Restricted Sudo Privileges
The term sudo stands for super user do. This technology allows one user to
execute a command as another user. If HPE Ezmeral Runtime Enterprise is installed as a non-root/superuser user, that user
must have sudo permissions to execute some commands as the superuser. A
number of different tools are available for implementing sudo
functionality. The most common such tool on the Linux operating system is called
sudo. The sudo packages must be installed on each
host in the HPE Ezmeral Runtime Enterprise deployment.
Security policies at your organization may require you to control access to the
sudo commands run by HPE Ezmeral Runtime Enterprise. You can implement this access control by
creating an allowed list of sudo commands that HPE Ezmeral Runtime Enterprise runs.
The lists of sudo commands provided in this topic are formatted for ease
of copying and pasting.
Set the NOPASSWD tag to ensure all bin files execute successfully.
Installing and Upgrading HPE Ezmeral Runtime Enterprise 5.6.x
The following sudo privileges are required for installing and
upgrading HPE Ezmeral Runtime Enterprise
5.6.x:
/bin/base64 /bin/bdconfig /bin/cat /bin/chcon /bin/chgrp /bin/chmod
/bin/chown /bin/container-storage-setup /bin/cp /bin/dd /bin/echo /bin/find
/bin/getent /bin/grep /bin/hostnamectl /bin/id /bin/killall /bin/ln /bin/ls
/bin/mkdir /bin/mount /bin/ovs-ofctl /bin/ovs-vsctl /bin/mv /bin/pkill
/bin/python3 /bin/rm /bin/rpm /bin/sed /bin/sg /bin/systemctl /bin/tar /bin/tee
/bin/test /bin/touch /bin/umount /bin/which /bin/xargs /bin/yum
/opt/bluedata/common-install/scripts/generate_django_secret.py
/opt/bluedata/common-install/scripts/monitoring/services_config/tls/generate-certs.sh
/sbin/alternatives /sbin/blkid /sbin/blockdev /sbin/chpasswd
/sbin/corosync-cmapctl /sbin/dmidecode /sbin/dmsetup /sbin/groupadd
/sbin/groupdel /sbin/ip /sbin/iptables /sbin/lvcreate /sbin/lvs /sbin/mkfs
/sbin/parted /sbin/pcs /sbin/pvcreate /sbin/pvremove /sbin/restorecon
/sbin/semodule /sbin/semanage /sbin/service /sbin/setsebool /sbin/ss
/sbin/subscription-manager /sbin/sysctl /sbin/useradd /sbin/userdel
/sbin/usermod /sbin/vgcreate /sbin/vgdisplay /sbin/vgremove
/usr/bin/firewall-cmd /usr/sbin/dmidecode /usr/sbin/pcs /usr/sbin/haproxy
/bin/ls /sbin/sysctl /sbin/vgscan
/sbin/lvscan /sbin/pvscan /bin/egrep /bin/nerdctl /usr/bin/ezconfig
/bin/ctr
Running HPE Ezmeral Runtime Enterprise 5.6.x
The following sudo privileges are required for running HPE Ezmeral Runtime Enterprise
5.6.x:
/bin/systemctl , /bin/sed , /bin/cat , /bin/rm , /bin/mkdir , /bin/chgrp ,
/bin/chmod , /bin/chown , /bin/cp , /sbin/ip , /bin/ovs-ofctl , /bin/killall ,
/usr/sbin/dnsmasq , /usr/sbin/haproxy , /bin/echo , /sbin/ip , /bin/stat ,
/bin/umount , /bin/mount , /usr/sbin/crm_mon , /usr/sbin/pcs , /bin/ovs-vsctl ,
/usr/sbin/haproxy , /sbin/vgdisplay , /sbin/dmidecode , /bin/sed , /bin/umount ,
/bin/stat , /bin/mount , /bin/mkdir , /bin/chgrp , /bin/chmod , /usr/sbin/pcs ,
/usr/sbin/crm_mon /sbin/iptables
/bin/nerdctl /bin/find /bin/ls /bin/xargs /bin/tar /bin/test /sbin/modprobe
/bin/mv /sbin/restorecon /sbin/sysctl /bin/yum /bin/tee /bin/chcon
/sbin/semanage /bin/ezctl /usr/bin/ezctl bin/pkill /bin/timeout /bin/ctr
/usr/bin/ezconfig /bin/containerd /sbin/lvs /sbin/lvremove /sbin/vgreduce
/sbin/pvremov /sbin/parted /sbin/blockdev /sbin/vgremove /sbin/vgscan
/sbin/lvscan /sbin/pvscan
SETENV Sudo Tag
You also need to set the SETENV sudo tag for the following
commands:
/bin/cat
/usr/sbin/haproxy