Sudo file configuration examples for Oracle environments
This topic provides a sample sudo
file privilege configurations for using the Delphix Engine with various operating systems and the Oracle RDBMS.
Requiretty settings
Delphix requires that the requiretty
setting be disabled for all Delphix users with sudo
privileges.
Configuring sudo
access on Solaris SPARC for Oracle source and target environments
Sudo access to pargs
on the Solaris operating system is required for the detection of listeners with non-standard configurations on both source and target environments. Super-user access level is needed to determine the TNS_ADMIN
environment variable of the user running the listener (typically oracle, the installation owner). From TNS_ADMIN
, the Delphix OS user delphix_os can derive connection parameters.
Example: Solaris /etc/sudoers
entries for a Delphix Source
Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD:/usr/bin/pargs
On a Solaris target, sudo
access to mount
and umount
is also required.
Example: Solaris /etc/sudoers
entries for a Delphix Target
# Delphix issues sudo -l so we need to allow it via listpw. Never set it to always when using public key authentication
Defaults listpw=all
User_Alias DELPHIX_USER=delphix_os
Cmnd_Alias DELPHIX_CMDS= \
/usr/bin/mount, \
/usr/bin/umount, \
/usr/bin/mkdir, \
/usr/bin/rmdir, \
/usr/bin/pargs
DELPHIX_USER ALL=(ALL) NOPASSWD: DELPHIX_CMDS
Configuring sudo
access on Linux for Oracle source and target environments
Sudo access to ps
on the Linux operating system is required for the detection of listeners with non-standard configurations on both source and target environments. Super-user access level is needed to determine the TNS_ADMIN
environment variable of the user running the listener (typically oracle, the installation owner). From TNS_ADMIN
, the Delphix OS user delphix_os can derive connection parameters.
Example: Linux /etc/sudoers
entries for a Delphix Source
Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD:/bin/ps
On a Linux target, sudo access to mount
and umount
is also required.
Example: Linux /etc/sudoers
file for a Delphix Target
Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: \
/bin/mount, /bin/umount, /bin/mkdir, /bin/rmdir, /bin/ps
Configuring sudo
access on AIX for Oracle source and target environments
Sudo access to ps
on the AIX operating system is required for the detection of listeners with non-standard configurations on both source and target environments. Super-user access level is needed to determine the TNS_ADMIN
environment variable of the user running the listener (typically oracle, the installation owner). From TNS_ADMIN
, the Delphix OS user delphix_os can derive connection parameters.
Example: AIX /etc/sudoers
entries for a Delphix Source
Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD:/bin/ps
In addition to sudo access to the mount
, umount
, and ps
commands on AIX target hosts, Delphix also requires sudo
access to nfso
. This is required on target hosts for the Delphix Engine to monitor the NFS read-write sizes configured on the AIX system. Super-user access level is needed to run the nfso
command.
Example: AIX /etc/sudoers
File for a Delphix Target
Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: \
/usr/sbin/mount, \
/usr/sbin/umount, \
/usr/sbin/mkdir, \
/usr/sbin/rmdir, \
/usr/sbin/nfso, \
/usr/bin/ps
Configuring sudo
access on HP-UX for Oracle source and target environments
No sudo
privileges are required on source environments running HP-UX. The HP-UX OS does not allow the delphix_os user to determine the TNS_ADMIN
environment variable setting for the oracle user. This means that the Delphix Engine cannot auto-discover non-standard listener configurations with non-default TNS_ADMIN
settings.
On the HP-UX target, sudo
access to mount
and umount
is required as with other operating systems.
Example: HP-UX /etc/sudoers file for a Delphix target
Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD:/sbin/mount, /sbin/umount, /sbin/mkdir, /sbin/rmdir
Examples of Limiting sudo
Access for the Delphix OS User
In situations where security requirements prohibit giving the Delphix user root privileges to mount, unmount, make a directory, and remove directory on the global level, it is possible to configure the sudoers
file to provide these privileges only on specific mount points or from specific Delphix Engines, as shown in these two examples.
