[Pacemaker] Can't issue 'crm configure' commands under privileged user

Dejan Muhamedagic dejanmm at fastmail.fm
Mon Oct 1 05:02:03 EDT 2012


On Fri, Sep 28, 2012 at 04:51:36PM +0100, Colin McCormack wrote:
> Hi Dejan - thanks for taking the time to respond again
> 
> >"Hangs? Wasn't it in the first message that "cibadmin is not
> available"? If it hangs, then you should check the process list (pstree)
> to see what the shell is doing at the time and take a look at the logs."
> 
> crm configure...
> Hangs
> 
> sudo crm configure...
> cibadmin is not available is issued
> 
> When it hangs this is what I see with a grepped ps:
> 
> 500      13710 13677  0 13:19 pts/10   00:00:00 /bin/sh -c sudo -E -u colinlinux >/dev/null 2>&1 lrmadmin -C

OK. This seems to be a deficiency in lrmd which got fixed later.
But there was a workaround in crm shell for almost two years
(iirc since pacemaker v1.1.5).

> **********************************************************
> 
> > "For this, if I understood correctly, you would like to take a look
> at ACLs. That doesn't require configuring sudo, i.e. the crm shell runs
> all the time as the real user and the cluster should be instructed by a
> set of ACL rules about users' rights."
> 
> I haven't configured any ACLs yet - but I have given permissions (as a
> test) to all of dir /var/lib/heartbeat/crm with no luck

That's not needed actually. And better not to change default
permissions.

> What directorie(s) should I apply ACLs on?

I meant the Pacemaker ACLs. But those are available starting with
Pacemaker v1.1.6.

Thanks,

Dejan

> Thanks
> 
> Col