[ClusterLabs] Antw: pcmk 1.1.17: Which effective user is calling OCF agents for querying meta-data?

Ulrich Windl Ulrich.Windl at rz.uni-regensburg.de
Thu Sep 27 05:55:43 EDT 2018

>>> "cfpublic1 at verimatrix.com" <cfpublic1 at verimatrix.com> schrieb am 27.09.2018
11:19 in Nachricht
<CO1PR20MB07128659B8A06743D805D41BBE140 at CO1PR20MB0712.namprd20.prod.outlook.com>

> Hi all,
> we have been using pacemaker 1.1.7 for many years on RedHat 6. Recently, we

> moved to RedHat 7.3 and pacemaker 1.1.17.
> Note that we build pacemaker from source RPMs and don’t use the packages 
> supplied by RedHat.
> With pacemaker 1.1.17, we observe the following messages during startup of 
> pacemaker:
> 2018-09-18T11:58:18.452951+03:00 p12-0001-bcsm03 crmd[2871]:  warning: 
> Cannot execute '/usr/lib/ocf/resource.d/verimatrix/anything4': Permission 
> denied (13)
> 2018-09-18T11:58:18.453179+03:00 p12-0001-bcsm03 crmd[2871]:    error: 
> Failed to retrieve meta-data for ocf:verimatrix:anything4
> 2018-09-18T11:58:18.453291+03:00 p12-0001-bcsm03 crmd[2871]:    error: No 
> metadata for ocf::verimatrix:anything4


Could it be as simple as /usr/lib/ocf/resource.d/verimatrix/anything4 not
having the execute bit set (for the user)?

> However, apart from that, we can control the respective cluster resource 
> (start, stop, move, etc.) as expected.
> crmd is running as user ‘hacluster’, both on the old pacemaker 1.1.7 
> deployment on RHEL6 and on the new pacemaker 1.1.17 deployment on RHEL7.
> It seems that on startup, crmd is querying the meta-data on the OCF agents 
> using a non-root user (hacluster?) while the regular resource control 
> activity seems to be done as root.
> The OCF resource in question intentionally resides in a directory that is 
> inaccessible to non-root users.

Why? You can selectively grat access (man setfacl)!

> Is this behavior of using different users intended? If yes, any clue why was

> it working with pacemaker 1.1.7 under RHEL6?

Finally: Why are you asking thei list for help, when you removed execute
permission for your home-grown (as it seems) resource agent? What could WE do?


More information about the Users mailing list