The Delphix Engine tests its ability to run the mount
command using sudo
on the target environment by issuing the sudo mount
command with no arguments. Many of the examples shown in this topic do not allow that. This causes a warning during environment discovery and monitoring but otherwise does not cause a problem. If your VDB operations succeed, it is safe to ignore this warning.
Similarly, the ps
or pargs
command is used for target environment operations such as initial discovery and refresh. The most restrictive sudo setups might not allow the commands ps (pargs)
. Delphix can still function without these privileges, although auto-discovery may not work.
However, some users configure the security on the target environments to monitor sudo
failures and lockout the offending account after some threshold. In those situations, the failure of the sudo commands might cause the delphix_os account to become locked. One workaround for this situation is to increase the threshold for locking out the user account. Another option is to modify /etc/sudoers
to permit the delphix_os user to run ps (pargs)
, and mount
command without parameters.
Note that the following examples are for illustrative purposes and the sudo file configuration options are subject to change.
Example 1
This example restricts the delphix_os user's use of sudo
privileges to the directory /oracle
.
Note that wildcards are allowed for the options on mount
and umount
because those commands expect a fixed number of arguments after the options. The option wildcard on the mount
command also makes it possible to specify the file-system being mounted from the Delphix Engine.
Example /etc/sudoers
File Configuration on the Target Environment for sudo Privileges on the VDB Mount Directory Only (Linux OS)
Defaults:delphix_os !requiretty
delphix_os ALL=(root) NOPASSWD: \
/bin/mount * /oracle/*, \
/bin/umount * /oracle/*, \
/bin/umount /oracle/*, \
/bin/mkdir -p /oracle/*, \
/bin/mkdir -p -m 755 /oracle/*, \
/bin/mkdir /oracle/*, \
/bin/rmdir /oracle/*, \
/bin/ps
Example /etc/sudoers
File Configuration on the Source Environment to grant Super-User privileges when running PS
Defaults:delphix_os !requiretty
delphix_os ALL=(root) NOPASSWD: /bin/ps
Example 2
This example restricts the delphix_os user's use of sudo
privileges to the directory /oracle
, restricts the mount commands to a specific Delphix Engine hostname and IP, and does not allow user-specified options for the umount
command.
This configuration is more secure, but there is a tradeoff with deployment simplicity. This approach would require a different sudo configuration for targets configured for different Delphix Engines.
A Second Example of Configuring the /etc/sudoers
File on the Target Environment for Privileges on the VDB Mount Directory Only (Linux OS)
Defaults:delphix_os !requiretty
delphix_os ALL=(root) NOPASSWD: \
/bin/mount <delphix-server-name>* /oracle/*, \
/bin/mount * <delphix-server-name>* /oracle/*, \
/bin/mount <delphix-server-ip>* /oracle/*, \
/bin/mount * <delphix-server-ip>* /oracle/*, \
/bin/mount "", \
/bin/umount /oracle/*, \
/bin/umount * /oracle/*, \
/bin/mkdir, \
/bin/rmdir, \
/bin/ps
Example 3
This example adds the following entries in /etc/sudoers
to allow the delphix_os user to run datapatch
as the user oracle without needing to enter the password and with no additional privileges:
Cmnd_Alias ORACLE_CMDS = /u01/app/oracle/product/19.7.0.0/dbhome_1/OPatch/datapatch
Defaults!ORACLE_CMDS env_keep += "ORACLE_HOME ORACLE_SID ORACLE_UNQNAME"
delphix_os ALL=(oracle) NOPASSWD: ORACLE_CMDS
It is important to note that the environment variables necessary for Delphix (ORACLE_HOME
, ORACLE_SID
and ORACLE_UNQNAME
) to successfully invoke the datapatch
command must be preserved using the env_keep
option, otherwise the command invocation may fail.