Call /etc/sudoers commands from fabric

Question

In my /etc/sudoers I have:

# Allow the picky user to restart its own gunicorn process
picky ALL=(ALL) NOPASSWD: /usr/bin/supervisorctl restart picky

I can indeed run this command from the picky user:

$ su picky
$ sudo supervisorctl restart picky

In my fabfile.py I have the following:

from fabric.api import sudo

def restart():
    sudo("supervisorctl restart picky")

However, when I run my fabric file, it still prompts for a password:

[picky@myhost] sudo: supervisorctl restart picky
[picky@myhost] out: sudo password: 

How can I run sudo commands inside Fabric such that I don't need to provide a password?

Edit:

I've noticed this works:

from fabric.api import run

def restart():
    run("sudo supervisorctl restart picky")

Answer 1

As noted in https://stackoverflow.com/questions/3737003/can-i-prevent-fabric-from-prompting-me-for-a-sudo-password, when you use the fabric sudo command that command is sent to a shell. The real command that is executed contains a call to /bin/bash in it, which is why it doesn't match with your sudoer entry.

To get around that, simply add shell=False to your call:

from fabric.api import sudo

def restart():
    sudo("supervisorctl restart picky", shell=False)

You might have to add the full path to supervisorctl.

Answer 2

Two items I noticed; your syntax might be incorrect and you might have rules that override this one later in the file.

I'd change your picky entry to picky ALL=NOPASSWD:ALL, place it at the END of the file (or at least after other entries similar to root ALL=(ALL:ALL) ALL) and see if it works. If so, then change it to picky ALL=NOPASSWD:/usr/bin/supervisorctl restart picky and see if that works. It should.