9 Replies Latest reply on Jan 31, 2008 1:58 PM by Craig Dockter

    Pre / Post Commands with /tmp mounted noexec - Linux

    Craig Dockter

      We are running version 7.4.1 appserver and agents on RedHat EL 3 systems that have separate disk partitions for /tmp. Per our security requirements we mount /tmp with the noexec option. This is causing pre- and post-commands on deploy jobs to not run because BladeLogic copies the commands to /tmp/some-file-name.bat and attempts to execute them from there.

       

      We have our STAGING_DIR set to /var/tmp/staging on all systems.

       

      Does anybody know any way of telling BladeLogic to use the STAGING_DIR instead of /tmp?

       

      Thanks.

       

      Craig Dockter

      Technical Analyst

      Noridian Mutual Insurance

        • 1. Re: Pre / Post Commands with /tmp mounted noexec - Linux
          Bill Robinson

          and /var/tmp is not a symlink to /tmp ? (just checking...)

           

          it's possible we're using the TMP env variable, so you could do something like:

           

          export TMP=??STAGING_DIR?? as the first thing in your pre/post job. that's obviously a workaround and not a 'fix'

           

          can you open a support ticket w/ this issue ?

          • 2. Re: Pre / Post Commands with /tmp mounted noexec - Linux
            Craig Dockter

            No, /var/tmp is an actual directory on the /var partition, not a symlink. That's why I want the script files that BladeLogic creates for the pre- and post-commands to be created in /var/tmp.

             

            I did not try exporting the TMP variable but that may be what I was looking for. I'll try that.

             

            I actually did open a ticket last summer but no resolution other than don't mount /tmp partitions noexec. We were running 7.2.0 at the time and the TMP variable wasn't mentioned.

             

            Thank you.

             

            Craig Dockter

            • 3. Re: Pre / Post Commands with /tmp mounted noexec - Linux
              Craig Dockter

              Thanks Bill! It looks like that is the solution. I really appreciate the help, this has been bugging me for a while.

               

              Craig Dockter

              • 4. Re: Pre / Post Commands with /tmp mounted noexec - Linux
                Bill Robinson

                cool.... i was going to say it might be TMPDIR...depends on the shell i think...

                 

                i'd still open a ticket w/ this, ideally, the STAGING_DIR setting should be used for everything 'temp' for cases like this..

                • 5. Re: Pre / Post Commands with /tmp mounted noexec - Linux
                  Craig Dockter

                  Sorry, I spoke too soon. Setting the TMP environment variable works for file deploy jobs. It does not work for BL package deploy jobs though. I tried setting just the TMP variable, just the TMPDIR variable, the TMP variable first and the TMPDIR variable first with the same results. Here is the message:

                   

                   

                  Warning Jan 28, 2008 10:03:40 AM /tmp/pcre-4.5-4.6-2004986.1-2007252.3.bat: Command not found

                   

                  Don't be fooled by the 'Command not found' message. It's actually saying there is no interpreter which is what is returned when trying to execute a program on a noexec mounted partition. I've verified the pre-command is actually being copied to the /tmp directory of the target machine:

                   

                  -rwx------ 1 root root 73 Jan 28 10:13 /tmp/pcre-4.5-4.6-2004986.1-2007252.3.bat

                   

                   

                  Any ideas?

                   

                  Thanks again.

                   

                  Craig Dockter

                  Noridian Mutual Insurance

                  • 6. Re: Pre / Post Commands with /tmp mounted noexec - Linux
                    Bill Robinson

                    so close :)

                     

                    hmm... where did you set the variable in the blpackage deploy job - was it in the pre/post command ?

                     

                    you could try adding an 'external command' in the package itself

                    • 7. Re: Pre / Post Commands with /tmp mounted noexec - Linux
                      Craig Dockter

                      The first tries were adding the 'export TMP' statements to the pre- and post-command dialogs on the job itself. I did try the exports in the external command but it can't, and didn't, work because the external commands run in a separate process according to the documentation.

                       

                      Then I tried a different approach. I added two external commands, one before and one after the update to remount the /tmp partition executable and back to noexec. This didn't work either but I think it's because I don't quite understand the external command process yet. I tried both just the mount command and running it using nexec.

                       

                      Craig Dockter

                      Noridian Mutual Insurance

                      • 8. Re: Pre / Post Commands with /tmp mounted noexec - Linux
                        Bill Robinson

                        if /tmp is mounted in /etc/fstab i don't know if you can override the mount options on the commandline. i think there is a way to do a soft-remount...maybe only on linux though.

                         

                        hmm..what if you symlink something... like if you have:

                         

                        /opt/foo is executable and you have a symlink /tmp/foo -> /opt/foo

                         

                        can you run /tmp/foo (since foo is not really on /tmp) ?

                         

                        i'm kind of grasping here. i think you need a hotfix for this.

                        • 9. Re: Pre / Post Commands with /tmp mounted noexec - Linux
                          Craig Dockter

                          Thanks for sticking with this Bill.

                           

                          I don't think a symlink would work because the name of the batch file changes with each version of the BL package deploy job.

                           

                          I've gone into the /usr/nsh directory on the target machine, read the logs and created a params.txt with no results. I also figured out that the BL package external commands are executed after the job pre-commands and before the deploy job post-commands.

                           

                          Since the deploy job package and pre- and post-command files are created on the app/file server then copied over to the target, I think whatever change is needed is either on the app/file server or in the database. I'm still looking, but I think you're right about this needing a hot fix.

                           

                           

                          Thanks again.

                           

                          Craig Dockter

                          Noridian Mutual Insurance
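
Added example, not part of any post in this thread and not BladeLogic code: a POSIX shell check that reports whether a path sits on a `noexec` mount and picks the first candidate staging directory that does not, which is the condition behind the misleading "Command not found" message above. The mount table is constructed sample data in `/proc/mounts` format, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Mount table below is constructed sample data (/proc/mounts format).
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda2 / ext3 rw 0 0
/dev/sda5 /var ext3 rw 0 0
/dev/sda6 /tmp ext3 rw,noexec,nosuid,nodev 0 0
EOF

# mount_opts PATH [MOUNTS_FILE]
# Print the mount options of the filesystem holding PATH: the longest mount
# point that is a path prefix of PATH wins (later entries win ties).
mount_opts() {
    awk -v p="$1" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); opts = $4 } }
        END { print opts }
    ' "${2:-/proc/mounts}"
}

# is_noexec PATH [MOUNTS_FILE]: succeed if PATH sits on a noexec mount.
is_noexec() {
    case ",$(mount_opts "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# first_exec_dir MOUNTS_FILE DIR...: print the first DIR not on a noexec mount.
first_exec_dir() {
    mounts=$1; shift
    for d in "$@"; do
        if ! is_noexec "$d" "$mounts"; then
            printf '%s\n' "$d"; return 0
        fi
    done
    return 1
}

script=/tmp/pcre-4.5-4.6-2004986.1-2007252.3.bat   # file name from the thread
if is_noexec "$script" "$SAMPLE_MOUNTS"; then
    echo "$script: on a noexec mount ($(mount_opts "$script" "$SAMPLE_MOUNTS"))"
fi
echo "usable staging dir: $(first_exec_dir "$SAMPLE_MOUNTS" /tmp /var/tmp/staging)"
```

Omit the second argument to read the live `/proc/mounts` on a target host. The check does not resolve symlinks or decode escaped mount points such as `\040`.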