Anonymous_User Absent Member.

LUM, novlwww and tomcat

We have a problem with tomcat and LUM, where the novlwww user is given the
wrong uid, which breaks tomcat.

To explain the situation, here are two scenarios - one which works and one
which doesn't.


1) Test environment (works fine)

In my test tree, I have one server.

uid 100 is taken by netdump, so novlwww has uid 101.

I then install LUM and NSS and the local novlwww is deleted. A novlwww is
created in eDirectory, with uid 101.

So then tomcat uses the LUM novlwww account, and carries on working after
a restart.


2) Live environment (Broken)

In the live environment, we already have a novlwww account in eDirectory -
with uid 100.

A new server is installed - again netdump has grabbed uid 100, so novlwww
gets uid 101.

I configure LUM and NSS, and the local novlwww account is removed. As
there is already a novlwww account in eDirectory, a new one can't be
created.

When I restart tomcat now, it fails, as it uses the LUM novlwww account,
which has the wrong uid (100 instead of 101).


The upshot seems to be that unless you put every server in its own
container, and set the LUM search root to be that container, this could
easily break. Surely this is not how it's meant to work, is it?

Am I missing something?

Cheers

Tom

Re: LUM, novlwww and tomcat

On Fri, 02 Mar 2007 17:28:43 +0000, Leonard Thomas wrote:

> We have a problem with tomcat and LUM, where the novlwww user is given the
> wrong uid, which breaks tomcat.
>
> To explain the situation, here are two scenarios - one which works and one
> which doesn't.
>
>
> 1) Test environment (works fine)
>
> In my test tree, I have one server.
>
> uid 100 is taken by netdump, so novlwww has uid 101.
>
> I then install LUM and NSS and the local novlwww is deleted. A novlwww is
> created in eDirectory, with uid 101.
>
> So then tomcat uses the LUM novlwww account, and carries on working after
> a restart.
>
>
> 2) Live environment (Broken)
>
> In the live environment, we already have a novlwww account in eDirectory -
> with uid 100.
>
> A new server is installed - again netdump has grabbed uid 100, so novlwww
> gets uid 101.
>
> I configure LUM and NSS, and the local novlwww account is removed. As
> there is already a novlwww account in eDirectory, a new one can't be
> created.
>
> When I restart tomcat now, it fails, as it uses the LUM novlwww account,
> which has the wrong uid (100 instead of 101).
>
>
> The upshot seems to be that unless you put every server in its own
> container, and set the LUM search root to be that container, this could
> easily break. Surely this is not how it's meant to work, is it?
>
> Am I missing something?


Nope, it is broken for you right now. The problem is that novlwww was LUM
enabled on a different server where 100 was available.

Where is the netdump user coming from? Is it another piece of software
that you install or a user that you create?

The easiest way to sort this is to fix the local netdump user by changing
its UID. Does it own files on the filesystem?

--
Mark Robinson
Novell Volunteer SysOp
www.nds8.co.uk
One by one the penguins steal my sanity...


Re: LUM, novlwww and tomcat


On Mon, 05 Mar 2007 17:28:24 +0000, Mark Robinson wrote:

> On Fri, 02 Mar 2007 17:28:43 +0000, Leonard Thomas wrote:
>
>> We have a problem with tomcat and LUM, where the novlwww user is given the
>> wrong uid, which breaks tomcat.
>>
>> To explain the situation, here are two scenarios - one which works and one
>> which doesn't.
>>
>>
>> 1) Test environment (works fine)
>>
>> In my test tree, I have one server.
>>
>> uid 100 is taken by netdump, so novlwww has uid 101.
>>
>> I then install LUM and NSS and the local novlwww is deleted. A novlwww is
>> created in eDirectory, with uid 101.
>>
>> So then tomcat uses the LUM novlwww account, and carries on working after
>> a restart.
>>
>>
>> 2) Live environment (Broken)
>>
>> In the live environment, we already have a novlwww account in eDirectory -
>> with uid 100.
>>
>> A new server is installed - again netdump has grabbed uid 100, so novlwww
>> gets uid 101.
>>
>> I configure LUM and NSS, and the local novlwww account is removed. As
>> there is already a novlwww account in eDirectory, a new one can't be
>> created.
>>
>> When I restart tomcat now, it fails, as it uses the LUM novlwww account,
>> which has the wrong uid (100 instead of 101).
>>
>>
>> The upshot seems to be that unless you put every server in its own
>> container, and set the LUM search root to be that container, this could
>> easily break. Surely this is not how it's meant to work, is it?
>>
>> Am I missing something?

>
> Nope, it is broken for you right now. The problem is that novlwww was LUM
> enabled on a different server where 100 was available.
>
> Where is the netdump user coming from? Is it another piece of software
> that you install or a user that you create?
>
> The easiest way to sort this is to fix the local netdump user by changing
> its UID. Does it own files on the filesystem?


Thanks for the reply.

The netdump user is automatically installed by the LKCD (Linux
Kernel Core Dump) Netdump server. I don't know for sure if it owns files
but I suspect it does.

Interestingly (ish), if I install the server manually, netdump doesn't get
uid 100, but it does if I install via autoyast.

I've got round the problem by removing LKCD netdump server from the
autoyast script, as we probably will never need it. Not much of a solution
though really. Ideally we'd be able to automate the installation without
having to either write lots of post scripts, or make manual changes to get
things to work.

There is actually a script provided by Novell to address this problem,
we've discovered - /opt/novell/oes_install/nssid.sh. However, it's really
just a kludge as it simply resets the uids to whatever the 'LUM' novlwww
user has - which in my case would simply render tomcat owned by netdump
(which surely can't be a good thing!)

I'm not really clear on why Novell have designed things this way, so if
anyone has any insights I'd welcome them. I can't really see what is
gained by having the 'special' Novell accounts in eDirectory rather than
simply being local accounts. Isn't it just something else which can go
wrong and break some pretty fundamental services?

And if they insist on doing it this way, would it not make more sense to
use default uids which are unlikely to be used by other software (i.e. not
around the 100 mark!)?

And does anyone know if this method is going to continue in SLES10?


0 Likes
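
Added example (not part of any post in this thread, and not Novell's nssid.sh): a check that compares local accounts with directory accounts and reports both kinds of clash described above, the same name with different uids and the same uid under different names. The function names, output labels and sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare local accounts with directory (LUM) accounts.
# uid_conflicts LOCAL_PASSWD DIRECTORY_PASSWD   (both in passwd(5) format)
#   NAME_MISMATCH: same account name, different uid on each side
#   UID_SHARED:    same uid, different account name on each side
uid_conflicts() {
    awk -F: '
        /^#/ || NF < 3 { next }                      # skip comments and malformed lines
        FILENAME == ARGV[1] {                        # first file: local accounts
            luid[$1] = $3; lname[$3] = $1; next
        }
        ($1 in luid) && luid[$1] != $3 {
            printf "NAME_MISMATCH %s local=%s directory=%s\n", $1, luid[$1], $3
        }
        ($3 in lname) && lname[$3] != $1 {
            printf "UID_SHARED %s local=%s directory=%s\n", $3, lname[$3], $1
        }
    ' "$1" "$2"
}

# Constructed sample data modelled on the live-environment scenario in the
# thread: netdump holds uid 100 locally, novlwww is 101 locally but 100 in
# the directory. Field values other than name and uid are placeholders.
sample_conflicts() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/local" <<'EOF'
root:x:0:0:root:/root:/bin/bash
netdump:x:100:100:constructed:/var/lib/netdump:/bin/false
novlwww:x:101:101:constructed:/var/lib/novlwww:/bin/false
EOF
    cat > "$dir/directory" <<'EOF'
novlwww:x:100:100:constructed:/var/lib/novlwww:/bin/false
EOF
    uid_conflicts "$dir/local" "$dir/directory"
    rm -rf "$dir"
}

sample_conflicts
```

On a server, the first argument would be /etc/passwd and the second a passwd-format listing of the LUM-enabled accounts. Run before LUM is configured, a UID_SHARED line shows which local account's files would end up shared with the directory account once the local novlwww entry is removed.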

Re: LUM, novlwww and tomcat

On Mon, 05 Mar 2007 22:30:50 +0000, Leonard Thomas wrote:
> The netdump user is automatically installed by the LKCD (Linux Kernel Core
> Dump) Netdump server. I don't know for sure if it owns files but I suspect
> it does.
>
> Interestingly (ish), if I install the server manually, netdump doesn't get
> uid 100, but it does if I install via autoyast.


You could always add the user account to the appropriate section of
the autoyast file with a UID<>100.

> I've got round the problem by removing LKCD netdump server from the
> autoyast script, as we probably will never need it. Not much of a solution
> though really. Ideally we'd be able to automate the installation without
> having to either write lots of post scripts, or make manual changes to get
> things to work.


Well, yes, I agree!

> There is actually a script provided by Novell to address this problem,
> we've discovered - /opt/novell/oes_install/nssid.sh. However, it's really
> just a kludge as it simply resets the uids to whatever the 'LUM' novlwww
> user has - which in my case would simply render tomcat owned by netdump
> (which surely can't be a good thing!)


Yeah, been there, done that 🙂 I had a 3-way tie for a UID at one point!
Ended up rebuilding to get NetStorage etc to work.

> I'm not really clear on why Novell have designed things this way, so if
> anyone has any insights I'd welcome them. I can't really see what is
> gained by having the 'special' Novell accounts in eDirectory rather than
> simply being local accounts. Isn't it just something else which can go
> wrong and break some pretty fundamental services?


The idea is that the admin burden is greatly reduced, and servers are more
consistent. Remember Novell is trying to aim this at people who don't
know Linux. They are not quite there yet, but I do push hard to fix
anything that we find an issue in the forums.

> And if they insist on doing it this way, would it not make more sense to
> use default uids which are unlikely to be used by other software (i.e.
> not around the 100 mark!)?


To be fair, this is not so much a Novell issue as a Unix system issue.
The two greatest problems facing Unix admins are permissions and user
management (UID/GID) across a large number of systems. Did you ever meet
NIS? If not then you won't realise just how good LUM really is 🙂

> And does anyone know if this method is going to continue in SLES10?


Yes, OES 2 has LUM still, but apparently it's much improved.


--
Mark Robinson
Novell Volunteer SysOp
www.nds8.co.uk
One by one the penguins steal my sanity...


Re: LUM, novlwww and tomcat

On Tue, 06 Mar 2007 10:21:38 +0000, Mark Robinson wrote:

> The idea is that the admin burden is greatly reduced, and servers are more
> consistent. Remember Novell is trying to aim this at people who don't
> know Linux. They are not quite there yet, but I do push hard to fix
> anything that we find an issue in the forums.


Thanks for the reply - glad to see I'm not the only person who's been
struggling with this!

I can see the point about the reduced admin overhead - the problem is with
the consistency issue!

Hopefully Novell will have ironed that out in OES2...



Re: LUM, novlwww and tomcat

On Tue, 06 Mar 2007 11:27:52 +0000, Leonard Thomas wrote:

> On Tue, 06 Mar 2007 10:21:38 +0000, Mark Robinson wrote:
>
>> The idea is that the admin burden is greatly reduced, and servers are
>> more consistent. Remember Novell is trying to aim this at people who
>> don't know Linux. They are not quite there yet, but I do push hard to
>> fix anything that we find an issue in the forums.

>
> Thanks for the reply - glad to see I'm not the only person who's been
> struggling with this!


Nope, far from it! OES is a damn good product considering that it's a
first version... OES2 should be much improved.

> I can see the point about the reduced admin overhead - the problem is
> with the consistency issue!


Yeah, double-edged swords are always fun 🙂

> Hopefully Novell will have ironed that out in OES2...


We'll see. I hope to do my first beta install this week.

--
Mark Robinson
Novell Volunteer SysOp
www.nds8.co.uk
One by one the penguins steal my sanity...
