Creating a Restricted User for HyperScale X Reference Architecture

The cvbackupadmin user has limited capabilities or commands needed to administer the nodes and cluster. This user's capabilities will be limited to the set of commands supported by the restricted shell.

The cvbackupadmin user is created when you install a new HyperScale X Reference Architecture cluster. For existing clusters, if the user is not created, you can create the user and set the password using the following steps.

Note

The password of the cvbackupadmin user expires for every 60 days. Please change the password periodically for security reasons.

Before You Begin

Enable root access on the nodes. For more information, see Enabling and Disabling Password-Based Root Access.

Procedure

Login to any one of the nodes in the cluster.
Navigate the following folder:
```
# cd /opt/commvault/MediaAgent
```

Run the script to enable restricted shell using one of the following options:

Enable the restricted shell from the cluster level, with a single password for the cvbackupadmin user in all the nodes in the cluster:
```
# ./cv_setup_restricted_shell.py cluster_level
```
Enable the restricted shell from the node level, with a unique password for the cvbackupadmin user in each node:
```
# ./cv_setup_restricted_shell.py node_level
```
Change the password for the cvbackupadmin user in each node:
```
# ./cv_setup_restricted_shell.py passwd_node
```
Note

The password of the cvbackupadmin user expires every 60 days. You must change the password periodically for security reasons.

View the help for the command:

]# ./cv_setup_restricted_shell.py -h
usage: cv_setup_restricted_shell.py [-h] {cluster_level,node_level,passwd_cluster,upgrade,passwd_node} ...
cv_setup_restricted_shell.py creates cvbackupadmin user with restricted shell
access.
positional arguments:
  {cluster_level,node_level,passwd_cluster,upgrade,passwd_node}
    cluster_level       Creates cvbackupadmin user with restricted shell
                        access on all nodes in the cluster.
    node_level          Creates cvbackupadmin user with restricted shell
                        access on current node.
    passwd_cluster      Reset the password for cvbackupadmin user on all nodes 
                        in the cluster.
    upgrade             Upgrades restricted shell env on current node.
    passwd_node         Reset password for cvbackupadmin user on current node
                        if user exists.
optional arguments:
  -h, --help            show this help message and exit

Output similar to the following will be displayed :

 INFO        : Creation of User [cvbackupadmin] and setting of Password is done only once per node.
Requirements for Password are:
    1: Length of password should be atleast 8 characters.
    2: Password should contain atleast one lowercase alphabet [a-z].
    3: Password should contain atleast one uppercase alphabet [A-Z].
    4: Password should contain atleast one digit [0-9].
    5: Password should contain atleast one non alpha-numeric character from [~!@#?$%].
Password for [cvbackupadmin]:
Confirm Password for [cvbackupadmin]:

Type the password, and re-type to confirm the password for the cvbackupadmin user.

Output similar to the following will be displayed:

INFO           :        Cluster name: HV000000000000009
INFO        : List of Nodes on which Restricted shell will be installed and associated with cvbackupadmin user:
mynode002.company.com
mynode003.company.com
mynode001.company.com
INFO        : Setting up restricted shell on [node: mynode002.company.com]
INFO        : Setting up restricted shell on [node: mynode003.company.com]
INFO        : Setting up restricted shell on [node: mynode001.company.com
INFO        : Installing restricted shell
INFO        : Skipping installation of restricted shell, restricted shell is already installed
INFO        : Checking if user [cvbackupadmin] already exists
INFO        : Creating backup admin user [cvbackupadmin]
INFO        : Successfully created backup admin user [cvbackupadmin]
INFO        : Setting up restricted environment for user [cvbackupadmin]
INFO        : Completed setting up of restricted environment for user [cvbackupadmin]
INFO        : Adding commands accessible to user [cvbackupadmin]
INFO        : Adding command: clear
INFO        : Adding command: osupdate
INFO        : Adding command: enable_ransomware_protection
INFO        : Adding command: hs_node
INFO        : Adding command: hs_cluster
INFO        : Adding command: noop
INFO        : Completed adding commands accessible to user [cvbackupadmin]
INFO        : Successfully set up restricted shell on all nodes in the cluster

The creation sequence is logged in /var/log/commvault/Log_Files/cv_setup_restricted_shell.log.

Result

The cvbackupadmin user will be created with the following capabilities:

