>> With pacemaker 1.1.17, we observe the following messages during 
>> startup of
>> pacemaker:
>> 2018-09-18T11:58:18.452951+03:00 p12-0001-bcsm03 crmd[2871]:  warning: 
>> Cannot execute '/usr/lib/ocf/resource.d/verimatrix/anything4': 
>> Permission denied (13)
>> 2018-09-18T11:58:18.453179+03:00 p12-0001-bcsm03 crmd[2871]:    error: 
>> Failed to retrieve meta-data for ocf:verimatrix:anything4
>> 2018-09-18T11:58:18.453291+03:00 p12-0001-bcsm03 crmd[2871]:    error: No 
>> metadata for ocf::verimatrix:anything4
>> 
> 
> Could it be as simple as /usr/lib/ocf/resource.d/verimatrix/anything4 not 
> having the execute bit set (for the user)?

The OCF agent is not physically located there. 
/usr/lib/ocf/resource.d/verimatrix is a symbolic link that points to a 
directory in our software distribution. That part is not reachable for "other".

>> 
>> It seems that on startup, crmd is querying the meta-data on the OCF 
>> agents using a non-root user (hacluster?) while the regular resource 
>> control activity seems to be done as root.
>> The OCF resource in question intentionally resides in a directory that 
>> is inaccessible to non-root users.
> 
> Why? You can selectively grat access (man setfacl)!

That's an option, thank you.

>> 
>> Is this behavior of using different users intended? If yes, any clue 
>> why was
>> it working with pacemaker 1.1.7 under RHEL6?
> 
> Finally: Why are you asking thei list for help, when you removed execute 
> permission for your home-grown (as it seems) resource agent?
> What could WE do?

I would like to understand the concept behind it to determine the best 
solution. If there was a way to configure or tell crmd to do the meta-data 
query as root, I would prefer that. It's because even if the actual access to 
the OCF agent scripts worked, we would hit the next problems because some OCF 
scripts use the "ocf_is_root" function from 
/usr/lib/ocf/lib/heartbeat/ocf-shellfuncs. These OCFs would fail miserably.
So before I revisit all our OCFs to check if the well-behave if called as 
non-root, I wanted to check if there is another way.

Thanks,
  Carsten

_______________________________________________
Users mailing list: Users@clusterlabs.org
https://lists.clusterlabs.org/mailman/listinfo/users

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org

Reply via email to