Sudo File Configuration Examples for PostgreSQL Environments
Delphix Administration / PostgreSQL Environments and Data Sources / PostgreSQL Support and Requirements / Sudo File Configuration Examples for PostgreSQL Environments

This topic describes the rationale behind specific sudo privilege requirements for virtualizing PostgreSQL Databases.

The sudo configuration exists as /etc/sudoers file.

Requiretty settings

Delphix requires that the requiretty setting be disabled for all Delphix users with sudo privileges.

PrivilegeSourcesTargets and StagingRationale

mkdir/rmdir

Not Required

Required

Delphix dynamically creates and removes directories under the provisioning directory during VDB operations.

mount/umount

Not Required

Required

Delphix dynamically mounts and unmounts directories under the provisioning directory during VDB operations. This privilege is required because mount and unmount are typically reserved for superuser.

Configuring sudo Access on Linux for PostgreSQL Target Environments

Below is the example of sudo configuration file contents as mentioned above for the Postgres environment.

$ vi /etc/sudoers
Defaults:postgres !requiretty
postgres ALL=NOPASSWD:  /bin/mount,/bin/umount,/bin/mkdir,/bin/rmdir

Example 1

This example restricts the postgres user's use of sudo privileges to the directory /postgres.

Note that wildcards are allowed for the options on mount and umount because those commands expect a fixed number of arguments after the options. The option wildcard on the mount command also makes it possible to specify the file-system being mounted from the Delphix Engine.

Delphix requires umount -lf for emergency force unmounts on Linux.  For other Unix OSes, Delphix requires umount -f.

Example /etc/sudoers File Configuration on the Target Environment for sudo Privileges on the VDB Mount Directory Only (Linux OS)

Defaults:postgres !requiretty
delphix_os ALL=(root) NOPASSWD: \
/bin/mount  *        /postgres/*, \
/bin/umount *        /postgres/*, \
/bin/umount          /postgres/*, \
/bin/umount -lf      /postgres/*

Example 2

This example restricts the postgres user's use of sudo privileges to the directory /postgres, restricts the mount commands to a specific Delphix Engine hostname and IP, and does not allow user-specified options for the umount command.

Delphix requires umount -lf for emergency force unmounts on Linux.  For other Unix OSes, Delphix requires umount -f.

This configuration is more secure, but there is a tradeoff with deployment simplicity.  This approach would require a different sudo configuration for targets configured for different Delphix Engines.

A Second Example of Configuring the /etc/sudoers File on the Target Environment for Privileges on the VDB Mount Directory Only (Linux OS)

Defaults:delphix_os !requiretty
delphix_os ALL=(root) NOPASSWD: \
/bin/mount          *<delphix-server-ip>*   /postgres/*, \
/bin/mount          *<delphix-server-ip>*   /postgres/*, \
/bin/umount          /postgres/*, \
/bin/umount *        /postgres/*, \
/bin/umount -lf      /postgres/*