From 2f45be0eb427e88849a0c4ecb179e5db535db30c Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Thu, 20 Feb 2025 22:01:04 -0500 Subject: [PATCH 1/4] sudo whitelist --- .../server-nodes-software/software-on-prem.md | 59 ++++++++++++++++--- 1 file changed, 50 insertions(+), 9 deletions(-) diff --git a/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md b/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md index fc884f76c13..a86c236fa8c 100644 --- a/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md +++ b/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md 
@@ -136,27 +136,68 @@ The following options are used for logging the provisioning itself. | `logging directory` | Set the directory where node provisioning log files will be stored. | | `logging file` | Name of the node provisioning log file. | +### Preflight check + +Run the preflight checks either as a root user, or via sudo as follows: + +```sh +sudo ./node-agent-provision.sh --preflight_check +``` + +Address any issues highlighted by the preflight checks. + ### Run the provisioning script -1. Run the preflight checks either as a root user, or via sudo as follows: +When the preflight checks pass, run the script either as a root user, or via sudo as follows: + +```sh +sudo ./node-agent-provision.sh +``` + +The script provisions the node and installs node agent. + +If specified, node agent creates the on-premises provider configuration; or, if the provider already exists, adds the instance to the provider. + +After the node is provisioned, YugabyteDB Anywhere does not need sudo access to the node. + +## sudo whitelist + +If you need to create a sudo whitelist for the user executing the preflight check and provisioning script, you can add the following commands to the sudo whitelist: + +```sh +sudo ./node-agent-provision.sh --preflight_check +sudo ./node-agent-provision.sh +``` + +The underlying fine-grained commands that the script runs during provisioning depends upon the version of YugabyteDB Anywhere, and is updated as newer capabilities are incorporated. + +To audit the commands that are run by the script, follow the steps: + +1. [Run the preflight check](#preflight-check). + + The preflight check renders templates containing all the bash commands that the script will execute for provisioning. + +1. Identify the rendered templates using `grep` as follows: ```sh - sudo ./node-agent-provision.sh --preflight_check + sudo ./node-agent-provision.sh --preflight_check 2>&1 | grep "INFO - /tmp/tmp.*$" ``` -1. Address any issues highlighted by the preflight checks. 
+ You should see output similar to the following: -1. When the preflight checks pass, run the script either as a root user, or via sudo as follows: + ```output + 2025-02-20 23:01:37,290 - commands.provision_command - INFO - /tmp/tmp0ey61a1c - ```sh - sudo ./node-agent-provision.sh + 2025-02-20 23:01:37,290 - commands.provision_command - INFO - /tmp/tmppri1g4r_ ``` -The script provisions the node and installs node agent. +1. Use `cat` or any other CLI tool to inspect the content of these files to understand the code that the script will execute when provisioning a node. -If specified, node agent creates the on-premises provider configuration; or, if the provider already exists, adds the instance to the provider. + The first file in the log is the precheck template. -After the node is provisioned, YugabyteDB Anywhere does not need sudo access to the node. + The second file in the log is the actual execution template. + +Note that these files are specific to the operating system and YugabyteDB Anywhere release, and can vary between releases. ## Next steps From 7188312786fc058a65cf6a03e57f29260dbe0402 Mon Sep 17 00:00:00 2001 From: Dwight Hodge Date: Fri, 21 Feb 2025 16:04:18 -0500 Subject: [PATCH 2/4] review comment --- .../server-nodes-software/software-on-prem.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md b/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md index a86c236fa8c..f92e00c6061 100644 --- a/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md +++ b/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md 
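Review bot: In the `## sudo whitelist` audit steps, the one-liner `sudo ./node-agent-provision.sh --preflight_check 2>&1 | grep "INFO - /tmp/tmp.*$"` throws away every line of the preflight output that is not a template path, so a preflight failure in this step would go unnoticed; suggest running the preflight to a saved log first and grepping that, or piping through `tee` so the full output stays visible. The text also says the rendered files show "the code that the script will execute when provisioning a node", but the paths in the sample output are random `/tmp/tmp*` names produced by the preflight run, and the hunk does not say whether the later `sudo ./node-agent-provision.sh` run reuses those exact files or renders its own; please state which, because an audit that feeds a sudo allowlist only holds if what was inspected is what gets executed.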
@@ -162,16 +162,16 @@ After the node is provisioned, YugabyteDB Anywhere does not need sudo access to ## sudo whitelist -If you need to create a sudo whitelist for the user executing the preflight check and provisioning script, you can add the following commands to the sudo whitelist: +If security restrictions require you to explicitly list the commands that you'll be running as root under sudo, you can add the following commands to the sudo whitelist: ```sh sudo ./node-agent-provision.sh --preflight_check sudo ./node-agent-provision.sh ``` -The underlying fine-grained commands that the script runs during provisioning depends upon the version of YugabyteDB Anywhere, and is updated as newer capabilities are incorporated. +The underlying fine-grained commands that the script runs during provisioning depend on the version of YugabyteDB Anywhere, and are updated as newer capabilities are incorporated. -To audit the commands that are run by the script, follow the steps: +To audit the commands that are run by the script, do the following: 1. [Run the preflight check](#preflight-check). @@ -193,11 +193,10 @@ To audit the commands that are run by the script, follow the steps: 1. Use `cat` or any other CLI tool to inspect the content of these files to understand the code that the script will execute when provisioning a node. - The first file in the log is the precheck template. + - The first file in the log is the precheck template. + - The second file in the log is the actual execution template. - The second file in the log is the actual execution template. - -Note that these files are specific to the operating system and YugabyteDB Anywhere release, and can vary between releases. + Note that these files are specific to the operating system and YugabyteDB Anywhere release, and can vary between releases. ## Next steps From 45acc655dd12a1e0beadbc40114a55a5f1497de2 Mon Sep 17 00:00:00 2001 
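Review bot: The two entries offered for the sudo whitelist in the `## sudo whitelist` section, `sudo ./node-agent-provision.sh --preflight_check` and `sudo ./node-agent-provision.sh`, cannot be used in a sudoers rule as written: a sudoers command specification takes the fully qualified path of the command (optionally followed by its arguments) and does not include the `sudo` prefix, and a relative `./` path matches nothing. Suggest giving the absolute install path of `node-agent-provision.sh` with the two argument forms, and adding that the script (and the templates it renders) must be owned by root and not writable by the invoking user, since otherwise listing the script is equivalent to granting unrestricted root.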
From: Dwight Hodge Date: Fri, 21 Feb 2025 16:28:03 -0500 Subject: [PATCH 3/4] clarify SSH requirement --- .../yugabyte-platform/prepare/networking.md | 2 +- .../prepare/server-nodes-software/_index.md | 2 +- .../yugabyte-platform/prepare/networking.md | 2 +- .../prepare/server-nodes-software/_index.md | 2 +- .../server-nodes-software/software-on-prem.md | 38 +++++++++++++++++++ .../yugabyte-platform/prepare/networking.md | 2 +- .../prepare/server-nodes-software/_index.md | 2 +- .../server-nodes-software/software-on-prem.md | 38 +++++++++++++++++++ .../yugabyte-platform/prepare/networking.md | 2 +- .../prepare/server-nodes-software/_index.md | 2 +- .../server-nodes-software/software-on-prem.md | 38 +++++++++++++++++++ 11 files changed, 122 insertions(+), 8 deletions(-) diff --git a/docs/content/preview/yugabyte-platform/prepare/networking.md b/docs/content/preview/yugabyte-platform/prepare/networking.md index e6b0e5ec639..800a0795f6a 100644 --- a/docs/content/preview/yugabyte-platform/prepare/networking.md +++ b/docs/content/preview/yugabyte-platform/prepare/networking.md @@ -23,7 +23,7 @@ The following ports need to be open. | From | To | Requirements | | :--- | :--- | :--- | | DB nodes | DB nodes | Open the following ports for communication between nodes in clusters. They do not need to be exposed to your application. For universes with [Node-to-Node encryption in transit](../../security/enable-encryption-in-transit/), communication over these ports is encrypted.
  • 7000 - YB-Master HTTP(S)
  • 7100 - YB-Master RPC
  • 9000 - YB-TServer HTTP(S)
  • 9100 - YB-TServer RPC
  • 18018 - YB Controller RPC
| -| YBA node | DB nodes | Open the following ports on database cluster nodes so that YugabyteDB Anywhere can provision them.
  • 22 - SSH
  • 5433 - YSQL server
  • 7000/7100 - YB-Master HTTP/RPC
  • 9000/9100 - YB-TServer HTTP/RPC
  • 9042 - YCQL server
  • 9070 - Node agent RPC
  • 9300 - Prometheus Node Exporter HTTP
  • 12000 - YCQL API
  • 13000 - YSQL API
  • 18018 - YB Controller RPC
SSH is not required after initial setup and configuration, but is recommended for subsequent troubleshooting. If you disallow SSH entirely, you must manually set up each DB node (see [Provisioning on-premises nodes](../server-nodes-software/software-on-prem-manual/)). | +| YBA node | DB nodes | Open the following ports on database cluster nodes so that YugabyteDB Anywhere can provision them.
  • 22 - SSH ([legacy provisioning](../server-nodes-software/software-on-prem-legacy/) only)
  • 5433 - YSQL server
  • 7000/7100 - YB-Master HTTP/RPC
  • 9000/9100 - YB-TServer HTTP/RPC
  • 9042 - YCQL server
  • 9070 - Node agent RPC
  • 9300 - Prometheus Node Exporter HTTP
  • 12000 - YCQL API
  • 13000 - YSQL API
  • 18018 - YB Controller RPC
| | Application | DB nodes | Open the following ports on database cluster nodes so that applications can connect via APIs. For universes with [Client-to-Node encryption in transit](../../security/enable-encryption-in-transit/), communication over these ports is encrypted. Universes can also be configured with database [authorization](../../security/authorization-platform/) and [authentication](../../security/authentication/) to manage access.
  • 5433 - YSQL server
  • 9042 - YCQL server
| | DB nodes | YBA node | Open the following port on the YugabyteDB Anywhere node so that node agents can communicate.
  • 443 - HTTPS
| | Operator | YBA node | Open the following ports on the YugabyteDB Anywhere node so that administrators can access the YBA UI and monitor the system and node metrics. These ports are also used by standby YBA instances in [high availability](../../administer-yugabyte-platform/high-availability/) setups.
  • 443 - HTTPS
  • 9090 - Served by Prometheus, for metrics
Port 5432 serves a local PostgreSQL instance, and is not exposed outside of localhost.
Port 6433 serves built-in connection pooling (if enabled). | diff --git a/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/_index.md b/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/_index.md index 1c2fd906bf4..c759ca0d1f1 100644 --- a/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/_index.md +++ b/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/_index.md @@ -43,7 +43,7 @@ YugabyteDB Anywhere requires the following additional software to be pre-install Alternately, if you are using the default version of python3, you might be able to install the python3-libselinux package. -- OpenSSH Server. Allowing SSH is recommended but optional. Using SSH can be skipped in some on-premises deployment approaches; all other workflows require it. [Tectia SSH](../../create-deployments/connect-to-universe/#enable-tectia-ssh) is also supported. +- OpenSSH Server. Allowing SSH is optional. Using SSH is required in some [legacy on-premises deployment](../server-nodes-software/software-on-prem-legacy/) approaches. [Tectia SSH](../../create-deployments/connect-to-universe/#enable-tectia-ssh) is also supported. - tar - unzip - policycoreutils-python-utils diff --git a/docs/content/stable/yugabyte-platform/prepare/networking.md b/docs/content/stable/yugabyte-platform/prepare/networking.md index f6920932b9a..7a7d9e8b2e5 100644 --- a/docs/content/stable/yugabyte-platform/prepare/networking.md +++ b/docs/content/stable/yugabyte-platform/prepare/networking.md @@ -23,7 +23,7 @@ The following ports need to be open. | From | To | Requirements | | :--- | :--- | :--- | | DB nodes | DB nodes | Open the following ports for communication between nodes in clusters. They do not need to be exposed to your application. For universes with [Node-to-Node encryption in transit](../../security/enable-encryption-in-transit/), communication over these ports is encrypted.
  • 7000 - YB-Master HTTP(S)
  • 7100 - YB-Master RPC
  • 9000 - YB-TServer HTTP(S)
  • 9100 - YB-TServer RPC
  • 18018 - YB Controller RPC
| -| YBA node | DB nodes | Open the following ports on database cluster nodes so that YugabyteDB Anywhere can provision them.
  • 22 - SSH
  • 5433 - YSQL server
  • 7000/7100 - YB-Master HTTP/RPC
  • 9000/9100 - YB-TServer HTTP/RPC
  • 9042 - YCQL server
  • 9070 - Node agent RPC
  • 9300 - Prometheus Node Exporter HTTP
  • 12000 - YCQL API
  • 13000 - YSQL API
  • 18018 - YB Controller RPC
SSH is not required after initial setup and configuration, but is recommended for subsequent troubleshooting. If you disallow SSH entirely, you must manually set up each DB node (see [Provisioning on-premises nodes](../server-nodes-software/software-on-prem-manual/)). | +| YBA node | DB nodes | Open the following ports on database cluster nodes so that YugabyteDB Anywhere can provision them.
  • 22 - SSH ([legacy provisioning](../server-nodes-software/software-on-prem-legacy/) only)
  • 5433 - YSQL server
  • 7000/7100 - YB-Master HTTP/RPC
  • 9000/9100 - YB-TServer HTTP/RPC
  • 9042 - YCQL server
  • 9070 - Node agent RPC
  • 9300 - Prometheus Node Exporter HTTP
  • 12000 - YCQL API
  • 13000 - YSQL API
  • 18018 - YB Controller RPC
| | Application | DB nodes | Open the following ports on database cluster nodes so that applications can connect via APIs. For universes with [Client-to-Node encryption in transit](../../security/enable-encryption-in-transit/), communication over these ports is encrypted. Universes can also be configured with database [authorization](../../security/authorization-platform/) and [authentication](../../security/authentication/) to manage access.
  • 5433 - YSQL server
  • 9042 - YCQL server
| | DB nodes | YBA node | Open the following port on the YugabyteDB Anywhere node so that node agents can communicate.
  • 443 - HTTPS
| | Operator | YBA node | Open the following ports on the YugabyteDB Anywhere node so that administrators can access the YBA UI and monitor the system and node metrics. These ports are also used by standby YBA instances in [high availability](../../administer-yugabyte-platform/high-availability/) setups.
  • 443 - HTTPS
  • 9090 - Served by Prometheus, for metrics
Port 5432 serves a local PostgreSQL instance, and is not exposed outside of localhost.
Port 6433 serves built-in connection pooling (if enabled). | diff --git a/docs/content/stable/yugabyte-platform/prepare/server-nodes-software/_index.md b/docs/content/stable/yugabyte-platform/prepare/server-nodes-software/_index.md index c8d5ace4e92..d5395065480 100644 --- a/docs/content/stable/yugabyte-platform/prepare/server-nodes-software/_index.md +++ b/docs/content/stable/yugabyte-platform/prepare/server-nodes-software/_index.md @@ -40,7 +40,7 @@ YugabyteDB Anywhere requires the following additional software to be pre-install Alternately, if you are using the default version of python3, you might be able to install the python3-libselinux package. -- OpenSSH Server. Allowing SSH is recommended but optional. Using SSH can be skipped in some on-premises deployment approaches; all other workflows require it. [Tectia SSH](../../create-deployments/connect-to-universe/#enable-tectia-ssh) is also supported. +- OpenSSH Server. Allowing SSH is optional. Using SSH is required in some [legacy on-premises deployment](../server-nodes-software/software-on-prem-legacy/) approaches. [Tectia SSH](../../create-deployments/connect-to-universe/#enable-tectia-ssh) is also supported. - tar - unzip - policycoreutils-python-utils diff --git a/docs/content/stable/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md b/docs/content/stable/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md index bc819dd0a50..644b0fbedcd 100644 --- a/docs/content/stable/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md +++ b/docs/content/stable/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md 
@@ -158,6 +158,44 @@ If specified, node agent creates the on-premises provider configuration; or, if After the node is provisioned, YugabyteDB Anywhere does not need sudo access to the node. +## sudo whitelist + +If security restrictions require you to explicitly list the commands that you'll be running as root under sudo, you can add the following commands to the sudo whitelist: + +```sh +sudo ./node-agent-provision.sh --preflight_check +sudo ./node-agent-provision.sh +``` + +The underlying fine-grained commands that the script runs during provisioning depend on the version of YugabyteDB Anywhere, and are updated as newer capabilities are incorporated. + +To audit the commands that are run by the script, do the following: + +1. [Run the preflight check](#preflight-check). + + The preflight check renders templates containing all the bash commands that the script will execute for provisioning. + +1. Identify the rendered templates using `grep` as follows: + + ```sh + sudo ./node-agent-provision.sh --preflight_check 2>&1 | grep "INFO - /tmp/tmp.*$" + ``` + + You should see output similar to the following: + + ```output + 2025-02-20 23:01:37,290 - commands.provision_command - INFO - /tmp/tmp0ey61a1c + + 2025-02-20 23:01:37,290 - commands.provision_command - INFO - /tmp/tmppri1g4r_ + ``` + +1. Use `cat` or any other CLI tool to inspect the content of these files to understand the code that the script will execute when provisioning a node. + + - The first file in the log is the precheck template. + - The second file in the log is the actual execution template. + + Note that these files are specific to the operating system and YugabyteDB Anywhere release, and can vary between releases. + ## Next steps If you did not provide details for the provider configuration, you will need to do the following: diff --git a/docs/content/v2.20/yugabyte-platform/prepare/networking.md b/docs/content/v2.20/yugabyte-platform/prepare/networking.md index 3bfeebf4cee..42f06c16486 100644 
--- a/docs/content/v2.20/yugabyte-platform/prepare/networking.md +++ b/docs/content/v2.20/yugabyte-platform/prepare/networking.md @@ -23,7 +23,7 @@ The following ports need to be open. | From | To | Requirements | | :--- | :--- | :--- | | DB nodes | DB nodes | Open the following ports for communication between nodes in clusters. They do not need to be exposed to your application. For universes with [Node-to-Node encryption in transit](../../security/enable-encryption-in-transit/), communication over these ports is encrypted.
  • 7000 - YB-Master HTTP(S)
  • 7100 - YB-Master RPC
  • 9000 - YB-TServer HTTP(S)
  • 9100 - YB-TServer RPC
  • 18018 - YB Controller RPC
| -| YBA node | DB nodes | Open the following ports on database cluster nodes so that YugabyteDB Anywhere can provision them.
  • 22 - SSH
  • 5433 - YSQL server
  • 7000/7100 - YB-Master HTTP/RPC
  • 9000/9100 - YB-TServer HTTP/RPC
  • 9042 - YCQL server
  • 9070 - Node agent RPC
  • 9300 - Prometheus Node Exporter HTTP
  • 12000 - YCQL API
  • 13000 - YSQL API
  • 18018 - YB Controller RPC
SSH is not required after initial setup and configuration, but is recommended for subsequent troubleshooting. If you disallow SSH entirely, you must manually set up each DB node (see [Provisioning on-premises nodes](../server-nodes-software/software-on-prem-manual/)). | +| YBA node | DB nodes | Open the following ports on database cluster nodes so that YugabyteDB Anywhere can provision them.
  • 22 - SSH ([legacy provisioning](../server-nodes-software/software-on-prem-legacy/) only)
  • 5433 - YSQL server
  • 7000/7100 - YB-Master HTTP/RPC
  • 9000/9100 - YB-TServer HTTP/RPC
  • 9042 - YCQL server
  • 9070 - Node agent RPC
  • 9300 - Prometheus Node Exporter HTTP
  • 12000 - YCQL API
  • 13000 - YSQL API
  • 18018 - YB Controller RPC
| | Application | DB nodes | Open the following ports on database cluster nodes so that applications can connect via APIs. For universes with [Client-to-Node encryption in transit](../../security/enable-encryption-in-transit/), communication over these ports is encrypted. Universes can also be configured with database [authorization](../../security/authorization-platform/) and [authentication](../../security/authentication/) to manage access.
  • 5433 - YSQL server
  • 9042 - YCQL server
| | DB nodes | YBA node | Open the following port on the YugabyteDB Anywhere node so that node agents can communicate.
  • 443 - HTTPS
| | Operator | YBA node | Open the following ports on the YugabyteDB Anywhere node so that administrators can access the YBA UI and monitor the system and node metrics. These ports are also used by standby YBA instances in [high availability](../../administer-yugabyte-platform/high-availability/) setups.
  • 443 - HTTPS
  • 9090 - Served by Prometheus, for metrics
Port 5432 serves a local PostgreSQL instance, and is not exposed outside of localhost.
Port 6433 serves built-in connection pooling (if enabled). | diff --git a/docs/content/v2.20/yugabyte-platform/prepare/server-nodes-software/_index.md b/docs/content/v2.20/yugabyte-platform/prepare/server-nodes-software/_index.md index f3ed5cc17ce..1fedbb91ee9 100644 --- a/docs/content/v2.20/yugabyte-platform/prepare/server-nodes-software/_index.md +++ b/docs/content/v2.20/yugabyte-platform/prepare/server-nodes-software/_index.md @@ -40,7 +40,7 @@ YugabyteDB Anywhere requires the following additional software to be pre-install Alternately, if you are using the default version of python3, you might be able to install the python3-libselinux package. -- OpenSSH Server. Allowing SSH is recommended but optional. Using SSH can be skipped in some on-premises deployment approaches; all other workflows require it. [Tectia SSH](../../create-deployments/connect-to-universe/#enable-tectia-ssh) is also supported. +- OpenSSH Server. Allowing SSH is optional. Using SSH is required in some [legacy on-premises deployment](../server-nodes-software/software-on-prem-legacy/) approaches. [Tectia SSH](../../create-deployments/connect-to-universe/#enable-tectia-ssh) is also supported. - tar - unzip - policycoreutils-python-utils diff --git a/docs/content/v2.20/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md b/docs/content/v2.20/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md index 1890f3d8b00..f877f2ebaa5 100644 --- a/docs/content/v2.20/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md +++ b/docs/content/v2.20/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md 
@@ -159,6 +159,44 @@ If specified, node agent creates the on-premises provider configuration; or, if After the node is provisioned, YugabyteDB Anywhere does not need sudo access to the node. +## sudo whitelist + +If security restrictions require you to explicitly list the commands that you'll be running as root under sudo, you can add the following commands to the sudo whitelist: + +```sh +sudo ./node-agent-provision.sh --preflight_check +sudo ./node-agent-provision.sh +``` + +The underlying fine-grained commands that the script runs during provisioning depend on the version of YugabyteDB Anywhere, and are updated as newer capabilities are incorporated. + +To audit the commands that are run by the script, do the following: + +1. [Run the preflight check](#preflight-check). + + The preflight check renders templates containing all the bash commands that the script will execute for provisioning. + +1. Identify the rendered templates using `grep` as follows: + + ```sh + sudo ./node-agent-provision.sh --preflight_check 2>&1 | grep "INFO - /tmp/tmp.*$" + ``` + + You should see output similar to the following: + + ```output + 2025-02-20 23:01:37,290 - commands.provision_command - INFO - /tmp/tmp0ey61a1c + + 2025-02-20 23:01:37,290 - commands.provision_command - INFO - /tmp/tmppri1g4r_ + ``` + +1. Use `cat` or any other CLI tool to inspect the content of these files to understand the code that the script will execute when provisioning a node. + + - The first file in the log is the precheck template. + - The second file in the log is the actual execution template. + + Note that these files are specific to the operating system and YugabyteDB Anywhere release, and can vary between releases. + ## Next steps If you did not provide details for the provider configuration, you will need to do the following: diff --git a/docs/content/v2024.1/yugabyte-platform/prepare/networking.md b/docs/content/v2024.1/yugabyte-platform/prepare/networking.md index 7e652eea67d..d517b7b1f99 100644 
--- a/docs/content/v2024.1/yugabyte-platform/prepare/networking.md +++ b/docs/content/v2024.1/yugabyte-platform/prepare/networking.md @@ -23,7 +23,7 @@ The following ports need to be open. | From | To | Requirements | | :--- | :--- | :--- | | DB nodes | DB nodes | Open the following ports for communication between nodes in clusters. They do not need to be exposed to your application. For universes with [Node-to-Node encryption in transit](../../security/enable-encryption-in-transit/), communication over these ports is encrypted.
  • 7000 - YB-Master HTTP(S)
  • 7100 - YB-Master RPC
  • 9000 - YB-TServer HTTP(S)
  • 9100 - YB-TServer RPC
  • 18018 - YB Controller RPC
| -| YBA node | DB nodes | Open the following ports on database cluster nodes so that YugabyteDB Anywhere can provision them.
  • 22 - SSH
  • 5433 - YSQL server
  • 7000/7100 - YB-Master HTTP/RPC
  • 9000/9100 - YB-TServer HTTP/RPC
  • 9042 - YCQL server
  • 9070 - Node agent RPC
  • 9300 - Prometheus Node Exporter HTTP
  • 12000 - YCQL API
  • 13000 - YSQL API
  • 18018 - YB Controller RPC
SSH is not required after initial setup and configuration, but is recommended for subsequent troubleshooting. If you disallow SSH entirely, you must manually set up each DB node (see [Provisioning on-premises nodes](../server-nodes-software/software-on-prem-manual/)). | +| YBA node | DB nodes | Open the following ports on database cluster nodes so that YugabyteDB Anywhere can provision them.
  • 22 - SSH ([legacy provisioning](../server-nodes-software/software-on-prem-legacy/) only)
  • 5433 - YSQL server
  • 7000/7100 - YB-Master HTTP/RPC
  • 9000/9100 - YB-TServer HTTP/RPC
  • 9042 - YCQL server
  • 9070 - Node agent RPC
  • 9300 - Prometheus Node Exporter HTTP
  • 12000 - YCQL API
  • 13000 - YSQL API
  • 18018 - YB Controller RPC
| | Application | DB nodes | Open the following ports on database cluster nodes so that applications can connect via APIs. For universes with [Client-to-Node encryption in transit](../../security/enable-encryption-in-transit/), communication over these ports is encrypted. Universes can also be configured with database [authorization](../../security/authorization-platform/) and [authentication](../../security/authentication/) to manage access.
  • 5433 - YSQL server
  • 9042 - YCQL server
| | DB nodes | YBA node | Open the following port on the YugabyteDB Anywhere node so that node agents can communicate.
  • 443 - HTTPS
| | Operator | YBA node | Open the following ports on the YugabyteDB Anywhere node so that administrators can access the YBA UI and monitor the system and node metrics. These ports are also used by standby YBA instances in [high availability](../../administer-yugabyte-platform/high-availability/) setups.
  • 443 - HTTPS
  • 9090 - Served by Prometheus, for metrics
Port 5432 serves a local PostgreSQL instance, and is not exposed outside of localhost. | diff --git a/docs/content/v2024.1/yugabyte-platform/prepare/server-nodes-software/_index.md b/docs/content/v2024.1/yugabyte-platform/prepare/server-nodes-software/_index.md index ff9c0118f89..cf1f2b0dc6e 100644 --- a/docs/content/v2024.1/yugabyte-platform/prepare/server-nodes-software/_index.md +++ b/docs/content/v2024.1/yugabyte-platform/prepare/server-nodes-software/_index.md @@ -40,7 +40,7 @@ YugabyteDB Anywhere requires the following additional software to be pre-install Alternately, if you are using the default version of python3, you might be able to install the python3-libselinux package. -- OpenSSH Server. Allowing SSH is recommended but optional. Using SSH can be skipped in some on-premises deployment approaches; all other workflows require it. [Tectia SSH](../../create-deployments/connect-to-universe/#enable-tectia-ssh) is also supported. +- OpenSSH Server. Allowing SSH is optional. Using SSH is required in some [legacy on-premises deployment](../server-nodes-software/software-on-prem-legacy/) approaches. [Tectia SSH](../../create-deployments/connect-to-universe/#enable-tectia-ssh) is also supported. - tar - unzip - policycoreutils-python-utils diff --git a/docs/content/v2024.1/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md b/docs/content/v2024.1/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md index 881b12b219b..6bcaa98b79f 100644 --- a/docs/content/v2024.1/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md +++ b/docs/content/v2024.1/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md 
@@ -159,6 +159,44 @@ If specified, node agent creates the on-premises provider configuration; or, if After the node is provisioned, YugabyteDB Anywhere does not need sudo access to the node. +## sudo whitelist + +If security restrictions require you to explicitly list the commands that you'll be running as root under sudo, you can add the following commands to the sudo whitelist: + +```sh +sudo ./node-agent-provision.sh --preflight_check +sudo ./node-agent-provision.sh +``` + +The underlying fine-grained commands that the script runs during provisioning depend on the version of YugabyteDB Anywhere, and are updated as newer capabilities are incorporated. + +To audit the commands that are run by the script, do the following: + +1. [Run the preflight check](#preflight-check). + + The preflight check renders templates containing all the bash commands that the script will execute for provisioning. + +1. Identify the rendered templates using `grep` as follows: + + ```sh + sudo ./node-agent-provision.sh --preflight_check 2>&1 | grep "INFO - /tmp/tmp.*$" + ``` + + You should see output similar to the following: + + ```output + 2025-02-20 23:01:37,290 - commands.provision_command - INFO - /tmp/tmp0ey61a1c + + 2025-02-20 23:01:37,290 - commands.provision_command - INFO - /tmp/tmppri1g4r_ + ``` + +1. Use `cat` or any other CLI tool to inspect the content of these files to understand the code that the script will execute when provisioning a node. + + - The first file in the log is the precheck template. + - The second file in the log is the actual execution template. + + Note that these files are specific to the operating system and YugabyteDB Anywhere release, and can vary between releases. + ## Next steps If you did not provide details for the provider configuration, you will need to do the following: From 2b84f0bb1cbb343e6444dd54754ba92e6aeb3f63 Mon Sep 17 00:00:00 2001 
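Review bot: The `networking.md` hunks for preview, stable, v2.20 and v2024.1 remove the sentence "SSH is not required after initial setup and configuration, but is recommended for subsequent troubleshooting. If you disallow SSH entirely, you must manually set up each DB node (see ...software-on-prem-manual/)" and replace it with "22 - SSH ([legacy provisioning](../server-nodes-software/software-on-prem-legacy/) only)", so both the troubleshooting guidance and the pointer to manual provisioning disappear without a replacement; a reader can no longer tell whether port 22 is wanted for anything beyond legacy provisioning. Suggest keeping a one-line note on troubleshooting access for the node-agent workflow, and confirming that `software-on-prem-legacy/` exists in all four branches (the `_index.md` hunks link to it as well) now that the old `software-on-prem-manual/` target is gone from the page.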
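Review bot: The `software-on-prem.md` hunks for stable (`@@ -158,6 +158,44 @@`), v2.20 and v2024.1 (`@@ -159,6 +159,44 @@`) add the step "1. [Run the preflight check](#preflight-check)." but do not add the `### Preflight check` heading that PATCH 1/4 introduced for preview; the diffstat shows 38 insertions and no deletions for each of these files, and the unchanged context ("After the node is provisioned, YugabyteDB Anywhere does not need sudo access to the node.") matches the pre-PATCH-1 layout where the preflight command sits inside the numbered list under `### Run the provisioning script`. In those three branches the `#preflight-check` anchor will therefore be dangling; either backport the heading split from PATCH 1/4 or point the link at the section that exists there.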
From: Dwight Hodge Date: Mon, 24 Feb 2025 14:09:04 -0500 Subject: [PATCH 4/4] format DOC-651 --- .../deploy/multi-dc/async-replication/async-deployment.md | 2 +- .../prepare/server-nodes-software/software-on-prem.md | 2 +- .../deploy/multi-dc/async-replication/async-deployment.md | 2 +- .../prepare/server-nodes-software/software-on-prem.md | 2 +- docs/content/v2.14/deploy/multi-dc/async-replication.md | 2 +- docs/content/v2.18/deploy/multi-dc/async-replication.md | 2 +- .../v2.20/deploy/multi-dc/async-replication/async-deployment.md | 2 +- .../prepare/server-nodes-software/software-on-prem.md | 2 +- .../deploy/multi-dc/async-replication/async-deployment.md | 2 +- .../prepare/server-nodes-software/software-on-prem.md | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/content/preview/deploy/multi-dc/async-replication/async-deployment.md b/docs/content/preview/deploy/multi-dc/async-replication/async-deployment.md index 6b99177da8e..39dd5cdade5 100644 --- a/docs/content/preview/deploy/multi-dc/async-replication/async-deployment.md +++ b/docs/content/preview/deploy/multi-dc/async-replication/async-deployment.md @@ -40,7 +40,7 @@ After you created the required tables, you can set up unidirectional replication ./bin/yb-admin -master_addresses list_tables include_table_id ``` - The preceding command lists all the tables, including system tables. To locate a specific table, you can add `grep`, as follows: + The preceding command lists all the tables, including system tables. To locate a specific table, you can add grep as follows: ```sh ./bin/yb-admin -master_addresses list_tables include_table_id | grep table_name diff --git a/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md b/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md index f92e00c6061..84812af42ff 100644 --- a/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md 
+++ b/docs/content/preview/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md @@ -177,7 +177,7 @@ To audit the commands that are run by the script, do the following: The preflight check renders templates containing all the bash commands that the script will execute for provisioning. -1. Identify the rendered templates using `grep` as follows: +1. Identify the rendered templates using grep as follows: ```sh sudo ./node-agent-provision.sh --preflight_check 2>&1 | grep "INFO - /tmp/tmp.*$" diff --git a/docs/content/stable/deploy/multi-dc/async-replication/async-deployment.md b/docs/content/stable/deploy/multi-dc/async-replication/async-deployment.md index 21d9540d553..fcf27ce0515 100644 --- a/docs/content/stable/deploy/multi-dc/async-replication/async-deployment.md +++ b/docs/content/stable/deploy/multi-dc/async-replication/async-deployment.md @@ -38,7 +38,7 @@ After you created the required tables, you can set up unidirectional replication ./bin/yb-admin -master_addresses list_tables include_table_id ``` - The preceding command lists all the tables, including system tables. To locate a specific table, you can add `grep`, as follows: + The preceding command lists all the tables, including system tables. To locate a specific table, you can add grep as follows: ```sh ./bin/yb-admin -master_addresses list_tables include_table_id | grep table_name diff --git a/docs/content/stable/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md b/docs/content/stable/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md index 644b0fbedcd..4bdf974c92f 100644 --- a/docs/content/stable/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md +++ b/docs/content/stable/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md 
@@ -175,7 +175,7 @@ To audit the commands that are run by the script, do the following: The preflight check renders templates containing all the bash commands that the script will execute for provisioning. -1. Identify the rendered templates using `grep` as follows: +1. Identify the rendered templates using grep as follows: ```sh sudo ./node-agent-provision.sh --preflight_check 2>&1 | grep "INFO - /tmp/tmp.*$" diff --git a/docs/content/v2.14/deploy/multi-dc/async-replication.md b/docs/content/v2.14/deploy/multi-dc/async-replication.md index 66dd3ae6d65..0420da0a288 100644 --- a/docs/content/v2.14/deploy/multi-dc/async-replication.md +++ b/docs/content/v2.14/deploy/multi-dc/async-replication.md @@ -41,7 +41,7 @@ After you created the required tables, you can set up unidirectional replication ./bin/yb-admin -master_addresses list_tables include_table_id ``` - The preceding command lists all the tables, including system tables. To locate a specific table, you can add `grep`, as follows: + The preceding command lists all the tables, including system tables. To locate a specific table, you can add grep as follows: ```sh ./bin/yb-admin -master_addresses list_tables include_table_id | grep table_name diff --git a/docs/content/v2.18/deploy/multi-dc/async-replication.md b/docs/content/v2.18/deploy/multi-dc/async-replication.md index 5a1957b6632..4947e757970 100644 --- a/docs/content/v2.18/deploy/multi-dc/async-replication.md +++ b/docs/content/v2.18/deploy/multi-dc/async-replication.md 
@@ -42,7 +42,7 @@ After you created the required tables, you can set up unidirectional replication ./bin/yb-admin -master_addresses list_tables include_table_id ``` - The preceding command lists all the tables, including system tables. To locate a specific table, you can add `grep`, as follows: + The preceding command lists all the tables, including system tables. To locate a specific table, you can add grep as follows: ```sh ./bin/yb-admin -master_addresses list_tables include_table_id | grep table_name diff --git a/docs/content/v2.20/deploy/multi-dc/async-replication/async-deployment.md b/docs/content/v2.20/deploy/multi-dc/async-replication/async-deployment.md index b89a821734f..fdea5748a5c 100644 --- a/docs/content/v2.20/deploy/multi-dc/async-replication/async-deployment.md +++ b/docs/content/v2.20/deploy/multi-dc/async-replication/async-deployment.md @@ -38,7 +38,7 @@ After you created the required tables, you can set up unidirectional replication ./bin/yb-admin -master_addresses list_tables include_table_id ``` - The preceding command lists all the tables, including system tables. To locate a specific table, you can add `grep`, as follows: + The preceding command lists all the tables, including system tables. To locate a specific table, you can add grep as follows: ```sh ./bin/yb-admin -master_addresses list_tables include_table_id | grep table_name diff --git a/docs/content/v2.20/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md b/docs/content/v2.20/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md index f877f2ebaa5..e6723d74441 100644 --- a/docs/content/v2.20/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md +++ b/docs/content/v2.20/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md 
@@ -176,7 +176,7 @@ To audit the commands that are run by the script, do the following: The preflight check renders templates containing all the bash commands that the script will execute for provisioning. -1. Identify the rendered templates using `grep` as follows: +1. Identify the rendered templates using grep as follows: ```sh sudo ./node-agent-provision.sh --preflight_check 2>&1 | grep "INFO - /tmp/tmp.*$" diff --git a/docs/content/v2024.1/deploy/multi-dc/async-replication/async-deployment.md b/docs/content/v2024.1/deploy/multi-dc/async-replication/async-deployment.md index 7b959d3ab56..d9901df64e6 100644 --- a/docs/content/v2024.1/deploy/multi-dc/async-replication/async-deployment.md +++ b/docs/content/v2024.1/deploy/multi-dc/async-replication/async-deployment.md @@ -38,7 +38,7 @@ After you created the required tables, you can set up unidirectional replication ./bin/yb-admin -master_addresses list_tables include_table_id ``` - The preceding command lists all the tables, including system tables. To locate a specific table, you can add `grep`, as follows: + The preceding command lists all the tables, including system tables. To locate a specific table, you can add grep as follows: ```sh ./bin/yb-admin -master_addresses list_tables include_table_id | grep table_name diff --git a/docs/content/v2024.1/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md b/docs/content/v2024.1/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md index 6bcaa98b79f..c5b6a9184b1 100644 --- a/docs/content/v2024.1/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md +++ b/docs/content/v2024.1/yugabyte-platform/prepare/server-nodes-software/software-on-prem.md 
@@ -176,7 +176,7 @@ To audit the commands that are run by the script, do the following: The preflight check renders templates containing all the bash commands that the script will execute for provisioning. -1. Identify the rendered templates using `grep` as follows: +1. Identify the rendered templates using grep as follows: ```sh sudo ./node-agent-provision.sh --preflight_check 2>&1 | grep "INFO - /tmp/tmp.*$"
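Review bot: the four `software-on-prem.md` hunks (preview, stable, v2.20, v2024.1) drop the code formatting from `grep` in "Identify the rendered templates using grep as follows", yet the same section still code-formats `cat` in "Use `cat` or any other CLI tool" (visible in the earlier hunk for this file), so the commit leaves the section internally inconsistent. Suggest either keeping `grep` in backticks or applying the same treatment to `cat` in this commit so the convention is uniform; the six `async-replication` hunks make the same change, and there the sentence now names `grep` unformatted while the `yb-admin` invocation immediately below it is in a code block, so the same decision should be applied consistently across all ten files.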