Configure sudo user

In environments that require strict security controls, the system administrator can create a sudo user for PowerVC. A sudo user has roles and privileges similar to the root user, but with a scope that is limited to PowerVC operations.

Creating a sudo user

The system administrator creates the user on all PowerVC controller nodes and then adds the user to the wheel group, which makes the user a sudo user.

Add a passwordless sudo permission so that PowerVC OpsMgr can run commands as the users root and pvc_internal and as the group pvcservices, limited to the commands listed below.
  • /bin/sh -c echo BECOME-SUCCESS-[a-z]* ;*/usr/libexec/platform-python*
  • /bin/sh -c echo BECOME-SUCCESS-[a-z]* ;*/usr/bin/python*
  • /usr/bin/rsync *
Add the following entry to /etc/sudoers (or an equivalent sudoers file) to restrict the sudo user to these commands:
<sudo_user_username>	ALL=(root, %pvcservices, pvc_internal)	NOPASSWD: /bin/sh -c echo BECOME-SUCCESS-[a-z]* ;*/usr/libexec/platform-python*, /bin/sh -c echo BECOME-SUCCESS-[a-z]* ;*/usr/bin/python*, /usr/bin/rsync *, /usr/sbin/crm_resource -Q*, /opt/ibm/powervc/ttv-validation/powervc-validator*, /usr/bin/test, /usr/bin/powervc-services, /usr/bin/chage, /usr/bin/cat, /usr/bin/grep, /usr/bin/python*, /usr/bin/stat, /usr/bin/ls, /bin/mkdir, /bin/tar, /tmp/powervc_img_temp_*/*/install, /opt/ibm/powervc/bin/powervc-manage, /bin/chmod, /usr/bin/clustercheck, /usr/sbin/rabbitmqctl cluster_status *
Considerations
  • A sudo user must have the same password on all nodes.
  • Provide the login details of the sudo user during inventory creation.
  • Privilege escalation for the sudo user must prompt for that same user's password.
    Note: Some Linux systems prompt for the password of the target user (root) on privilege escalation because of a Defaults targetpw entry in the /etc/sudoers file. Removing or commenting out that entry resolves the issue.
  • To run the powervc-config command as a non-root or sudo user, update the username and password in /opt/ibm/powervc/powervcrc, source that file so that its variables are exported, and then run the sudo -E powervc-config compute command.
  • If installation is performed as a sudo user, login works only with that sudo user.
    Example:
    sudo powervc-services status or sudo powervc-validate --start
    Output:
    [user1@vm-1376 ~]$ sudo powervc-cloud-config policy-list
    [sudo] password for user1:
    Enter password for root:
    No cloud policy set by admin for project: ibm-default
    DEFAULT POLICY SET:
     project_id: 51eb7853a18a457b9cdd8636686adb75,
     project_name: ibm-default,
     policy_type: default_expiration_days,
     value: 30
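The sudoers entry above is a single long line, and the Considerations list describes the targetpw setting that causes the "Enter password for root:" prompt shown in the output. As an added example that is not part of the PowerVC documentation, the following POSIX shell script writes the same restricted command list as a sudoers drop-in for a given user (using a Cmnd_Alias so the rule stays readable), validates the file with visudo -c when that tool is available, and checks a sudoers file for an active Defaults targetpw line. The alias name POWERVC_OPSMGR, the function names, and the drop-in path are assumptions; the command list itself is copied from the entry above.

```shell
#!/bin/sh
# Added example, not from the PowerVC documentation.
# Assumptions: the caller supplies the sudo user name and the output path; the
# alias name POWERVC_OPSMGR and the function names are invented for this example.
set -e

# Write a sudoers drop-in for USER (arg 1) to FILE (arg 2), normally
# /etc/sudoers.d/powervc-<user>. The command list is the documented one.
write_powervc_sudoers() {
    user="$1"
    file="$2"
    # Create the file with a restrictive umask so it is never world-readable,
    # then set the 0440 mode that sudo expects for drop-in files.
    (
        umask 077
        cat > "$file" <<EOF
# PowerVC OpsMgr sudo user: passwordless access restricted to the listed commands
Cmnd_Alias POWERVC_OPSMGR = \\
    /bin/sh -c echo BECOME-SUCCESS-[a-z]* ;*/usr/libexec/platform-python*, \\
    /bin/sh -c echo BECOME-SUCCESS-[a-z]* ;*/usr/bin/python*, \\
    /usr/bin/rsync *, /usr/sbin/crm_resource -Q*, \\
    /opt/ibm/powervc/ttv-validation/powervc-validator*, \\
    /usr/bin/test, /usr/bin/powervc-services, /usr/bin/chage, \\
    /usr/bin/cat, /usr/bin/grep, /usr/bin/python*, /usr/bin/stat, \\
    /usr/bin/ls, /bin/mkdir, /bin/tar, \\
    /tmp/powervc_img_temp_*/*/install, /opt/ibm/powervc/bin/powervc-manage, \\
    /bin/chmod, /usr/bin/clustercheck, /usr/sbin/rabbitmqctl cluster_status *
$user ALL=(root, %pvcservices, pvc_internal) NOPASSWD: POWERVC_OPSMGR
EOF
    )
    chmod 0440 "$file"
}

# Syntax-check a sudoers file with visudo when it is installed; a broken
# drop-in would otherwise lock every user out of sudo on that node.
validate_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not found; skipping syntax check of $1" >&2
    fi
}

# Return 0 (true) if FILE (arg 1) contains an uncommented "Defaults ... targetpw"
# setting, which makes sudo ask for root's password instead of the caller's.
# A negated "Defaults !targetpw" and commented lines do not count as active.
targetpw_active() {
    grep -Eq '^[[:space:]]*Defaults[^#]*[[:space:],]targetpw([[:space:],#]|$)' "$1"
}

# Usage: sh powervc-sudoers.sh <username> [output file]
if [ "$#" -ge 1 ]; then
    out="${2:-/etc/sudoers.d/powervc-$1}"
    write_powervc_sudoers "$1" "$out"
    validate_sudoers "$out"
    if targetpw_active /etc/sudoers; then
        echo "warning: Defaults targetpw is active in /etc/sudoers; sudo will ask for root's password" >&2
    fi
fi
```

On a real controller node the drop-in must be owned by root, so run the script as root or copy the generated file into place with install -o root -g root -m 0440. Keep the command list exactly as documented: several of the entries already carry wildcards, so widening them grants far more than the PowerVC operations require.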