Configuring the sudo command

You can configure the sudo command in the VM Recovery Manager HA solution.

Prerequisites

The AIX operating system does not have sudo features by default. You must download the sudo RPM package from the web and install it on the KSYS node.

Configuring sudo

Only a root user can configure sudo features in the AIX operating system. The username of the user must be added to the sudoers file for the user to run the sudo command.

Editing the sudoers file

To configure the sudo command, you can edit the sudoers file by using the visudo command. To enable the user to run the commands, in the sudoers file, under the user privilege specification, specify the username and commands. The user can run only the commands specified in the user privilege section for the user.

An example sudoers file follows:
##
## Host alias specification
##
##
## User alias specification
##
##
## Cmnd alias specification
##
#Cmnd_Alias SU = /usr/bin/su
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output
##
## Runas alias specification
##
##
## User privilege specification
##
root ALL=(ALL) ALL
<username> ALL=(ALL) /opt/IBM/ksys/ksysmgr q vm, /opt/IBM/ksys/ksysmgr q host
## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)  ALL

Verifying the execute permissions for a user

To verify the execute permission that you provided for the user in the sudoers file, complete the following steps.

  1. Log in to the user account for which you have provided the execute permission.
  2. Run the following command:
    # sudo /opt/IBM/ksys/ksysmgr q host
    The command runs successfully and an output similar to the following example is displayed.
    ERROR: KSYS subsystem is currently offline, please sync ksyscluster to start KSYS "ksysmgr sync ksyscluster <name>"
  3. Run the following command:
    # sudo /opt/IBM/ksys/ksysmgr q vm
    The command runs successfully and an output similar to the following example is displayed.
    ERROR: KSYS subsystem is currently offline, please sync ksyscluster to start KSYS "ksysmgr sync ksyscluster <name>"
  4. Run the following command:
    # sudo /opt/IBM/ksys/ksysmgr q vios
    The command does not run successfully and an output similar to the following example is displayed.
    Sorry, <username> is not allowed to execute '/opt/IBM/ksys/ksysmgr q vios' as root on <hostname>.

The ksysmgr q vm and ksysmgr q host commands ran successfully because the example sudoers file (see the previous topic) grants the user the execute permission for these two commands. The example sudoers file does not grant the execute permission for the ksysmgr q vios command, so that command did not run, and a message stating that the user is not allowed to execute the command was displayed.

Granting the execute permission for all commands

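You can provide the execute permission to run all commands for a user on the KSYS node. Edit the <username> ALL entry in the sudoers file as shown. Because the command path ends with a slash, sudo treats it as a directory: the user can run any file in /opt/IBM/ksys/ as root, but not files in its subdirectories.
root ALL=(ALL) ALL
<username> ALL=(ALL) /opt/IBM/ksys/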
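
The following Python sketch is an added example, not IBM or sudo project code. It models how sudo matches a command line against the two forms of <username> entry shown on this page, so you can compare the scope of the restricted entry with that of the directory entry. It assumes exact path and argument comparison only (no aliases, wildcards, negation or tags), and the subdirectory path in the sample is constructed.

```python
# Simplified model of sudoers command matching (assumption: no aliases,
# wildcards, negation or tags; only the rule forms used on this page).

def parse_user_spec(line):
    """Split '<user> HOST=(RUNAS) cmd, cmd' into (user, [command entries])."""
    user, rest = line.split(None, 1)
    cmds = rest.split("=", 1)[1].strip()
    if cmds.startswith("("):                 # drop the optional (RUNAS) list
        cmds = cmds.split(")", 1)[1]
    return user, [c.strip() for c in cmds.split(",") if c.strip()]


def entry_allows(entry, argv):
    """True if one sudoers command entry permits the command line argv."""
    path, *want = entry.split()
    if path == "ALL":
        return True
    if path.endswith("/"):
        # Directory entry: any file directly in it, with any arguments,
        # but nothing in its subdirectories.
        name = argv[0][len(path):]
        return argv[0].startswith(path) and name != "" and "/" not in name
    if argv[0] != path:
        return False
    if not want:                             # no arguments listed: any allowed
        return True
    if want == ['""']:                       # "" means: no arguments at all
        return len(argv) == 1
    return argv[1:] == want                  # otherwise arguments must match


def allowed(spec_line, command):
    """Decide whether spec_line lets its user run the command string."""
    _, entries = parse_user_spec(spec_line)
    argv = command.split()
    return bool(argv) and any(entry_allows(e, argv) for e in entries)


KSYSMGR = "/opt/IBM/ksys/ksysmgr"
RESTRICTED = f"<username> ALL=(ALL) {KSYSMGR} q vm, {KSYSMGR} q host"
DIRECTORY = "<username> ALL=(ALL) /opt/IBM/ksys/"

if __name__ == "__main__":
    # The last command is a constructed path, used only to show the
    # subdirectory rule.
    for cmd in (f"{KSYSMGR} q host", f"{KSYSMGR} q vios",
                "/opt/IBM/ksys/sub/tool"):
        print(f"{cmd!r}: restricted={allowed(RESTRICTED, cmd)} "
              f"directory={allowed(DIRECTORY, cmd)}")
```

On the KSYS node itself, sudo -l run as the user lists the entries that sudo actually applies.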

Troubleshooting the sudo command configuration error

If the configuration of the sudo command is not successful, the sudo -v command displays the following error:
sudo: error in /etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
sudo: unable to load /opt/freeware/libexec/sudo/sudoers.so:     0509-022 Cannot load module /opt/freeware/libexec/sudo/sudoers.so.
        0509-150   Dependent module /usr/lib/libcrypto.a(libcrypto.so.1.0.2) could not be loaded.
        0509-152   Member libcrypto.so.1.0.2 is not found in archive
        0509-022 Cannot load module /opt/freeware/libexec/sudo/sudoers.so.
        0509-150   Dependent module /opt/freeware/libexec/sudo/sudoers.so could not be loaded.
sudo: fatal error, unable to load plugins
To resolve this error, add /opt/freeware/lib to the library path by running the following export command:
export LIBPATH=/opt/freeware/lib:$LIBPATH