On UNIX® systems, certain Foglight® agents require elevated privileges in order to gather the required system metrics. This is achieved by having the Agent Manager launch these agents with root privileges.
To give these agents the required access, the Agent Manager is configured to launch these agents using an external application like sudo, setuid_launcher, or any other tool that allows privilege escalation (without a password) and supports the same command‑line semantics as sudo.
NOTE: The tool setuid_launcher is included with the Agent Manager, in the <fglam_home>/bin/setuid_launcher directory. |
Instructions for using sudo and setuid_launcher to give these agents the necessary privileges are provided below.
NOTE: Certain agents that require root privileges to gather a more complete set of system metrics are able to function without these privileges. See the Managing Operating Systems User Guide for more information.
The agent does not collect as much data as when it is run with root privileges. |
This section contains instructions for using sudo to give agents elevated permissions.
1 |
2 |
3 |
Set the path to point to the sudo executable. This executable is typically located in /usr/bin/sudo (the default path provided by the Agent Manager installer). |
4 |
5 |
Edit the sudoers file for your system to allow <fglam_home>/client/<fglam_version>/bin/fog4_launcher to be run as root by a specific user, without requiring a password, and only for the agents that require root privileges. |
6 |
Ensure that the requiretty option is disabled in the sudoers file. For example, to disable this option for the foglight user, add the following entry to the file: |
7 |
If the agent uses an ICMP ping service, edit the sudoers file for your system to allow <fglam_home>/client/*/bin/udp2icmp to be run as root by a specific user, without requiring a password. |
TIP: For sudo configuration, it is a best practice to use a wildcard for the version-specific Agent Manager and cartridge directories, as shown in the example above. Using a wildcard in a path is described in the Sudoers Manual located at:
http://www.gratisoft.us/sudo/man/sudoers.html#wildcards Using a wildcard for the version-specific directories allows you to avoid updating each sudoers file that references these directories when you upgrade the Agent Manager or the agents. |
If these permissions are no longer needed, remove the lines that you added to run fog4_launcher or udp2icmp with root permissions.
1 |
Navigate to <fglam_home>/state/default/config. |
2 |
Open the fglam.config.xml file for editing. |
3 |
Edit the <config:path> element under <config:secure-launcher> to point to the sudo executable. This executable is typically located in /usr/bin/sudo (the default path provided by the Agent Manager installer). |
4 |
Edit the sudoers file for your system to allow <fglam_home>/client/<fglam_version>/bin/fog4_launcher to run as root by a specific user, without requiring a password, and only for the agents that require root privileges. |
5 |
If the agent uses an ICMP ping service, edit the sudoers file for your system to allow <fglam_home>/client/*/bin/udp2icmp to be run as root by a specific user, without requiring a password. |
TIP: For sudo configuration, it is a best practice to use a wildcard for the version-specific Agent Manager and cartridge directories, as shown in the example above. Using a wildcard in a path is described in the Sudoers Manual located at:
http://www.gratisoft.us/sudo/man/sudoers.html#wildcards Using a wildcard for the version-specific directories allows you to avoid updating each sudoers file that references these directories when you upgrade the Agent Manager or the agents. |
This section contains instructions for using setuid_launcher to give agents elevated permissions.
1 |
3 |
Set the path to point to the setuid_launcher executable. This executable is located in <fglam_home>/bin/setuid_launcher. |
4 |
5 |
6 |
Change the owner of <fglam_home>/bin/setuid_launcher to root. This permits the agents that need root privileges to be run as the root user without requiring a password. |
If these permissions are no longer needed, issue the following command:
chmod u-s <fglam_home>/bin/setuid_launcher
1 |
Navigate to <fglam_home>/state/default/config. |
2 |
Open the fglam.config.xml file for editing. |
3 |
Edit the <config:path> element under <config:secure-launcher> to point to your local setuid_launcher executable. This executable is located in <fglam_home>/bin/setuid_launcher. |
4 |
5 |
Change the owner of <fglam_home>/bin/setuid_launcher to root. This permits the agents that need root privileges to be run as the root user without requiring a password. |
If your database is installed on an HP-UX server, HP® provides a tool for ensuring that all the patches required to run JavaTM on HP-UX are installed.
© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center