none
Apache httpd discovery issue RRS feed

  • Question

  • Hello forum,

    recently we imported the Microsoft Apache HTTP Server Library and quickly it discovered 4 (out of many) httpd. On the rest it does not work. 

    When I run the shell script (see link below) as a SCOM Task it returns the following error (which I can see in the MS trace log as well) :
    StdErr: "Failed to start child process '/etc/opt/microsoft/scx/conf/tmpdir/scxkdM3r0' errno=13"
    --> not good

    When I run the shell script interactively on the Linux box I get:
    StdOut: "name=httpd,conffile=/etc/httpd/conf/httpd.conf"
    --> looks good

    Running the SCOM task from above on the discovered servers I get:
    StdOut: "name=httpd,conffile=/etc/httpd/conf/httpd.conf"
    --> good

    Here some Facts:

    Discovered Server:
    OS: RHEL 7.6
    SCX: 1.4.1-45
    Apache: httpd-2.4.6-88.el7.x86_64

    Missing Server:
    OS: RHEL 6.10
    SCX: 1.4.1-45
    Apache: httpd-2.2.15-69.el6.x86_64

    MG is 1807.

    Update: obviously I got the same issue running any other shell script as a task (just doing some ls). With that being said: now it is confirmed that this is not related to the Apache MP.

    Any idea what could go wrong here?

    Thanks in advance,
    Patrick

    Here the link to the shell script:
    https://systemcenter.wiki/?GetElement=Microsoft.ApacheHTTPServer.Installation.ScriptDiscovery.U&Type=asdfDiscovery&ManagementPack=Microsoft.ApacheHTTPServer.Library&Version=7.6.1065.0


    Please remember to click 'Mark as Answer' on the post that helped you.

    Patrick Seidl (System Center and Private Cloud)
    s2 - seidl solutions
    Blog: http://www.systemcenterrocks.com



    Thursday, May 9, 2019 6:16 AM

All replies

  • /etc/opt/microsoft/scx/conf/tmpdir/ is the folder where the script is stored and from where it should be run by agent, and errno=13 means "permission denied".

    So I guess you should check everything related to permission (sudoers file...) and see if you can find any more info about denied permissions in other log files...


    Thursday, May 9, 2019 6:40 AM
  • That makes perfectly sense... Looks like the customers UNIX guys manipulated the permissions without a change or any information/documentation on just 900+ servers...

    Thanks for giving me confidence on that - even when I haven't figured out yet what they did.


    Please remember to click 'Mark as Answer' on the post that helped you.

    Patrick Seidl (System Center and Private Cloud)
    s2 - seidl solutions
    Blog: http://www.systemcenterrocks.com

    Thursday, May 9, 2019 7:29 AM
  • Quick update on that...

    The point is that /etc/opt/microsoft/scx/conf/tmpdir is created as a link to /tmp and that is mounted with noexec option (as it should be for security reasons).

    Once the link has been removed and tmpdir ha been created as a directory the workflows work as expected.

    Back in 2015 we opened already a case at MSFT (115110313332366 SCOM permission issue on Linux Server) and the resolution from MSFT was:

    "The developing team is actively working in implementing a change regarding how the /tmp folder it is being used in SCOM. At the moment the solution is being tested and once the tests are complete, the solution will be released."

    Well... since that, they released several URs for 2012r2 and full versions 2016, 1801, 1807 and 2019 and (at least until in our currently running 1807) this is not fixed.

    Cheers,
    Patrick


    Please remember to click 'Mark as Answer' on the post that helped you.

    Patrick Seidl (System Center and Private Cloud)
    s2 - seidl solutions
    Blog: http://www.systemcenterrocks.com

    Thursday, May 9, 2019 9:00 AM
  • Another update... that has been fixed (more or less) in 2012 R2 UR11:

    Scripts executed by the ExecuteScript method in Management Packs always run from the /tmp folder. With this update, the temporary folder for scripts is now configurable. To use another folder, update the symbolic link to link to a temporary folder of your choice:
    /etc/opt/microsoft/scx/conf/tmpdir

    So, at least one could change the link if /tmp is mounted with NOEXEC option. However, you first need to realize that you have this option in your (customers) environment.

    At least there is a workaround available but still I'd prefer to have this fixed or get an alert when scripts could not be executed and/or NOEXEC is set.

    Best,
    Patrick


    Please remember to click 'Mark as Answer' on the post that helped you.

    Patrick Seidl (System Center and Private Cloud)
    s2 - seidl solutions
    Blog: http://www.systemcenterrocks.com




    Thursday, May 9, 2019 2:07 PM