The cvbackupadmin user has limited capabilities or commands needed to administer the nodes and cluster. This user's capabilities will be limited to the set of commands supported by the restricted shell.
The cvbackupadmin user is created when you install a new Commvault HyperScale X cluster. For existing clusters, if the user is not created, you can create the user and set the password using the following steps.
Note
The cvbackupadmin user password expires every 365 days. Change the password periodically to maintain security. If the password expires before you change it, log in as the root user to reset the cvbackupadmin password.
Before You Begin
Enable root access on the nodes. For more information, see Enabling or Disabling Password-Based Root Access for HyperScale X
Procedure
-
Login to any one of the nodes in the cluster.
-
Navigate the following folder:
# cd /opt/commvault/MediaAgent
-
Run the script to enable restricted shell using one of the following options:
-
Enable the restricted shell from the cluster level, with a single password for the cvbackupadmin user in all the nodes in the cluster:
# ./cv_setup_restricted_shell.py cluster_level
-
Enable the restricted shell from the node level, with a unique password for the cvbackupadmin user in each node:
# ./cv_setup_restricted_shell.py node_level
-
Change the password for the cvbackupadmin user in each node:
# ./cv_setup_restricted_shell.py passwd_node
Note
The password of the cvbackupadmin user expires every 60 days. You must change the password periodically for security reasons.
-
View the help for the command:
]# ./cv_setup_restricted_shell.py -h
usage: cv_setup_restricted_shell.py [-h] {cluster_level,node_level,passwd_cluster,upgrade,passwd_node} ...
cv_setup_restricted_shell.py creates cvbackupadmin user with restricted shell
access.
positional arguments:
{cluster_level,node_level,passwd_cluster,upgrade,passwd_node}
cluster_level Creates cvbackupadmin user with restricted shell
access on all nodes in the cluster.
node_level Creates cvbackupadmin user with restricted shell
access on current node.
passwd_cluster Reset the password for cvbackupadmin user on all nodes
in the cluster.
upgrade Upgrades restricted shell env on current node.
passwd_node Reset password for cvbackupadmin user on current node
if user exists.
optional arguments:
-h, --help show this help message and exit
Output similar to the following will be displayed :
INFO : Creation of User [cvbackupadmin] and setting of Password is done only once per node.
Requirements for Password are:
1: Length of password should be atleast 8 characters.
2: Password should contain atleast one lowercase alphabet [a-z].
3: Password should contain atleast one uppercase alphabet [A-Z].
4: Password should contain atleast one digit [0-9].
5: Password should contain atleast one non alpha-numeric character from [~!@#?$%].
Password for [cvbackupadmin]:
Confirm Password for [cvbackupadmin]:
-
Type the password, and re-type to confirm the password for the cvbackupadmin user.
Output similar to the following will be displayed:
INFO : Cluster name: HV000000000000009
INFO : List of Nodes on which Restricted shell will be installed and associated with cvbackupadmin user:
mynode002.company.com
mynode003.company.com
mynode001.company.com
INFO : Setting up restricted shell on [node: mynode002.company.com]
INFO : Setting up restricted shell on [node: mynode003.company.com]
INFO : Setting up restricted shell on [node: mynode001.company.com
INFO : Installing restricted shell
INFO : Skipping installation of restricted shell, restricted shell is already installed
INFO : Checking if user [cvbackupadmin] already exists
INFO : Creating backup admin user [cvbackupadmin]
INFO : Successfully created backup admin user [cvbackupadmin]
INFO : Setting up restricted environment for user [cvbackupadmin]
INFO : Completed setting up of restricted environment for user [cvbackupadmin]
INFO : Adding commands accessible to user [cvbackupadmin]
INFO : Adding command: clear
INFO : Adding command: osupdate
INFO : Adding command: enable_ransomware_protection
INFO : Adding command: cvnode
INFO : Adding command: cvcluster
INFO : Adding command: noop
INFO : Completed adding commands accessible to user [cvbackupadmin]
INFO : Successfully set up restricted shell on all nodes in the cluster
The creation sequence is logged in /var/log/commvault/Log_Files/cv_setup_restricted_shell.log.
Result
The cvbackupadmin user will be created with the following capabilities:
|
Command
|
Description / Additional Options
|
|
clear
|
Command to clear the restricted shell screen.
|
|
cvnode
|
Command to administer the local node from where its is invoked, unless a remote node name is specified.
The following options are available for this command:
|
|
$ cvnode --help
usage: cvnode [options] Command options for current node. positional arguments:
{firewall-cmd,airgap,less}
Sub-commands for node operations
firewall-cmd Commands to view Firewall Configuration on the HyperScale node
airgap Commands to manage airgap Configuration on the HyperScale node
less Securely view content from standard input optional arguments:
-h, --help show this help message and exit
--node [ ...]
