So, this is an issue that was caused on RHEL 7.4 with EnterpriseDB 9.6.6.11 and pgPool 3.6. I followed this link to configure wrapper scripts for /sbin/ip and /sbin/arping.
This was added to the /etc/sudoers file to allow the enterprisedb user to execute the wrapper scripts:
enterprisedb compute01=(root) NOPASSWD:EXEC:SETENV: /sbin/ip, /sbin/arping
Just as a check, I was able to sudo to the enterprisedb user and execute the following command and successfully bring up the delegate IP (or VIP):
ip_w addr add 10.10.10.85/24 dev ens192 label ens192:0
Now, as root I started the pgPool service:
systemctl start edb-pgpool-3.6
Checking /var/log/messages, the following was shown:
15:49:12: pid 860: LOG: creating socket for sending heartbeat
15:49:12: pid 860: DETAIL: setsockopt(SO_BINDTODEVICE) requires root privilege
15:49:12: pid 860: LOG: set SO_REUSEPORT option to the socket
15:49:12: pid 860: LOG: creating socket for sending heartbeat
15:49:12: pid 860: DETAIL: set SO_REUSEPORT
15:49:12: pid 858: LOG: failed to create watchdog heartbeat receive socket.
15:49:12: pid 858: DETAIL: setsockopt(SO_BINDTODEVICE) requies root privilege
15:49:12: pid 858: LOG: set SO_REUSEPORT option to the socket
15:49:12: pid 858: LOG: creating watchdog heartbeat receive socket.
15:49:12: pid 858: DETAIL: set SO_REUSEPORT
15:49:14: pid 854: WARNING: watchdog failed to ping host"10.85.10.134"
15:49:14: pid 854: DETAIL: ping process exits with code: 1
15:49:14: pid 854: LOG: waiting for the delegate IP address to become active
15:49:14: pid 854: DETAIL: waiting... count: 1
15:49:17: pid 854: WARNING: watchdog failed to ping host"10.85.10.134"
15:49:17: pid 854: DETAIL: ping process exits with code: 1
15:49:17: pid 854: LOG: waiting for the delegate IP address to become active
15:49:17: pid 854: DETAIL: waiting... count: 2
15:49:20: pid 854: WARNING: watchdog failed to ping host"10.85.10.134"
15:49:20: pid 854: DETAIL: ping process exits with code: 1
15:49:20: pid 854: LOG: waiting for the delegate IP address to become active
15:49:20: pid 854: DETAIL: waiting... count: 3
15:49:20: pid 854: LOG: failed to acquire the delegate IP address
15:49:20: pid 854: DETAIL: 'if_up_cmd' failed
15:49:20: pid 854: WARNING: watchdog escalation failed to acquire delegate IP
15:49:20: pid 850: LOG: watchdog escalation process with pid: 854 exit with SUCCESS.
Notice the "DETAIL: 'if_up_cmd' failed" line. The delegate IP was not brought up.
The following was noted in the /var/log/edb/pgpool3.6/edb-pgpool-3.6.log file:
sudo: sorry, you must have a tty to run sudo
So, what's going on here? Checking the /etc/sudoers file, note this line:
Defaults listpw=all, requiretty, syslog=authpriv, !root_sudo, !umask, env_reset, secure_path = /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
It looks like a terminal is required by the enterprisedb user to execute the commands to bring up the delegate IP by the fact that "requiretty" is set for all users.
Checking online for the above message, the following link discusses the fix.
Adding the following to /etc/sudoers (use visudo to make changes to this file):
Defaults:enterprisedb !requiretty
So now, enterprisedb can run the relevant commands without a tty.
Since I'm using Puppet to manage the environment, I added the following class to my module that manages the Enterprise DB environment:
class edbas::set_privs {
sudo::default_entry { 'enterprisedb_requiretty':
content => [ '!requiretty', ],
target => ':enterprisedb',
}
sudo::user_specification { 'enterprisedb':
user_list => ['enterprisedb'],
runas => 'root',
cmnd => ['/sbin/ip', '/sbin/arping'],
passwd => false,
}
}
I'm using pupmod-simp-sudo modules in this environment, so this is the actual module that manages the /etc/sudoers file and I call this from my edbas module.
No comments:
Post a Comment