Hi Minh, Thank you for your reply. >> I don't have any objection to this patch since it's configurable. Thanks. >> who will be using it unless opensaf/all components are the same gid/uid. Yes, as reported in user's list, some OpenSAF users are using it. >> I will push it with title: "amf: provide configuration option to run amfnd >> as non-root"? Thanks, that would be great, appreciate.
Thanks Anand Sundararaj Senior Solutions Architect | +1 480 686 4772 www.GetHighAvailability.com (https://am2.myprofessionalmail.com/appsuite/www.GetHighAvailability.com) Get High Availability Today! NJ, USA: +1 508-507-6507 > On 08/05/2020 2:57 PM minhchau <minh.c...@dektech.com.au> wrote: > > > Hi Anand, > > I think you need to try the non-root feature, there are many failures if > I enabled the option provided by this patch. > > Most of them is that amfnd will no more have privileges to manage the > components. The components themselves normally will drop/change their > privileges after amfnd forked them off, one of them as Thang reported. > > I don't have any objection to this patch since it's configurable, but > just wonder who will be using it unless opensaf/all components are the > same gid/uid. > > I will push it with title: "amf: provide configuration option to run > amfnd as non-root"? > > Thanks > > Minh > > On 6/8/20 4:13 am, Anand Sundararaj wrote: > > Hi Thang/Minh/Mathi, > > It is more than 2 weeks since the patch was published, we are holding a > > minor/harmless fix for a long time. > > Till now, all the concerns have been addressed, I think. Please comment if > > you have any other concerns. > > I will push it by Friday if I don't get any comment. > > > > Thanks > > Anand Sundararaj > > Senior Solutions Architect | +1 480 686 4772 > > www.GetHighAvailability.com > > (https://am2.myprofessionalmail.com/appsuite/www.GetHighAvailability.com) > > Get High Availability Today! > > NJ, USA: +1 508-507-6507 > > > >> On 07/30/2020 6:33 PM Anand Sundararaj <s.an...@gethighavailability.com> > >> wrote: > >> > >> > >> Hi Thang/Minh/Mathi, > >> Please share your comment. This is a minor/harmless fix. > >> @Minh: Can you please push it by today EOD if you are good with it and > >> others don't give any comment. > >> > >> Thanks > >> Anand Sundararaj > >> Senior Solutions Architect | +1 480 686 4772 > >> www.GetHighAvailability.com > >> (https://am2.myprofessionalmail.com/appsuite/www.GetHighAvailability.com) > >> Get High Availability Today! > >> NJ, USA: +1 508-507-6507 > >> > >>> On 07/29/2020 3:40 PM Anand Sundararaj <s.an...@gethighavailability.com> > >>> wrote: > >>> > >>> > >>> Hi Mathi, > >>> Great, thanks. > >>> Though I haven't tested non-root feature, this fix give a quick access to > >>> the user to run amfnd as non-root. Those users, who only uses Amf and not > >>> uses Smf, this fix will help them quickly running amfnd in non-root mode. > >>> Though this is not a great fix(ticket itself is raised as minor), but in > >>> my opinion, provides some support to the users, so should be committed. > >>> If you have any major/serious objections, else good to commit ?? > >>> Please let me know. > >>> > >>> Thanks > >>> Anand Sundararaj > >>> Senior Solutions Architect | +1 480 686 4772 > >>> > >>> www.GetHighAvailability.com > >>> https://am2.myprofessionalmail.com/appsuite/www.GetHighAvailability.com > >>> Get High Availability Today! > >>> NJ, USA: +1 508-507-6507 > >>> > >>>> On 07/29/2020 11:20 AM Mathi N P <mathi.np....