Challenge
Granular ‘sudo’ configuration for a Linux user account to be used for Agent Management.Cause
As per Agent Management User Guide, a user account to be used for Agent Management should have administrative permissions on the computer that you want to add to a protection group or a job. If you would like to avoid using ‘root’ account in favor of a sudoer account, you might also want to set permissions granularly for one. This document helps you to achieve this goal.Solution
- Linux user account used by Veeam Backup and Replication server for any Veeam Agent for Linux deployment and management operations must have /bin/bash shell set by default.
- /etc/sudoers file should contain a line with ‘requiretty’ parameter negated explicitly for desired Linux user account
- The account must have either ‘root’ permissions or permissions to execute a specific list of commands as a sudoer on the target Linux machine.
Veeam Agent for Linux 4.0
Veeam Backup & Replication v10
An example of /etc/sudoers file containing proper settings:
Defaults:username !targetpw Defaults:username !targetpw username ALL=(root) /bin/hostname username ALL=(root) /bin/whoami username ALL=(root) /bin/mkdir username ALL=(root) /bin/arch username ALL=(root) /bin/uname username ALL=(root) /bin/scp username ALL=(root) /bin/chown username ALL=(root) /opt/veeam/veeaminstaller username ALL=(root) /bin/veeamconfig # FLR Restore via console username ALL=(root) /tmp/*_vblkid username ALL=(root) /bin/mount username ALL=(root) /bin/[ -d /tmp/ ] username ALL=(root) /tmp/VeeamAgent*-*-*-* username ALL=(root) /bin/rm username ALL=(root) /bin/ps username ALL=(root) /bin/cat
Veeam Agent for Linux 3.x
Veeam Backup & Replication 9.5 U4
An example of /etc/sudoers file containing proper settings for SLES 11, Veeam Agent for Linux v3.0/Veeam Backup & Replication v9.5 update 4:
Defaults:username !targetpw username ALL=(root) /bin/hostname username ALL=(root) /bin/uname username ALL=(root) /bin/arch username ALL=(root) /bin/cat username ALL=(root) /usr/bin/test username ALL=(root) /bin/mkdir username ALL=(root) /bin/rmdir username ALL=(root) /bin/chown username ALL=(root) /usr/bin/whoami username ALL=(root) /usr/bin/id username ALL=(root) /tmp/*/veeamagentid # Agent config/backup username ALL=(root) /usr/bin/veeamconfig # Agent deployment username ALL=(root) /usr/bin/zypper username ALL=(root) /sbin/modinfo username ALL=(root) /bin/rpm # FLR Restore via console username ALL=(root) /bin/sh username ALL=(root) /bin/touch username ALL=(root) /bin/chmod username ALL=(root) /tmp/VeeamAgent*-*-*-* username ALL=(root) /bin/rm username ALL=(root) /bin/ps username ALL=(root) /bin/mv
Veeam Agent for Linux 2.0.1
Veeam Backup & Replication 9.5 U3a
An example of /etc/sudoers file containing proper settings for SLES 11, Veeam Agent for Linux v2.0.1/Veeam Backup & Replication v9.5 update 3a:
Defaults:username !requiretty username ALL=(root) NOPASSWD: /bin/hostname username ALL=(root) NOPASSWD: /bin/uname username ALL=(root) NOPASSWD: /bin/arch username ALL=(root) NOPASSWD: /bin/cat username ALL=(root) NOPASSWD: /usr/bin/test username ALL=(root) NOPASSWD: /bin/mkdir username ALL=(root) NOPASSWD: /bin/rmdir username ALL=(root) NOPASSWD: /bin/chown username ALL=(root) NOPASSWD: /usr/bin/scp username ALL=(root) NOPASSWD: /tmp/*/veeamagentid # Agent config/backup username ALL=(root) NOPASSWD: /usr/bin/veeamconfig # Agent deployment username ALL=(root) NOPASSWD: /usr/bin/zypper username ALL=(root) NOPASSWD: /sbin/modinfo username ALL=(root) NOPASSWD: /bin/rpm # FLR Restore via console username ALL=(root) NOPASSWD: /bin/sh username ALL=(root) NOPASSWD: /bin/touch username ALL=(root) NOPASSWD: /bin/chmod username ALL=(root) NOPASSWD: /tmp/VeeamAgent*-*-*-* username ALL=(root) NOPASSWD: /bin/rm username ALL=(root) NOPASSWD: /bin/ps username ALL=(root) NOPASSWD: /bin/mv
For distributions other than SLES replace /usr/bin/zypper with a path to corresponding package manager binary.