minikube should not ask for the (sudo) password more than once

[FlorianLudwig]

Steps to reproduce the issue:

1. minikube --driver=kvm2
2. get prompted for password ~ 20 times

System:

Fedora 31
$ minikube version
minikube version: v1.9.2
commit: 93af9c1e43cab9618e301bc9fa720c63d5efa393

[FlorianLudwig]

This is especially frustrating since it is not possible to run minicube as root (see length discussion over at #8257)

[afbjorklund]

This is usually the case when you haven't added your user to the libvirt group.

[FlorianLudwig]

@afbjorklund which I for security reasons don't intend to do. I thought it might be possible to ask once for the password and keep the connection to libvirtd open?

[afbjorklund]

I'm not sure what other options that libvirt provides, but you might want to check there ?

We discussed the user sessions at one time, but it didn't really work out... #3467 #4288

Basically there are issues with the networking, when trying to run minikube as a regular user.

So we defer that endeavor to other projects, such as "usernetes". And require root/sudo/admin/etc.

[afbjorklund]

We are supposed to check for this, to give a better solution message: #5617

And also improve the documentation in general, about the requirements #7963
(that issue is for the kic drivers specifically, but all the drivers require admin...)

Not sure the exact security model that VirtualBox uses, but it's more when installing ?

[FlorianLudwig]

I think we have a misunderstanding: I am fine running a VM and that my user is not allowed to access it. 99% of the time I interact with my local cluster I do so via kubectl - which I execute as normal user. But to start/stop/delete/etc. the local cluster I have to use minicube which will need access to kvm - and asks for sudo password to get it. All of this is expected.

Summary:

Exception (if user is not in libvirt group):

Variant A:

1. run minicube start
2. enter password
3. cluster is running

Variant B:

1. run sudo minicube start
2. enter password
3. cluster is running

Current situation

1. run minicube start
2. enter password
3. enter password
4. enter password
5. enter password
6. enter password
7. enter password
8. enter password
9. enter password
10. enter password
11. enter password
12. enter password
13. enter password
14. enter password
15. enter password
16. enter password
17. cluster is running

[afbjorklund]

There are lots of different ways to run docker and libvirt, we just settled on the groups since they seemed to be the most common setups and recommended by the distributions (such as Ubuntu).

Some other security frameworks (other than pkexec or whatever libvirt uses) have the possibility to cache credentials in some daemon or whatever, but not something that we have actively looked into.

[FlorianLudwig]

I just came up with a workaround:

1. Create a user "root2" add it to libvirt group
2. use sudo -u root2 minikube to execute minicube.
3. Make /home/root2/.minikube/profiles/minikube/client.* readable to my main user to be able to use kubectl from my user.

[afbjorklund]

If that workaround is OK for you, then we'll leave this at that. I assume you did the same for kubeconfig ?

Basically:
~/.kube/config
~/.minikube/ca.crt
~/.minikube/profiles/minikube/client.crt
~/.minikube/profiles/minikube/client.key

[FlorianLudwig]

I merged the ~/.kube/config into my config but yeah :)