@gmail.com> wrote: > >>>> > >>>> > >>>> That description sounds fine to me. Nevertheless, I still can't see > >>>> the problem you are trying to solve when it is already possible to run > >>>> OpenSAF as a non-root user. > >>>> > >>>> Cheers, > >>>> Mathi. > >>>> > >>>> On Tue, Jul 28, 2020 at 9:56 PM Anand Sundararaj > >>>> <s.an...@gethighavailability.com mailto:s.an...@gethighavailability.com > >>>> > wrote: > >>>> > >>>> > > Thanks Mathi. I can change it to "amf: provide > >>>> configuration option to run amfnd as non-root [##205]", is that ok? > >>>>> > >>>>> Thanks > >>>>> Anand Sundararaj > >>>>> Senior Solutions Architect | +1 480 686 4772 > >>>>> > >>>>> www.GetHighAvailability.com > >>>>> https://am2.myprofessionalmail.com/appsuite/www.GetHighAvailability.com > >>>>> Get High Availability Today! > >>>>> NJ, USA: +1 508-507-6507 > >>>>> > >>>>> > > > On 07/28/2020 12:24 PM Mathi N P > >>>>> <mathi.np....@gmail.com mailto:mathi.np....@gmail.com > wrote: > >>>>>> > >>>>>> > >>>>>> Hi Anand, > >>>>>> > >>>>>> For some background, It is not merely a hard coding that > >>>>>> you are looking at, but it is rather by design. > >>>>>> I think you should at the least change the commit message > >>>>>> of your patch and describe the actual change that you are intending to > >>>>>> introduce. > >>>>>> FYI, > >>>>>> Mathi. > >>>>>> > >>>>>> On Tue, Jul 28, 2020 at 6:01 PM Anand Sundararaj > >>>>>> <s.an...@gethighavailability.com > >>>>>> mailto:s.an...@gethighavailability.com > wrote: > >>>>>> > >>>>>> > > > > Hi Minh/Thang/Nagendra/Paul, > >>>>>>> I am planning to push the patch by 30th > >>>>>>> July(thursday). > >>>>>>> Please kindly find some time to review by 29th > >>>>>>> July(tomorrow) and > >>>>>>> send your comments or Ack. > >>>>>>> > >>>>>>> Thanks > >>>>>>> Anand Sundararaj > >>>>>>> Senior Solutions Architect | +1 480 686 4772 > >>>>>>> http://www.GetHighAvailability.com > >>>>>>> > >>>>>>> (https://am2.myprofessionalmail.com/appsuite/www.GetHighAvailability.com) > >>>>>>> Get High Availability Today! > >>>>>>> NJ, USA: +1 508-507-6507 > >>>>>>> > >>>>>>> > On 07/23/2020 9:38 PM > >>>>>>> s.an...@gethighavailability.com > >>>>>>> mailto:s.an...@gethighavailability.com > >>>>>>> <s.an...@gethighavailability.com > >>>>>>> mailto:s.an...@gethighavailability.com > wrote: > >>>>>>> > > >>>>>>> > > >>>>>>> > Hi Thang, > >>>>>>> > Good catch ! > >>>>>>> > Can you please let me know if you were starting pm > >>>>>>> monitoring on a component pid, which is in root or non-root? > >>>>>>> > > >>>>>>> > The issue, you are reporting, Thang, may come when > >>>>>>> Amfnd' (kill) doesn't have permission to send signal to the pid. > >>>>>>> > I am assuming that you are getting EPERM as a > >>>>>>> return. > >>>>>>> > Can you please verify, Thang(by logging, just like > >>>>>>> done in mon.cc at "switch (kill(mon_rec->pid, 0)) {"), if the return > >>>>>>> is EPERM or something else? > >>>>>>> > If it is correct, then ideally, the user shouldn't > >>>>>>> be using pm monitoring on such pid and that means no change is needed > >>>>>>> in the patch. > >>>>>>> > can you please confirm, Thang. > >>>>>>> > > >>>>>>> > Thanks > >>>>>>> > > >>>>>>> > Anand Sundararaj > >>>>>>> > Senior Solutions Architect | 480 686 4772 > >>>>>>> > > >>>>>>> > > >>>>>>> >http://www.GetHighAvailability.com > >>>>>>> > > >>>>>>> > Get High Availability Today! > >>>>>>> > NJ, USA: +1 508-507-6507 > >>>>>>> > > >>>>>>> > > On 07/20/2020 9:11 PM Thang Duc Nguyen > >>>>>>> <thang.d.ngu...