We're trying to run the application servers (IBM WebSphere v6.0.2.5)
under non-root users with the nodeagent as root. We've followed the
procedure listed in the info center (umask = 002, chmod -R g+rwX
/opt/IBM/WebSphere/AppServer/profiles/<profile>, etc.) but we're still
encountering permission problems during the application server startup.
I'll provide more detailed error output in a few minutes (logs are
cleaned up for a retry) but I was wondering if anyone is also running a
similar configuration with (or without) any hiccups.
Wkr,
Sven Vermeulen
The application server runs as "pegwas", group "wsadmin", umask "000"
(yes, 000 - for trying to identify the problem). The node agent runs as
"root", group "wsadmin", umask "000".
When we start the appserver "peg", it gives the following error:
[2/23/06 10:59:09:674 MET] 0000000a A UOW=null source=com.ibm.ws.pmi.component.PMIImpl org=IBM prod=WebSphere component=Application Server thread=[Thread-1]
PMON1001I: PMI is enabled
[2/23/06 10:59:12:446 MET] 0000000a E UOW=null source=com.ibm.ws.management.repository.FileDocument org=IBM prod=WebSphere component=Application Server thread=[Thread-1]
ADMR0104E: The system is unable to read document cells/s2003420_Cell/nodes/s2003420/serverindex.xml: java.io.IOException: Permission denied
    at java.io.UnixFileSystem.createFileExclusively(Native Method)
    at java.io.File.checkAndCreate(File.java:1314)
    at java.io.File.createTempFile(File.java:1402)
    at com.ibm.ws.management.repository.FileDocument.createTempFile(FileDocument.java:561)
[...]
[2/23/06 10:59:12:542 MET] 0000000a W UOW=null source=com.ibm.ws.hamanager.runtime.config.CoreGroupProcesses org=IBM prod=WebSphere component=Application Server thread=[Thread-1]
HMGR0060W: An error was encountered while obtaining the host and port information for server nodeagent on node s2003420.
[2/23/06 10:59:12:623 MET] 0000000a E UOW=null source=com.ibm.ws.management.repository.FileDocument org=IBM prod=WebSphere component=Application Server thread=[Thread-1]
ADMR0104E: The system is unable to read document cells/s2003420_Cell/nodes/s2003420/serverindex.xml: java.io.IOException: Permission denied
    at java.io.UnixFileSystem.createFileExclusively(Native Method)
    at java.io.File.checkAndCreate(File.java:1314)
    at java.io.File.createTempFile(File.java:1402)
    at com.ibm.ws.management.repository.FileDocument.createTempFile(FileDocument.java:561)
    at com.ibm.ws.management.repository.FileDocument.read(FileDocument.java:497)
    at com.ibm.ws.management.repository.FileRepository.extractInternal(FileRepository.java:974)
    at com.ibm.ws.management.repository.FileRepository.extract(FileRepository.java:946)
Yet, the configuration repository for the profile has quite "open"
permissions:
-rw-rw-rw- 1 root wsadmin 6041 Feb 23 10:55 ./cells/s2003420_Cell/nodes/s2003420/serverindex.xml
The config/temp directory is also open:
drwxrwxrwx 3 root wsadmin 512 Feb 23 10:35 temp/
I can successfully access any file when I log on to the system as the
"pegwas" user.
chgrp -R wsadmin $WAS_HOME/config $WAS_HOME/etc $WAS_HOME/temp \
    $WAS_HOME/lib $WAS_HOME/java $WAS_HOME/properties
chmod -R g+rxs $WAS_HOME/config $WAS_HOME/etc $WAS_HOME/temp \
    $WAS_HOME/lib $WAS_HOME/java $WAS_HOME/properties
chmod -R g+rwxs $WAS_HOME/temp
Then try to start your AppServer. You can find in-depth documentation in
the infocenter on how to run your servers as non-root users when the
nodeagent/dmgr are running as root.
-Dexthor.
It seems that the user under which the application server runs must
have the (shared) group as his default group, not just be a member of
that group. Darn.
Oh well, at least things work again ;-)
-Dexthor.
1/ We create a new profile
~# wasprofile.sh -create ...
2/ The profile is federated to the cell (addNode.sh)
3/ The nodeagent settings are altered to have the
runAsUser/runAsGroup/umask to root:wsadmin:002
4/ The nodeagent is stopped
5/ The node is synchronised
6/ The permissions on the profile are changed:
~# chgrp wsadmin /opt/IBM/WebSphere
~# chgrp wsadmin /opt/IBM/WebSphere/AppServer
~# chgrp -R wsadmin /opt/IBM/WebSphere/AppServer/profiles/$(hostname)
~# chmod g+rw /opt/IBM/WebSphere
~# chmod g+rw /opt/IBM/WebSphere/AppServer
~# chmod -R g+rwX /opt/IBM/WebSphere/AppServer/profiles/$(hostname)
7/ The node agent is started
So far so good, but once we create a new server, the files that
represent that server are again owned as root, group "other".
(Before:)
~# find . ! -group wsadmin
~#
(After:)
~# find . ! -group wsadmin
./logs/peg
./logs/peg/startServer.log
./config/cells/s2003420_Cell/nodes/s2003420/servers/peg
./config/cells/s2003420_Cell/nodes/s2003420/servers/peg/sib-service.xml
./config/cells/s2003420_Cell/nodes/s2003420/servers/peg/ws-security.xml
./config/cells/s2003420_Cell/nodes/s2003420/servers/peg/resources-pme502.xml
./config/cells/s2003420_Cell/nodes/s2003420/servers/peg/server-pme51.xml
./config/cells/s2003420_Cell/nodes/s2003420/servers/peg/server-pme.xml
./config/cells/s2003420_Cell/nodes/s2003420/servers/peg/hamanagerservice.xml
./config/cells/s2003420_Cell/nodes/s2003420/servers/peg/resources-pme.xml
./config/cells/s2003420_Cell/nodes/s2003420/servers/peg/pmi-config.xml
./config/cells/s2003420_Cell/nodes/s2003420/servers/peg/resources.xml
./config/cells/s2003420_Cell/nodes/s2003420/servers/peg/server.xml
./config/cells/s2003420_Cell/nodes/s2003420/servers/peg/variables.xml
./config/cells/s2003420_Cell/applications
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/peg-1.0.2.ear
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deltas
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deltas/peg-1.0.2.ear
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deltas/peg-1.0.2.ear/delta-1140529730903
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deltas/peg-1.0.2.ear/delta-1141211623638
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deltas/peg-1.0.2.ear/delta-1141375027183
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deltas/peg-1.0.2.ear/delta-1141227333228
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deltas/peg-1.0.2.ear/delta-1140532123621
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deltas/peg-1.0.2.ear/delta-1140694207362
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deltas/peg-1.0.2.ear/delta-1140619924519
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deltas/peg-1.0.2.ear/delta-1140698970798
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deltas/peg-1.0.2.ear/delta-1140527727322
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deltas/peg-1.0.2.ear/delta-1140602403094
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deltas/peg-1.0.2.ear/delta-1140696938436
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deltas/peg-1.0.2.ear/delta-1140701438088
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deltas/peg-1.0.2.ear/delta-1141645970032
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deltas/peg-1.0.2.ear/delta-1141636909265
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deltas/peg-1.0.2.ear/delta-1140688510155
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deltas/peg-1.0.2.ear/delta-1140691198427
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deltas/peg-1.0.2.ear/delta-1140686074729
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deployments
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deployments/peg-1.0.2
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deployments/peg-1.0.2/deployment.xml
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deployments/peg-1.0.2/prweb.war
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deployments/peg-1.0.2/prweb.war/META-INF
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deployments/peg-1.0.2/prweb.war/META-INF/MANIFEST.MF
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deployments/peg-1.0.2/prweb.war/WEB-INF
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deployments/peg-1.0.2/prweb.war/WEB-INF/weblogic.xml
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deployments/peg-1.0.2/prweb.war/WEB-INF/ibm-web-bnd.xmi
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deployments/peg-1.0.2/prweb.war/WEB-INF/PRAdminHandler.xml
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deployments/peg-1.0.2/prweb.war/WEB-INF/ibm-web-ext.xmi
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deployments/peg-1.0.2/prweb.war/WEB-INF/web.xml
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deployments/peg-1.0.2/META-INF
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deployments/peg-1.0.2/META-INF/ibm-application-bnd.xmi
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deployments/peg-1.0.2/META-INF/weblogic-application.xml
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deployments/peg-1.0.2/META-INF/MANIFEST.MF
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deployments/peg-1.0.2/META-INF/application.xml
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deployments/peg-1.0.2/META-INF/was.policy
./config/cells/s2003420_Cell/applications/peg-1.0.2.ear/deployments/peg-1.0.2/META-INF/jboss-app.xml
./config/temp/download/cells/s2003420_Cell
./config/temp/download/cells/s2003420_Cell/nodes
./config/temp/download/cells/s2003420_Cell/nodes/s2003420
./config/temp/download/cells/s2003420_Cell/applications
The root user on that machine does *not* have wsadmin as its default
group (can't do that), but doesn't have "other" as default group either
and it is a member of the wsadmin group:
~# getent passwd root
root:x:0:0:Super-User:/root:/sbin/sh
~# getent group 0
root::0:
~# getent group wsadmin
wsadmin::1500:root
When we don't repeatedly re-chgrp/chmod the entire repository, the
following error occurs:
************ Start Display Current Environment ************
WebSphere Platform 6.0 [ND 6.0.2.5 cf50549.21] running with process name s2003420_Cell\s2003420\peg and process id 20267
Host Operating System is SunOS, version 5.10
Java version = 1.4.2_08, Java Compiler = null, Java VM name = Java HotSpot(TM) Client VM
was.install.root = /opt/IBM/WebSphere/AppServer
user.install.root = /opt/IBM/WebSphere/AppServer/profiles/s2003420
Java Home = /opt/IBM/WebSphere/AppServer/java/jre
ws.ext.dirs = /opt/IBM/WebSphere/AppServer/java/lib:/opt/IBM/WebSphere/AppServer/profiles/s2003420/classes:/opt/IBM/WebSphere/AppServer/classes:/opt/IBM/WebSphere/AppServer/lib:/opt/IBM/WebSphere/AppServer/installedChannels:/opt/IBM/WebSphere/AppServer/lib/ext:/opt/IBM/WebSphere/AppServer/web/help:/opt/IBM/WebSphere/AppServer/deploytool/itp/plugins/com.ibm.etools.ejbdeploy/runtime
Classpath = /opt/IBM/WebSphere/AppServer/profiles/s2003420/properties:/opt/IBM/WebSphere/AppServer/properties:/opt/IBM/WebSphere/AppServer/lib/bootstrap.jar:/opt/IBM/WebSphere/AppServer/lib/j2ee.jar:/opt/IBM/WebSphere/AppServer/lib/lmproxy.jar:/opt/IBM/WebSphere/AppServer/lib/urlprotocols.jar:/ontw/peg/resources/jvm-lib:/ontw/peg/resources/config:/ontw/peg/resources/config/Connector
Java Library path = /opt/IBM/WebSphere/AppServer/java/jre/lib/sparc/client:/opt/IBM/WebSphere/AppServer/java/jre/lib/sparc:/opt/IBM/WebSphere/AppServer/java/jre/../lib/sparc:/usr/lib/lwp:/ontw/lib:/usr/local/lib:/opt/oracle/product/9.2.0/lib:/opt/IBM/WebSphere/AppServer/java/jre/lib/sparc/client:/opt/IBM/WebSphere/AppServer/java/jre/lib/sparc:/opt/IBM/WebSphere/AppServer/java/jre/../lib/sparc:/opt/IBM/WebSphere/AppServer/bin:/opt/mqm/java/lib:/opt/wemps/lib::/usr/lib
************* End Display Current Environment *************
[3/6/06 12:57:13:851 MET] 0000000a I UOW=null source=com.ibm.ejs.ras.ManagerAdmin org=IBM prod=WebSphere component=Application Server thread=[Thread-1]
TRAS0017I: The startup trace state is *=info.
[3/6/06 12:57:16:292 MET] 0000000a A UOW=null source=com.ibm.ws.management.AdminInitializer org=IBM prod=WebSphere component=Application Server thread=[Thread-1]
ADMN0015I: The administration service is initialized.
PLGC0057I: Plug-in configuration service is started successfully.
[3/6/06 12:57:18:960 MET] 0000000a A UOW=null source=com.ibm.ws.pmi.component.PMIImpl org=IBM prod=WebSphere component=Application Server thread=[Thread-1]
PMON1001I: PMI is enabled
[3/6/06 12:57:21:793 MET] 0000000a E UOW=null source=com.ibm.ws.management.repository.FileDocument org=IBM prod=WebSphere component=Application Server thread=[Thread-1]
ADMR0104E: The system is unable to read document cells/s2003420_Cell/nodes/s2003420/serverindex.xml: java.io.IOException: Permission denied
    at java.io.UnixFileSystem.createFileExclusively(Native Method)
    at java.io.File.checkAndCreate(File.java:1314)
    at java.io.File.createTempFile(File.java:1402)
    at com.ibm.ws.management.repository.FileDocument.createTempFile(FileDocument.java:561)
    at com.ibm.ws.management.repository.FileDocument.read(FileDocument.java:497)
    at com.ibm.ws.management.repository.FileRepository.extractInternal(FileRepository.java:974)
    at com.ibm.ws.management.repository.FileRepository.extract(FileRepository.java:946)
    at com.ibm.ws.management.repository.FileRepository.extract(FileRepository.java:913)
    at com.ibm.ws.management.repository.FileRepository.extract(FileRepository.java:903)
    at com.ibm.ws.hamanager.runtime.config.ConfigUtils$1.run(ConfigUtils.java:176)
    at com.ibm.ws.security.auth.distContextManagerImpl.runAs(distContextManagerImpl.java:2778)
    at com.ibm.ws.security.auth.distContextManagerImpl.runAsSystem(distContextManagerImpl.java:2655)
    at com.ibm.ws.hamanager.runtime.config.ConfigUtils.getResource(ConfigUtils.java:172)
    at com.ibm.ws.hamanager.runtime.config.CoreGroupProcesses$ServerIndexParser.getNodeEntry(CoreGroupProcesses.java:389)
    at com.ibm.ws.hamanager.runtime.config.CoreGroupProcesses$ServerIndexParser.getServerIndexForServer(CoreGroupProcesses.java:351)
    at com.ibm.ws.hamanager.runtime.config.CoreGroupProcesses.<init>(CoreGroupProcesses.java:114)
    at com.ibm.ws.hamanager.runtime.config.CoreGroupConfig.<init>(CoreGroupConfig.java:98)
    at com.ibm.ws.hamanager.runtime.config.Config.loadCoreGroupConfig(Config.java:200)
    at com.ibm.ws.hamanager.runtime.config.Config.initialize(Config.java:150)
    at com.ibm.ws.hamanager.runtime.CoordinatorComponentImpl.initialize(CoordinatorComponentImpl.java:164)
    at com.ibm.ws.runtime.component.ContainerImpl.initializeComponent(ContainerImpl.java:1160)
    at com.ibm.ws.runtime.component.ContainerImpl.initializeComponents(ContainerImpl.java:979)
    at com.ibm.ws.runtime.component.ServerImpl.initialize(ServerImpl.java:278)
    at com.ibm.ws.runtime.WsServerImpl.bootServerContainer(WsServerImpl.java:173)
    at com.ibm.ws.runtime.WsServerImpl.start(WsServerImpl.java:133)
    at com.ibm.ws.runtime.WsServerImpl.main(WsServerImpl.java:387)
    at com.ibm.ws.runtime.WsServer.main(WsServer.java:53)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at com.ibm.ws.bootstrap.WSLauncher.run(WSLauncher.java:219)
    at java.lang.Thread.run(Thread.java:534)
.
[3/6/06 12:57:21:921 MET] 0000000a W UOW=null source=com.ibm.ws.hamanager.runtime.config.CoreGroupProcesses org=IBM prod=WebSphere component=Application Server thread=[Thread-1]
HMGR0060W: An error was encountered while obtaining the host and port information for server nodeagent on node s2003420.
[3/6/06 12:57:22:001 MET] 0000000a E UOW=null source=com.ibm.ws.management.repository.FileDocument org=IBM prod=WebSphere component=Application Server thread=[Thread-1]
ADMR0104E: The system is unable to read document cells/s2003420_Cell/nodes/s2003420/serverindex.xml: java.io.IOException: Permission denied
    at java.io.UnixFileSystem.createFileExclusively(Native Method)
    at java.io.File.checkAndCreate(File.java:1314)
    at java.io.File.createTempFile(File.java:1402)
    at com.ibm.ws.management.repository.FileDocument.createTempFile(FileDocument.java:561)
    at com.ibm.ws.management.repository.FileDocument.read(FileDocument.java:497)
    at com.ibm.ws.management.repository.FileRepository.extractInternal(FileRepository.java:974)
    at com.ibm.ws.management.repository.FileRepository.extract(FileRepository.java:946)
    at com.ibm.ws.management.repository.FileRepository.extract(FileRepository.java:913)
    at com.ibm.ws.management.repository.FileRepository.extract(FileRepository.java:903)
    at com.ibm.ws.hamanager.runtime.config.ConfigUtils$1.run(ConfigUtils.java:176)
    at com.ibm.ws.security.auth.distContextManagerImpl.runAs(distContextManagerImpl.java:2778)
    at com.ibm.ws.security.auth.distContextManagerImpl.runAsSystem(distContextManagerImpl.java:2655)
    at com.ibm.ws.hamanager.runtime.config.ConfigUtils.getResource(ConfigUtils.java:172)
    at com.ibm.ws.hamanager.runtime.config.CoreGroupProcesses$ServerIndexParser.getNodeEntry(CoreGroupProcesses.java:389)
    at com.ibm.ws.hamanager.runtime.config.CoreGroupProcesses$ServerIndexParser.getServerIndexForServer(CoreGroupProcesses.java:351)
    at com.ibm.ws.hamanager.runtime.config.CoreGroupProcesses.<init>(CoreGroupProcesses.java:114)
    at com.ibm.ws.hamanager.runtime.config.CoreGroupConfig.<init>(CoreGroupConfig.java:98)
    at com.ibm.ws.hamanager.runtime.config.Config.loadCoreGroupConfig(Config.java:200)
    at com.ibm.ws.hamanager.runtime.config.Config.initialize(Config.java:150)
    at com.ibm.ws.hamanager.runtime.CoordinatorComponentImpl.initialize(CoordinatorComponentImpl.java:164)
    at com.ibm.ws.runtime.component.ContainerImpl.initializeComponent(ContainerImpl.java:1160)
    at com.ibm.ws.runtime.component.ContainerImpl.initializeComponents(ContainerImpl.java:979)
    at com.ibm.ws.runtime.component.ServerImpl.initialize(ServerImpl.java:278)
    at com.ibm.ws.runtime.WsServerImpl.bootServerContainer(WsServerImpl.java:173)
    at com.ibm.ws.runtime.WsServerImpl.start(WsServerImpl.java:133)
    at com.ibm.ws.runtime.WsServerImpl.main(WsServerImpl.java:387)
    at com.ibm.ws.runtime.WsServer.main(WsServer.java:53)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at com.ibm.ws.bootstrap.WSLauncher.run(WSLauncher.java:219)
    at java.lang.Thread.run(Thread.java:534)
etc, etc, etc...
The application servers are all installed with runAsGroup=wsadmin and
umask=002.
I find it quite strange that new files are again placed as root:other
although the node agent clearly is defined for root:wsadmin. Could it
be that the file synchronisation uses its own configuration?
It is the /opt/IBM/WebSphere/AppServer/bin/syncNode.sh script; it
synchronises the repository as the user/group it is started with.
Synchronisation using the admin console uses the correct privileges.
-Dexthor.
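Editor's note, added as a worked example; this script is not from the thread, from IBM, or from the WebSphere Information Center. Two points in the thread are worth turning into a repeatable check. First, the ADMR0104E text says "unable to read", but the frames under it (java.io.File.createTempFile, then UnixFileSystem.createFileExclusively) show the server creating a new file, so what has to be right is write and search permission on the directory WebSphere picked for that temporary file (the trace does not name it), and "ls -l" on serverindex.xml alone cannot show whether that holds. Second, new files created under the repository by a root-run syncNode.sh take root's primary group unless the containing directory carries the setgid bit, in which case they inherit the directory's group on Solaris and Linux; Dexthor's chgrp/chmod recipe sets that bit with "g+rxs", Sven's step 6 ("g+rwX") does not. The audit below lists every path that fails the group-ownership, group-rwx-on-directories, setgid-on-directories or group-read-on-files conditions, and the fix function applies them, deliberately setting setgid on directories only (a setgid bit on an executable file is an unrelated privilege hazard and is pointless on the XML documents). Function names (was_perm_audit, was_perm_fix, make_demo_tree) are hypothetical; the demo tree is constructed, and the calling user's primary group stands in for wsadmin so the script runs without extra groups or root. Run it for real as "was_perm_audit /opt/IBM/WebSphere/AppServer/profiles/s2003420 wsadmin".

```shell
#!/bin/sh
# Added example, not part of the thread. Audit and repair the permission
# properties a non-root WebSphere server needs on its profile tree.
# Function names are hypothetical; the demo tree below is constructed.

# List every path under $1 that would break a server running in group $2.
# Each line is "<reason> <path>", sorted, so it can be diffed between runs.
#   WRONG-GROUP    object not owned by group $2 (what `find ! -group` showed)
#   DIR-NO-G+WX    directory without group write+search: createTempFile
#                  in it fails with "Permission denied" even if the
#                  document itself is 0666
#   DIR-NO-SETGID  directory without setgid: files created in it by a
#                  root-run syncNode.sh take root's primary group instead
#                  of $2
#   FILE-NO-G+R    regular file the server cannot read at all
was_perm_audit() {
    root=$1; grp=$2
    {
        find "$root" ! -group "$grp"          | sed 's/^/WRONG-GROUP   /'
        find "$root" -type d ! -perm -030     | sed 's/^/DIR-NO-G+WX   /'
        find "$root" -type d ! -perm -2000    | sed 's/^/DIR-NO-SETGID /'
        find "$root" -type f ! -perm -040     | sed 's/^/FILE-NO-G+R   /'
    } | sort
}

# Repair: shared group everywhere, group read plus search (X) everywhere,
# and group write plus setgid on directories only. Unlike `chmod -R g+rxs`
# this never puts a setgid bit on a file.
was_perm_fix() {
    root=$1; grp=$2
    chgrp -R "$grp" "$root" &&
    chmod -R g+rX "$root" &&
    find "$root" -type d -exec chmod g+ws {} +
}

# Constructed mini profile tree reproducing the thread's state: the
# node directory has the default 0755 (no group write, no setgid) while
# serverindex.xml inside it is 0666 and config/temp is wide open with
# setgid, exactly the combination that still fails. Prints the root.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/config/cells/c/nodes/n" "$d/config/temp"
    : > "$d/config/cells/c/nodes/n/serverindex.xml"
    chmod 755  "$d/config/cells/c/nodes/n"
    chmod 666  "$d/config/cells/c/nodes/n/serverindex.xml"
    chmod 2775 "$d/config/temp"
    printf '%s\n' "$d"
}

# Demo: current user's primary group stands in for wsadmin.
demo_root=$(make_demo_tree)
demo_grp=$(id -gn)
echo "== audit before fix =="
was_perm_audit "$demo_root" "$demo_grp"
was_perm_fix "$demo_root" "$demo_grp"
echo "== audit after fix (expect no output) =="
was_perm_audit "$demo_root" "$demo_grp"
rm -rf "$demo_root"
```

The directory named in the thread can also be probed directly for the createTempFile precondition, e.g. "su - pegwas -c 'touch /opt/IBM/WebSphere/AppServer/profiles/s2003420/config/cells/s2003420_Cell/nodes/s2003420/.probe'" followed by removing the probe file; if that fails while the XML is 0666, the directory bits are the problem. Re-run the audit after every root-run syncNode.sh until the setgid bits are in place, since that is the operation the thread identifies as reintroducing root-owned, wrongly grouped files.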