Forum OpenACS Q&A: inittab aolserver restart problem

Posted by Raul Rodriguez on

I have installed OACS 4.6, postgresql 7.2.3, aolserver 3.3+ad13, redhat 8.0. I cannot get aolserver to restart automatically. When I tried to run it manually from root:

[root@localhost root]# /usr/local/aolserver/bin/nsd-postgres -i -u nobody -g web -t /home/dude/web/icann/nsd.tcl
I get:
[02/Apr/2003:16:58:25][1158.8192][-main-] Notice: nsd.tcl: starting to read config file...
[02/Apr/2003:16:58:25][1158.8192][-main-] Warning: nsd.tcl: nsssl not loaded because key/cert files do not exist.
[02/Apr/2003:16:58:25][1158.8192][-main-] Notice: nsd.tcl: finished reading config file.
[02/Apr/2003:16:58:25][1158.8192][-main-] Error: log: failed to re-open log file '/home/dude/web/icann/log/error.log': 'Permission denied'
[02/Apr/2003:16:58:25][1158.8192][-main-] Fatal: log: failed to open server log '/home/dude/web/icann/log/error.log': 'Permission denied'
I have followed the installation instructions and have updated the log permissions as was indicated in the comment section by Ola Hansson.
[root@localhost root]# ls -l /home/dude/web/icann/
total 84
drwxrwxr-x    3 dude     dude         4096 Apr  2 19:05 apm-workspace
drwxrwxr-x    3 dude     web          4096 Apr  2 01:44 bin
drwxrwxr-x    3 dude     web          4096 Apr  2 01:44 content-repository-content-files
drwxrwxr-x    5 dude     web          4096 Apr  2 01:44 contrib
drwxrwxr-x    2 dude     web          4096 Apr  2 01:44 CVS
-r--rw-r--    1 dude     web         18009 Jul 10  2002 license.txt
drwxrwx---    2 dude     web          4096 Apr  2 19:40 log
-rw-------    1 dude     dude        10678 Apr  2 19:03 nsd.tcl
-rw-------    1 dude     dude        10691 Apr  2 01:51 nsd.tcl~
drwxrwxr-x  109 dude     web          4096 Apr  2 01:45 packages
-r-xrwxr-x    1 dude     web          1866 Jan 20 05:12 readme.txt
drwxrwxr-x    3 dude     web          4096 Apr  2 01:45 tcl
drwxrwxr-x    6 dude     web          4096 Apr  2 01:45 www
[root@localhost root]# ls -l /home/dude/web/icann/log/
total 0
When I manually execute from /home/dude everything runs fine. Any ideas?
TIA

Posted by Joel Aufrecht on
Check the permissions all the way down.  One of the subdirectories may have the wrong permissions.  Or you could have created the log file by starting the server under a different user and now the new user can't touch the old file.
Posted by Lamar Owen on
Setting group on the nsd command line doesn't necessarily work correctly.  Is there a reason you need /home/dude/web/icann owned by 'dude', but nsd is running as 'nobody'?  It is my experience that the user (not group) that nsd is run as must own the files nsd needs to write.

As to the merits of daemontools, that response didn't answer the question, and, in this case, just converting over to daemontools without correcting the underlying permissions issue isn't going to help anything.

Posted by Raul Rodriguez on

Thank you for the replies. Joel, I checked the permissions and after doing the following:

[root@localhost root]#  chown dude.web /home/dude/
[root@localhost root]#  chmod 770 /home/dude/
[root@localhost root]# ls -l /home/
total 8
drwxrwx---    4 dude     web          4096 Apr  3 15:09 dude
I was able to get aolserver to restart automatically. I rechecked the install instructions, but I did not see this step.


Lamar, I was just following the install instructions where it states:

Locations: 

     We'll compile stuff in /usr/local/src 

     PostgreSQL will go into /usr/local/pgsql 

     AOLServer will go into /usr/local/aolserver 

     The web root will go into your home directory (e.g. /home/joeuser/web) 

None of these locations are set in stone - they're simply the values that
we've chosen. You are free to install your software in other locations, but
you'll need to adjust the instructions in this document to point to those
locations. 

Note that previous versions of this document recommended using /web for
the web root and running AOLserver as the nsadmin user. For security and
compatibility reasons, this is no longer recommended. 

This guide will use joeuser as a normal user. Substitute your own
username wherever you see joeuser. 

and later on in the instructions it states:
AOLserver needs to be started as the root user if you want to use port
80. Once it starts, though, it will drop the root privileges and run as
another user, which you must specify on the command line. It's
important that this user has as few privileges as possible. Why? Because
if an intruder somehow breaks in through AOLserver, you don't want him
to have any ability to do damage to the rest of your server. At the same
time, AOLserver needs to have write access to some files on your system
in order for OpenACS to function properly. So, we'll run AOLserver as the
nobody user and the web group. We'll add your regular user account to the
web group and make sure that OpenACS files are group readable and
writable. 

     Run these commands: 

     root:/usr/local/src# cd
     root:~# groupadd web
     root:~# adduser joeuser web
     root:~# exit

Thanks to everyone.
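To make Joel's "check the permissions all the way down" concrete, here is an added Python checker (not from this thread or from OpenACS) that walks every directory from a base down to the log file, applies the owner/group/other rule for a given uid and group set, and reports the first component that blocks traversal; because the replies note that the -g switch does not take effect, pass the groups the run-as user really holds. The paths and modes in the comments are assumed from the listings above, and the script must itself be able to stat the chain (run it as root, as in the thread).

```python
import os
import stat


def describe(st):
    return f"mode {oct(stat.S_IMODE(st.st_mode))} uid {st.st_uid} gid {st.st_gid}"


def class_bits(st, uid, gids):
    """Return the rwx triplet Unix applies to uid/gids for this inode:
    owner bits if uid owns it, else group bits if st_gid is one of the
    process's groups, else the 'other' bits. Root is not special-cased,
    since nsd has already dropped to the unprivileged user by this point."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return (mode >> 6) & 7
    if st.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7


def walk_access(path, uid, gids, base="/"):
    """Check every directory from `base` down to `path` for the search (x)
    bit, then the final entry: w if it exists, or w+x on its parent when
    nsd has to create it (the fresh error.log in an empty log/ dir).
    Returns [(entry, allowed, note), ...] so the failing link is visible."""
    path = os.path.abspath(path)
    chain = [os.path.abspath(base)]
    for part in os.path.relpath(path, chain[0]).split(os.sep)[:-1]:
        chain.append(os.path.join(chain[-1], part))
    report = []
    for d in chain:  # e.g. /home, /home/dude, /home/dude/web, ...
        st = os.stat(d)
        ok = bool(class_bits(st, uid, gids) & 1)
        report.append((d, ok, describe(st) + ("" if ok else " -> no search (x) permission")))
    if os.path.lexists(path):
        st, need, what = os.stat(path), 0o2, "write"
    else:
        st, need, what = os.stat(chain[-1]), 0o3, "create in parent"
    ok = class_bits(st, uid, gids) & need == need
    report.append((path, ok, describe(st) + ("" if ok else f" -> cannot {what}")))
    return report


def reachable(report):
    """True only when every link of the chain is allowed."""
    return all(ok for _, ok, _ in report)


if __name__ == "__main__":
    import sys  # usage: checker.py /home/dude/web/icann/log/error.log UID GID[,GID...]
    uid, gids = int(sys.argv[2]), {int(g) for g in sys.argv[3].split(",")}
    for entry, ok, note in walk_access(sys.argv[1], uid, gids):
        print("OK " if ok else "BAD", entry, note)
```

On the original layout, the report flags /home/dude (mode 0o700) as the blocking link while log/ itself (drwxrwx--- dude web) passes, which is exactly why chmod 770 on the home directory fixed the restart.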

Posted by Tom Jackson on

There is nothing special about the 'nobody' user. Just create a user for your instance of aolserver. If you want the group to be 'web' then the user you create should have this as the main group. On Linux:

# groupadd web
# useradd -g web -G anyOtherGroup username

My opinion is that you should start the webserver as root, with -u set to the username. Right now the -g switch doesn't work. I have a patch which allows you to choose another group, assuming the user is a member of that group, but stock aolserver doesn't do it yet. Also, if possible, set the nsd.tcl file as readable only by root. This way, no one can read that file, which has database passwords. Probably this doesn't really matter for postgresql. Comments anyone on this?

If the webserver complains 'permission denied', that is easy enough to solve by correcting the permissions. Log files should probably be owned by the running user. You may choose to use the group permission, but I'm not sure why you would choose that. At most the group needs to read the logs, although you could deny that as well. The main use of the group is if you use daemontools svc to restart. Then, when permissions are set up, any member of the group can restart the process. Since you are not using daemontools, you probably don't need to worry about the group.

One issue I see with using the 'nobody' user is that it is probably set up as a no-login type account. This can make it difficult to try things as a particular user, such as logging in to the database.

Posted by Joel Aufrecht on
The current "recommended practice," in the install docs, is to use daemontools with this command:
exec /usr/local/aolserver/bin/nsd-postgres -it /web/service0/etc/config.tcl -u service0 -g web
where service0 is the service name. This allows services to be segregated on the same machine. However, the daemontools helper script somebody wrote sets permissions at the group level, so any OpenACS user can stop any service in this setup. If anybody thinks that's high priority, I can re-write the script. Or you can just chgrp your /web/service0 directory from web to service0.
Posted by Lamar Owen on
Ah, so it was a permissions issue.

As to the 'recommended practice' of using daemontools, I for one am not thrilled with the idea of relying on Yet Another Piece of 3rd Party Software.  We have enough dependencies now on 3rd party stuff; while daemontools is quite powerful not everyone is going to want (or need) it. Or even be able to use it, depending upon the target of the OpenACS installation.

I use inittab -- it's there, it's guaranteed to be there, and it works with less hassle.  IMHO.  A paragraph about 'alternatives to using inittab are available.  One such alternative is daemontools.  Further documentation on using daemontools may be found here' would be more appropriate.  In my mind the administrivia about daemontools clutters the documentation.

I just don't think the docs should favor a 'recommended' sysadmin style. YMMV, IMHO, etc.