Restricted Sudo Privileges

The term sudo stands for super user do. This technology allows one user to execute a command as another user. If HPE Ezmeral Runtime Enterprise is installed as a non-root/superuser user, that user must have sudo permissions to execute some commands as the superuser. A number of different tools are available for implementing sudo functionality. The most common such tool on the Linux operating system is called sudo. The sudo packages must be installed on each host in the HPE Ezmeral Runtime Enterprise deployment.

Security policies at your organization may require you to control access to the sudo commands run by HPE Ezmeral Runtime Enterprise. You can implement this access control by creating an allowed list of sudo commands that HPE Ezmeral Runtime Enterprise runs.

The lists of sudo commands provided in this topic are formatted for ease of copying and pasting.

Set the NOPASSWD tag to ensure all bin files execute successfully.

Installing and Upgrading HPE Ezmeral Runtime Enterprise 5.7.x

The following sudo privileges are required for installing and upgrading HPE Ezmeral Runtime Enterprise 5.7.x:

/bin/base64, /bin/bdconfig, /bin/cat, /bin/chcon, /bin/chgrp, /bin/chmod, /bin/chown, /bin/container-storage-setup, /bin/cp, /bin/dd, /bin/echo, /bin/find, /bin/getent, /bin/grep, /bin/hostnamectl, /bin/id, /bin/killall, /bin/ln, /bin/ls, /bin/mkdir, /bin/mount, /bin/ovs-ofctl, /bin/ovs-vsctl, /bin/mv, /bin/pkill, /bin/python3, /bin/rm, /bin/rpm, /bin/sed, /bin/sg, /bin/systemctl, /bin/tar, /bin/tee, /bin/test, /bin/touch, /bin/umount, /bin/which, /bin/xargs, /bin/yum, /opt/bluedata/common-install/scripts/generate_django_secret.py, /opt/bluedata/common-install/scripts/monitoring/services_config/tls/generate-certs.sh, /sbin/alternatives, /sbin/blkid, /sbin/blockdev, /sbin/chpasswd, /sbin/corosync-cmapctl, /sbin/dmidecode, /sbin/dmsetup, /sbin/groupadd, /sbin/groupdel, /sbin/ip, /sbin/iptables, /sbin/lvcreate, /sbin/lvs, /sbin/mkfs, /sbin/parted, /sbin/pcs, /sbin/pvcreate, /sbin/pvremove, /sbin/restorecon, /sbin/semodule, /sbin/semanage, /sbin/service, /sbin/setsebool, /sbin/ss, /sbin/subscription-manager, /sbin/sysctl, /sbin/useradd, /sbin/userdel, /sbin/usermod, /sbin/vgcreate, /sbin/vgdisplay, /sbin/vgremove, /usr/bin/firewall-cmd, /usr/sbin/dmidecode, /usr/sbin/pcs, /usr/sbin/haproxy, /sbin/vgscan, /sbin/lvscan, /sbin/pvscan, /bin/egrep, /bin/nerdctl, /usr/bin/ezconfig, /bin/ctr, /usr/bin/bdconfig, /usr/bin/containerd, /usr/sbin/modprobe, /usr/bin/rmdir

Running HPE Ezmeral Runtime Enterprise 5.7.x

The following sudo privileges are required for running HPE Ezmeral Runtime Enterprise 5.7.x:

/bin/systemctl, /bin/sed, /bin/cat, /bin/rm, /bin/mkdir, /bin/chgrp, /bin/chmod, /bin/chown, /bin/cp, /sbin/ip, /bin/ovs-ofctl, /bin/killall, /usr/sbin/dnsmasq, /usr/sbin/haproxy, /bin/echo, /bin/stat, /bin/umount, /bin/mount, /usr/sbin/crm_mon, /usr/sbin/pcs, /bin/ovs-vsctl, /sbin/vgdisplay, /sbin/dmidecode, /sbin/iptables, /bin/nerdctl, /bin/find, /bin/ls, /bin/xargs, /bin/tar, /bin/test, /sbin/modprobe, /bin/mv, /sbin/restorecon, /sbin/sysctl, /bin/yum, /bin/tee, /bin/chcon, /sbin/semanage, /bin/ezctl, /usr/bin/ezctl, /bin/pkill, /bin/timeout, /bin/ctr, /usr/bin/ezconfig, /bin/containerd, /sbin/lvs, /sbin/lvremove, /sbin/vgreduce, /sbin/pvremove, /sbin/parted, /sbin/blockdev, /sbin/vgremove, /sbin/vgscan, /sbin/lvscan, /sbin/pvscan, /usr/bin/kubectl, /usr/bin/curl, /bin/kubeadm

SETENV Sudo Tag

You also need to set the SETENV sudo tag for the following commands:

/bin/cat
/usr/sbin/haproxy

HPE Ezmeral Runtime Enterprise 5.7 Documentation
Abstract	HPE Ezmeral Container Platform is a unified container platform built on open source Kubernetes and designed for both cloud-native applications and non-cloud-native applications running on any infrastructure either on-premises, in multiple public clouds, in a hybrid model, or at the edge.
Published	October 2025
Edition	5.7.0
Topic last updated	2025-04-21