[ClusterLabs] Which effective user is calling OCF agents for querying meta-data?

cfpublic1 at verimatrix.com cfpublic1 at verimatrix.com
Wed Sep 26 09:26:08 EDT 2018

Hi all,

we have been using pacemaker 1.1.7 for many years on RedHat 6. Recently, we moved to RedHat 7.3 and pacemaker 1.1.17.
Note that we build pacemaker from source RPMs and don’t use the packages supplied by RedHat.

With pacemaker 1.1.17, we observe the following messages during startup of pacemaker:
2018-09-18T11:58:18.452951+03:00 p12-0001-bcsm03 crmd[2871]:  warning: Cannot execute '/usr/lib/ocf/resource.d/verimatrix/anything4': Permission denied (13)
2018-09-18T11:58:18.453179+03:00 p12-0001-bcsm03 crmd[2871]:    error: Failed to retrieve meta-data for ocf:verimatrix:anything4
2018-09-18T11:58:18.453291+03:00 p12-0001-bcsm03 crmd[2871]:    error: No metadata for ocf::verimatrix:anything4

However, apart from that, we can control the respective cluster resource (start, stop, move, etc.) as expected.

crmd is running as user ‘hacluster’, both on the old pacemaker 1.1.7 deployment on RHEL6 and on the new pacemaker 1.1.17 deployment on RHEL7.

It seems that on startup, crmd is querying the meta-data on the OCF agents using a non-root user (hacluster?) while the regular resource control activity seems to be done as root.
The OCF resource in question intentionally resides in a directory that is inaccessible to non-root users.

Is this behavior of using different users intended? If yes, any clue why was it working with pacemaker 1.1.7 under RHEL6?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clusterlabs.org/pipermail/users/attachments/20180926/84fd2ab4/attachment.html>

More information about the Users mailing list