Creating a Restricted User for HyperScale 1.5 Appliance

Create the cvbackupadmin user with limited capabilities or commands needed to administer the nodes and cluster. This user's capabilities will be limited to the set of commands supported by the restricted shell.

Procedure

  1. Login to any one of the nodes in the cluster.

  2. Navigate to the following folder:

    # cd /opt/commvault/MediaAgent/
  3. Run the script to enable restricted shell using one of the following options:

    • Enable the restricted shell from the cluster level, with a single password for the cvbackupadmin user in all the nodes in the cluster:

      # ./cv_setup_restricted_shell.py cluster_level
    • Enable the restricted shell from the node level, with a unique password for the cvbackupadmin user in each node:

      # ./cv_setup_restricted_shell.py node_level
    • View the help for the command:

      # ./cv_setup_restricted_shell.py -h
      usage: cv_setup_restricted_shell.py [-h] {cluster_level,node_level} ...
      cv_setup_restricted_shell.py creates cvbackupadmin user with restricted shell
      access.
      positional arguments:
        {cluster_level,node_level}
          cluster_level       Creates cvbackupadmin user with restricted shell
                              access on all nodes in the cluster.
          node_level          Creates cvbackupadmin user with restricted shell
                              access on current node.
      optional arguments:
        -h, --help            show this help message and exit

    Output similar to the following will be displayed:

    Setting up Passwordless SSH on this HS1.5 setup.
    SSH Host keys will be regenerated during settingup of Passwordless SSH. Do you want proceed(y/n):
  4. Type Y and press <Enter> to continue.

    Output similar to the following will be displayed:

    INFO: regenerating ssh host keys on node [mynode001]
    INFO: regenerating ssh host keys on node [mynode002]
    INFO: regenerating ssh host keys on node [mynode003]
    INFO: Executing command [rm -f /etc/ssh/ssh_host_*_key*]
    INFO: Executing command [rm -f /root/.ssh/known_hosts]
    INFO: Executing command [ssh-keygen -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key]
    Generating public/private ecdsa key pair.
    Your identification has been saved in /etc/ssh/ssh_host_ecdsa_key.
    Your public key has been saved in /etc/ssh/ssh_host_ecdsa_key.pub.
    The key fingerprint is:
    SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxx root@mynode3
    ...
    INFO: Executing command [ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key]
    Generating public/private rsa key pair.
    Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
    Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
    The key fingerprint is:
    SHA256:yyyyyyyyyyyyyyyyyyyyyy+ng root@mynode002
    The key's randomart image is:
    ...
    INFO: Executing command [systemctl restart sshd.service]
    /usr/lib/python2.7/site-packages/requests/__init__.py:91: RequestsDependencyWarning: urllib3 (1.24.3) or chardet (3.0.4) doesn't match a supported version!
      RequestsDependencyWarning)
    Detected a HyperScale cluster containing the following nodes:
    [mynode3,mynode002,mynode1,]-[UID: zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz]
    Do not proceed if all nodes are not listed in the cluster. Proceed (n):
  5. Type Y and press <Enter> to continue.

    The following prompt will be displayed:

    Do all nodes use the same [root] password (y):
  6. Type Y and press <Enter> if all the nodes use the same root password.

    Type N and press <Enter> if the nodes have separate root passwords.

    The following prompt will be displayed (if you typed N at the previous prompt, it is repeated once for each node):

    Please enter password for user [root] (None):
  7. Enter the root password and then press <Enter> to continue.

    Output similar to the following will be displayed:

    INFO           :        Configuring passwordless ssh between [mynode002] and [mynode002] for user [root].
    INFO           :        Successfully configured passwordless ssh from [mynode002] -> [mynode002].
    INFO           :        Configuring passwordless ssh between [mynode002] and [mynode001]] for user [root].
    INFO           :        Configuring passwordless ssh between [mynode002] and [mynode002] for user [root].
    INFO           :        Successfully configured passwordless ssh from [mynode002] -> [mynode002].
    INFO           :        Configuring passwordless ssh between [mynode002] and [mynode003]] for user [root].
    ...
    INFO        : Successfully setup Passwordless SSH on this HS1.5 setup.
    INFO        : Creation of User [cvbackupadmin] and setting of Password is done only once per node.
    Requirements for Password are:
        1: Length of password should be atleast 8 characters.
        2: Password should contain atleast one lowercase alphabet [a-z].
        3: Password should contain atleast one uppercase alphabet [A-Z].
        4: Password should contain atleast one digit [0-9].
        5: Password should contain atleast one non alpha-numeric character from [~!@#?$%].
    Password for [cvbackupadmin]:
    Confirm Password for [cvbackupadmin]:
  8. Type the password, and re-type to confirm the password for the cvbackupadmin user.

    Output similar to the following will be displayed:

    INFO        : List of Nodes on which Restricted shell will be installed and associated with cvbackupadmin user:
    mynode002.company.com
    mynode003.company.com
    mynode001.company.com
    INFO        : Setting up restricted shell on [node: mynode002.company.com]
    INFO        : Setting up restricted shell on [node: mynode003.company.com]
    INFO        : Setting up restricted shell on [node: mynode004.company.com]
    INFO        : Installing restricted shell
    INFO        : Successfully installed restricted shell
    INFO        : Checking if user [cvbackupadmin] already exists
    INFO        : Creating backup admin user [cvbackupadmin]
    INFO        : Successfully created backup admin user [cvbackupadmin]
    INFO        : Setting up restricted environment for user [cvbackupadmin]
    INFO        : Completed setting up of restricted environment for user [cvbackupadmin]
    INFO        : Adding commands accessible to user [cvbackupadmin]
    INFO        : Adding command: clear
    INFO        : Adding command: osupdate
    INFO        : Adding command: enable_ransomware_protection
    INFO        : Adding command: hs_node
    INFO        : Adding command: hs_cluster
    INFO        : Adding command: noop
    INFO        : Completed adding commands accessible to user [cvbackupadmin]
    INFO        : Successfully set up restricted shell on all nodes in the cluster

    The creation sequence is logged in /var/log/commvault/Log_Files/cv_setup_restricted_shell.log.
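Two checks an operator can run around this procedure, as an added example that is not part of the Commvault documentation: one validates a candidate password against the five rules printed in step 7 before it is typed at the prompt, the other reads the "Adding command:" lines of cv_setup_restricted_shell.log (format assumed to match the step 8 output; the sample log below is constructed) and confirms that the set of commands granted to cvbackupadmin is exactly the documented set, so an extra or missing command is caught.

```shell
#!/bin/sh
# Added example, not part of the Commvault documentation: post-run checks for the
# cv_setup_restricted_shell.py procedure. The log format is assumed to match the
# "Adding command:" lines shown in step 8; the sample log below is constructed.

# Commands the procedure grants to cvbackupadmin (from the step 8 output).
EXPECTED_COMMANDS="clear osupdate enable_ransomware_protection hs_node hs_cluster noop"

# Write a constructed log in the same shape as cv_setup_restricted_shell.log
# and print its path.
make_sample_log() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
INFO        : Adding commands accessible to user [cvbackupadmin]
INFO        : Adding command: clear
INFO        : Adding command: osupdate
INFO        : Adding command: enable_ransomware_protection
INFO        : Adding command: hs_node
INFO        : Adding command: hs_cluster
INFO        : Adding command: noop
INFO        : Completed adding commands accessible to user [cvbackupadmin]
EOF
    printf '%s\n' "$log"
}

# Return 0 when the commands granted in the log match EXPECTED_COMMANDS exactly;
# otherwise print both sets to stderr and return 1, so a command added or
# removed outside this procedure is caught.
check_granted_commands() {
    granted=$(sed -n 's/.*Adding command: *\([^ ]*\).*/\1/p' "$1" | sort -u)
    expected=$(printf '%s\n' $EXPECTED_COMMANDS | sort -u)
    [ "$granted" = "$expected" ] && return 0
    printf 'granted:\n%s\nexpected:\n%s\n' "$granted" "$expected" >&2
    return 1
}

# Check a candidate cvbackupadmin password against the five rules printed in
# step 7. POSIX character classes are used for the page's [a-z], [A-Z], [0-9]
# so the result does not depend on the shell's locale. Returns 0 if all pass.
password_meets_policy() {
    pw="$1"
    [ "${#pw}" -ge 8 ] || return 1                               # rule 1: length
    case "$pw" in *[[:lower:]]*) ;; *) return 1 ;; esac           # rule 2: lowercase
    case "$pw" in *[[:upper:]]*) ;; *) return 1 ;; esac           # rule 3: uppercase
    case "$pw" in *[[:digit:]]*) ;; *) return 1 ;; esac           # rule 4: digit
    case "$pw" in *[~!@#?\$%]*) ;; *) return 1 ;; esac            # rule 5: one of ~!@#?$%
    return 0
}
```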

Result

The cvbackupadmin user will be created with the following capabilities. Each command is listed with its description and additional options:

clear

Command to clear the restricted shell screen.

hs_node

Command to administer the local node from where it is invoked, unless a remote node name is specified.

The following options are available for this command:

$ hs_node --help
usage: hs_node (options)
Command options for current node.
Optional arguments:
  -h, --help            show this help message and exit
  --node <hostname>     If not specified, execute on local node. If specified, execute on specified node.
                        This can be applied to any of the node optional arguments;
                        Example: [--get_serial_number --node <remote_node>]
                        NOTE: Passwordless SSH must be configured for remote nodes.
  --get_serial_number   Show serial number of the node.
  --gethostname         Show hostname of the node.
  --cat <PATH_TO_FILE>  Show only allowed file's content.
  --tail [<TAIL_CLI_OPTIONS> [<TAIL_CLI_OPTIONS> ...]]
                        Show file content using 'tail' command.
                        Run [--tail ++help] option to check detailed usage.
                        Does not support --node option.
  --df                  Execute's command 'df -h'.
  --sestatus            Execute's command 'sestatus'. Used to check if ransomware protection is enabled.
  --lsblk               Execute's command 'lsblk'.
  --lsscsi              Execute's command 'lsscsi'.
  --lsmod               Execute's command 'lsmod'.
  --fdisk               Execute's command 'fdisk -l'.
  --get_registry_entry [reg_path= reg_key= [instance= ...]]
                        Show registry value for a given combination of instance=, reg_path=, and reg_key=.
                        Default instance value is Instance001. reg_path is an xpath from instance level.
                        Sample usage of the command:
                        1. hs_node --get_registry_entry reg_path=Installer/Subsystems reg_key=nPackageSum
                        2. hs_node --get_registry_entry reg_path=MediaAgent reg_key=sHyperScaleRPMQuerySuccess
  --grep SEARCH_WORD    Execute's command 'grep -i SEARCH_WORD -'.
                        Use it by piping output from other commands.
                        Does not support --node option.
                        Sample usage of the command:
                        1. hs_node --df | hs_node --grep "hedvig"
  --commvault SUBCOMMAND
                        Execute's command 'commvault (list|status|start|restart|start_services|stop|reg)'.
                        'start_services' subcommand can be used to start services as OS update does.
  --dmidecode           Execute's command 'dmidecode -t system'.
  --date                Execute's command 'date'.
  --netstat             Execute's command 'netstat -rn'.
  --blkid               Execute's command 'blkid'.
  --mount               Execute's command 'mount'.
  --uname               Execute's command 'uname -a'.
  --rpm                 Execute's command 'rpm -qa'.
  --ulimit              Execute's command 'ulimit -a'.
  --uptime              Execute's command 'uptime'.
  --resume_protection   Sets the node in enforcing mode.
  --firewall_list_open_ports
                        Execute's command 'firewall-cmd --list-ports'.
  --ping IP/Hostname    Execute's command 'ping IP/Hostname'. Does not support --node option.
  --nslookup IP/Hostname
                        Execute's command 'nslookup IP/Hostname'. Does not support --node option.
  --reboot              Execute's command 'reboot'. Does not support --node option.
  --gluster_volume SUBCOMMAND
                        Shows gluster volume related information. use --gluster_volume help to get more information.
  --volume GLUSTER_VOLUME_NAME
                        Provide gluster volume name.

hs_cluster

Command to administer all the nodes in a cluster.

The following options are available for this command:

$ hs_cluster --help
usage: hs_cluster [options]
These actions are preformed across the entire cluster, for each and every node.
optional arguments:
  -h, --help            show this help message and exit
  --get_serial_number   Show serial number for each node in the cluster.
  --list                Show all nodes in the cluster.
  --cat <PATH_TO_FILE>  Show only allowed file's content from each node in the cluster.
  --sestatus            'sestatus' command is executed on all nodes and prints output on the screen.
  --lsblk               'lsblk' command is executed on all nodes and prints output on the screen.
  --lsscsi              'lsscsi' command is executed on all nodes and prints output on the screen.
  --lsmod               'lsmod' command is executed on all nodes and prints output on the screen.
  --fdisk               'fdisk -l' command is executed on all nodes and prints output on the screen.
  --df                  'df -h' command is executed on all nodes and prints output on the screen.
  --get_registry_entry [GET_REGISTRY_ENTRY [GET_REGISTRY_ENTRY ...]]
                        'hs_node --get_registry_entry' command is executed on all nodes and prints output on the screen.
  --commvault SUBCOMMAND
                        'hs_node --commvault' command is executed on all nodes and prints output on the screen.
  --dmidecode           'dmidecode -t system' command is executed on all nodes and prints output on the screen.
  --date                'date' command is executed on all nodes and prints output on the screen.
  --netstat             'netstat -rn' command is executed on all nodes and prints output on the screen.
  --blkid               'blkid' command is executed on all nodes and prints output on the screen.
  --mount               'mount' command is executed on all nodes and prints output on the screen.
  --uname               'uname -a' command is executed on all nodes and prints output on the screen.
  --rpm                 'rpm -qa' command is executed on all nodes and prints output on the screen.
  --ulimit              'ulimit -a' command is executed on all nodes and prints output on the screen.
  --uptime              'uptime' command is executed on all nodes and prints output on the screen.
  --resume_protection   Sets Selinux to enforcing mode on all nodes in the cluster.
  --firewall_list_open_ports
                        'firewall-cmd --list-ports' command is executed on all nodes and prints output on the screen.
  --get_remote_cache    Find which node is the remote cache node of this cluster.

enable_ransomware_protection

Command to enable ransomware protection on the nodes.

Reboot the node after enabling ransomware protection using the following command:

$ hs_node --reboot

osupdate

Command to upgrade the operating system (OS).

While the OS upgrade process is in progress, the upgrade status can be viewed using the following command:

$ osupdate -status

What to Do Next

Disable root access on the nodes, so that only the restricted user (cvbackupadmin) will be able to login and access the nodes in the cluster.
