
Running HA as nobody:nobody

Created: 25 Jul 2012 • Updated: 27 Jul 2012 | 6 comments
This issue has been solved. See solution.

I am running 5.1 HA on a RHEL setup. Right now I have a working cluster with application failover. All our applications are set to be run as the nobody:nobody account on the system. As part of the HA integration, a requirement came up that we need to be able to start and stop services and run commands with the nobody:nobody account. Because VCS is all set up to run as root, what is the best way to accomplish this?


Satish K. Pagare

In case you have configured your applications using the "Application" agent in VCS, you can set the "User" attribute for that particular resource to "nobody". All the StartProgram, StopProgram, and CleanProgram executables will be run in that user's context on the system. What other agents have you used to cluster your applications for failover? Most of the supported agents do have an attribute such as "User".

mkruer

All the applications are using the correct permissions internally. However, I need to be able to run hares, hagrp, vcs, hastatus, haconfig, and gabconfig from the nobody account without it having to log in or su to root and without HA asking me for a username/password to log in to access the HA information. Perhaps a better way to phrase the issue is that I need to either run HA with a different account or give nobody access to run HA commands. How would I make the nobody account an admin of HA?

mkruer

Would this work for what I am trying to accomplish? If so, how do I resolve the issue?

# hauser -addpriv nobody AdministratorGroup

VCS WARNING V-16-1-10049 This operation is not permitted as the cluster is not running in secure mode

Satish K. Pagare

You need to use the following:

root # hauser -add nobody -priv Administrator

(Provide the password here)

Now enter into nobody's account:

root # su - nobody

Execute the following so that ha commands will not require a password for this user shell.

nobody $ halogin nobody <password>

nobody $ hares -state

Now all "ha" commands should work fine through the "nobody" account without requiring a password.

Hope that helps.

SOLUTION
mkruer

That helps a lot. I think I am 90% there.

I just have one more question.

I have a script that collects the information.

Right now I am using a simple "/etc/init.d/vcs status | grep running..." to get the status of vcs. Is there a better way to get this even if vcs is not running?

mkruer

Changing ownership of the file /etc/sysconfig/vcs to nobody fixes the one outstanding permission issue.
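
An added check, not part of the original thread, for the ownership change described in the last comment: it reports when a file is not owned by the expected account or is group/other-writable, and applies the same test to the parent directory. It assumes /etc/sysconfig/vcs is read by the root-run /etc/init.d/vcs script and that GNU stat is available (as on RHEL); the function name audit_root_read_file is hypothetical.

```shell
#!/bin/sh
# Added example: audit a file that a root-run init script reads.
# Assumption: /etc/init.d/vcs runs as root and reads /etc/sysconfig/vcs,
# so whoever can write that file influences what root executes.
# Requires GNU stat (-c '%U' / '%a').
#
# Usage: audit_root_read_file /etc/sysconfig/vcs
#        audit_root_read_file FILE [TRUSTED_OWNER]   (default owner: root)
# Prints one finding per line.
# Returns 0 if clean, 1 if there are findings, 2 if FILE does not exist.
audit_root_read_file() {
    file=$1
    trusted=${2:-root}
    findings=0

    [ -e "$file" ] || { echo "MISSING $file"; return 2; }

    # Check the file and its parent directory: a writable directory lets
    # the file be replaced even when the file itself is locked down.
    for p in "$file" "$(dirname "$file")"; do
        owner=$(stat -c '%U' "$p")
        mode=$(stat -c '%a' "$p")

        if [ "$owner" != "$trusted" ]; then
            echo "OWNER $p is owned by $owner, expected $trusted"
            findings=$((findings + 1))
        fi

        # Leading 0 makes the mode octal; 020 = group write, 002 = other write.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $p mode $mode allows group/other write"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}
```

On a host where the file has been chowned to nobody, the function prints an OWNER finding for /etc/sysconfig/vcs and returns 1.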