Solved: Using hacli for non root users - VCS 5.0

gdan2000 · ‎07-18-2011

Hi,

We've upgraded VCS from 4.0 to 5.0 and discovered that we're not able anymore use hacli for non root user (execute command on another nodes in cluster)

HacliUserLevel parameter in 5.0 can be set to COMMANDROOT/NONE only, which restricts using hacli for root user.

The problem is that root access very limited on the customer site...

Is there any solution for that ?

Thanks

mikebounds · ‎07-19-2011

If it is a bunch of scripts, rather than adhoc commands, you could use VCS actions something like this:

Create a dummy FileOnOff resource - this could be in any service group, but if scripts are run against resources in a particular resource, then add it to this service group(s). Make resource non-critical and do not make any resources dependent on it so that it does not effect servicegroup in any way (although there is not much that can go wrong with just a creating file).
Create an "actions" directory in /opt/VRTSvcs/bin/FileOnOff and place your scripts in this directory on all nodes
Populate SupportedActions attribute on FileOnOff type with a list of your scripts

You can now run your scripts from command line from on any node specifying what node you want script to run on with "-sys" option like:

hares -action FileOnOff_res_name script_name [-actionargs arg1 arg2 ...] -sys system

You can also run from VCS GUI by right clicking on resource and choosing "actions"

The scripts will be passed the name of the resource so you can use this to determine what service group the resource is in if your scripts performs actions relative to service group. The way args are passed changed, but not sure if this was 5.0 or 5.1 so I think they passed something like:

resource_name 1 arg1_value 2 arg2_value

as oppose to

resource_name arg1_value arg2_value

But you can put "echo $* > /tmp/args" at start of your script to see what args are passed.

If you wanted to run adhoc commands you could probably have your script run "sh arg1"

Mike

View solution in original post

mikebounds · ‎07-19-2011

Why do you need to run commands from another node - why not log on to that node - you could use ssh/rsh. What commands are you running - adhoc commands or specific commands?

Mike

gdan2000 · ‎07-19-2011

you are right, basically I can use silent ssh

the problem is that bunch of scripts written with hacli (for VCS 4.0), so it will create a lot work ...

This is the reason I'm looking for VCS backward compatibility soltion

mikebounds · ‎07-19-2011

If it is a bunch of scripts, rather than adhoc commands, you could use VCS actions something like this:

Create a dummy FileOnOff resource - this could be in any service group, but if scripts are run against resources in a particular resource, then add it to this service group(s). Make resource non-critical and do not make any resources dependent on it so that it does not effect servicegroup in any way (although there is not much that can go wrong with just a creating file).
Create an "actions" directory in /opt/VRTSvcs/bin/FileOnOff and place your scripts in this directory on all nodes
Populate SupportedActions attribute on FileOnOff type with a list of your scripts

You can now run your scripts from command line from on any node specifying what node you want script to run on with "-sys" option like:

hares -action FileOnOff_res_name script_name [-actionargs arg1 arg2 ...] -sys system

You can also run from VCS GUI by right clicking on resource and choosing "actions"

The scripts will be passed the name of the resource so you can use this to determine what service group the resource is in if your scripts performs actions relative to service group. The way args are passed changed, but not sure if this was 5.0 or 5.1 so I think they passed something like:

resource_name 1 arg1_value 2 arg2_value

as oppose to

resource_name arg1_value arg2_value

But you can put "echo $* > /tmp/args" at start of your script to see what args are passed.

If you wanted to run adhoc commands you could probably have your script run "sh arg1"

Mike

gdan2000 · ‎07-19-2011

Thanks Mike

I understand proposed solution, but creating silent ssh and replace hacli commands to ssh style seems to me easier...

The goal of my post was actually to find out if VCS 5.0 keeps a backward compatibility for hacli (some kind of new attribute,flag etc...)

and thus reduce production changes to minimum.

mikebounds · ‎07-19-2011

You already stated you have issues running root on source box, so I guess it depends on whether scripts need to run as root on target box - i.e with VCS 4.0 hacli you would have run command as non-root on node1 which would have run commands as root on node2. If you use ssh on node1, then if root access is restricted, then it can't run as root on node2 and this may (or maynot be an issue). Even if script needs to be run as a specifc user then this means original script would have run "su - user" and if you run this script as non-root, even with the same user you do the "su -" to, you will be prompted with a password so you will have to ammend scripts. With action scripts, once you have added FileOnOff resource and modified Type, if you don't need to pass any args then you just need to replace:

 hacli -cmd full_path/script_name -sys system

with

 hares -action FileOnOff_res_name script_name -sys system

and you shouldn't need to change scripts

or if you are running adhoc commands then something like (example to run "ls"

 hares -action FileOnOff_res_name run_command -args ls -sys system

where run_command contains something like:

 # Remove "resource_name" from args
shift  
# Run command
$*

I don't know of any backward compatibility for hacli.

Mike

gdan2000 · ‎07-19-2011

10x guys

I'll try it

VOX

Using hacli for non root users - VCS 5.0