By default, Cumulus Linux has two user accounts: root and cumulus. The cumulus account is a normal user and is in the group sudo.

You can add more user accounts as needed. Like the cumulus account, these accounts must use sudo to execute privileged commands.


 (Click to expand)


  • sudo
  • visudo

Using sudo

sudo allows you to execute a command as superuser or another user as specified by the security policy. See man sudo(8) for details.

The default security policy is sudoers, which is configured using /etc/sudoers. Use /etc/sudoers.d/ to add to the default sudoers policy. See man sudoers(5) for details.


Use visudo only to edit the sudoers file; do not use another editor like vi or emacs. See man visudo(8) for details.

Errors in the sudoers file can result in losing the ability to elevate privileges to root. You can fix this issue only by power cycling the switch and booting into single user mode. Before modifying sudoers, enable the root user by setting a password for the root user.

By default, users in the sudo group can use sudo to execute privileged commands. To add users to the sudo group, use the useradd(8) or usermod(8) command. To see which users belong to the sudo group, see /etc/group (man group(5)).

Any command can be run as sudo, including su. A password is required.

The example below shows how to use sudo as a non-privileged user cumulus to bring up an interface:

cumulus@switch:~$ ip link show dev swp1
3: swp1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master br0 state DOWN mode DEFAULT qlen 500
link/ether 44:38:39:00:27:9f brd ff:ff:ff:ff:ff:ff

cumulus@switch:~$ ip link set dev swp1 up
RTNETLINK answers: Operation not permitted

cumulus@switch:~$ sudo ip link set dev swp1 up

cumulus@switch:~$ ip link show dev swp1
3: swp1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT qlen 500
link/ether 44:38:39:00:27:9f brd ff:ff:ff:ff:ff:ff

sudoers Examples

The following examples show how you grant as few privileges as necessary to a user or group of users to allow them to perform the required task. For each example, the system group noc is used; groups are prefixed with an %.

When executed by an unprivileged user, the example commands below must be prefixed with sudo.

CategoryPrivilegeExample Commandsudoers Entry
MonitoringSwitch port info
ethtool -m swp1
%noc ALL=(ALL) NOPASSWD:/sbin/ethtool
MonitoringSystem diagnostics
%noc ALL=(ALL) NOPASSWD:/usr/cumulus/bin/cl-support
MonitoringRouting diagnostics
%noc ALL=(ALL) NOPASSWD:/usr/cumulus/bin/cl-resource-query
Image managementInstall images
cl-img-install http://lab/install.bin
%noc ALL=(ALL) NOPASSWD:/usr/cumulus/bin/cl-img-install
Image managementSwapping slots
cl-img-select 1
%noc ALL=(ALL) NOPASSWD:/usr/cumulus/bin/cl-img-select
Image managementClearing an overlay
cl-img-clear-overlay 1
%noc ALL=(ALL) NOPASSWD:/usr/cumulus/bin/cl-img-clear-overlay
Package managementAny apt-get command
apt-get update or apt-get install
%noc ALL=(ALL) NOPASSWD:/usr/bin/apt-get
Package managementJust apt-get update
apt-get update
%noc ALL=(ALL) NOPASSWD:/usr/bin/apt-get update
Package managementInstall packages
apt-get install mtr-tiny
%noc ALL=(ALL) NOPASSWD:/usr/bin/apt-get install *
Package managementUpgrading
apt-get upgrade
%noc ALL=(ALL) NOPASSWD:/usr/bin/apt-get upgrade
NetfilterInstall ACL policies
cl-acltool -i
%noc ALL=(ALL) NOPASSWD:/usr/cumulus/bin/cl-acltool
NetfilterList iptables rules
iptables -L
%noc ALL=(ALL) NOPASSWD:/sbin/iptables
L1 + 2 featuresAny LLDP command
lldpcli show neighbors / configure
%noc ALL=(ALL) NOPASSWD:/usr/sbin/lldpcli
L1 + 2 featuresJust show neighbors
lldpcli show neighbors
%noc ALL=(ALL) NOPASSWD:/usr/sbin/lldpcli show neighbours*
InterfacesModify any interface
ip link set dev swp1 {up|down}
%noc ALL=(ALL) NOPASSWD:/sbin/ip link set *
InterfacesUp any interface
ifup swp1
%noc ALL=(ALL) NOPASSWD:/sbin/ifup
InterfacesDown any interface
ifdown swp1
%noc ALL=(ALL) NOPASSWD:/sbin/ifdown
InterfacesUp/down only swp2
ifup swp2 / ifdown swp2
%noc ALL=(ALL) NOPASSWD:/sbin/ifup swp2,/sbin/ifdown swp2
InterfacesAny IP address chg
ip addr {add|del} dev swp1
%noc ALL=(ALL) NOPASSWD:/sbin/ip addr *
InterfacesOnly set IP address
ip addr add dev swp1
%noc ALL=(ALL) NOPASSWD:/sbin/ip addr add *
Ethernet bridgingAny bridge command
brctl addbr br0 / brctl delif br0 swp1
%noc ALL=(ALL) NOPASSWD:/sbin/brctl
Ethernet bridgingAdd bridges and ints
brctl addbr br0 / brctl addif br0 swp1
%noc ALL=(ALL) NOPASSWD:/sbin/brctl addbr *,/sbin/brctl addif *
Spanning treeSet STP properties
mstpctl setmaxage br2 20
%noc ALL=(ALL) NOPASSWD:/sbin/mstpctl
TroubleshootingRestart switchd
service switchd restart
%noc ALL=(ALL) NOPASSWD:/usr/sbin/service switchd *
TroubleshootingRestart any service
service switchd cron
%noc ALL=(ALL) NOPASSWD:/usr/sbin/service
TroubleshootingPacket capture
%noc ALL=(ALL) NOPASSWD:/usr/sbin/tcpdump
L3Add static routes
ip route add via
%noc ALL=(ALL) NOPASSWD:/bin/ip route add *
L3Delete static routes
ip route del via
%noc ALL=(ALL) NOPASSWD:/bin/ip route del *
L3Any static route chg
ip route *
%noc ALL=(ALL) NOPASSWD:/bin/ip route *
L3Any iproute command
ip *
%noc ALL=(ALL) NOPASSWD:/bin/ip
L3Non-modal OSPF
cl-ospf area range
%noc ALL=(ALL) NOPASSWD:/usr/bin/cl-ospf

Configuration Files

  • /etc/sudoers - default security policy
  • /etc/sudoers.d/ - default security policy