[ClusterLabs Developers] pacemakerd: error: sysrq_init: Cannot write to /proc/sys/kernel/sysrq: Permission denied (13)

Jan Pokorný jpokorny at redhat.com
Wed Sep 19 06:30:35 EDT 2018


On 19/09/18 14:47 +0800, zhongbin wrote:
> More detail:
> my operating system is Debian 8 (jessie).
> 
> At 2018-09-19 14:00:42, "钟彬" <zhongbin314 at 163.com> wrote:
> 
> When I use a non-root user to start pacemaker-2.0.0,

Running pacemaker as non-root is not a good choice, I am afraid.

It simply wasn't designed to run like that, since the vast majority
of the resources to be managed in HA fashion (purpose of pacemaker)
will require some portion of extra privileges, so the actual
progression regarding privileges is to start with a full sack
only to gradually drop what's not needed (akin to "least privilege"
principle) -- either in pacemaker's own set of auxiliary daemons
or internally in the resources themselves.

The other justification is that for HA clustering to be meaningful,
you need some kind of isolation of broken hosts, and how much sense
does it make to _not_ allow enough privileges to pacemaker while at
the same time allowing it to cut off these machines incl. self
(which is being attempted in your very case, to solve something
very unexpected -- not having enough privileges is likely one such
case)?

> "pacemakerd: error: sysrq_init: Cannot write to /proc/sys/kernel/sysrq: Permission denied (13)"
> appears in pacemaker.log.
> Some other "Permission denied" problems were resolved by using
> "setcap" command to enable some capabilities.  But the above
> problem cannot be solved.

Well, your run of pacemaker is getting to a really unsolvable
situation when it takes the code path allowing for such a message,
so even if you manage to overcome that denial with some other
capabilities artificially granted, your machine will likely just
be rebooted.

If I were you, I'd stop going down that rabbit hole and simply
run pacemaker as root.  The workaround chain for your current
approach doesn't seem to be worth the hassle, and is in conflict
with what pacemaker is meant to be used for.

> "Cannot write to /proc/sys/kernel/sysrq" was printed when calling
> the function sysrq_init.
> [1] https://github.com/ClusterLabs/pacemaker/blob/e8b96015f5e709de29f8e84fc78387796d31b4da/lib/common/watchdog.c#L69

Not that it should help in your scenario, but realized that perhaps
fewer writes are better regarding various Linux security modules,
auditing, etc., and any sort of race condition is not imminent
(at worst racing with the sibling processes with the same intent):
https://github.com/ClusterLabs/pacemaker/pull/1590

> Can you give me some suggestions to solve the problem? Is
> sysrq_init necessary, can I ignore the error?

See above, you likely won't get anywhere even if you ignore that
error.

-- 
Nazdar,
Jan (Poki)
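
The "fewer writes" remark in the message above, sketched as an added example that is not part of the original thread and is not pacemaker's code: read the SysRq bitmask first and write only when required bits are missing, so an already-suitable setting causes no write for security modules or auditing to flag. The function names and the choice of bits 8 and 128 are assumptions for illustration; the bit meanings are those in the kernel's SysRq documentation.

```c
#include <errno.h>
#include <stdio.h>

/* Bit values from the kernel's SysRq documentation. */
#define SYSRQ_ALL    1    /* 1 enables every SysRq function */
#define SYSRQ_DUMP   8    /* debugging dumps of processes */
#define SYSRQ_REBOOT 128  /* reboot/poweroff */

/* Return the bitmask stored in path (>= 0), or -errno on failure. */
static int read_mask(const char *path)
{
    int mask = -1;
    FILE *f = fopen(path, "r");
    if (f == NULL) return -errno;
    if (fscanf(f, "%d", &mask) != 1 || mask < 0) mask = -EINVAL;
    fclose(f);
    return mask;
}

/* Overwrite path with mask; returns 0 or -errno (-EACCES when unprivileged). */
static int write_mask(const char *path, int mask)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) return -errno;
    int rc = (fprintf(f, "%d\n", mask) > 0) ? 0 : -EIO;
    /* stdio buffers the data, so a rejected write may only surface here */
    if (fclose(f) != 0 && rc == 0) rc = -errno;
    return rc;
}

/* Hypothetical helper: 0 = nothing to do, 1 = mask updated, <0 = -errno. */
int sysrq_ensure(const char *path, int needed)
{
    int cur = read_mask(path);
    if (cur < 0) return cur;
    if (cur == SYSRQ_ALL || (cur & needed) == needed) return 0; /* no write */
    int rc = write_mask(path, cur | needed);
    return (rc == 0) ? 1 : rc;
}

int main(void)
{
    int rc = sysrq_ensure("/proc/sys/kernel/sysrq", SYSRQ_DUMP | SYSRQ_REBOOT);
    printf("sysrq_ensure: %d\n", rc);
    return rc < 0;
}
```

Run by an unprivileged user on a host where the needed bits are not yet set, this reports -13 (EACCES), the same error number as in the log line quoted in the thread.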