Installing agents requires that the user account used on the end point VM meets the prerequisites below.

Windows End Point VM User Account Requirements

  • To install agents, the user must be either:
    • an administrator, or
    • a non-administrator account that is a member of the local Administrators group.

Linux End Point VM User Account Requirements

For Linux end point VMs, the Telegraf agent uses two user accounts: the install user and the run-time user. The credentials that you provide during agent installation are those of the install user. The run-time user, arcuser, needs the set of privileges that the agent's components require to run.
  • The /tmp mount point must be mounted with the exec mount option (not noexec). You can check the current options with the command findmnt -no OPTIONS --target /tmp before you install.
  • The install user needs the following minimal set of password-less sudo privileges. For example, for a user called telegrafinstall, add these lines to /etc/sudoers or to a file in the /etc/sudoers.d/ folder (edit with visudo so that the syntax is checked before the file takes effect):
    Defaults:telegrafinstall !requiretty
    
    Cmnd_Alias ARC_INSTALL_USER_COMMANDS=/usr/bin/cp*,/bin/cp*,/usr/bin/mkdir*,/bin/mkdir*,/usr/bin/chmod*,/bin/chmod*,/opt/vmware/ucp/bootstrap/uaf-bootstrap.sh,/opt/vmware/ucp/ucp-minion/bin/ucp-minion.sh
    
    telegrafinstall ALL=(ALL) NOPASSWD: ARC_INSTALL_USER_COMMANDS
    Note that cp and chmod are granted with unrestricted arguments, so the install user can overwrite or re-permission any file as root for the duration of the install. Protect its credentials as you would a root password.

Run-Time User Prerequisites

A run-time user can be created in Linux end point VMs in two ways: automatically or manually. The run-time user has a standard name and group, arcuser and arcgroup respectively. If the "Create run time user on linux virtual machines, with required permissions as part of agent installation" check box is selected (it is selected by default), arcuser and arcgroup are created automatically. To create them manually instead, follow these steps:

  1. Create the arcgroup and arcuser, with arcgroup as the primary group of the arcuser (not merely a supplementary group).

    The following commands create the arcgroup and arcuser:

    groupadd arcgroup

    useradd arcuser -g arcgroup -M -s /bin/false

  2. The arcuser must have no home directory and no login shell. The -M option records a home directory in /etc/passwd without creating it on disk, and -s /bin/false prevents interactive login.

    For example, after the commands above the /etc/passwd entry for the arcuser looks like this (the UID and GID values depend on the system):

    arcuser:x:1001:1001::/home/arcuser:/bin/false

  3. The arcuser must have the following specific set of password-less sudo privileges, written in /etc/sudoers or in a file in the /etc/sudoers.d/ folder (edit with visudo):
    Defaults:arcuser !requiretty
    Cmnd_Alias VAPCOMMANDS=/usr/bin/systemctl * ucp-telegraf.service, !/usr/bin/systemctl * * ucp-telegraf.service, /bin/systemctl * ucp-telegraf.service, !/bin/systemctl * * ucp-telegraf.service, /usr/bin/systemctl * ucp-minion.service, !/usr/bin/systemctl * * ucp-minion.service, /bin/systemctl * ucp-minion.service, !/bin/systemctl * * ucp-minion.service, /usr/bin/systemctl * salt-minion.service, !/usr/bin/systemctl * * salt-minion.service, /bin/systemctl * salt-minion.service, !/bin/systemctl * * salt-minion.service, /usr/bin/systemctl * ucp-salt-minion.service, !/usr/bin/systemctl * * ucp-salt-minion.service, /bin/systemctl * ucp-salt-minion.service, !/bin/systemctl * * ucp-salt-minion.service, /usr/bin/netstat, /bin/netstat, /opt/vmware/ucp/tmp/telegraf_post_install_linux.sh, /opt/vmware/ucp/bootstrap/uaf-bootstrap.sh, /opt/vmware/ucp/content/runscript.sh, /opt/vmware/ucp/ucp-minion/bin/ucp-minion.sh, /usr/bin/systemd-run, /bin/systemd-run
    arcuser ALL=(ALL) NOPASSWD: VAPCOMMANDS
    The paired systemctl entries allow a single action argument (for example start, stop, restart or status) on each listed unit, while the entries prefixed with ! deny invocations that pass additional arguments. Because systemd-run is listed without any argument restriction, this grant is effectively root-equivalent: keep the login shell of arcuser disabled and do not reuse the account for any other purpose.
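The following script is an added example and is not part of the original page or of the agent installer. It carries out the Linux prerequisites described above in one place: it checks that /tmp permits exec, creates arcgroup and arcuser as a no-home, no-login run-time user with arcgroup as the primary group, and installs the two sudoers fragments from this page as drop-in files after visudo has accepted their syntax. The drop-in file names under /etc/sudoers.d/, the --apply flag, and the use of findmnt for the /tmp check are assumptions of this example; the sudoers contents are exactly the ones given above. Run it as root on the end point VM; without --apply it only defines the functions.

```shell
#!/bin/sh
# Added example (not from the original page or the agent installer).
# Sets up the Linux end point prerequisites: /tmp exec check, arcuser/arcgroup
# creation, and the sudoers drop-ins for the install user and the run-time user.
# Assumptions: drop-in file names below, --apply flag, findmnt/visudo available.
set -eu

ARC_USER=arcuser
ARC_GROUP=arcgroup
RUNTIME_DROPIN=/etc/sudoers.d/arcuser            # assumed file name
INSTALL_DROPIN=/etc/sudoers.d/telegrafinstall    # assumed file name

# Succeed when a comma-separated mount option string (the 4th field of
# /proc/mounts, or the output of findmnt -no OPTIONS) does not contain "noexec".
tmp_options_allow_exec() {
    case ",$1," in
        *,noexec,*) return 1 ;;
        *)          return 0 ;;
    esac
}

# Succeed when an /etc/passwd line describes the run-time user the page requires:
# name arcuser, primary GID equal to $2 (the GID of arcgroup), shell /bin/false.
# The home field may be populated: useradd -M records it without creating it.
passwd_entry_ok() {
    pw_name=$(printf '%s' "$1" | cut -d: -f1)
    pw_gid=$(printf '%s' "$1" | cut -d: -f4)
    pw_shell=$(printf '%s' "$1" | cut -d: -f7)
    [ "$pw_name" = "$ARC_USER" ] && [ "$pw_gid" = "$2" ] && [ "$pw_shell" = "/bin/false" ]
}

# Sudoers fragment for the install user (contents as given on the page).
install_user_sudoers() {
    cat <<'EOF'
Defaults:telegrafinstall !requiretty
Cmnd_Alias ARC_INSTALL_USER_COMMANDS=/usr/bin/cp*,/bin/cp*,/usr/bin/mkdir*,/bin/mkdir*,/usr/bin/chmod*,/bin/chmod*,/opt/vmware/ucp/bootstrap/uaf-bootstrap.sh,/opt/vmware/ucp/ucp-minion/bin/ucp-minion.sh
telegrafinstall ALL=(ALL) NOPASSWD: ARC_INSTALL_USER_COMMANDS
EOF
}

# Sudoers fragment for the run-time user (contents as given on the page).
runtime_user_sudoers() {
    cat <<'EOF'
Defaults:arcuser !requiretty
Cmnd_Alias VAPCOMMANDS=/usr/bin/systemctl * ucp-telegraf.service, !/usr/bin/systemctl * * ucp-telegraf.service, /bin/systemctl * ucp-telegraf.service, !/bin/systemctl * * ucp-telegraf.service, /usr/bin/systemctl * ucp-minion.service, !/usr/bin/systemctl * * ucp-minion.service, /bin/systemctl * ucp-minion.service, !/bin/systemctl * * ucp-minion.service, /usr/bin/systemctl * salt-minion.service, !/usr/bin/systemctl * * salt-minion.service, /bin/systemctl * salt-minion.service, !/bin/systemctl * * salt-minion.service, /usr/bin/systemctl * ucp-salt-minion.service, !/usr/bin/systemctl * * ucp-salt-minion.service, /bin/systemctl * ucp-salt-minion.service, !/bin/systemctl * * ucp-salt-minion.service, /usr/bin/netstat, /bin/netstat, /opt/vmware/ucp/tmp/telegraf_post_install_linux.sh, /opt/vmware/ucp/bootstrap/uaf-bootstrap.sh, /opt/vmware/ucp/content/runscript.sh, /opt/vmware/ucp/ucp-minion/bin/ucp-minion.sh, /usr/bin/systemd-run, /bin/systemd-run
arcuser ALL=(ALL) NOPASSWD: VAPCOMMANDS
EOF
}

# Write a fragment to a drop-in only after visudo accepts its syntax; a malformed
# drop-in disables sudo for every user until it is repaired.
install_dropin() {            # $1 = generator function, $2 = destination path
    tmp_file=$(mktemp)
    "$1" > "$tmp_file"
    visudo -cf "$tmp_file"
    install -o root -g root -m 0440 "$tmp_file" "$2"
    rm -f "$tmp_file"
}

# Create arcgroup and arcuser idempotently, then verify the resulting passwd entry.
create_runtime_user() {
    getent group "$ARC_GROUP" >/dev/null || groupadd "$ARC_GROUP"
    getent passwd "$ARC_USER" >/dev/null || useradd -g "$ARC_GROUP" -M -s /bin/false "$ARC_USER"
    passwd_entry_ok "$(getent passwd "$ARC_USER")" "$(getent group "$ARC_GROUP" | cut -d: -f3)"
}

apply() {
    tmp_options_allow_exec "$(findmnt -no OPTIONS --target /tmp)" \
        || { echo "/tmp is mounted noexec; remount with exec before installing" >&2; exit 1; }
    create_runtime_user
    install_dropin runtime_user_sudoers "$RUNTIME_DROPIN"
    install_dropin install_user_sudoers "$INSTALL_DROPIN"
    sudo -l -U "$ARC_USER"    # show the effective grant for review
}

if [ "${1:-}" = "--apply" ]; then
    apply
fi
```

Invoke it as root with ./arc-prereqs.sh --apply; the final sudo -l output is worth reading once, because it shows the grant as sudo actually parses it rather than as it appears in the file.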