This documentation is for the extended support release (ESR) version of Cumulus Linux. We will continue to keep this content up to date until 21 February, 2023, when ESR support ends. For more information about ESR, please read this knowledge base article.

If you are using the current version of Cumulus Linux, the content on this page may not be up to date. The current version of the documentation is available here. If you are redirected to the main page of the user guide, then this page may have been renamed; please search for it there.

Using sudo to Delegate Privileges

By default, Cumulus Linux has two user accounts: root and cumulus. The cumulus account is a normal user and is in the group sudo.

You can add more user accounts as needed. Like the cumulus account, these accounts must use sudo to execute privileged commands.

sudo Basics

sudo allows you to execute a command as superuser or another user as specified by the security policy. See man sudo(8) for details.

The default security policy is sudoers, which is configured using /etc/sudoers. Use /etc/sudoers.d/ to add to the default sudoers policy. See man sudoers(5) for details.

Use visudo only to edit the sudoers file; do not use another editor like vi or emacs. See man visudo(8) for details.

When creating a new file in /etc/sudoers.d, use visudo -f. This option performs sanity checks before writing the file to avoid errors that prevent sudo from working.

Errors in the sudoers file can result in losing the ability to elevate privileges to root. You can fix this issue only by power cycling the switch and booting into single user mode. Before modifying sudoers, enable the root user by setting a password for the root user.

By default, users in the sudo group can use sudo to execute privileged commands. To add users to the sudo group, use the useradd(8) or usermod(8) command. To see which users belong to the sudo group, see /etc/group (man group(5)).

Any command can be run as sudo, including su. A password is required.

The example below shows how to use sudo as a non-privileged user cumulus to bring up an interface:

cumulus@switch:~$ ip link show dev swp1
3: swp1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master br0 state DOWN mode DEFAULT qlen 500
link/ether 44:38:39:00:27:9f brd ff:ff:ff:ff:ff:ff
 
cumulus@switch:~$ ip link set dev swp1 up
RTNETLINK answers: Operation not permitted
 
cumulus@switch:~$ sudo ip link set dev swp1 up
Password:
 
cumulus@switch:~$ ip link show dev swp1
3: swp1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT qlen 500
link/ether 44:38:39:00:27:9f brd ff:ff:ff:ff:ff:ff

sudoers Examples

The following examples show how you grant as few privileges as necessary to a user or group of users to allow them to perform the required task. For each example, the system group noc is used; groups are prefixed with an %.

When executed by an unprivileged user, the example commands below must be prefixed with sudo.

Category

Privilege

Example Command

sudoers Entry

Monitoring

Switch port info

ethtool -m swp1
%noc ALL=(ALL) NOPASSWD:/sbin/ethtool

Monitoring

System diagnostics

cl-support
%noc ALL=(ALL) NOPASSWD:/usr/cumulus/bin/cl-support

Monitoring

Routing diagnostics

cl-resource-query
%noc ALL=(ALL) NOPASSWD:/usr/cumulus/bin/cl-resource-query

Image management

Install images

onie-select http://lab/install.bin
%noc ALL=(ALL) NOPASSWD:/usr/cumulus/bin/onie-select

Package management

Any apt-get command

apt-get update or apt-get install
%noc ALL=(ALL) NOPASSWD:/usr/bin/apt-get

Package management

Just apt-get update

apt-get update
%noc ALL=(ALL) NOPASSWD:/usr/bin/apt-get update

Package management

Install packages

apt-get install vim
%noc ALL=(ALL) NOPASSWD:/usr/bin/apt-get install * 

Package management

Upgrading

apt-get upgrade
%noc ALL=(ALL) NOPASSWD:/usr/bin/apt-get upgrade

Netfilter

Install ACL policies

cl-acltool -i
%noc ALL=(ALL) NOPASSWD:/usr/cumulus/bin/cl-acltool

Netfilter

List iptables rules

iptables -L
%noc ALL=(ALL) NOPASSWD:/sbin/iptables

L1 + 2 features

Any LLDP command

lldpcli show neighbors / configure
%noc ALL=(ALL) NOPASSWD:/usr/sbin/lldpcli

L1 + 2 features

Just show neighbors

lldpcli show neighbors
%noc ALL=(ALL) NOPASSWD:/usr/sbin/lldpcli show neighbors*

Interfaces

Modify any interface

ip link set dev swp1 {up|down}
%noc ALL=(ALL) NOPASSWD:/sbin/ip link set * 

Interfaces

Up any interface

ifup swp1
%noc ALL=(ALL) NOPASSWD:/sbin/ifup

Interfaces

Down any interface

ifdown swp1
%noc ALL=(ALL) NOPASSWD:/sbin/ifdown

Interfaces

Up/down only swp2

ifup swp2 / ifdown swp2
%noc ALL=(ALL) NOPASSWD:/sbin/ifup swp2,/sbin/ifdown swp2

Interfaces

Any IP address chg

ip addr {add|del} 192.0.2.1/30 dev swp1
%noc ALL=(ALL) NOPASSWD:/sbin/ip addr * 

Interfaces

Only set IP address

ip addr add 192.0.2.1/30 dev swp1
%noc ALL=(ALL) NOPASSWD:/sbin/ip addr add * 

Ethernet bridging

Any bridge command

brctl addbr br0 / brctl delif br0 swp1
%noc ALL=(ALL) NOPASSWD:/sbin/brctl

Ethernet bridging

Add bridges and ints

brctl addbr br0 / brctl addif br0 swp1
%noc ALL=(ALL) NOPASSWD:/sbin/brctl addbr \*,/sbin/brctl addif * 

Spanning tree

Set STP properties

mstpctl setmaxage br2 20
%noc ALL=(ALL) NOPASSWD:/sbin/mstpctl

Troubleshooting

Restart switchd

systemctl restart switchd.service
%noc ALL=(ALL) NOPASSWD:/usr/sbin/service switchd * 

Troubleshooting

Restart any service

systemctl cron switchd.service
%noc ALL=(ALL) NOPASSWD:/usr/sbin/service

Troubleshooting

Packet capture

tcpdump
%noc ALL=(ALL) NOPASSWD:/usr/sbin/tcpdump

L3

Add static routes

ip route add 10.2.0.0/16 via 10.0.0.1
%noc ALL=(ALL) NOPASSWD:/bin/ip route add * 

L3

Delete static routes

ip route del 10.2.0.0/16 via 10.0.0.1
%noc ALL=(ALL) NOPASSWD:/bin/ip route del * 

L3

Any static route chg

ip route * 
%noc ALL=(ALL) NOPASSWD:/bin/ip route * 

L3

Any iproute command

ip * 
%noc ALL=(ALL) NOPASSWD:/bin/ip

L3

Non-modal OSPF

cl-ospf area 0.0.0.1 range 10.0.0.0/24
%noc ALL=(ALL) NOPASSWD:/usr/bin/cl-ospf
Debian wiki - sudo