This topic describes the rationale behind specific sudo privilege requirements for virtualizing SAP ASE Databases.

Privilege

Sources

Targets

Rationale

pargs


Required on SolarisRequired on SolarisDelphix attempts to call pargs to discover the arguments of the ASE processes. It needs the name of each running dataserver or backupserver process so that it can try to connect to the instances to gather further information during the discovery process.

ps


Optional on Linux, AIXOptional on Linux, AIX

Delphix attempts to call ps to discover the arguments of the ASE processes. It needs the name of each running dataserver or backupserver process so that it can try to connect to the instances to gather further information during the discovery process.

Unlike Solaris, Delphix can usually determine the arguments without sudo privileges on Linux/AIX. But Delphix will attempt "sudo ps" before attempting a regular ps command, and this could cause locking of the delphix_os account. To avoid locking issues, you can grant sudo ps to delphix_os.


mount/umountNot RequiredRequiredDelphix dynamically mounts and unmounts directories under the provisioning directory during VDB operations. This privilege is required because mount and umount are typically reserved for superuser.
nfsoNot RequiredRequired on AIXDelphix monitors NFS read and write sizes on an AIX target host. It uses the nfso command to query the sizes in order to optimize NFS performance for VDBs running on the target host. Only a superuser can issue the nfso command.

Default Mount Directory

By default, Delphix mounts the NFS directories for VDBs and staging databases under the toolkit directory. Sudo permissions should be granted to allow the mount/umount commands to execute under these directories unless the dSource is linked using the command-line interface (CLI) and a different NFS mount base is specified. Please refer to the Reference manual for more information on linking the dSource using the CLI and specifying the "mountBase" parameter.

Specify the NOPASSWD qualifier

It is required to specify the NOPASSWD qualifier within the "sudo" configuration file, as shown here: Sudo File Configuration Examples for SAP ASE Environments.  This ensures that the "sudo" command does not demand the entry of a password, even for the "display permissions" (i.e. "sudo -l") command.

Delphix issues "sudo -l" in some scripts to detect if the operating system user has the correct sudo privileges. If it is unable to execute this command, some actions may fail and Delphix will raise an alert suggesting it does not have the correct sudo permissions. Restricting the execution of "sudo -l" by setting “listpw=always” in the “/etc/sudoers” file when the Delphix operating system user is configured to use public key authentication will cause the Delphix operating system user to be prompted for a password which will fail certain Delphix actions. Use a less restrictive setting for listpw than "always" when the Delphix operating system user is using public-key authentication.

SAP ASE and AppData Mount Options
AIX
-o cio,rw,fg,hard,rsize=$nfs_rsize,wsize=$nfs_wsize,nointr,timeo=600,proto=tcp,noacl
HPUX
-o rw,hard,rsize=1048576,wsize=1048576,nointr,timeo=600,proto=tcp,suid
Solaris
-F nfs -o rw,fg,hard,rsize=1048576,wsize=1048576,nointr,timeo=600,proto=tcp,suid,sec=sys

For these platforms, depending on the NFS version used, additional options vers=3 or vers=4.x is added (x varies depending on what that platform supports. e.g. vers=4 or vers=4.1)

Linux (NFSv3)

-t nfs -o rw,fg,hard,rsize=1048576,wsize=1048576,nointr,timeo=600,tcp,noacl,vers=3
Linux (NFSv4)
-t nfs4 -o rw,fg,hard,rsize=1048576,wsize=1048576,nointr,timeo=600,sec=sys,tcp,noacl

(For some flavors of Linux and NFSv4.1, additional optional 'v4.1' is added)

1.  AppData plugins and toolkits have some additional mount options depending on the type of toolkit/plugin.
2. "port=2049" is added for all the platforms.
SAP ASE and AppData unmount options"-f" in most cases. Certain cases, SAP ASE uses "-lf". (Lazy unmount option)

Mount and Unmount Options Subject to Change

Please note that the mount and unmount options listed above are subject to change. For example, if Delphix finds that a certain option improves performance, Delphix may add, remove or change options at anytime. Therefore, it is highly recommended to create the sudo profiles using wildcards that allow any number of options.

Related Topics