Installing the agents requires the user accounts described below to meet certain prerequisites.

Prerequisites for Windows End Points

  • To install agents, the user must be either
    • an administrator, or
    • a non-administrator who belongs to the Administrators group.

Prerequisites for Linux End Points

  • The /tmp mount point must be mounted with the exec mount option (that is, not noexec).
  • Ensure that the following lines exist in /etc/sudoers:
    1. root ALL=(ALL:ALL) ALL
    2. Defaults:root !requiretty
    3. Defaults:arcuser !requiretty

    Line (1) can be omitted if password-less sudo is already enabled for the root user. Lines (2) and (3) can be omitted if your end point VMs are already configured to turn off requiretty.

For Linux end points, there are two user accounts: the install user and the run-time user.

Install User Prerequisites

You can use one of the following install users for Linux end points.

  • root user - All privileges
  • A non-root user with all privileges -

    Password-less sudo elevation access for a non-root user or a non-root user group.

    To enable password-less sudo elevation access for a user called bob, add bob ALL=(ALL:ALL) NOPASSWD: ALL to /etc/sudoers.

    To enable password-less sudo elevation access for a user group called bobg, add %bobg ALL=(ALL:ALL) NOPASSWD: ALL to /etc/sudoers.

  • A non-root user with a specific set of privileges -

    Password-less sudo elevation access for a non-root user, limited to a specific set of commands. To enable password-less sudo elevation access for the ARC_INSTALL_USER, add the following corresponding entries to the sudoers file:
    Defaults:ARC_INSTALL_USER !requiretty
    Cmnd_Alias ARC_INSTALL_USER_COMMANDS=/usr/bin/cp*,/bin/cp*,/usr/bin/mkdir*,/bin/mkdir*,/usr/bin/chmod*,/bin/chmod*,/opt/vmware/ucp/bootstrap/uaf-bootstrap.sh,/opt/vmware/ucp/ucp-minion/bin/ucp-minion.sh
    ARC_INSTALL_USER ALL=(ALL) NOPASSWD: ARC_INSTALL_USER_COMMANDS

    For example, for a user bob, add the following lines to /etc/sudoers:
    Defaults:bob !requiretty
    Cmnd_Alias ARC_INSTALL_USER_COMMANDS=/usr/bin/cp*,/bin/cp*,/usr/bin/mkdir*,/bin/mkdir*,/usr/bin/chmod*,/bin/chmod*,/opt/vmware/ucp/bootstrap/uaf-bootstrap.sh,/opt/vmware/ucp/ucp-minion/bin/ucp-minion.sh
    bob ALL=(ALL) NOPASSWD: ARC_INSTALL_USER_COMMANDS

Run-Time User Prerequisites

There are two ways in which a run-time user is created on Linux end points: automatically and manually. The run-time user has a standard name and group: arcuser and arcgroup respectively. By default, arcuser and arcgroup are created automatically. If you choose to create arcuser and arcgroup manually, the prerequisites are as follows:

  • Manually created arcuser and arcgroup.

    Create the arcgroup and arcuser and associate the arcgroup as the primary group of the arcuser. Here are the requirements:

    1. The arcgroup must be the primary group of the arcuser.

      For example, the following commands can be used to create the arcgroup and arcuser:

      groupadd arcgroup

      useradd arcuser -g arcgroup -M -s /bin/false

    2. The arcuser must be created with no home directory and no access to the login shell.

      For example, the /etc/passwd entry for the arcuser looks as follows after adding arcuser and arcgroup:

      arcuser:x:1001:1001::/home/arcuser:/bin/false

    3. The arcuser must have either password-less all privileges or a password-less specific set of privileges, as described below:

      To enable password-less sudo elevation access for the run-time arcuser, add the following corresponding entries to the sudoers file.

      All privileges:

      arcuser ALL=(ALL:ALL) NOPASSWD: ALL

      Specific set of privileges:
      Cmnd_Alias ARC_RUN_COMMANDS=/usr/bin/systemctl * ucp-telegraf*, /bin/systemctl * ucp-telegraf*, /usr/bin/systemctl * ucp-minion*, /bin/systemctl * ucp-minion*, /usr/bin/systemctl * salt-minion*, /bin/systemctl * salt-minion*, /usr/bin/netstat, /bin/netstat, /opt/vmware/ucp/tmp/telegraf_post_install_linux.sh, /opt/vmware/ucp/bootstrap/uaf-bootstrap.sh, /opt/vmware/ucp/uaf/runscript.sh, /opt/vmware/ucp/ucp-minion/bin/ucp-minion.sh
      arcuser ALL=(ALL) NOPASSWD: ARC_RUN_COMMANDS
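The following pre-flight script is an added example, not part of the VMware documentation: it checks the Linux prerequisites listed above (exec on /tmp, the arcuser/arcgroup account shape, and the sudoers requiretty and NOPASSWD entries) before an install is attempted. It assumes a POSIX sh with awk, cut and getent; the function names and the sample inputs are constructed for this example.

```shell
#!/bin/sh
# Pre-flight checks for the Linux end point prerequisites above.
# Each check reads its input as text (stdin or arguments) so it can be
# exercised on constructed samples; preflight_host() feeds it live files.

# /tmp must not be mounted noexec. Input: /proc/mounts lines on stdin.
# If /tmp is not its own mount it inherits the options of "/".
tmp_exec_ok() {
    awk '$2 == "/tmp" || $2 == "/" { opts[$2] = $4 }
         END {
             o = ("/tmp" in opts) ? opts["/tmp"] : opts["/"]
             if (o == "") exit 1
             if (("," o ",") ~ /,noexec,/) exit 1
             exit 0
         }'
}

# Run-time user: arcgroup must be the primary group and the login shell
# must be disabled. Arguments: the passwd line and the group line.
runtime_user_ok() {
    user_gid=$(printf '%s\n' "$1" | cut -d: -f4)
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    group_gid=$(printf '%s\n' "$2" | cut -d: -f3)
    [ -n "$user_gid" ] && [ "$user_gid" = "$group_gid" ] || return 1
    case "$shell" in
        /bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Sudoers: requiretty must be off for the user (or globally) and the user
# needs a NOPASSWD rule. Input: sudoers text on stdin; argument: user name.
# Only the text given is inspected; #includedir fragments are not followed.
sudoers_ok() {
    awk -v u="$1" '
        /^[ \t]*#/ { next }
        $1 == "Defaults" && $2 == "!requiretty" { notty = 1 }
        $1 == ("Defaults:" u) && $2 == "!requiretty" { notty = 1 }
        $1 == u && /NOPASSWD:/ { nopass = 1 }
        END { if (notty && nopass) exit 0; exit 1 }'
}

# Run the checks against the live system (reading /etc/sudoers needs root).
preflight_host() {
    tmp_exec_ok < /proc/mounts || echo "FAIL: /tmp is mounted noexec"
    runtime_user_ok "$(getent passwd arcuser)" "$(getent group arcgroup)" \
        || echo "FAIL: arcuser needs arcgroup as primary group and no login shell"
    sudoers_ok arcuser < /etc/sudoers || echo "FAIL: sudoers entries for arcuser missing"
}
```

Call preflight_host as root on the end point; each failing check prints a FAIL line naming the prerequisite that is not met.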