin/brew services ls
Error: Need to download https://formulae.brew.sh/api/formula.jws.json but cannot as root! Run `brew update` without `sudo` first then try again.
myuser@myhost:~$ brew update
==> Updating Homebrew...
Already up-to-date.
myuser@myhost:~$ sudo /home/linuxbrew/.linuxbrew/bin/brew services ls
Error: Need to download https://formulae.brew.sh/api/formula.jws.json but cannot as root! Run `brew update` without `sudo` first then try again.

@MikeMcQuaid
Member

> You asked what $HOME was when running sudo:

> that if I run sudo with the full path to brew specified it still gives exactly the same error:

Yup, this is your problem: your sudo needs to be configured to not override $HOME (and $PATH, see your brew issues) by default for Homebrew.

Something like Defaults env_keep += "HOME" in your sudoers file should do it.

@mdsteveb
Author

Ok, that did in fact fix it, thank you. But why? What is it using $HOME for when I thought all brew stuff was relative to $HOMEBREW_PREFIX ?

For future reference, I made a sudoers entry /etc/sudoers.d/homebrew that contains:

# Cmnd alias specification
Cmnd_Alias C_BREW = /home/linuxbrew/.linuxbrew/bin/brew services *

Defaults!C_BREW		env_keep += "HOMEBREW_PREFIX HOMEBREW_CELLAR HOMEBREW_REPOSITORY HOME"

ALL ALL = (root) C_BREW

That does allow sudo /home/linuxbrew/.linuxbrew/bin/brew services ls to work, although having to type out the path is kind of annoying. But I can live with it.

@MikeMcQuaid
Member

> But why? What is it using $HOME for when I thought all brew stuff was relative to $HOMEBREW_PREFIX ?

Homebrew's cache is stored in your $HOME.

> That does allow sudo /home/linuxbrew/.linuxbrew/bin/brew services ls to work, although having to type out the path is kind of annoying.

You can also fix sudo to tell it to not strip your PATH but it seems you'd rather not do that.
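
Added example, not part of the thread and not sudo's or Homebrew's own code: a simplified Python model of the env_reset, env_keep and secure_path rules quoted from sudoers(5) above, showing why plain sudo cannot find brew and why keeping HOME changes which cache directory brew looks in. The invoking user's home directory, the PATH and secure_path values and the function names are constructed for illustration, and the cache path assumes Homebrew's default Linux location of `~/.cache/Homebrew`.

```python
# Simplified model of the sudoers(5) rules quoted in this thread:
# env_reset, env_keep and secure_path. This is not sudo's real implementation.

# Constructed sample data (assumptions, not captured from a real host).
INVOKING_ENV = {
    "USER": "myuser",
    "HOME": "/home/myuser",
    "PATH": "/home/linuxbrew/.linuxbrew/bin:/usr/local/bin:/usr/bin:/bin",
    "HOMEBREW_PREFIX": "/home/linuxbrew/.linuxbrew",
}
ROOT = {"name": "root", "home": "/root", "shell": "/bin/bash"}
SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
EXECUTABLES = {"/home/linuxbrew/.linuxbrew/bin/brew", "/usr/bin/env"}


def sudo_environment(invoking, target, env_keep=(), secure_path=SECURE_PATH):
    """Environment the command receives when env_reset is enabled."""
    env = {
        "HOME": target["home"],  # initialised from the target user
        "MAIL": "/var/mail/" + target["name"],
        "SHELL": target["shell"],
        "LOGNAME": target["name"],
        "USER": target["name"],
        "SUDO_USER": invoking["USER"],  # SUDO_* come from the invoking user
    }
    for name in env_keep:  # env_keep preserves the caller's value
        if name in invoking:
            env[name] = invoking[name]
    if secure_path:  # secure_path replaces PATH even when PATH is kept
        env["PATH"] = secure_path
    return env


def which(command, env):
    """Resolve a bare command name against env's PATH, as the shell would."""
    for directory in env.get("PATH", "").split(":"):
        candidate = directory + "/" + command
        if candidate in EXECUTABLES:
            return candidate
    return None


def homebrew_cache(env):
    """Default Homebrew cache directory on Linux, which depends on HOME."""
    base = env.get("XDG_CACHE_HOME") or env["HOME"] + "/.cache"
    return base + "/Homebrew"
```

With the defaults the model gives HOME=/root and no match for `brew` on PATH; adding HOME to env_keep moves the cache lookup back to the invoking user's home while the command still runs as root and still has to be called by full path.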