If not specified, execute on local node. If specified, execute on specified node.
This can be applied to any of the node optional arguments;
Example: [--get_serial_number --node ]
NOTE: Passwordless SSH must be configured for remote nodes.
--get_serial_number Show serial number of the node.
--gethostname Show hostname of the node.
--cat Show only allowed file's content.
Does not support --node option.
--tail [ [ ...]]
Show file content using 'tail' command.
Run [--tail ++help] option to check detailed usage.
Does not support --node option.
--df Executes command 'df -h'.
--sestatus Executes command 'sestatus'. Used to check if ransomware protection is enabled.
--lsblk Executes command 'lsblk'.
--lsscsi Executes command 'lsscsi'.
--lsmod Executes command 'lsmod'.
--fdisk Executes command 'fdisk -l'.
--grep SEARCH_WORD Executes command 'grep -iF SEARCH_WORD -'.
Use it by piping output from other commands.
Does not support --node option.
Sample usage of the command:
1. cvnode --df | cvnode --grep "raidvg"
--commvault SUBCOMMAND
Executes command 'commvault (list|status|start|restart|start_services|stop)'.
'start_services' subcommand can be used to start services as OS update does.
--dmidecode Executes command 'dmidecode -t system'.
--date Executes command 'date'.
--netstat Executes command 'netstat -rn'.
--blkid Executes command 'blkid'.
--mount Executes command 'mount'.
--uname Executes command 'uname -a'.
--rpm Executes command 'rpm -qa'.
--ulimit Executes command 'ulimit -a'.
--uptime Executes command 'uptime'.
--resume_protection Sets the node in enforcing mode.
--ping IP/Hostname Executes command 'ping IP/Hostname'. Does not support --node option.
--nslookup IP/Hostname
Executes command 'nslookup IP/Hostname'. Does not support --node option.
--change_password Change cvbackupadmin user password for local node.
--network_stats Display Network performance stats from current node to node(--node).
--enable_protection Enable Ransomware Protection on local node.
--safe_reboot [verbose= [restart= ...]]
Initiates safe reboot on local node.
--lastreboot_resume [verbose= [verbose= ...]]
Resumes previous failed safe reboot operation if one exists.
--lastreboot_status Displays status of currently running or recently Failed/successful safe reboot operation.
--safe_shutdown [manual_resume= [enable_root_access= verbose= restart= ...]]
Initiates safe shutdown on local node.
--lastshutdown_resume [verbose= [verbose= ...]]
Resumes previous failed safe shutdown operation if one exists.
--lastshutdown_status
Displays status of currently running or recently Failed/successful safe shutdown operation.
--cds SUBCOMMAND Shows cds related information. use --cds help to get more information.
--set_ire_csdp_interfaces [interfaces= [interfaces= ...]]
Provide comma seperated list of interfaces to use as IRE CSDP interfaces.
Example: --set_ire_csdp_interfaces interfaces=enpsf1,enpsf1,...
Possible values for interfaces= include a list of interfaces like enpsf1,enpsf2,enpsf3
OR single interface like enpsf1
OR empty list like intefaces=
Provide empty list to unset IRE CSDP nw.
All interfaces provided in the list should be of Data Protection type.
--display_airgap_configuration
Display Airgap Configuration.
--is_migrated Check if the node is migrated to HyperScale 3.x.
|
|
cvcluster
|
Command to administer all the nodes in a cluster.
The following options are available for this command:
|
|
$ cvcluster --help
usage: hs_cluster [options] These actions are preformed across the entire cluster, for each and every node. positional arguments:
{airgap} Sub-commands for cluster operations
airgap Commands to manage airgap Configuration on the HyperScale cluster optional arguments:
-h, --help show this help message and exit
--node NODE Provide the list of cluster nodes to operate against.
This can be applied to any of the cluster optional arguments;
Example: [--get_serial_number --cluster --node node1 --node node2 --node node3 etc...
NOTE: Passwordless SSH must be configured for remote nodes.
--get_serial_number Show serial number for each node in the cluster.
--sestatus 'sestatus' command is executed on all nodes and prints output on the screen.
--lsblk 'lsblk' command is executed on all nodes and prints output on the screen.
--lsscsi 'lsscsi' command is executed on all nodes and prints output on the screen.
--lsmod 'lsmod' command is executed on all nodes and prints output on the screen.
--fdisk 'fdisk -l' command is executed on all nodes and prints output on the screen.
