Administrating AMD without root privileges

tarjei
Organizer

Is it possible to administrate an AMD without root / sudo?

If so, how? If not, why?

4 REPLIES 4

raffaele_talari
Inactive

Hi Tarjei,

As you can read from the docs:

For correct operation, the AMD requires the use of the root account for running all of the traffic monitoring and related processes. This is the default mode of AMD operation after the AMD software is installed. Do not attempt to change these settings in any way or you will prevent the AMD from operating correctly. Do not modify the startup scripts that activate traffic monitoring services and do not attempt to manually stop and start traffic monitoring services as a user other than root.
Also, ensure that you are logged in as root before attempting to edit any of the configuration files. Most AMD configuration actions are performed with dedicated software tools and utilities, but there may be situations when a configuration file must be edited directly.

But I would like to hear, as you, more detailed reasons from the Dev.

Raffaele

wojciech_kurek
Inactive

It's impossible to manage an AMD without root or sudo, as many administrative tasks require access to resources to which only the root user should have access due to security reasons (like NIC configuration).

However, it's possible to selectively grant sudo access to particular commands (like rcon, ndstop, ndstart, etc.) to allow a non-root user to perform specific tasks. Some tasks, like manual editing of configuration files, will still require root access, or at least more complex sudo permissions.

Some customers successfully use the above approach to avoid allowing root logins; however, it's not an officially supported path.

Here's the list of typically used commands that require root privileges:

/usr/adlex/bin/ndstart *
/usr/adlex/bin/ndstat *
/usr/adlex/bin/ndstop *
/usr/adlex/rtm/bin/kpadmin *
/usr/adlex/rtm/bin/rcon *
/usr/adlex/rtm/bin/rcmd *
/usr/adlex/rtm/bin/rtminst *
/usr/sbin/tcpdump *
/usr/adlex/rtm/bin/rtmcapd *
/usr/bin/mkfifo /var/spool/adlex/rtmtcpdump

Also, some means to edit configuration files and access logs and sample files is needed. Typical config files that may need manual editing in rare circumstances are:

/usr/adlex/config/rtm.config
/usr/adlex/config/cba.config.xml
/usr/adlex/config/nfc.config
/usr/adlex/config/nfc.xml

Some means to retrieve log files from /var/log and /var/log/adlex and sample files from /var/spool/adlex/rtm is needed for diagnostic purposes. It can be also achieved using the AMD Export Config feature in RUM Console though.

The last, however important task is installation of AMD upgrades - which requires full root access, as only the superuser can install RPM packages.

Wojtek.

chris_v
Dynatrace Pro

I've had similar questions from customers in the past. As such, I've developed a SUDOERS config that allows non-root users sufficient privileges to administer an AMD. As mentioned above, root is still required for install/upgrades.

I haven't yet tested if this still works for AMDs 12.4 or RHEL7. But it works fine for 12.0-12.3 and RHEL6.

The red section adds the required administrative commands for the 'noroot' user.

The yellow section is what the installer adds for the operation of the AMD; these are required.

We have this in place for a customer, as described by Chris and Wojciech, and with info from DT. It was enforced for an AMD by admin party, is it not @Peter Gerhards?
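
A sudoers drop-in along the lines that wojciech_kurek and chris_v describe, as an added example: it is not chris_v's actual file and not a vendor-supplied configuration. The command and config paths are copied from the list in the thread and 'noroot' is the account name chris_v mentions; the file name and the alias names are assumptions made here.

```sudoers
# /etc/sudoers.d/amd-admin   (hypothetical file name; mode 0440, owner root)
# Added example. Paths come from the list in the thread; alias names are made up.

# Start, stop and status of the AMD traffic monitoring services.
Cmnd_Alias AMD_SERVICE = /usr/adlex/bin/ndstart *, \
                         /usr/adlex/bin/ndstop *, \
                         /usr/adlex/bin/ndstat *

# AMD console and administration tools.
Cmnd_Alias AMD_TOOLS   = /usr/adlex/rtm/bin/rcon *, \
                         /usr/adlex/rtm/bin/rcmd *, \
                         /usr/adlex/rtm/bin/kpadmin *, \
                         /usr/adlex/rtm/bin/rtminst *

# Packet capture. The mkfifo entry has fixed arguments, so only that one
# FIFO can be created. The "*" entries accept ANY arguments: whatever the
# tool can read or write as root, the delegated user can too. Treat this
# alias as near-root and grant it only to accounts you would trust with root.
Cmnd_Alias AMD_CAPTURE = /usr/sbin/tcpdump *, \
                         /usr/adlex/rtm/bin/rtmcapd *, \
                         /usr/bin/mkfifo /var/spool/adlex/rtmtcpdump

# Config files are edited through sudoedit: the editor runs as the calling
# user on a temporary copy, so no editor or shell is ever started as root.
Cmnd_Alias AMD_EDIT    = sudoedit /usr/adlex/config/rtm.config, \
                         sudoedit /usr/adlex/config/cba.config.xml, \
                         sudoedit /usr/adlex/config/nfc.config, \
                         sudoedit /usr/adlex/config/nfc.xml

# No ALL, no shells, no rpm: installs and upgrades stay with root,
# as both replies in the thread state.
noroot ALL = (root) AMD_SERVICE, AMD_TOOLS, AMD_CAPTURE, AMD_EDIT
```

Check the file with `visudo -cf` before placing it in /etc/sudoers.d, since a syntax error there can disable sudo for every user. Reading logs under /var/log/adlex is not covered; group read permission on that directory is one option that avoids adding more sudo rules.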