sudoers - Google Compute Engine - no access to root

7

5

I have a Google Compute Engine VM instance with an Asterisk Server running on it. I get this message when I try to run sudo:

sudo: parse error in /etc/sudoers near line 21
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin

Is there a password for root so I can try to change it there? Any suggestions on this?

Sigh answered 23/12, 2014 at 14:47 Comment(2)
You need to get it from your server admin - Idoux
That's me ;) - Do you know if Google Cloud Engine provides a way to reset the root from console.developers.google.com? - Sigh
11

It looks like you have manually edited the /etc/sudoers file so while you would normally have sudo access, due to the parse error, you won't be able to do this directly.

Here's how to fix this situation.

1. Save the current boot disk

  • go to the instance view in Developers Console

  • find your VM instance and click on its name; you should now be looking at a URL such as https://console.cloud.google.com/project/[PROJECT]/compute/instancesDetail/zones/[ZONE]/instances/[VM-NAME]

  • stop the instance

  • detach the boot disk from the instance

2. Fix the /etc/sudoers on the boot disk

  • create a new VM instance with its own boot disk; you should have sudo access here
  • attach the disk saved above as a separate persistent disk
  • mount the disk you just attached
  • fix the /etc/sudoers file on the disk
  • unmount the second disk
  • detach the second disk from the VM
  • delete the new VM instance (let it delete its boot disk, you won't need it)

3. Restore the original VM instance

  • re-attach the boot disk to the original VM
  • restart the original VM with its original boot disk, with fixed config

How to avoid this in the future

Always use the command visudo, rather than just any text editor directly, to edit the /etc/sudoers file; visudo will validate the contents of the file prior to saving it.

Nettlesome answered 23/12, 2014 at 21:59 Comment(4)
Hey, great! I was about to start from the beginning. You saved my day! - Sigh
You can also probably do EDITOR=nano visudo or have a root session in screen for an emergency fix. - Redstone
2. Fix the /etc/sudoers on the boot disk: worked perfectly for me. Thanks for the solution. - Redmund
I followed these steps and when I detached the disk from my server it deleted everything. Great. - Whydah
10

I ran into this issue as well and had the same issue Nakilon was reporting when trying the gcloud workaround.

What we ended up doing was configure a startup script that removed the broken sudoers file.

So in your metadata put something like:

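#!/bin/sh

# Remove the sudoers drop-in that fails to parse (substitute the real file name)
rm "/etc/sudoers.d/broken-config-file"
# Leave a marker so you can confirm the startup script ran
echo "ok" > /tmp/ok.log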

https://cloud.google.com/compute/docs/startupscript

Outskirts answered 9/10, 2018 at 14:42 Comment(2)
All the other answers were not working except this perfect solution, thanks a lot and it saved my day - Thee
Thanks a lot, that worked but I also had to run usermod -aG sudo username. Anyway, that's the way to recover root access :) - Karakalpak
1

As you probably figured out this requires the /etc/sudoers file to be fixed. As nobody has root access to the instance, you will not be able to do this from inside the instance.

The best way to solve this is to edit the disk from another instance. The basic steps to do this are:

  1. Take a snapshot of your disk as a backup (!)
  2. Shut down your instance, taking care not to delete the boot disk.
  3. Start a new "debugger" instance from one of the stock GCE images.
  4. Attach the old boot disk to the new instance.
  5. In the debugger instance, mount the disk.
  6. In the debugger instance, fix the sudoers file on the mounted disk.
  7. In the debugger instance, unmount the disk.
  8. Shut down the debugger instance.
  9. Create a new instance with the same specs as your original instance using the fixed disk as the boot disk.

The new disk will then have the fixed sudoers file.

Rata answered 23/12, 2014 at 21:58 Comment(0)
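
For the "fix the /etc/sudoers file on the disk" step in the two rescue-disk answers above, an added example (not from any of the answers) that checks the mounted disk's sudoers files with visudo -c -f before the disk is detached. The mount point /mnt/rescue and the VISUDO override variable are assumptions; drop-ins are checked one by one because an includedir line in the mounted file would resolve against the rescue VM's own /etc/sudoers.d.

```sh
#!/bin/sh
# Added example: offline syntax check of the sudoers files on a mounted rescue disk.
# Usage on the rescue VM (mount point is an assumption): sh check_sudoers.sh /mnt/rescue

# VISUDO is a hypothetical override so a different checker binary can be used.
check_one() {
    # visudo -c -f parses the named file without installing it; parse errors
    # (with their line numbers) stay visible on stderr.
    if "${VISUDO:-visudo}" -c -f "$1" >/dev/null; then
        echo "OK     $1"
    else
        echo "BROKEN $1"
        return 1
    fi
}

check_sudoers_tree() {
    root=$1
    bad=0
    check_one "$root/etc/sudoers" || bad=$((bad + 1))
    # The includedir path inside that file is absolute, so the check above
    # followed it into the rescue VM's own directory, not the mounted one.
    # Check the mounted disk's drop-in files individually instead.
    for f in "$root"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in
            # sudo skips drop-ins whose name ends in ~ or contains a dot
            *~ | *.*) echo "SKIP   $f (name ignored by sudo)"; continue ;;
        esac
        check_one "$f" || bad=$((bad + 1))
    done
    echo "$bad broken file(s) under $root"
    [ "$bad" -eq 0 ]
}

# Run only when given a mount point, so loading the functions has no side effects.
if [ -d "${1:-}" ]; then
    check_sudoers_tree "$1"
fi
```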
1

Since I bumped into this issue too: if you have another instance or any place where you can run with gcloud privileges, you can run:

gcloud compute --project "<project id>" ssh --zone "europe-west1-b" "<servername>"

I ran this on a server which had gcloud as root, so you log in to the other box as root too! Then fix your issue. (If you don't have a box, just spin a micro up with the correct gcloud privileges.) Saves the hassle of disk stuff etc.

Cotyledon answered 14/6, 2015 at 16:43 Comment(3)
Permission denied (publickey,gssapi-keyex,gssapi-with-mic). ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255]. - Redstone
This works a lot better than deleting/recreating the instance! Thanks! - Madwort
Oh man! Thanks for the great hack for this issue in GCP. This really solved my issue. - Hilltop
1

As mentioned in the comments above, I am getting the same error, shown below, in a GCP VM.

sudo: parse error in /etc/sudoers near line 21
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin

To solve this:

I SSHed to another VM and became root, then I ran the gcloud ssh command to our main VM (where you are getting the sudo error).

gcloud compute --project "<project id>" ssh --zone "europe-west1-b" "<servername>"

And BOOM! Now you are logged in as root in the VM.

Now you can access/change the /etc/sudoers file accordingly.


I found this hack better than recreating VMs/disks. Hope this helps someone!

Hilltop answered 30/3, 2021 at 7:17 Comment(1)
You are my hero. Just a tip: it's possible to do it directly from the Cloud Shell machine, just remember to do "sudo su" in the Cloud Shell before running the gcloud command. - Merkel
0

It is possible to connect to a VM as root from your developers console Google Cloud Shell. Make sure the VM is running, start the shell and use this command:

gcloud compute ssh root@<instance-name> --zone <zone> [--project <project-id>]

where instance-name is found in the Compute Engine VM Instances screen. project-id is optional but required if you are connecting to an instance in a different project from the project where you started the shell.

You can then fix this and other issues that may prevent you from using sudo.

Dislocation answered 10/2, 2016 at 2:24 Comment(1)
Permission denied (publickey,gssapi-keyex,gssapi-with-mic). ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255]. - Redstone
0

I got a Permission denied error when trying to ssh to the problem instance via gcloud. Using a startup script as mentioned above by @Jorick works. Instructions for it are here. You will have to stop and restart the VM instance for the startup script to get executed. I modified the script slightly:

rm -f /etc/sudoers.d/google_sudoers >& /tmp/startup.log

After the restart, launch an SSH session from the cloud console and check that you are able to view the file contents (with sudo more /etc/sudoers.d/google_sudoers for example). If that works your problem has been solved.

Humeral answered 7/2, 2022 at 4:33 Comment(0)