@dektech.com.au mailto:thang.d.ngu...@dektech.com.au > > >>>>>>> wrote: > >>>>>>> > > > >>>>>>> > > > >>>>>>> > > I missed one info. I tested with NON_ROOT user. > >>>>>>> > > export AMFND_NON_ROOT=1 > >>>>>>> > > > >>>>>>> > > -----Original Message----- > >>>>>>> > > From: Thang Duc Nguyen > >>>>>>> <thang.d.ngu...@dektech.com.au mailto:thang.d.ngu...@dektech.com.au > > >>>>>>> > > Sent: Tuesday, July 21, 2020 11:02 AM > >>>>>>> > > To: s.an...@gethighavailability.com > >>>>>>> mailto:s.an...@gethighavailability.com ; Minh Hon Chau > >>>>>>> <minh.c...@dektech.com.au mailto:minh.c...@dektech.com.au >; > >>>>>>> nagen...@gethighavailability.com; p...@gethighavailability.com > >>>>>>> > > Cc: opensaf-devel@lists.sourceforge.net > >>>>>>> mailto:opensaf-devel@lists.sourceforge.net > >>>>>>> > > Subject: Re: [devel] [PATCH 1/1] amf: remove > >>>>>>> hard-coding in amfnd [#3205] > >>>>>>> > > > >>>>>>> > > Hi Sundararaj, > >>>>>>> > > > >>>>>>> > > The Opensaf can start but it may not run > >>>>>>> correctly. > >>>>>>> > > I tested your patch. During passive mornitoring > >>>>>>> process of copoenent, this patch cuases the coredump in function > >>>>>>> avnd_comp_pm_param_val() when invoking saAmfPmStop()/saAmfPmStart(). > >>>>>>> > > > >>>>>>> > > Snipest code indicate the crash in cpm.cc file > >>>>>>> void avnd_comp_pm_param_val( ) { ... > >>>>>>> > > if (kill(pm_start->pid, 0) == -1) { > >>>>>>> > > osafassert(errno == ESRCH); //Crash here > >>>>>>> due to retured error: Operation not permitted > >>>>>>> > > *o_amf_rc = SA_AIS_ERR_NOT_EXIST; > >>>>>>> > > return; > >>>>>>> > > } > >>>>>>> > > } > >>>>>>> > > > >>>>>>> > > B.R/Thang > >>>>>>> > > -----Original Message----- > >>>>>>> > > From: s.an...@gethighavailability.com > >>>>>>> mailto:s.an...@gethighavailability.com > >>>>>>> <s.an...@gethighavailability.com > >>>>>>> mailto:s.an...@gethighavailability.com > > >>>>>>> > > Sent: Tuesday, July 21, 2020 9:22 AM > >>>>>>> > > To: Minh Hon Chau <minh.c...@dektech.com.au > >>>>>>> mailto:minh.c...@dektech.com.au >; Thang Duc Nguyen > >>>>>>> <thang.d.ngu...@dektech.com.au mailto:thang.d.ngu...@dektech.com.au > >>>>>>> >; nagen...@gethighavailability.com; p...@gethighavailability.com > >>>>>>> > > Cc: opensaf-devel@lists.sourceforge.net > >>>>>>> mailto:opensaf-devel@lists.sourceforge.net ; Anand Sundararaj > >>>>>>> <s.an...@gethighavailability.com > >>>>>>> mailto:s.an...@gethighavailability.com > > >>>>>>> > > Subject: [PATCH 1/1] amf: remove hard-coding in > >>>>>>> amfnd [#3205] > >>>>>>> > > > >>>>>>> > > From: Anand Sundararaj > >>>>>>> <s.an...@gethighavailability.com > >>>>>>> mailto:s.an...