fix: use sudo -n for lsof retry in preflight to avoid password prompt#1227
Merged
Conversation
The port-availability check in checkPortAvailable retries with sudo lsof to detect root-owned listeners. Without -n (non-interactive), sudo blocks on a Password: prompt, stalling non-interactive installs (curl | bash, --non-interactive, NEMOCLAW_NON_INTERACTIVE=1, CI). Switch to sudo -n so it fails immediately when passwordless sudo is unavailable, falling through to the TCP bind probe instead of hanging.
Contributor
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughA single line modification in the port availability check function updates the Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~5 minutes Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
ericksoa
approved these changes
Apr 1, 2026
ericksoa
left a comment
Contributor
There was a problem hiding this comment.
No regression risk. The -n flag prevents a surprise password prompt during preflight — if sudo needs a password, it fails silently into the existing ignoreError: true fallback path.
cv
added a commit
that referenced
this pull request
Apr 1, 2026
Convert bin/lib/preflight.js (357 lines) to src/lib/preflight.ts with full type definitions for all opts objects and return types. The old file becomes a thin re-export shim so existing consumers are unaffected. Changes: - Typed interfaces: PortProbeResult, MemoryInfo, SwapResult, and all opts types (CheckPortOpts, GetMemoryInfoOpts, EnsureSwapOpts) - Extract parseLsofLines helper to reduce duplication in checkPortAvailable - Incorporate #1227 fix: sudo -> sudo -n (non-interactive) for lsof retry - Co-locate tests: test/preflight.test.js -> src/lib/preflight.test.ts converted to expect-style with type narrowing - Add real net probe tests (EADDRINUSE detection on occupied ports) - Fix co-located test imports to go through dist/ for coverage attribution - Add targeted dashboard and validation branch tests for ratchet 612 CLI tests pass. Coverage ratchet passes. No user-facing behavior changes. Relates to #924 (shell consolidation). Supersedes #1227. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
5 tasks
cv
added a commit
that referenced
this pull request
Apr 1, 2026
## Summary - Convert `bin/lib/preflight.js` (357 lines) to `src/lib/preflight.ts` with full type definitions - Typed interfaces for all opts objects and return types: `PortProbeResult`, `MemoryInfo`, `SwapResult`, `CheckPortOpts`, `GetMemoryInfoOpts`, `EnsureSwapOpts` - Extract `parseLsofLines` helper to reduce duplication in `checkPortAvailable` - Incorporate #1227 fix: `sudo` → `sudo -n` (non-interactive) for lsof retry - `bin/lib/preflight.js` becomes a thin re-export shim — existing consumers unaffected - Co-locate tests: `test/preflight.test.js` → `src/lib/preflight.test.ts` - Add real net probe tests (EADDRINUSE detection on occupied ports) - Fix all co-located test imports to use `dist/` paths for coverage attribution - Add targeted dashboard/validation branch tests to maintain ratchet Stacked on #1240. Not touched by any #924 blocker PR. ## Test plan - [x] 612 CLI tests pass (601 existing + 11 new) - [x] `tsc -p tsconfig.src.json` compiles cleanly - [x] `tsc -p tsconfig.cli.json` type-checks cleanly - [x] `tsc -p jsconfig.json` type-checks cleanly (the pre-push check that caught the union issue) - [x] Coverage ratchet passes Relates to #924 (shell consolidation). Supersedes #1227. 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
laitingsheng
pushed a commit
that referenced
this pull request
Apr 2, 2026
…#1227) ## Problem The port-availability preflight check in `checkPortAvailable` retries with `sudo lsof` to detect root-owned listeners when unprivileged `lsof` returns empty output. Without `-n` (non-interactive mode), `sudo` blocks on a `Password:` prompt, stalling non-interactive installs: - `curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash` - `nemoclaw onboard --non-interactive` - `NEMOCLAW_NON_INTERACTIVE=1` - CI pipelines ## Fix Use `sudo -n` so it fails immediately when passwordless sudo is unavailable, falling through to the TCP bind probe instead of hanging. This is the only `sudo` call in the codebase that should degrade gracefully — the other `sudo` calls (swap creation) intentionally require elevated privileges to succeed.
lakamsani
pushed a commit
to lakamsani/NemoClaw
that referenced
this pull request
Apr 4, 2026
…NVIDIA#1227) ## Problem The port-availability preflight check in `checkPortAvailable` retries with `sudo lsof` to detect root-owned listeners when unprivileged `lsof` returns empty output. Without `-n` (non-interactive mode), `sudo` blocks on a `Password:` prompt, stalling non-interactive installs: - `curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash` - `nemoclaw onboard --non-interactive` - `NEMOCLAW_NON_INTERACTIVE=1` - CI pipelines ## Fix Use `sudo -n` so it fails immediately when passwordless sudo is unavailable, falling through to the TCP bind probe instead of hanging. This is the only `sudo` call in the codebase that should degrade gracefully — the other `sudo` calls (swap creation) intentionally require elevated privileges to succeed.
gemini2026
pushed a commit
to gemini2026/NemoClaw
that referenced
this pull request
Apr 14, 2026
…NVIDIA#1227) ## Problem The port-availability preflight check in `checkPortAvailable` retries with `sudo lsof` to detect root-owned listeners when unprivileged `lsof` returns empty output. Without `-n` (non-interactive mode), `sudo` blocks on a `Password:` prompt, stalling non-interactive installs: - `curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash` - `nemoclaw onboard --non-interactive` - `NEMOCLAW_NON_INTERACTIVE=1` - CI pipelines ## Fix Use `sudo -n` so it fails immediately when passwordless sudo is unavailable, falling through to the TCP bind probe instead of hanging. This is the only `sudo` call in the codebase that should degrade gracefully — the other `sudo` calls (swap creation) intentionally require elevated privileges to succeed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The port-availability preflight check in
checkPortAvailableretries withsudo lsofto detect root-owned listeners when unprivilegedlsofreturns empty output. Without-n(non-interactive mode),sudoblocks on aPassword:prompt, stalling non-interactive installs:curl -fsSL https://www.nvidia.com/nemoclaw.sh | bashnemoclaw onboard --non-interactiveNEMOCLAW_NON_INTERACTIVE=1Fix
Use
sudo -nso it fails immediately when passwordless sudo is unavailable, falling through to the TCP bind probe instead of hanging.This is the only
sudocall in the codebase that should degrade gracefully — the othersudocalls (swap creation) intentionally require elevated privileges to succeed.Summary by CodeRabbit