
Configure elevated permissions in Dynatrace Managed

By default, the Dynatrace Managed cluster uses sudo to elevate permissions for certain maintenance operations. The installer sets up users, permissions, and services for you, so no additional action is needed. However, when sudo is not available in your operating system, or when you're required to use an alternative command to elevate permissions, you must specify that command during installation.

  • In interactive mode, when you are asked about elevated permissions, pass a command prefix including a program such as pbrun, sesudo, or suexec
  • In silent mode, you can specify this parameter via a customized installation

Note: In all command examples on this page, the following is assumed:

  • dynatrace (default) is a user that runs all Dynatrace OS services
  • Dynatrace Managed is installed in /opt/dynatrace-managed/
  • The data directory is /var/opt/dynatrace-managed/

If your configuration is different, adjust your actions accordingly.

When elevated permissions are required

An OS user who runs Dynatrace Managed services needs elevated permissions to perform the following tasks:

  • Run the installation or reconfiguration script
  • Add or remove a cluster node
  • Start, stop, restart, or check the status of services

For the complete list of commands that require elevated permissions, check the /opt/dtrun/dtrun.conf file. For security reasons, the /opt/dtrun directory and all files inside it are owned by the root user.

Reconfigure dtrun sudo command

To simplify OS permission management, Dynatrace Managed uses a single script to run all commands that require elevated permissions. A script called dtrun is a wrapper for sudo or any other command you have to provide during installation. The location of dtrun is /opt/dtrun/dtrun, and all commands that dtrun can execute are listed in /opt/dtrun/dtrun.conf. Only the scripts and commands that are included in /opt/dtrun/dtrun.conf can be run.
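Because dtrun.conf is the allowlist for everything that can be run with elevated permissions, the root ownership of /opt/dtrun is worth verifying after installation or reconfiguration. The following shell function is an added example, not part of the Dynatrace documentation or tooling; the function name, the finding labels, and the group/world-writable check are assumptions that go beyond the root ownership the page states.

```shell
#!/bin/sh
# Added example (not Dynatrace code): audit the dtrun wrapper directory.
# The page states only that /opt/dtrun and its files are owned by root;
# the group/world-writable check is an extra hardening assumption.

# audit_dtrun_dir DIR [OWNER]
#   Prints one finding per line.
#   Returns 0 if clean, 1 if there are findings, 2 if DIR does not exist.
audit_dtrun_dir() {
    dir=$1
    owner=${2:-root}

    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi

    findings=$(
        # Entries (including the directory itself) not owned by OWNER.
        find "$dir" ! -user "$owner" -print | sed 's/^/BAD_OWNER /'
        # Entries writable by group or others. Symlinks are skipped
        # because their own mode bits are not meaningful.
        find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print |
            sed 's/^/WRITABLE /'
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run the audit only when a directory is given on the command line,
# for example (as root): sh audit_dtrun.sh /opt/dtrun
if [ "$#" -gt 0 ]; then
    audit_dtrun_dir "$@"
fi
```

Any BAD_OWNER or WRITABLE line on dtrun or dtrun.conf means an account other than root could change what runs with elevated permissions.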

If a cluster needs to run a command as the root user (for example, to add iptables, restart a component, or run the upgrader), it will use the SUDO_COMMAND set during installation to try to gain elevated permissions. You can also search for issues in the /var/opt/dynatrace-managed/log/dtrun.log log file.

If you need to reconfigure an existing installation to use a sudo alternative, you can run a reconfiguration script. For example, to change the sudo command to pbrun, use this script to rerun the installer:

plaintext
sudo /opt/dynatrace-managed/installer/reconfigure.sh --sudo-cmd "/usr/bin/pbrun \$CMD"

Troubleshooting

Misconfigured permissions may lead to various issues with, for example, Dynatrace Managed services or networking. If there is an issue with permissions, you will see installation log entries such as:

plaintext
sudo: pam_open_session: System error
sudo: policy plugin failed session initialization

Additionally, you will see issues in these logs:

  • /var/opt/dynatrace-managed/log/dtrun.log (dtrun logs)
  • /var/opt/dynatrace-managed/log/launch-logging.log (Services launcher script logs)

When troubleshooting issues with sudo or elevated permissions, the best approach is to check the entire configuration at once and compare the results. When run as the root user, all of the commands below should generate output:

plaintext
cat /etc/sudoers | grep -i include
cat /etc/sudoers.d/dynatrace
su - dynatrace -s /bin/bash -c 'sudo /opt/dtrun/dtrun iptables -L -n'
cat /etc/sudoers | grep dynatrace
cat /etc/passwd | grep dynatrace
cat /etc/shadow | grep dynatrace
chage -l dynatrace

The chage command tells you if the password is about to expire, which can also cause issues with sudo access.

When you perform additional security checks to control what dtrun is allowed to execute, you can easily find out whether sudo still works as expected by running the following command as the root user:

plaintext
su - dynatrace -s /bin/bash -c 'sudo /opt/dtrun/dtrun service dynatrace-server status'

The following command is an example to verify permission elevation using a sudo alternative, pbrun:

plaintext
su - dynatrace -s /bin/bash -c 'pbrun /opt/dtrun/dtrun service dynatrace-server status'