There are certain user account prerequisites required for the install of agents.
Windows End Point VM User Account Requirements
- To install agents,
- The user must be either an administrator, or
- A non-administrator who belongs to the administrator group.
Linux End Point VM User Account Requirements
- /tmp mount point should be mounted with exec mount option.
- The following are minimal necessary permissions of the user to install agents and should be mentioned in sudoers file:
For example, for a user called telegrafinstall, you can find the sudoers file in the /etc/sudoers file or in the folder /etc/sudoers.d/:
Defaults:telegrafinstall !requiretty Cmnd_Alias ARC_INSTALL_USER_COMMANDS=/usr/bin/cp*,/bin/cp*,/usr/bin/mkdir*,/bin/mkdir*,/usr/bin/chmod*,/bin/chmod*,/opt/vmware/ucp/bootstrap/uaf-bootstrap.sh,/opt/vmware/ucp/ucp-minion/bin/ucp-minion.sh telegrafinstall ALL=(ALL)NOPASSWD: ARC_INSTALL_USER_COMMANDS
Run-Time User Prerequisites
There are two ways in which a run-time user is created in Linux end point VMs: automatically and manually. A run-time user has a standard name and group, which is the arcuser and arcgroup respectively. If the Create run time user on linux virtual machines, with required permissions as part of agent installation check box is selected, the arcuser and arcgroup are created automatically. The check box is selected by default. If you choose to manually create the arcuser and arcgroup, here are the steps to do it manually:
- The arcgroup must be the primary group of the arcuser.
The following commands can be used to create the arcgroup and arcuser:
groupadd arcgroup
useradd arcuser -g arcgroup -M -s /bin/false
- The arcuser must be created with no home directory and no access to the login shell.
For example, the /etc/passwd entry for the arcuser is as follows after adding arcuser and arcgroup.
arcuser:x:1001:1001::/home/arcuser:/bin/false
- The arcuser must have password-less specific set of privileges as mentioned below, which must be written in /etc/sudoers file or in the folder /etc/sudoers.d/:
Defaults:arcuser !requiretty Cmnd_Alias VAPCOMMANDS=/usr/bin/systemctl * ucp-telegraf.service, !/usr/bin/systemctl * * ucp-telegraf.service, /bin/systemctl * ucp-telegraf.service, !/bin/systemctl * * ucp-telegraf.service, /usr/bin/systemctl * ucp-minion.service, !/usr/bin/systemctl * * ucp-minion.service, /bin/systemctl * ucp-minion.service, !/bin/systemctl * * ucp-minion.service, /usr/bin/systemctl * salt-minion.service, !/usr/bin/systemctl * * salt-minion.service, /bin/systemctl * salt-minion.service, !/bin/systemctl * * salt-minion.service, /usr/bin/systemctl * ucp-salt-minion.service, !/usr/bin/systemctl * * ucp-salt-minion.service, /bin/systemctl * ucp-salt-minion.service, !/bin/systemctl * * ucp-salt-minion.service, /usr/bin/netstat, /bin/netstat, /opt/vmware/ucp/tmp/telegraf_post_install_linux.sh, /opt/vmware/ucp/bootstrap/uaf-bootstrap.sh, /opt/vmware/ucp/content/runscript.sh, /opt/vmware/ucp/ucp-minion/bin/ucp-minion.sh, /usr/bin/systemd-run, /bin/systemd-run arcuser ALL=(ALL) NOPASSWD: VAPCOMMANDS