User Account Prerequisites
Certain user account prerequisites must be met before you install agents.
Windows Target Machine User Account Requirements
- To install agents, the user must be either:
  - An administrator, or
  - A non-administrator who belongs to the administrator group.
Linux Target Machine User Account Requirements
For Linux target machines, there are two user accounts for the Telegraf agent: the install user and the run-time user. The user credentials provided during agent installation are for the install user. The arcuser is the run-time user and needs the set of privileges necessary for the agent’s components to run.
- The /tmp mount point should be mounted with the exec mount option.
- The following are the minimal permissions the user needs to install agents; they should be specified in the sudoers file. For example, for a user called telegrafinstall, you can find the sudoers file in the /etc/sudoers file or in the folder /etc/sudoers.d/:

    Defaults:telegrafinstall !requiretty
    Cmnd_Alias ARC_INSTALL_USER_COMMANDS=/usr/bin/cp*,/bin/cp*,/usr/bin/mkdir*,/bin/mkdir*,/usr/bin/chmod*,/bin/chmod*,/opt/vmware/ucp/bootstrap/uaf-bootstrap.sh,/opt/vmware/ucp/ucp-minion/bin/ucp-minion.sh
    telegrafinstall ALL=(ALL)NOPASSWD: ARC_INSTALL_USER_COMMANDS

Run-Time User Prerequisites
There are two ways in which a run-time user is created in Linux target machines: automatically and manually. A run-time user has a standard name and group, which are arcuser and arcgroup respectively. If the "Create run time user on linux virtual machines, with required permissions as part of agent installation" check box is selected, the arcuser and arcgroup are created automatically. The check box is selected by default. A run-time user is also created automatically during a script-based install. If you choose to create the arcuser and arcgroup manually, follow these steps:

Create the arcgroup and arcuser and associate the arcgroup as the primary group of the arcuser.
- The arcgroup must be the primary group of the arcuser. The following commands can be used to create the arcgroup and arcuser:

    groupadd arcgroup
    useradd arcuser -g arcgroup -M -s /bin/false

- The arcuser must be created with no home directory and no access to the login shell. For example, the /etc/passwd entry for the arcuser is as follows after adding arcuser and arcgroup:

    arcuser:x:1001:1001::/home/arcuser:/bin/false

- The arcuser must have a specific set of password-less privileges, as listed below, which must be written in the /etc/sudoers file or in the folder /etc/sudoers.d/:

    Defaults:arcuser !requiretty
    Cmnd_Alias VAPCOMMANDS=/usr/bin/systemctl * ucp-telegraf.service, !/usr/bin/systemctl * * ucp-telegraf.service, /bin/systemctl * ucp-telegraf.service, !/bin/systemctl * * ucp-telegraf.service, /usr/bin/systemctl * ucp-minion.service, !/usr/bin/systemctl * * ucp-minion.service, /bin/systemctl * ucp-minion.service, !/bin/systemctl * * ucp-minion.service, /usr/bin/systemctl * salt-minion.service, !/usr/bin/systemctl * * salt-minion.service, /bin/systemctl * salt-minion.service, !/bin/systemctl * * salt-minion.service, /usr/bin/systemctl * ucp-salt-minion.service, !/usr/bin/systemctl * * ucp-salt-minion.service, /bin/systemctl * ucp-salt-minion.service, !/bin/systemctl * * ucp-salt-minion.service, /usr/bin/netstat, /bin/netstat, /opt/vmware/ucp/tmp/telegraf_post_install_linux.sh, /opt/vmware/ucp/bootstrap/uaf-bootstrap.sh, /opt/vmware/ucp/content/runscript.sh, /opt/vmware/ucp/ucp-minion/bin/ucp-minion.sh, /usr/bin/systemd-run, /bin/systemd-run
    arcuser ALL=(ALL) NOPASSWD: VAPCOMMANDS
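
After creating the run-time user manually, the account and /tmp requirements above can be verified with a short script. This is an added example, not part of the original page or the product: the function names check_arcuser and check_tmp_exec are hypothetical, the sample data in demo() is constructed, and accepting the nologin shells alongside /bin/false is an assumption.

```shell
#!/bin/sh
# Added example: verify the run-time user prerequisites listed on this page.
# Function names are hypothetical; the sample data in demo() is constructed.

# check_arcuser PASSWD_FILE GROUP_FILE
# Passes only if arcuser exists, its primary GID is arcgroup's GID, and
# its shell cannot be used to log in. The page uses /bin/false; treating
# the nologin paths as equivalent is an assumption of this example.
check_arcuser() {
    gid=$(awk -F: '$1 == "arcgroup" { print $3; exit }' "$2")
    [ -n "$gid" ] || { echo "FAIL: arcgroup not found"; return 1; }
    entry=$(awk -F: '$1 == "arcuser" { print $4 ":" $7; exit }' "$1")
    [ -n "$entry" ] || { echo "FAIL: arcuser not found"; return 1; }
    user_gid=${entry%%:*}
    shell=${entry#*:}
    [ "$user_gid" = "$gid" ] || { echo "FAIL: primary group is not arcgroup"; return 1; }
    case $shell in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) ;;
        *) echo "FAIL: arcuser has a login shell: ${shell:-default}"; return 1 ;;
    esac
    echo "OK: arcuser"
}

# check_tmp_exec MOUNTS_FILE   (file in /proc/mounts format)
# Uses the last entry for /tmp, or for / when /tmp is not a separate
# mount, and fails if its options include noexec.
check_tmp_exec() {
    opts=$(awk '$2 == "/tmp" { t = $4 } $2 == "/" { r = $4 }
                END { print (t != "" ? t : r) }' "$1")
    [ -n "$opts" ] || { echo "FAIL: no mount entry for /tmp or /"; return 1; }
    case ",$opts," in
        *,noexec,*) echo "FAIL: /tmp is mounted noexec"; return 1 ;;
    esac
    echo "OK: /tmp allows exec"
}

# Run both checks against constructed sample data.
demo() {
    d=$(mktemp -d) || return 1
    printf 'arcgroup:x:1001:\n' > "$d/group"
    printf 'arcuser:x:1001:1001::/home/arcuser:/bin/false\n' > "$d/passwd"
    printf '/dev/sda1 / ext4 rw,relatime 0 0\n' > "$d/mounts"
    check_arcuser "$d/passwd" "$d/group" && check_tmp_exec "$d/mounts"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo
```

On a target machine, call `check_arcuser /etc/passwd /etc/group` and `check_tmp_exec /proc/mounts` instead of `demo`.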