Command	Description / Additional Options
clear	Command to clear the restricted shell screen.
hs_node	Command to administer the local node from where its is invoked, unless a remote node name is specified. The following options are available for this command:
	$ hs_node --help usage: hs_node (options) Command options for current node. Optional arguments: -h, --help show this help message and exit --node <hostname> If not specified, execute on local node. If specified, execute on specified node. This can be applied to any of the node optional arguments; Example: [--get_serial_number --node <remote_node>] NOTE: Passwordless SSH must be configured for remote nodes. --get_serial_number Show serial number of the node. --gethostname Show hostname of the node. --cat <PATH_TO_FILE> Show only allowed file's content. --tail [<TAIL_CLI_OPTIONS> [<TAIL_CLI_OPTIONS> ...]] Show file content using 'tail' command. Run [--tail ++help] option to check detailed usage. Does not support --node option. --df Execute's command 'df -h'. --sestatus Execute's command 'sestatus'. Used to check if ransomware protection is enabled. --lsblk Execute's command 'lsblk'. --lsscsi Execute's command 'lsscsi'. --lsmod Execute's command 'lsmod'. --fdisk Execute's command 'fdisk -l'. --get_registry_entry [reg_path= reg_key= [instance= ...]] Show registry value for a given combination of instance=, reg_path=, and reg_key=. Default instance value is Instance001. reg_path is an xpath from instance level. Sample usage of the command: 1. hs_node --get_registry_entry reg_path=Installer/Subsystems reg_key=nPackageSum 2. hs_node --get_registry_entry reg_path=MediaAgent reg_key=sHyperScaleRPMQuerySuccess --grep SEARCH_WORD Execute's command 'grep -i SEARCH_WORD -'. Use it by piping output from other commands. Does not support --node option. Sample usage of the command: 1. hs_node --df \| hs_node --grep "hedvig" --commvault SUBCOMMAND Execute's command 'commvault (list\|status\|start\|restart\|start_services\|stop\|reg)'. 'start_services' subcommand can be used to start services as OS update does. --dmidecode Execute's command 'dmidecode -t system'. --date Execute's command 'date'. --netstat Execute's command 'netstat -rn'. --blkid Execute's command 'blkid'. --mount Execute's command 'mount'. --uname Execute's command 'uname -a'. --rpm Execute's command 'rpm -qa'. --ulimit Execute's command 'ulimit -a'. --uptime Execute's command 'uptime'. --resume_protection Sets the node in enforcing mode. --firewall_list_open_ports Execute's command 'firewall-cmd --list-ports'. --ping IP/Hostname Execute's command 'ping IP/Hostname'. Does not support --node option. --nslookup IP/Hostname Execute's command 'nslookup IP/Hostname'. Does not support --node option. --reboot Execute's command 'reboot'. Does not support --node option. --cds SUBCOMMAND Shows CVFS related information. use --cds help to get more information.
hs_cluster	Command to administer all the nodes in a cluster. The following options are available for this command:
	$ hs_cluster --help usage: hs_cluster [options] These actions are preformed across the entire cluster, for each and every node. optional arguments: -h, --help show this help message and exit --get_serial_number Show serial number for each node in the cluster. --list Show all nodes in the cluster. --cat <PATH_TO_FILE> Show only allowed file's content from each node in the cluster. --sestatus 'sestatus' command is executed on all nodes and prints output on the screen. --lsblk 'lsblk' command is executed on all nodes and prints output on the screen. --lsscsi 'lsscsi' command is executed on all nodes and prints output on the screen. --lsmod 'lsmod' command is executed on all nodes and prints output on the screen. --fdisk 'fdisk -l' command is executed on all nodes and prints output on the screen. --df 'df -h' command is executed on all nodes and prints output on the screen. --get_registry_entry [GET_REGISTRY_ENTRY [GET_REGISTRY_ENTRY ...]] 'hs_node --get_registry_entry' command is executed on all nodes and prints output on the screen. --commvault SUBCOMMAND 'hs_node --commvault' command is executed on all nodes and prints output on the screen. --dmidecode 'dmidecode -t system' command is executed on all nodes and prints output on the screen. --date 'date' command is executed on all nodes and prints output on the screen. --netstat 'netstat -rn' command is executed on all nodes and prints output on the screen. --blkid 'blkid' command is executed on all nodes and prints output on the screen. --mount 'mount' command is executed on all nodes and prints output on the screen. --uname 'uname -a' command is executed on all nodes and prints output on the screen. --rpm 'rpm -qa' command is executed on all nodes and prints output on the screen. --ulimit 'ulimit -a' command is executed on all nodes and prints output on the screen. --uptime 'uptime' command is executed on all nodes and prints output on the screen. --resume_protection Sets Selinux to enforcing mode on all nodes in the cluster. --firewall_list_open_ports 'firewall-cmd --list-ports' command is executed on all nodes and prints output on the screen. --get_remote_cache Find which node is the remote cache node of this cluster. --cds SUBCOMMAND Shows CVFS related information from all nodes in the cluster. use --cds help to get more information.
enable_ransomware_protection	Command to enable ransomware protection on the nodes. Reboot the node after enabling ransomware using the following command: `$ hs_node –reboot`
osupdate	Command to upgrade the operating system (OS). The following options are supported for this command:
	`cvupgradeos.py Updates both CVDS and OS Binaries on all cluster nodes. cvupgradeos.py -status Get status of upgraded nodes cvupgradeos.py -upgrade_hedvig_only Updates only CVDS Binaries on all nodes. cvupgradeos.py -upgrade_os_only Updates only OS Binaries on all nodes`
	Note When the osupdate command is executed without any options, both the CVFS and the OS will be upgraded.

What to Do Next

Disable root access on the nodes, so that only the restricted user (cvbackupadmin) will be able to login and access the nodes in the cluster.