@gethighavailability.com > > >>>>>>> > > > >>>>>>> > > --- > >>>>>>> > > src/amf/amfnd/amfnd.conf | 3 +++ > >>>>>>> > > src/amf/amfnd/main.cc | 9 ++++++++- > >>>>>>> > > 2 files changed, 11 insertions(+), 1 deletion(-) > >>>>>>> > > > >>>>>>> > > diff --git a/src/amf/amfnd/amfnd.conf > >>>>>>> b/src/amf/amfnd/amfnd.conf index 07bc0ba..4e8b07a 100644 > >>>>>>> > > --- a/src/amf/amfnd/amfnd.conf > >>>>>>> > > +++ b/src/amf/amfnd/amfnd.conf > >>>>>>> > > @@ -34,3 +34,6 @@ export > >>>>>>> AVND_PM_MONITORING_RATE=1000 # It can be disabled if set > >>>>>>> THREAD_TRACE_BUFFER as 0, the maximum value # can be set as 65535. > >>>>>>> > > # export THREAD_TRACE_BUFFER=10240 > >>>>>>> > > + > >>>>>>> > > +#AMFND run as root. Uncomment next line to run > >>>>>>> as a user mentioned in nid.conf. > >>>>>>> > > +#export AMFND_NON_ROOT=1 > >>>>>>> > > diff --git a/src/amf/amfnd/main.cc > >>>>>>> b/src/amf/amfnd/main.cc index d7857fa..6d9ee95 100644 > >>>>>>> > > --- a/src/amf/amfnd/main.cc > >>>>>>> > > +++ b/src/amf/amfnd/main.cc > >>>>>>> > > @@ -164,6 +164,7 @@ static void new_handler() { > >>>>>>> > > > >>>>>>> > > int main(int argc, char *argv[]) { > >>>>>>> > > uint32_t error; > >>>>>>> > > + char *val; > >>>>>>> > > > >>>>>>> > > // function to be called if new fails. The > >>>>>>> alternative of using catch of > >>>>>>> > > // std::bad_alloc will unwind the stack and > >>>>>>> thus no call chain will be @@ -179,7 +180,13 @@ int main(int argc, > >>>>>>> char *argv[]) { > >>>>>>> > > goto done; > >>>>>>> > > } > >>>>>>> > > > >>>>>>> > > - daemonize_as_user("root", argc, argv); > >>>>>>> > > + if ((val = getenv("AMFND_NON_ROOT")) != > >>>>>>> nullptr) { > >>>>>>> > > + daemonize(argc, argv); > >>>>>>> > > + TRACE("AMFND will run as non-root"); } > >>>>>>> else { > >>>>>>> > > + daemonize_as_user("root", argc, argv); > >>>>>>> > > + TRACE("AMFND will run as root"); > >>>>>>> > > + } > >>>>>>> > > > >>>>>>> > > // Enable long DN > >>>>>>> > > if (setenv("SA_ENABLE_EXTENDED_NAMES", "1", > >>>>>>> 1) != 0) { > >>>>>>> > > -- > >>>>>>> > > 2.7.4 > >>>>>>> > > > >>>>>>> > > > >>>>>>> > > > >>>>>>> > > _______________________________________________ > >>>>>>> > > Opensaf-devel mailing list > >>>>>>> > > Opensaf-devel@lists.sourceforge.net > >>>>>>> mailto:Opensaf-devel@lists.sourceforge.net > >>>>>>> > > > >>>>>>> https://lists.sourceforge.net/lists/listinfo/opensaf-devel > >>>>>>> > > >>>>>>> > > >>>>>>> > _______________________________________________ > >>>>>>> > Opensaf-devel mailing list > >>>>>>> > Opensaf-devel@lists.sourceforge.net > >>>>>>> mailto:Opensaf-devel@lists.sourceforge.net > >>>>>>> > > >>>>>>> https://lists.sourceforge.net/lists/listinfo/opensaf-devel > >>>>>>> > >>>>>>> > >>>>>>> _______________________________________________ > >>>>>>> Opensaf-devel mailing list > >>>>>>> Opensaf-devel@lists.sourceforge.net > >>>>>>> mailto:Opensaf-devel@lists.sourceforge.net > >>>>>>> > >>>>>>> https://lists.sourceforge.net/lists/listinfo/opensaf-devel > >>>>>>> > >>>>>>> > > > > >>>>>> > > > >>>>> > > >>> _______________________________________________ > >>> Opensaf-devel mailing list > >>> Opensaf-devel@lists.sourceforge.net > >>> https://lists.sourceforge.net/lists/listinfo/opensaf-devel > >> > >> _______________________________________________ > >> Opensaf-devel mailing list > >> Opensaf-devel@lists.sourceforge.net > >> https://lists.sourceforge.net/lists/listinfo/opensaf-devel _______________________________________________ Opensaf-devel mailing list Opensaf-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/opensaf-devel
