Running HA as nobody:nobody

mkruer
Level 4

I am running 5.1 HA on a RHEL setup. Right now I have a working cluster with application failover. All our applications are set to be run as the nobody:nobody account on the system. As part of the HA integration a requirement came up that we need to be able to start and stop services and run commands with the nobody:nobody account. Because VCS is all set up to run as root, what is the best way to accomplish this?

1 ACCEPTED SOLUTION

Satish_K__Pagar
Level 5
Employee

You need to use the following:

root # hauser -add nobody -priv Administrator

(Provide the password here)

Now enter into nobody's account:


root # su - nobody

Execute the following so that ha commands will not require a password for this user shell.
nobody $ halogin nobody <password>

nobody $ hares -state

Now all "ha" commands should work fine through the "nobody" account without requiring a password.

Hope that helps.
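
The `hauser -add nobody -priv Administrator` step above makes the shared `nobody` account a cluster Administrator. As an added example (not part of the original post and not Veritas code), this script lists the cluster-level Administrators recorded in a `main.cf` and flags service accounts among them. It assumes the usual `Administrators = { ... }` layout inside the `cluster` block, normally found in `/etc/VRTSvcs/conf/config/main.cf`; the function names, the account list and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which VCS users hold cluster Administrator privilege.
SERVICE_ACCOUNTS="nobody daemon apache"   # assumption: accounts to flag

# Constructed sample main.cf (placeholder hashes), so the script runs offline.
sample_main_cf() {
cat <<'EOF'
include "types.cf"

cluster demo_clus (
    UserNames = { admin = "PLACEHOLDER1", nobody = "PLACEHOLDER2" }
    Administrators = { admin,
        nobody }
    )

system node1 (
    )
EOF
}

# Print each cluster-level Administrator on its own line.
vcs_admins() {
    awk '
        /^cluster[ \t]/ { c = 1; next }          # enter the cluster block
        c && /^[ \t]*\)/ { exit }                # block closed: stop reading
        c && /^[ \t]*Administrators[ \t]*=/ { g = 1 }
        g { buf = buf " " $0; if ($0 ~ /[}]/) g = 0 }   # list may span lines
        END {
            sub(/^[^{]*[{]/, "", buf); sub(/[}].*$/, "", buf)
            n = split(buf, a, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t"]/, "", a[i])
                if (a[i] != "") print a[i]
            }
        }
    ' "$1"
}

# Warn about Administrators that are shared service accounts.
flag_service_admins() {
    for u in $(vcs_admins "$1"); do
        case " $SERVICE_ACCOUNTS " in
            *" $u "*) echo "WARN: cluster Administrator '$u' is a service account" ;;
        esac
    done
}

# Audit the file given as $1, or the constructed sample when none is given.
cf=${1:-}
[ -n "$cf" ] || { cf=$(mktemp); sample_main_cf > "$cf"; }
flag_service_admins "$cf"
```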


Satish_K__Pagar
Level 5
Employee

In case you have configured your applications using the "Application" agent in VCS, you can set the "User" attribute for that particular resource to "nobody". All the StartProgram, StopProgram and CleanProgram executables will be run in that user's context on the system. What other agents have you used to cluster your applications for failover? Most of the agents supported do have an attribute such as "User".

mkruer
Level 4
All the applications are using the correct permissions internally. However I need to be able to run the hares, hagrp, vcs, hastatus, haconfig, gabconfig from the nobody account without it having to login su to root and without HA asking me for a username/password to login to access the HA information. Perhaps a better way to phrase the issue is I need to either run HA with a different account or give nobody access to run HA commands. How would I make the nobody account an admin of HA?

mkruer
Level 4
Would this work for what I am trying to accomplish? If so, how do I resolve the issue?

# hauser -addpriv nobody AdministratorGroup
VCS WARNING V-16-1-10049 This operation is not permitted as the cluster is not running in secure mode

mkruer
Level 4
That helps a lot. I think I am 90% there. I just have one more question. I have a script that collects the information. Right now I am using a simple "/etc/init.d/vcs status | grep running..." to get the status of vcs. Is there a better way to get this even if vcs is not running?

mkruer
Level 4

Changing ownership of the file /etc/sysconfig/vcs to nobody fixes the one outstanding permission issue.