Versions Compared

...

  • General Changes required by both fapolicyd and noexec mounted /tmp (required by OMK Installers, but not by NMIS Installers):

    Code Block
    # Create an install directory which we can use in a less restricted fashion to get OMK Applications installed and functioning
    # - for this example we have chosen directory '/data/installs/':
    
    sudo -i
    mkdir -p /data/installs/
    
    # Set an environment variable globally to accommodate the Perl PAR module, which is used to build and execute OMK daemons and scripts, if needed.
    # PAR unpacks each packed executable under PAR_GLOBAL_TMPDIR before running it; without it PAR falls back to a temporary
    # directory such as /tmp, which is exactly what a noexec /tmp forbids.
    # check the environment variable is not already set (should not return a reference to PAR_GLOBAL_TMPDIR if not set in this file):
    cat /etc/environment
    
    # check the environment variable is not already set in some other manner (should not return anything if PAR_GLOBAL_TMPDIR is not already exported):
    echo "${PAR_GLOBAL_TMPDIR}"
    
    # set up PAR_GLOBAL_TMPDIR if needed:
    #
    # IMPORTANT:
    #   If you require OMK scripts that don't explicitly require root privileges to be executable by users without root privileges:
    #     Set PAR_GLOBAL_TMPDIR to a suitable directory outside of the OMK install directory (/usr/local/omk in this example);
    #     The OMK install directory currently has root as both owner and group by default.
    #     Users without root privileges therefore won't have execute capability in the OMK install directory structure.
    #
    # Mode 1777 makes the directory world-writable with the sticky bit, exactly like /tmp: any user can create files there but only
    # remove their own. PAR keeps a per-user subdirectory (par-<hex username>, e.g. par-726f6f74 for root), so the daemons only ever
    # execute from the root-owned one. If every process that runs OMK PAR executables is root, 0755 (root-only write) is sufficient.
    mkdir -p /usr/local/omk/var/lib/common/
    chmod 1777 /usr/local/omk/var/lib/common/
    echo 'PAR_GLOBAL_TMPDIR="/usr/local/omk/var/lib/common/"' >> /etc/environment
    
    # reboot to get the PAR_GLOBAL_TMPDIR exported globally if it needed to be set:
    reboot
    
    # check PAR_GLOBAL_TMPDIR is exported after reboot:
    echo "${PAR_GLOBAL_TMPDIR}"
    /usr/local/omk/var/lib/common/
    
    # Unfortunately systemd services do not pick up this global environment variable (/etc/environment is applied by pam_env to login
    # sessions, not to services), so each OMK systemd service needs to be edited:
    # first we check the needed 'EnvironmentFile' entry is not already included with:
    sudo systemctl cat omkd
    # then, if necessary, edit omkd service (this creates a drop-in override under /etc/systemd/system/omkd.service.d/)
    sudo systemctl edit omkd
    
    # Ensure the service is configured to use PAR_GLOBAL_TMPDIR environment variable as set in /etc/environment
    # by adding the following entry to [Service]
    # - add [Service] section if it is not already present
    # - EnvironmentFile expects KEY=value lines, which is the format of /etc/environment:
    
    [Service]
    EnvironmentFile=/etc/environment
    
    
    # edit each OMK systemd service in this manner if needed, for example: 
    sudo systemctl edit opchartsd
    sudo systemctl edit opconfigd
    sudo systemctl edit opeventsd
    sudo systemctl edit opflowd
    
    
    # reload the edited services
    sudo systemctl daemon-reload
    
    
    # restart the OMK services
    sudo /path/to/omk/bin/checkomkdaemons.sh restart
    
    
    # To ensure cron jobs read /etc/environment and pick up the environment variable PAR_GLOBAL_TMPDIR,
    # prepend the following code to the command (cron runs commands through /bin/sh, so 'export' works there;
    # the trailing '||:' ensures the job still runs if that export fails):
    export $(/usr/bin/xargs < /etc/environment)||:;
    # For example /etc/cron.d/opreports: 
    # was 
            # this cron schedule runs the opReports scheduler every 5 minutes
            #
            # m h dom month dow user command
            */5 * * * *   root    /usr/local/omk/bin/opreports-scheduler.exe
    # and becomes
            # this cron schedule runs the opReports scheduler every 5 minutes
            #
            # m h dom month dow user command
            */5 * * * *   root    export $(/usr/bin/xargs < /etc/environment)||:; /usr/local/omk/bin/opreports-scheduler.exe
    
    # The NMIS9 plugin SubnetImport.pm, which is executed by the nmis9d.service daemon, executes opcharts-cli.pl, so this service too
    # needs to be configured to have the PAR_GLOBAL_TMPDIR environment variable in its environment, as set in /etc/environment:
    #
    # first we check the needed 'EnvironmentFile' entry is not already included with:
    sudo systemctl cat nmis9d
    # then, if necessary, edit nmis9d service
    sudo systemctl edit nmis9d
    
    # Ensure the service is configured to have PAR_GLOBAL_TMPDIR environment variable in its environment, as set in /etc/environment
    # by adding the following entry to [Service]
    # - add [Service] section if it is not already present
    # - note the '=-' which instructs nmis9d.service not to fail on file /etc/environment not being found:
    
    [Service]
    EnvironmentFile=-/etc/environment
    
    
    # reload the edited services
    sudo systemctl daemon-reload
    
    
    # restart the OMK services
    sudo /path/to/omk/bin/checkomkdaemons.sh restart
    
    # restart the nmis9d service
    sudo systemctl restart nmis9d
    


  • fapolicyd Whitelisting Change (required by OMK Installers, but not by NMIS Installers):

    Code Block
    # For OMK services and scripts to function correctly we will need to add a rule to whitelist needed directories in fapolicyd
    # such that root (uid=0) can execute scripts in the listed directories:
    # - for this example we have chosen directory '/data/installs/' and /path/to/omk/ is /usr/local/omk/:
    
    # Insert the following rule at line 1 of /etc/fapolicyd/fapolicyd.rules
    # - fapolicyd evaluates rules top-down and acts on the first match, so the rule must sit above the default deny rules.
    # - on fapolicyd versions that assemble the rule set from /etc/fapolicyd/rules.d/ instead, put the rule in a file that sorts
    #   first (for example 00-omk.rules) and load it with 'fagenrules --load'.
    # - 'perm=any uid=0' trusts everything under the listed directories when run as root, including the world-writable (1777)
    #   PAR_GLOBAL_TMPDIR; keep the list to the directories your installation actually needs.
    allow perm=any uid=0 : dir=/data/installs/,/usr/local/omk/var/lib/common/,/data/omk/var/lib/common/,/usr/local/omk/lib/common/PAR/,/usr/local/omk/lib/.tmp/PAR/
    
    # Update fapolicyd with the additional rule we have inserted:
    sudo fapolicyd-cli --update
    
    # A reboot at this point is not absolutely necessary, but confirms that the settings survive a restart
    sudo reboot
    
    # restart the OMK services
    sudo /usr/local/omk/bin/checkomkdaemons.sh restart


  • noexec mounted /tmp Change (required by OMK Installers and NMIS Installers):

    Code Block
    # Please read the next paragraph 'Starting the Installer' too, for more details on the installer!
    
    
    # The Opmantek installers cannot install from a noexec mounted directory, so we need to install from an alternative location
    # on a filesystem that permits execution (and, under fapolicyd, one listed in the allow rule above):
    # - for this example we have chosen directory '/data/installs/':
    sudo mkdir -p /data/installs
    cd /data/installs
    
    # Place the installer in the current directory, then run it (as root, e.g. from the 'sudo -i' shell above) with the
    # environment variable TMPDIR set to the current directory for this one command only
    # - a 'VAR=value command' prefix does not change the calling shell's environment.
    
    # This command as given sets TMPDIR to the current directory (not /tmp/) - there is a space character between the two stop characters in 'TMPDIR=. ./'
    # TMPDIR=.<space>./
    
    TMPDIR=. ./opReports-4.2.2-test-noexec.run
    
    # To be safe we ensure TMPDIR is unset after successful execution of the installer by executing this command:
    unset TMPDIR
    
    # The installer unpacks to, and runs from, the current directory instead of /tmp.
    # Unfortunately when the installer runs in this way, not using the /tmp/ directory, it doesn't clean up after itself, so we clean up manually:
    ls
    opReports-4.2.2-test-noexec.run
    selfgz3021223337
    
    # The installer always unpacks to a directory of glob pattern selfgz*, so we clean up by removing directory selfgz3021223337:
    rm -rf selfgz*
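
The checks a practitioner would want to run before and after making the three changes above, as an added example that is not part of the Opmantek documentation or product. It assumes the directories used on this page (/data/installs/, /usr/local/omk/var/lib/common/) and the /etc/cron.d/opreports job, and it runs here against constructed sample copies of /proc/self/mounts, /etc/environment, fapolicyd.rules and the cron file; the sample fapolicyd rule deliberately omits one of the page's PAR directories so that a FAIL line is produced.

```shell
#!/bin/sh
# Added example, not Opmantek code: preflight checks for the three changes above. Each check is a
# function over text, so it runs here against constructed samples; on a real host feed it
# /proc/self/mounts, /etc/environment, the fapolicyd rules file and /etc/cron.d/opreports.

# Is PATH on a mount carrying 'noexec'? Longest-prefix match over /proc/self/mounts-format text
# (device mountpoint fstype options ...): the deepest mount point containing PATH wins.
mount_is_noexec() {
  local path="$1" best="" bestopts="" dev mp fstype opts rest
  while read -r dev mp fstype opts rest; do
    case "${path%/}/" in
      "${mp%/}/"*) if [ "${#mp}" -gt "${#best}" ]; then best="$mp"; bestopts="$opts"; fi ;;
    esac
  done <<EOF
$2
EOF
  case ",$bestopts," in *,noexec,*) return 0 ;; esac
  return 1
}

# Value of PAR_GLOBAL_TMPDIR in /etc/environment-format text: last assignment wins and one layer
# of surrounding quotes is stripped (as 'xargs < /etc/environment' also does). Empty if unset.
par_tmpdir_from_envfile() {
  local line val=""
  while IFS= read -r line; do
    case "$line" in PAR_GLOBAL_TMPDIR=*) val="${line#PAR_GLOBAL_TMPDIR=}" ;; esac
  done <<EOF
$1
EOF
  case "$val" in \"*\"|\'*\') val="${val#?}"; val="${val%?}" ;; esac
  printf '%s\n' "$val"
}

# Does an 'allow ... uid=0 ... dir=...' rule listing DIR come before the first deny rule? fapolicyd
# stops at the first matching rule, so an allow placed below the default deny rules never fires.
fapolicyd_allows_root_dir() {
  local dir="${1%/}" line dirs d
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*) continue ;;
      deny*) return 1 ;;
      allow*uid=0*dir=*) ;;
      *) continue ;;
    esac
    dirs="${line##*dir=}"; dirs="${dirs%% *},"      # comma-separated list, terminated for the loop
    while [ -n "$dirs" ]; do
      d="${dirs%%,*}"; dirs="${dirs#*,}"
      [ "${d%/}" = "$dir" ] && return 0
    done
  done <<EOF
$2
EOF
  return 1
}

# Rewrite /etc/cron.d-format text so every job command carries the /etc/environment export from
# the page. Comments, blank lines, VAR=value lines and @reboot-style jobs pass through unchanged;
# rewritten job lines get their field spacing normalised to single spaces.
cron_add_env_prefix() {
  local text="$1" prefix='export $(/usr/bin/xargs < /etc/environment)||:; ' line sched user cmd
  while IFS= read -r line; do
    case "$line" in ''|'#'*|[A-Za-z_]*=*) printf '%s\n' "$line"; continue ;; esac
    set -f; set -- $line; set +f                     # split into fields without globbing '*/5'
    if [ $# -lt 7 ] || [ "${1#@}" != "$1" ]; then printf '%s\n' "$line"; continue; fi
    sched="$1 $2 $3 $4 $5"; user="$6"; shift 6; cmd="$*"
    case "$cmd" in 'export $(/usr/bin/xargs < /etc/environment)'*) ;; *) cmd="$prefix$cmd" ;; esac
    printf '%s %s %s\n' "$sched" "$user" "$cmd"
  done <<EOF
$text
EOF
}

# --- constructed sample inputs (not captured from a real host) ---
SAMPLE_MOUNTS='/dev/sda2 / xfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /data xfs rw,relatime 0 0'
SAMPLE_ENV='PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"
PAR_GLOBAL_TMPDIR="/usr/local/omk/var/lib/common/"'
SAMPLE_RULES='allow perm=any uid=0 : dir=/data/installs/,/usr/local/omk/var/lib/common/
deny_audit perm=any all : ftype=application/x-bad-elf
deny perm=any all : all'
SAMPLE_CRON='# m h dom month dow user command
*/5 * * * *   root    /usr/local/omk/bin/opreports-scheduler.exe'

# Report over the samples; on a real host pass "$(cat /proc/self/mounts)", "$(cat /etc/environment)" and so on.
for d in /tmp /data/installs; do
  if mount_is_noexec "$d" "$SAMPLE_MOUNTS"; then echo "FAIL: $d is on a noexec mount"; else echo "PASS: $d is exec-capable"; fi
done
echo "PAR_GLOBAL_TMPDIR from /etc/environment: $(par_tmpdir_from_envfile "$SAMPLE_ENV")"
for d in /data/installs /usr/local/omk/var/lib/common/ /usr/local/omk/lib/common/PAR/; do
  if fapolicyd_allows_root_dir "$d" "$SAMPLE_RULES"; then echo "PASS: fapolicyd allows uid=0 in $d"; else echo "FAIL: no allow rule for uid=0 covering $d ahead of the deny rules"; fi
done
cron_add_env_prefix "$SAMPLE_CRON"
```

The mount check is what tells you whether /data/installs (or whatever directory you hand the installer as TMPDIR) can actually execute the unpacked selfgz* payload; the fapolicyd check confirms the allow rule sits above the default deny rules, which is the reason the page says to insert it at line 1. The cron rewrite is idempotent, so it can be run over an already-converted file without stacking prefixes.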



Debugging PAR Script Unpack Locations

Bash one-liner command to find the scripts executing as PAR executables on a server and where their PAR unpacked directory is located:

Code Block
sudo find / -type f ! -name 'main.pl' -regextype posix-egrep -regex '^.*?/par-[^/]+/cache-[^/]+/inc/script.*' 2>/dev/null|xargs -I{} sudo ls -lA '{}';

	-rw-r--r--. 1 root root 37741 Feb  7 15:09 /tmp/par-726f6f74/cache-5372daa5f1e09cab20da623efbb20c3c4f14b1a8/inc/script/opcharts-cli.pl

# Using this approach I tracked down the above execution of opcharts-cli.pl to be by an NMIS9 plugin SubnetImport.pm, which is executed by nmis9d.service daemon

# The fix is the one shown under 'General Changes' above: give nmis9d an 'EnvironmentFile=-/etc/environment'
# drop-in via 'systemctl edit nmis9d', then 'systemctl daemon-reload' and 'systemctl restart nmis9d'.


Debugging fapolicyd

Stop the fapolicyd service and run fapolicyd in the foreground with '--debug-deny' parameter:

...