Create the cvbackupadmin user with limited capabilities or commands needed to administer the nodes and cluster. This user's capabilities will be limited to the set of commands supported by the restricted shell.
Note
The password of the cvbackupadmin user expires for every 60 days. Please change the password periodically for security reasons.
Before You Begin
HyperScale X Reference Architecture security features, which includes Enabling Firewall and Restricting Root Access requires the following minimum version in the CommServe server and the HyperScale MediaAgent:
- Commvault V11 Feature Release 28 , with Maintenance Release 11.28.19 or later
Procedure
-
Login to any one of the nodes in the cluster.
-
Navigate the following folder:
# cd /opt/commvault/MediaAgent
-
Run the script to enable restricted shell using one of the following options:
-
Enable the restricted shell from the cluster level, with a single password for the cvbackupadmin user in all the nodes in the cluster:
# ./cv_setup_restricted_shell.py cluster_level
-
Enable the restricted shell from the node level, with a unique password for the cvbackupadmin user in each node:
# ./cv_setup_restricted_shell.py node_level
-
Change the password for the cvbackupadmin user in each node:
# ./cv_setup_restricted_shell.py passwd_node
Note
The password of the cvbackupadmin user expires every 60 days. You must change the password periodically for security reasons.
-
View the help for the command:
# ./cv_setup_restricted_shell.py -h usage: cv_setup_restricted_shell.py [-h] {cluster_level,node_level,passwd_cluster,upgrade,passwd_node} ... cv_setup_restricted_shell.py creates cvbackupadmin user with restricted shell access. positional arguments: {cluster_level,node_level,passwd_cluster,upgrade,passwd_node} cluster_level Creates cvbackupadmin user with restricted shell access on all nodes in the cluster. node_level Creates cvbackupadmin user with restricted shell access on current node. passwd_cluster Reset the password for cvbackupadmin user on all nodes in the cluster. upgrade Upgrades restricted shell env on current node. passwd_node Reset password for cvbackupadmin user on current node if user exists. optional arguments: -h, --help show this help message and exit
Output similar to the following will be displayed :
INFO : Creation of User [cvbackupadmin] and setting of Password is done only once per node. Requirements for Password are: 1: Length of password should be atleast 8 characters. 2: Password should contain atleast one lowercase alphabet [a-z]. 3: Password should contain atleast one uppercase alphabet [A-Z]. 4: Password should contain atleast one digit [0-9]. 5: Password should contain atleast one non alpha-numeric character from [~!@#?$%]. Password for [cvbackupadmin]: Confirm Password for [cvbackupadmin]:
-
-
Type the password, and re-type to confirm the password for the cvbackupadmin user.
Output similar to the following will be displayed:
INFO : Cluster name: HV000000000000009 INFO : List of Nodes on which Restricted shell will be installed and associated with cvbackupadmin user: mynode002.company.com mynode003.company.com mynode001.company.com INFO : Setting up restricted shell on [node: mynode002.company.com] INFO : Setting up restricted shell on [node: mynode003.company.com] INFO : Setting up restricted shell on [node: mynode001.company.com INFO : Installing restricted shell INFO : Skipping installation of restricted shell, restricted shell is already installed INFO : Checking if user [cvbackupadmin] already exists INFO : Creating backup admin user [cvbackupadmin] INFO : Successfully created backup admin user [cvbackupadmin] INFO : Setting up restricted environment for user [cvbackupadmin] INFO : Completed setting up of restricted environment for user [cvbackupadmin] INFO : Adding commands accessible to user [cvbackupadmin] INFO : Adding command: clear INFO : Adding command: osupdate INFO : Adding command: enable_ransomware_protection INFO : Adding command: hs_node INFO : Adding command: hs_cluster INFO : Adding command: noop INFO : Completed adding commands accessible to user [cvbackupadmin] INFO : Successfully set up restricted shell on all nodes in the cluster
The creation sequence is logged in /var/log/commvault/Log_Files/cv_setup_restricted_shell.log.
Result
The cvbackupadmin user will be created with the following capabilities:
Command |
Description / Additional Options |
---|---|
clear |
Command to clear the restricted shell screen. |
hs_node |
Command to administer the local node from where its is invoked, unless a remote node name is specified. The following options are available for this command: |
|
|
hs_cluster |
Command to administer all the nodes in a cluster. The following options are available for this command: |
|
|
enable_ransomware_protection |
Command to enable ransomware protection on the nodes. Reboot the node after enabling ransomware using the following command:
|
osupdate |
Command to upgrade the operating system (OS). The following options are supported for this command: |
|
|
Note When the osupdate command is executed without any options, both the CDS and the OS will be upgraded. |
What to Do Next
Disable root access on the nodes, so that only the restricted user (cvbackupadmin) will be able to login and access the nodes in the cluster.