From f650c6cfc0ea45b1fa15056ddb47ac998114e7a0 Mon Sep 17 00:00:00 2001 From: Dwight Hodge <79169168+ddhodge@users.noreply.github.com> Date: Tue, 25 Feb 2025 00:44:10 -0500 Subject: [PATCH] [doc][yba] sudo whitelist ynp (#26140) * sudo whitelist * review comment * clarify SSH requirement * format DOC-651 --- .../async-replication/async-deployment.md | 2 +- .../yugabyte-platform/prepare/networking.md | 2 +- .../prepare/server-nodes-software/_index.md | 2 +- .../server-nodes-software/software-on-prem.md | 58 ++++++++++++++++--- .../async-replication/async-deployment.md | 2 +- .../yugabyte-platform/prepare/networking.md | 2 +- .../prepare/server-nodes-software/_index.md | 2 +- .../server-nodes-software/software-on-prem.md | 38 ++++++++++++ .../deploy/multi-dc/async-replication.md | 2 +- .../deploy/multi-dc/async-replication.md | 2 +- .../async-replication/async-deployment.md | 2 +- .../yugabyte-platform/prepare/networking.md | 2 +- .../prepare/server-nodes-software/_index.md | 2 +- .../server-nodes-software/software-on-prem.md | 38 ++++++++++++ .../async-replication/async-deployment.md | 2 +- .../yugabyte-platform/prepare/networking.md | 2 +- .../prepare/server-nodes-software/_index.md | 2 +- .../server-nodes-software/software-on-prem.md | 38 ++++++++++++ 18 files changed, 177 insertions(+), 23 deletions(-) diff --git a/docs/content/preview/deploy/multi-dc/async-replication/async-deployment.md b/docs/content/preview/deploy/multi-dc/async-replication/async-deployment.md index 6b99177da8e8..39dd5cdade52 100644 --- a/docs/content/preview/deploy/multi-dc/async-replication/async-deployment.md +++ b/docs/content/preview/deploy/multi-dc/async-replication/async-deployment.md 
@@ -40,7 +40,7 @@ After you created the required tables, you can set up unidirectional replication ./bin/yb-admin -master_addresses list_tables include_table_id ``` - The preceding command lists all the tables, including system tables. To locate a specific table, you can add `grep`, as follows: + The preceding command lists all the tables, including system tables. To locate a specific table, you can add grep as follows: ```sh ./bin/yb-admin -master_addresses list_tables include_table_id | grep table_name diff --git a/docs/content/preview/yugabyte-platform/prepare/networking.md b/docs/content/preview/yugabyte-platform/prepare/networking.md index e6b0e5ec6391..800a0795f6a1 100644 --- a/docs/content/preview/yugabyte-platform/prepare/networking.md +++ b/docs/content/preview/yugabyte-platform/prepare/networking.md 
@@ -23,7 +23,7 @@ The following ports need to be open. | From | To | Requirements | | :--- | :--- | :--- | | DB nodes | DB nodes | Open the following ports for communication between nodes in clusters. They do not need to be exposed to your application. For universes with [Node-to-Node encryption in transit](../../security/enable-encryption-in-transit/), communication over these ports is encrypted. | -| YBA node | DB nodes | Open the following ports on database cluster nodes so that YugabyteDB Anywhere can provision them.SSH is not required after initial setup and configuration, but is recommended for subsequent troubleshooting. If you disallow SSH entirely, you must manually set up each DB node (see [Provisioning on-premises nodes](../server-nodes-software/software-on-prem-manual/)). | +| YBA node | DB nodes | Open the following ports on database cluster nodes so that YugabyteDB Anywhere can provision them. | | Application | DB nodes | Open the following ports on database cluster nodes so that applications can connect via APIs. For universes with [Client-to-Node encryption in transit](../../security/enable-encryption-in-transit/), communication over these ports is encrypted. Universes can also be configured with database [authorization](../../security/authorization-platform/) and [authentication](../../security/authentication/) to manage access. | | DB nodes | YBA node | Open the following port on the YugabyteDB Anywhere node so that node agents can communicate. | | Operator | YBA node | Open the following ports on the YugabyteDB Anywhere node so that administrators can access the YBA UI and monitor the system and node metrics. These ports are also used by standby YBA instances in [high availability](../../administer-yugabyte-platform/high-availability/) setups.Port 5432 serves a local PostgreSQL instance, and is not exposed outside of localhost.
Port 6433 serves built-in connection pooling (if enabled). | diff --git a/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/_index.md b/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/_index.md index c8f221099b96..e5a030b748aa 100644 --- a/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/_index.md +++ b/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/_index.md @@ -36,7 +36,7 @@ AlmaLinux OS 8 disk images are used by default, but you can specify a custom dis YugabyteDB Anywhere requires the following additional software to be pre-installed on nodes: -- OpenSSH Server. Allowing SSH is recommended but optional. Using SSH can be skipped in some on-premises deployment approaches; all other workflows require it. [Tectia SSH](../../create-deployments/connect-to-universe/#enable-tectia-ssh) is also supported. +- OpenSSH Server. Allowing SSH is optional. Using SSH is required in some [legacy on-premises deployment](../server-nodes-software/software-on-prem-legacy/) approaches. [Tectia SSH](../../create-deployments/connect-to-universe/#enable-tectia-ssh) is also supported. - tar - unzip - policycoreutils-python-utils diff --git a/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md b/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md index fc884f76c13d..84812af42ff7 100644 --- a/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md +++ b/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md 
@@ -136,27 +136,67 @@ The following options are used for logging the provisioning itself. | `logging directory` | Set the directory where node provisioning log files will be stored. | | `logging file` | Name of the node provisioning log file. | +### Preflight check + +Run the preflight checks either as a root user, or via sudo as follows: + +```sh +sudo ./node-agent-provision.sh --preflight_check +``` + +Address any issues highlighted by the preflight checks. + ### Run the provisioning script -1. Run the preflight checks either as a root user, or via sudo as follows: +When the preflight checks pass, run the script either as a root user, or via sudo as follows: + +```sh +sudo ./node-agent-provision.sh +``` + +The script provisions the node and installs node agent. + +If specified, node agent creates the on-premises provider configuration; or, if the provider already exists, adds the instance to the provider. + +After the node is provisioned, YugabyteDB Anywhere does not need sudo access to the node. + +## sudo whitelist + +If security restrictions require you to explicitly list the commands that you'll be running as root under sudo, you can add the following commands to the sudo whitelist: + +```sh +sudo ./node-agent-provision.sh --preflight_check +sudo ./node-agent-provision.sh +``` + +The underlying fine-grained commands that the script runs during provisioning depend on the version of YugabyteDB Anywhere, and are updated as newer capabilities are incorporated. + +To audit the commands that are run by the script, do the following: + +1. [Run the preflight check](#preflight-check). + + The preflight check renders templates containing all the bash commands that the script will execute for provisioning. + +1. Identify the rendered templates using grep as follows: ```sh - sudo ./node-agent-provision.sh --preflight_check + sudo ./node-agent-provision.sh --preflight_check 2>&1 | grep "INFO - /tmp/tmp.*$" ``` -1. Address any issues highlighted by the preflight checks. 
+ You should see output similar to the following: -1. When the preflight checks pass, run the script either as a root user, or via sudo as follows: + ```output + 2025-02-20 23:01:37,290 - commands.provision_command - INFO - /tmp/tmp0ey61a1c - ```sh - sudo ./node-agent-provision.sh + 2025-02-20 23:01:37,290 - commands.provision_command - INFO - /tmp/tmppri1g4r_ ``` -The script provisions the node and installs node agent. +1. Use `cat` or any other CLI tool to inspect the content of these files to understand the code that the script will execute when provisioning a node. -If specified, node agent creates the on-premises provider configuration; or, if the provider already exists, adds the instance to the provider. + - The first file in the log is the precheck template. + - The second file in the log is the actual execution template. -After the node is provisioned, YugabyteDB Anywhere does not need sudo access to the node. + Note that these files are specific to the operating system and YugabyteDB Anywhere release, and can vary between releases. ## Next steps diff --git a/docs/content/stable/deploy/multi-dc/async-replication/async-deployment.md b/docs/content/stable/deploy/multi-dc/async-replication/async-deployment.md index 21d9540d5530..fcf27ce0515c 100644 --- a/docs/content/stable/deploy/multi-dc/async-replication/async-deployment.md +++ b/docs/content/stable/deploy/multi-dc/async-replication/async-deployment.md @@ -38,7 +38,7 @@ After you created the required tables, you can set up unidirectional replication ./bin/yb-admin -master_addresses list_tables include_table_id ``` - The preceding command lists all the tables, including system tables. To locate a specific table, you can add `grep`, as follows: + The preceding command lists all the tables, including system tables. To locate a specific table, you can add grep as follows: ```sh ./bin/yb-admin -master_addresses list_tables include_table_id | grep table_name 
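Review bot: the async-deployment.md / async-replication.md hunks (the same one-line change in preview, stable, v2.14, v2.18, v2.20 and v2024.1) only turn "you can add `grep`, as follows" into "you can add grep as follows", which drops the code font from a command name while the software-on-prem.md hunks in this same patch keep `cat` in backticks ("Use `cat` or any other CLI tool to inspect"). Unless a docs style rule says command names are plain text, keep `grep` in backticks and drop only the stray comma, so six branches are not touched for a change that makes the command-name convention less consistent.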
diff --git a/docs/content/stable/yugabyte-platform/prepare/networking.md b/docs/content/stable/yugabyte-platform/prepare/networking.md index f6920932b9a6..7a7d9e8b2e59 100644 --- a/docs/content/stable/yugabyte-platform/prepare/networking.md +++ b/docs/content/stable/yugabyte-platform/prepare/networking.md @@ -23,7 +23,7 @@ The following ports need to be open. | From | To | Requirements | | :--- | :--- | :--- | | DB nodes | DB nodes | Open the following ports for communication between nodes in clusters. They do not need to be exposed to your application. For universes with [Node-to-Node encryption in transit](../../security/enable-encryption-in-transit/), communication over these ports is encrypted.
  • 7000 - YB-Master HTTP(S)
  • 7100 - YB-Master RPC
  • 9000 - YB-TServer HTTP(S)
  • 9100 - YB-TServer RPC
  • 18018 - YB Controller RPC
| -| YBA node | DB nodes | Open the following ports on database cluster nodes so that YugabyteDB Anywhere can provision them.
  • 22 - SSH
  • 5433 - YSQL server
  • 7000/7100 - YB-Master HTTP/RPC
  • 9000/9100 - YB-TServer HTTP/RPC
  • 9042 - YCQL server
  • 9070 - Node agent RPC
  • 9300 - Prometheus Node Exporter HTTP
  • 12000 - YCQL API
  • 13000 - YSQL API
  • 18018 - YB Controller RPC
SSH is not required after initial setup and configuration, but is recommended for subsequent troubleshooting. If you disallow SSH entirely, you must manually set up each DB node (see [Provisioning on-premises nodes](../server-nodes-software/software-on-prem-manual/)). | +| YBA node | DB nodes | Open the following ports on database cluster nodes so that YugabyteDB Anywhere can provision them.
  • 22 - SSH ([legacy provisioning](../server-nodes-software/software-on-prem-legacy/) only)
  • 5433 - YSQL server
  • 7000/7100 - YB-Master HTTP/RPC
  • 9000/9100 - YB-TServer HTTP/RPC
  • 9042 - YCQL server
  • 9070 - Node agent RPC
  • 9300 - Prometheus Node Exporter HTTP
  • 12000 - YCQL API
  • 13000 - YSQL API
  • 18018 - YB Controller RPC
| | Application | DB nodes | Open the following ports on database cluster nodes so that applications can connect via APIs. For universes with [Client-to-Node encryption in transit](../../security/enable-encryption-in-transit/), communication over these ports is encrypted. Universes can also be configured with database [authorization](../../security/authorization-platform/) and [authentication](../../security/authentication/) to manage access.
  • 5433 - YSQL server
  • 9042 - YCQL server
| | DB nodes | YBA node | Open the following port on the YugabyteDB Anywhere node so that node agents can communicate.
  • 443 - HTTPS
| | Operator | YBA node | Open the following ports on the YugabyteDB Anywhere node so that administrators can access the YBA UI and monitor the system and node metrics. These ports are also used by standby YBA instances in [high availability](../../administer-yugabyte-platform/high-availability/) setups.
  • 443 - HTTPS
  • 9090 - Served by Prometheus, for metrics
Port 5432 serves a local PostgreSQL instance, and is not exposed outside of localhost.
Port 6433 serves built-in connection pooling (if enabled). | diff --git a/docs/content/stable/yugabyte-platform/prepare/server-nodes-software/_index.md b/docs/content/stable/yugabyte-platform/prepare/server-nodes-software/_index.md index 870fe5cea076..b62303cba03d 100644 --- a/docs/content/stable/yugabyte-platform/prepare/server-nodes-software/_index.md +++ b/docs/content/stable/yugabyte-platform/prepare/server-nodes-software/_index.md @@ -33,7 +33,7 @@ AlmaLinux OS 8 disk images are used by default, but you can specify a custom dis YugabyteDB Anywhere requires the following additional software to be pre-installed on nodes: -- OpenSSH Server. Allowing SSH is recommended but optional. Using SSH can be skipped in some on-premises deployment approaches; all other workflows require it. [Tectia SSH](../../create-deployments/connect-to-universe/#enable-tectia-ssh) is also supported. +- OpenSSH Server. Allowing SSH is optional. Using SSH is required in some [legacy on-premises deployment](../server-nodes-software/software-on-prem-legacy/) approaches. [Tectia SSH](../../create-deployments/connect-to-universe/#enable-tectia-ssh) is also supported. - tar - unzip - policycoreutils-python-utils diff --git a/docs/content/stable/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md b/docs/content/stable/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md index bc819dd0a507..4bdf974c92fe 100644 --- a/docs/content/stable/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md +++ b/docs/content/stable/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md 
@@ -158,6 +158,44 @@ If specified, node agent creates the on-premises provider configuration; or, if After the node is provisioned, YugabyteDB Anywhere does not need sudo access to the node. +## sudo whitelist + +If security restrictions require you to explicitly list the commands that you'll be running as root under sudo, you can add the following commands to the sudo whitelist: + +```sh +sudo ./node-agent-provision.sh --preflight_check +sudo ./node-agent-provision.sh +``` + +The underlying fine-grained commands that the script runs during provisioning depend on the version of YugabyteDB Anywhere, and are updated as newer capabilities are incorporated. + +To audit the commands that are run by the script, do the following: + +1. [Run the preflight check](#preflight-check). + + The preflight check renders templates containing all the bash commands that the script will execute for provisioning. + +1. Identify the rendered templates using grep as follows: + + ```sh + sudo ./node-agent-provision.sh --preflight_check 2>&1 | grep "INFO - /tmp/tmp.*$" + ``` + + You should see output similar to the following: + + ```output + 2025-02-20 23:01:37,290 - commands.provision_command - INFO - /tmp/tmp0ey61a1c + + 2025-02-20 23:01:37,290 - commands.provision_command - INFO - /tmp/tmppri1g4r_ + ``` + +1. Use `cat` or any other CLI tool to inspect the content of these files to understand the code that the script will execute when provisioning a node. + + - The first file in the log is the precheck template. + - The second file in the log is the actual execution template. + + Note that these files are specific to the operating system and YugabyteDB Anywhere release, and can vary between releases. + ## Next steps If you did not provide details for the provider configuration, you will need to do the following: diff --git a/docs/content/v2.14/deploy/multi-dc/async-replication.md b/docs/content/v2.14/deploy/multi-dc/async-replication.md index 66dd3ae6d654..0420da0a2880 100644 
--- a/docs/content/v2.14/deploy/multi-dc/async-replication.md +++ b/docs/content/v2.14/deploy/multi-dc/async-replication.md @@ -41,7 +41,7 @@ After you created the required tables, you can set up unidirectional replication ./bin/yb-admin -master_addresses list_tables include_table_id ``` - The preceding command lists all the tables, including system tables. To locate a specific table, you can add `grep`, as follows: + The preceding command lists all the tables, including system tables. To locate a specific table, you can add grep as follows: ```sh ./bin/yb-admin -master_addresses list_tables include_table_id | grep table_name diff --git a/docs/content/v2.18/deploy/multi-dc/async-replication.md b/docs/content/v2.18/deploy/multi-dc/async-replication.md index 5a1957b6632b..4947e7579705 100644 --- a/docs/content/v2.18/deploy/multi-dc/async-replication.md +++ b/docs/content/v2.18/deploy/multi-dc/async-replication.md @@ -42,7 +42,7 @@ After you created the required tables, you can set up unidirectional replication ./bin/yb-admin -master_addresses list_tables include_table_id ``` - The preceding command lists all the tables, including system tables. To locate a specific table, you can add `grep`, as follows: + The preceding command lists all the tables, including system tables. To locate a specific table, you can add grep as follows: ```sh ./bin/yb-admin -master_addresses list_tables include_table_id | grep table_name diff --git a/docs/content/v2.20/deploy/multi-dc/async-replication/async-deployment.md b/docs/content/v2.20/deploy/multi-dc/async-replication/async-deployment.md index b89a821734fb..fdea5748a5c7 100644 --- a/docs/content/v2.20/deploy/multi-dc/async-replication/async-deployment.md +++ b/docs/content/v2.20/deploy/multi-dc/async-replication/async-deployment.md 
@@ -38,7 +38,7 @@ After you created the required tables, you can set up unidirectional replication ./bin/yb-admin -master_addresses list_tables include_table_id ``` - The preceding command lists all the tables, including system tables. To locate a specific table, you can add `grep`, as follows: + The preceding command lists all the tables, including system tables. To locate a specific table, you can add grep as follows: ```sh ./bin/yb-admin -master_addresses list_tables include_table_id | grep table_name diff --git a/docs/content/v2.20/yugabyte-platform/prepare/networking.md b/docs/content/v2.20/yugabyte-platform/prepare/networking.md index 3bfeebf4cee1..42f06c16486b 100644 --- a/docs/content/v2.20/yugabyte-platform/prepare/networking.md +++ b/docs/content/v2.20/yugabyte-platform/prepare/networking.md @@ -23,7 +23,7 @@ The following ports need to be open. | From | To | Requirements | | :--- | :--- | :--- | | DB nodes | DB nodes | Open the following ports for communication between nodes in clusters. They do not need to be exposed to your application. For universes with [Node-to-Node encryption in transit](../../security/enable-encryption-in-transit/), communication over these ports is encrypted.
  • 7000 - YB-Master HTTP(S)
  • 7100 - YB-Master RPC
  • 9000 - YB-TServer HTTP(S)
  • 9100 - YB-TServer RPC
  • 18018 - YB Controller RPC
| -| YBA node | DB nodes | Open the following ports on database cluster nodes so that YugabyteDB Anywhere can provision them.
  • 22 - SSH
  • 5433 - YSQL server
  • 7000/7100 - YB-Master HTTP/RPC
  • 9000/9100 - YB-TServer HTTP/RPC
  • 9042 - YCQL server
  • 9070 - Node agent RPC
  • 9300 - Prometheus Node Exporter HTTP
  • 12000 - YCQL API
  • 13000 - YSQL API
  • 18018 - YB Controller RPC
SSH is not required after initial setup and configuration, but is recommended for subsequent troubleshooting. If you disallow SSH entirely, you must manually set up each DB node (see [Provisioning on-premises nodes](../server-nodes-software/software-on-prem-manual/)). | +| YBA node | DB nodes | Open the following ports on database cluster nodes so that YugabyteDB Anywhere can provision them.
  • 22 - SSH ([legacy provisioning](../server-nodes-software/software-on-prem-legacy/) only)
  • 5433 - YSQL server
  • 7000/7100 - YB-Master HTTP/RPC
  • 9000/9100 - YB-TServer HTTP/RPC
  • 9042 - YCQL server
  • 9070 - Node agent RPC
  • 9300 - Prometheus Node Exporter HTTP
  • 12000 - YCQL API
  • 13000 - YSQL API
  • 18018 - YB Controller RPC
| | Application | DB nodes | Open the following ports on database cluster nodes so that applications can connect via APIs. For universes with [Client-to-Node encryption in transit](../../security/enable-encryption-in-transit/), communication over these ports is encrypted. Universes can also be configured with database [authorization](../../security/authorization-platform/) and [authentication](../../security/authentication/) to manage access.
  • 5433 - YSQL server
  • 9042 - YCQL server
| | DB nodes | YBA node | Open the following port on the YugabyteDB Anywhere node so that node agents can communicate.
  • 443 - HTTPS
| | Operator | YBA node | Open the following ports on the YugabyteDB Anywhere node so that administrators can access the YBA UI and monitor the system and node metrics. These ports are also used by standby YBA instances in [high availability](../../administer-yugabyte-platform/high-availability/) setups.
  • 443 - HTTPS
  • 9090 - Served by Prometheus, for metrics
Port 5432 serves a local PostgreSQL instance, and is not exposed outside of localhost.
Port 6433 serves built-in connection pooling (if enabled). | diff --git a/docs/content/v2.20/yugabyte-platform/prepare/server-nodes-software/_index.md b/docs/content/v2.20/yugabyte-platform/prepare/server-nodes-software/_index.md index 9a3716882a87..bdcb003eb4ad 100644 --- a/docs/content/v2.20/yugabyte-platform/prepare/server-nodes-software/_index.md +++ b/docs/content/v2.20/yugabyte-platform/prepare/server-nodes-software/_index.md @@ -33,7 +33,7 @@ AlmaLinux OS 8 disk images are used by default, but you can specify a custom dis YugabyteDB Anywhere requires the following additional software to be pre-installed on nodes: -- OpenSSH Server. Allowing SSH is recommended but optional. Using SSH can be skipped in some on-premises deployment approaches; all other workflows require it. [Tectia SSH](../../create-deployments/connect-to-universe/#enable-tectia-ssh) is also supported. +- OpenSSH Server. Allowing SSH is optional. Using SSH is required in some [legacy on-premises deployment](../server-nodes-software/software-on-prem-legacy/) approaches. [Tectia SSH](../../create-deployments/connect-to-universe/#enable-tectia-ssh) is also supported. - tar - unzip - policycoreutils-python-utils diff --git a/docs/content/v2.20/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md b/docs/content/v2.20/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md index 1890f3d8b00d..e6723d744419 100644 --- a/docs/content/v2.20/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md +++ b/docs/content/v2.20/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md 
@@ -159,6 +159,44 @@ If specified, node agent creates the on-premises provider configuration; or, if After the node is provisioned, YugabyteDB Anywhere does not need sudo access to the node. +## sudo whitelist + +If security restrictions require you to explicitly list the commands that you'll be running as root under sudo, you can add the following commands to the sudo whitelist: + +```sh +sudo ./node-agent-provision.sh --preflight_check +sudo ./node-agent-provision.sh +``` + +The underlying fine-grained commands that the script runs during provisioning depend on the version of YugabyteDB Anywhere, and are updated as newer capabilities are incorporated. + +To audit the commands that are run by the script, do the following: + +1. [Run the preflight check](#preflight-check). + + The preflight check renders templates containing all the bash commands that the script will execute for provisioning. + +1. Identify the rendered templates using grep as follows: + + ```sh + sudo ./node-agent-provision.sh --preflight_check 2>&1 | grep "INFO - /tmp/tmp.*$" + ``` + + You should see output similar to the following: + + ```output + 2025-02-20 23:01:37,290 - commands.provision_command - INFO - /tmp/tmp0ey61a1c + + 2025-02-20 23:01:37,290 - commands.provision_command - INFO - /tmp/tmppri1g4r_ + ``` + +1. Use `cat` or any other CLI tool to inspect the content of these files to understand the code that the script will execute when provisioning a node. + + - The first file in the log is the precheck template. + - The second file in the log is the actual execution template. + + Note that these files are specific to the operating system and YugabyteDB Anywhere release, and can vary between releases. + ## Next steps If you did not provide details for the provider configuration, you will need to do the following: 
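Review bot: the `## sudo whitelist` section added to the stable, v2.20 and v2024.1 copies of software-on-prem.md links to `[Run the preflight check](#preflight-check)`, but these hunks add no `### Preflight check` heading; only the preview copy gains one in this patch (`+### Preflight check`, replacing the old numbered "Run the preflight checks" step). Confirm that heading already exists in those three files, otherwise the `#preflight-check` anchor resolves to nothing and the audit procedure loses its first step. The whitelist entries added here are the same relative-path `sudo ./node-agent-provision.sh --preflight_check` and `sudo ./node-agent-provision.sh` forms as in the preview copy; a sudoers rule has to name the script by an absolute, root-owned, non-writable path for the whitelist to restrict anything, so the wording should say that rather than suggest copying these lines into sudoers as written.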
diff --git a/docs/content/v2024.1/deploy/multi-dc/async-replication/async-deployment.md b/docs/content/v2024.1/deploy/multi-dc/async-replication/async-deployment.md index 7b959d3ab565..d9901df64e68 100644 --- a/docs/content/v2024.1/deploy/multi-dc/async-replication/async-deployment.md +++ b/docs/content/v2024.1/deploy/multi-dc/async-replication/async-deployment.md @@ -38,7 +38,7 @@ After you created the required tables, you can set up unidirectional replication ./bin/yb-admin -master_addresses list_tables include_table_id ``` - The preceding command lists all the tables, including system tables. To locate a specific table, you can add `grep`, as follows: + The preceding command lists all the tables, including system tables. To locate a specific table, you can add grep as follows: ```sh ./bin/yb-admin -master_addresses list_tables include_table_id | grep table_name diff --git a/docs/content/v2024.1/yugabyte-platform/prepare/networking.md b/docs/content/v2024.1/yugabyte-platform/prepare/networking.md index 7e652eea67d6..d517b7b1f990 100644 --- a/docs/content/v2024.1/yugabyte-platform/prepare/networking.md +++ b/docs/content/v2024.1/yugabyte-platform/prepare/networking.md @@ -23,7 +23,7 @@ The following ports need to be open. | From | To | Requirements | | :--- | :--- | :--- | | DB nodes | DB nodes | Open the following ports for communication between nodes in clusters. They do not need to be exposed to your application. For universes with [Node-to-Node encryption in transit](../../security/enable-encryption-in-transit/), communication over these ports is encrypted.
  • 7000 - YB-Master HTTP(S)
  • 7100 - YB-Master RPC
  • 9000 - YB-TServer HTTP(S)
  • 9100 - YB-TServer RPC
  • 18018 - YB Controller RPC
| -| YBA node | DB nodes | Open the following ports on database cluster nodes so that YugabyteDB Anywhere can provision them.
  • 22 - SSH
  • 5433 - YSQL server
  • 7000/7100 - YB-Master HTTP/RPC
  • 9000/9100 - YB-TServer HTTP/RPC
  • 9042 - YCQL server
  • 9070 - Node agent RPC
  • 9300 - Prometheus Node Exporter HTTP
  • 12000 - YCQL API
  • 13000 - YSQL API
  • 18018 - YB Controller RPC
SSH is not required after initial setup and configuration, but is recommended for subsequent troubleshooting. If you disallow SSH entirely, you must manually set up each DB node (see [Provisioning on-premises nodes](../server-nodes-software/software-on-prem-manual/)). | +| YBA node | DB nodes | Open the following ports on database cluster nodes so that YugabyteDB Anywhere can provision them.
  • 22 - SSH ([legacy provisioning](../server-nodes-software/software-on-prem-legacy/) only)
  • 5433 - YSQL server
  • 7000/7100 - YB-Master HTTP/RPC
  • 9000/9100 - YB-TServer HTTP/RPC
  • 9042 - YCQL server
  • 9070 - Node agent RPC
  • 9300 - Prometheus Node Exporter HTTP
  • 12000 - YCQL API
  • 13000 - YSQL API
  • 18018 - YB Controller RPC
| | Application | DB nodes | Open the following ports on database cluster nodes so that applications can connect via APIs. For universes with [Client-to-Node encryption in transit](../../security/enable-encryption-in-transit/), communication over these ports is encrypted. Universes can also be configured with database [authorization](../../security/authorization-platform/) and [authentication](../../security/authentication/) to manage access.
  • 5433 - YSQL server
  • 9042 - YCQL server
| | DB nodes | YBA node | Open the following port on the YugabyteDB Anywhere node so that node agents can communicate.
  • 443 - HTTPS
| | Operator | YBA node | Open the following ports on the YugabyteDB Anywhere node so that administrators can access the YBA UI and monitor the system and node metrics. These ports are also used by standby YBA instances in [high availability](../../administer-yugabyte-platform/high-availability/) setups.
  • 443 - HTTPS
  • 9090 - Served by Prometheus, for metrics
Port 5432 serves a local PostgreSQL instance, and is not exposed outside of localhost. | diff --git a/docs/content/v2024.1/yugabyte-platform/prepare/server-nodes-software/_index.md b/docs/content/v2024.1/yugabyte-platform/prepare/server-nodes-software/_index.md index 7379be89374a..824a7b518ecd 100644 --- a/docs/content/v2024.1/yugabyte-platform/prepare/server-nodes-software/_index.md +++ b/docs/content/v2024.1/yugabyte-platform/prepare/server-nodes-software/_index.md @@ -33,7 +33,7 @@ AlmaLinux OS 8 disk images are used by default, but you can specify a custom dis YugabyteDB Anywhere requires the following additional software to be pre-installed on nodes: -- OpenSSH Server. Allowing SSH is recommended but optional. Using SSH can be skipped in some on-premises deployment approaches; all other workflows require it. [Tectia SSH](../../create-deployments/connect-to-universe/#enable-tectia-ssh) is also supported. +- OpenSSH Server. Allowing SSH is optional. Using SSH is required in some [legacy on-premises deployment](../server-nodes-software/software-on-prem-legacy/) approaches. [Tectia SSH](../../create-deployments/connect-to-universe/#enable-tectia-ssh) is also supported. - tar - unzip - policycoreutils-python-utils diff --git a/docs/content/v2024.1/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md b/docs/content/v2024.1/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md index 881b12b219b5..c5b6a9184b19 100644 --- a/docs/content/v2024.1/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md +++ b/docs/content/v2024.1/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md 
@@ -159,6 +159,44 @@ If specified, node agent creates the on-premises provider configuration; or, if After the node is provisioned, YugabyteDB Anywhere does not need sudo access to the node. +## sudo whitelist + +If security restrictions require you to explicitly list the commands that you'll be running as root under sudo, you can add the following commands to the sudo whitelist: + +```sh +sudo ./node-agent-provision.sh --preflight_check +sudo ./node-agent-provision.sh +``` + +The underlying fine-grained commands that the script runs during provisioning depend on the version of YugabyteDB Anywhere, and are updated as newer capabilities are incorporated. + +To audit the commands that are run by the script, do the following: + +1. [Run the preflight check](#preflight-check). + + The preflight check renders templates containing all the bash commands that the script will execute for provisioning. + +1. Identify the rendered templates using grep as follows: + + ```sh + sudo ./node-agent-provision.sh --preflight_check 2>&1 | grep "INFO - /tmp/tmp.*$" + ``` + + You should see output similar to the following: + + ```output + 2025-02-20 23:01:37,290 - commands.provision_command - INFO - /tmp/tmp0ey61a1c + + 2025-02-20 23:01:37,290 - commands.provision_command - INFO - /tmp/tmppri1g4r_ + ``` + +1. Use `cat` or any other CLI tool to inspect the content of these files to understand the code that the script will execute when provisioning a node. + + - The first file in the log is the precheck template. + - The second file in the log is the actual execution template. + + Note that these files are specific to the operating system and YugabyteDB Anywhere release, and can vary between releases. + ## Next steps If you did not provide details for the provider configuration, you will need to do the following:
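Review bot: the preview networking.md hunk replaces the `YBA node | DB nodes` row with a sentence that carries no port list and says nothing about SSH, while the stable, v2.20 and v2024.1 hunks of the same row keep the list and change port 22 to `22 - SSH ([legacy provisioning](../server-nodes-software/software-on-prem-legacy/) only)`. Either the preview row lost its port list in this change or it needs the same `legacy provisioning only` annotation; as committed, the preview page no longer explains why port 22 appears at all. All four hunks also delete the sentence "SSH is not required after initial setup and configuration, but is recommended for subsequent troubleshooting" without replacing it. If node-agent provisioning makes SSH optional, the row (or the linked legacy page) should still state the trade-off explicitly: leaving 22 closed means operators need another path onto the node for troubleshooting, and the old text at least said that.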
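Review bot: the new OpenSSH Server bullet in `_index.md` (all four copies) reads "Allowing SSH is optional. Using SSH is required in some [legacy on-premises deployment](../server-nodes-software/software-on-prem-legacy/) approaches", which contradicts itself within two sentences; suggest "SSH is required only by the [legacy on-premises provisioning](...) flow and is otherwise optional." The link target `software-on-prem-legacy/` is new in this patch (the deleted text in networking.md linked `software-on-prem-manual/` instead), and the file list in the header shows no `software-on-prem-legacy.md` being added or renamed, so confirm that page exists in every branch this patch touches or the link will dangle. Minor: the path is written from inside `server-nodes-software/`, so `../server-nodes-software/software-on-prem-legacy/` can be simply `./software-on-prem-legacy/`.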
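Review bot: in the preview software-on-prem.md hunk, the `## sudo whitelist` section tells the reader to add `sudo ./node-agent-provision.sh --preflight_check` and `sudo ./node-agent-provision.sh` to the sudo whitelist, but a sudoers command entry must use the command's absolute path, and a rule that points at a script the invoking user can modify is equivalent to unrestricted root, because the user can edit the file before sudo runs it. Suggest instructing the reader to copy the script to a fixed root-owned, non-writable location and write the rule against that path, for example `yugabyte ALL=(root) NOPASSWD: /opt/yugabyte/node-agent-provision.sh` (user and path are placeholders); a sudoers command listed without arguments already permits any arguments, so one entry covers both the `--preflight_check` run and the provisioning run. The audit procedure needs one caveat: the `--preflight_check` run renders templates into the files reported by the `INFO - /tmp/tmp...` log lines, but the later `sudo ./node-agent-provision.sh` run renders fresh copies, so the text should say the inspected files show what this script version will run on this OS, not that the inspected files themselves are what executes; the closing "can vary between releases" sentence covers version drift but not the re-render. Minor: in `grep "INFO - /tmp/tmp.*$"` the `.*$` is redundant; `grep "INFO - /tmp/tmp"` matches the same lines.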