Problem
Beginning with NetBackup 9.1, NetBackup can run most of the primary server services as non-root, which is highly encouraged.
- On Unix, the user will start seeing a new prompt during the primary server fresh install or upgrade from the previous release. The new prompt will ask the user to provide a 'service user' (preferably non-root). Most daemons on the primary server will now run as this user. This user must be created in advance and must have the WEBSVC_GROUP (typically 'nbwebgrp') as the secondary group.
- On Windows, there is no prompt; a fresh install defaults to the built-in LocalService account. There is no visible impact on upgrades.
These user account elements must be available on each primary server (or each node of a clustered primary server).
Solution
Numerous procedures can be used to create users and groups in operating systems. Some specific approaches are listed below, but other methods may accomplish the same goal. The home directory path, user name, and group names are not hardcoded and can be changed. Also, ensure that the WEBSVC_USER for the NetBackup primary server is already configured before creating the NetBackup service user. The detailed steps for configuring the web service user for the NetBackup primary server can be found at https://www.veritas.com/support/en_US/article.100023872
UNIX
- Create a local primary group for the service account: groupadd <groupname>
- Create a local service account user: useradd -g <groupname> -c 'NetBackup Service Account' -d /usr/openv/ <username>
- Add the WEBSVC_GROUP group as a secondary group for the service user: usermod -a -G <nbwebgrp> <username>
Note: In clustered environments, make sure the local accounts are defined consistently on all cluster nodes. If you use a clustered environment on Linux or UNIX platforms, the NetBackup service user can be a local user, but the NetBackup service user must have the same name and UID on all nodes of the cluster. Also, it is recommended to use domain users (for example, NIS) for clustered environments.
LDAP accounts are supported and can be used on UNIX.
POSIX Shell requirements: The NetBackup Service account must use a POSIX compliant shell.
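The three UNIX commands above, wrapped in a script that also checks the constraints this article places on the account (ASCII name of at most 32 characters, WEBSVC_GROUP as a secondary group, a POSIX-compliant shell). This is an added example, not Veritas code; nbservice and nbservicegrp are placeholder names, and the -s /bin/sh flag and the accepted-shell list are assumptions made here.

```sh
#!/bin/sh
# Added example, not from the Veritas article: create the NetBackup service user
# with the UNIX steps above and check the constraints the article lists.
# nbservice/nbservicegrp are placeholder names; nbwebgrp is the article's typical WEBSVC_GROUP.
SVC_USER="${SVC_USER:-nbservice}"
SVC_GROUP="${SVC_GROUP:-nbservicegrp}"
WEBSVC_GROUP="${WEBSVC_GROUP:-nbwebgrp}"

# Article rules: ASCII only, at most 32 characters. Limiting the set to letters,
# digits, '_' and '-' is a conservative reading of "English characters" (assumption).
valid_service_user_name() {
    [ -n "$1" ] && [ "${#1}" -le 32 ] || return 1
    case "$1" in *[!A-Za-z0-9_-]*) return 1 ;; esac
    # More than 8 characters is allowed, but bpps output may truncate the name.
    if [ "${#1}" -gt 8 ]; then echo "warning: '$1' may be truncated in bpps output" >&2; fi
    return 0
}
# Is GROUP ($1) in LIST ($2), the space-separated output of 'id -Gn <user>'?
group_in_list() {
    for g in $2; do [ "$g" = "$1" ] && return 0; done
    return 1
}
# Accept sh/bash/ksh/dash as POSIX-compliant login shells (assumption about the
# fleet); /sbin/nologin, /bin/false and csh-family shells are rejected.
posix_shell_ok() {
    case "${1##*/}" in sh|bash|ksh|dash) return 0 ;; *) return 1 ;; esac
}

# The article's three commands, run as root. -s /bin/sh is added here to satisfy
# the POSIX shell requirement; WEBSVC_GROUP must already exist (web service user first).
create_service_user() {
    valid_service_user_name "$SVC_USER" || return 1
    getent group "$WEBSVC_GROUP" >/dev/null || { echo "create $WEBSVC_GROUP first" >&2; return 1; }
    groupadd "$SVC_GROUP"
    useradd -g "$SVC_GROUP" -c 'NetBackup Service Account' -d /usr/openv/ -s /bin/sh "$SVC_USER"
    usermod -a -G "$WEBSVC_GROUP" "$SVC_USER"
}

# Run on every primary server node; the name and UID must match across a cluster.
verify_service_user() {
    entry=$(getent passwd "$SVC_USER") || { echo "$SVC_USER: no such user" >&2; return 1; }
    uid=$(echo "$entry" | cut -d: -f3); shell=$(echo "$entry" | cut -d: -f7)
    group_in_list "$WEBSVC_GROUP" "$(id -Gn "$SVC_USER")" || { echo "$SVC_USER: not in $WEBSVC_GROUP" >&2; return 1; }
    posix_shell_ok "$shell" || { echo "$SVC_USER: shell $shell is not POSIX compliant" >&2; return 1; }
    echo "$SVC_USER uid=$uid shell=$shell ok (compare the uid on all cluster nodes)"
}

case "${1:-}" in create) create_service_user ;; verify) verify_service_user ;; esac
```

Run it as `sh nbsvcuser.sh create` once on each node, then `sh nbsvcuser.sh verify` on every node and compare the reported UIDs.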
Windows
On Windows, NetBackup will use a built-in Local Service account as the NetBackup service user by default, and there are no additional steps to be taken. Note that this is not the same account as the Local System account. The use of the Local Service account can only be changed to a specified user if a Custom installation is performed during a fresh installation of the product. There is no option to specify the user when upgrades are performed.
Additional considerations:
1. Resource limits such as the number of processes that can be spawned must be on par with those of the root user.
2. The number of files that can be opened must be on par with that of the root user.
3. It is not recommended to use the root user as the service user.
4. The WEBSVC_USER should not be used as the service user.
5. The WEBSVC_GROUP must be a secondary group of the service user.
6. Using a service user account other than root involves a one-time conversion that may significantly increase upgrade time based on your catalog size.
7. When the NetBackup install or upgrade puts the service user into use, the ownership and permissions of pathnames that are part of the NetBackup install directory are updated automatically.
8. Pathnames that are external to the NetBackup install directory must manually be made accessible to the service account and generally fall into two categories.
Some pathnames are shared with other applications, and the service user should be provided permission to access those same pathnames. For example:
- ECA paths
- /tmp
Other pathnames are not shared, and the ownership of those directories must simply be updated to the service user. For example:
- DR path
- NetBackup catalog relational database files placed on separate disks or paths
- All directories listed in ALTPATH files present under <install directory>/NetBackup/db/images/<client>/
- HOST_CACHE_PATH directory in the NetBackup configuration
- NetBackup log folders if relocated via links
Unix/Linux example setting ownership on the location where the catalog backup places the Disaster Recovery and .drpkg files:
chown nbservice:nbservicegrp /drfile
When running as a non-root service user, the <DR file directory> must have permissions rwx------:
chmod 700 /drfile
Note: On Windows hosts, you can run the nbserviceusercmd command to give NetBackup services access to a path.
For example:
<install_path>\NetBackup\bin\goodies\nbserviceusercmd.exe -addAcl "D:\alt_path\target" -reason "Updating ACLs for external path"
9. The NetBackup service user name should contain only ASCII characters. Non-English characters are not supported for the service user.
10. On UNIX systems, if the service user name is longer than the system-defined user column width (usually 8 characters), you might see a truncated user name or UID in bpps output.
11. The service user name cannot exceed 32 characters and can only contain English characters.
12. Ownership of the /usr/openv directory changes to the new service user account.
13. The service user should maintain the minimum O/S ulimit settings on primary, media server and client Linux/UNIX platforms.
14. Users must take a full backup, whether of a Windows/Standard policy file system or a BMR policy configuration, after changing the service user.
15. If the previous NetBackup installation (10.2 or older) was configured with a service account, then when upgrading with the native installer, configure the service account for Private Branch Exchange (PBX) using the following link: How to use vxpbxserviceusercmd in PBX
The detailed steps for minimum O/S ulimit settings can be found at https://www.veritas.com/support/en_US/article.100022164