--df 'df -h' command is executed on all nodes and prints output on the screen.
--commvault SUBCOMMAND
'cvnode --commvault' command is executed on all nodes and prints output on the screen.
--dmidecode 'dmidecode -t system' command is executed on all nodes and prints output on the screen.
--date 'date' command is executed on all nodes and prints output on the screen.
--netstat 'netstat -rn' command is executed on all nodes and prints output on the screen.
--blkid 'blkid' command is executed on all nodes and prints output on the screen.
--mount 'mount' command is executed on all nodes and prints output on the screen.
--uname 'uname -a' command is executed on all nodes and prints output on the screen.
--rpm 'rpm -qa' command is executed on all nodes and prints output on the screen.
--ulimit 'ulimit -a' command is executed on all nodes and prints output on the screen.
--uptime 'uptime' command is executed on all nodes and prints output on the screen.
--resume_protection Sets Selinux to enforcing mode on all nodes in the cluster.
--get_remote_cache Find which node is the remote cache node of this cluster.
--get_temp_remote_cache
Find which node is the temporary remote cache node of this cluster.
--network_stats Display Network performance stats to all nodes from current node in the cluster.
--enable_protection Enable Ransomware Protection on all nodes in the cluster.
--change_password Change cvbackupadmin user password on all nodes in the cluster.
--cds SUBCOMMAND Shows cds related information from all nodes in the cluster. use --cds help to get more information.
--lift_airgap [startdate= starttime= [window= ...]]
Lifts airgap for provided interval on all nodes of the cluster.
Eg: --lift_airgap startdate=2024-06-11 starttime=11:00 window=5
Default value of startdate when not given is current date.
Default value of starttime when not given is current time.
unit of window value is minute.
window=0 will set airgap.
--set_airgap_probe_frequency [frequency= [frequency= ...]]
CS Probe frequency interval for airgap.
Eg: --set_airgap_probe_frequency frequency=10
unit of frequency value is minute
frequncy value can be any value between [5, 1440]
--set_airgap_min_auxcopy_threshold [threshold= [threshold= ...]]
Minimum threshold data to open airgap for aux copy.
Eg: --set_airgap_min_auxcopy_threshold threshold=2024
unit of threshold value is Megabyte
threshold value can be any value >= 1024
--permanent_airgap [action= [action= ...]]
set and unset Permanent Airgap.
Eg: --permanent_airgap action=set
action value can be one off [set, unset].
action=set will set the cluster in permanent airgap until action=unset.
--list Show all nodes in the cluster.
--safe_reboot [verbose= [restart= silent= ...]]
Initiates safe reboot of cluster.
--lastreboot_resume [verbose= [verbose= ...]]
Resumes previous failed safe reboot operation if one exists.
--lastreboot_status Displays status of currently running or recently Failed/successful safe reboot operation.
--safe_shutdown [manual_resume= [enable_root_access= verbose= restart= silent= ...]]
Initiates safe shutdown of cluster.
--lastshutdown_resume [verbose= [verbose= ...]]
Resumes previous failed safe shutdown operation if one exists.
--lastshutdown_status
Displays status of currently running or recently Failed/successful safe shutdown operation.
--display_airgap_configuration
Display Airgap Configuration.
--enable_https_probe Configure Airgap to use HTTPS probe.
--disable_https_probe
Configure Airgap to use cvfwd probe.
--is_migrated Check if each node in the cluster is migrated to HyperScale 3.x.
|
|
enable_ransomware_protection
|
Command to enable ransomware protection on the nodes.
Reboot the node after enabling ransomware using the following command:
|
|
osupdate
|
Command to upgrade the operating system (OS).
The following options are supported for this command:
|
|
cvupgradeos.py
Updates both CVDS and OS Binaries on all cluster nodes.
cvupgradeos.py -status
Get status of upgraded nodes
cvupgradeos.py -upgrade_hedvig_only
Updates only CVDS Binaries on all nodes.
cvupgradeos.py -upgrade_os_only
Updates only OS Binaries on all nodes
|
|
Note
When the osupdate command is executed without any options, both the CVFS and the OS will be upgraded.
|
|
cvnode --is_migrated
|
Command to verify the migration status.
Execute the following command:
The output appears as follows:
-
On a 2.x node: Migration is not attempted.
-
On a new 3.x node: Migration is not required.
-
On a node with migration not yet completed and reimaged with Rocky during the process: Migrate is in progress.
-
On a node after completion of migration: Migration completed.
|
What to Do Next
Disable root access on the nodes, so that only the restricted user (cvbackupadmin) will be able to login and access the nodes in the cluster.