Author |
Message
|
mqwbiwf |
Posted: Tue Dec 22, 2009 11:59 am Post subject: MQ/WMB installation |
|
|
Centurion
Joined: 21 Jul 2006 Posts: 126
|
Is there a way to install MQ v 6.0 and Message Broker version 6.1 on an AIX server, without actually logging in as root/sudo root?
If so, I would appreciate if someone can point me where to get that information. |
 |
Vitor |
Posted: Tue Dec 22, 2009 12:14 pm Post subject: Re: MQ/WMB installation |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
mqwbiwf wrote: |
Is there a way to install MQ v 6.0 and Message Broker version 6.1 on an AIX server, without actually logging in as root/sudo root?
|
AFAIK there's no way to install anything on AIX without root authority.
I'll stand correction on this of course.
_________________
Honesty is the best policy.
Insanity is the best defence. |
 |
mvic |
Posted: Tue Dec 22, 2009 4:47 pm Post subject: Re: MQ/WMB installation |
|
|
 Jedi
Joined: 09 Mar 2004 Posts: 2080
|
mqwbiwf wrote: |
Is there a way to install MQ v 6.0 and Message Broker version 6.1 on an AIX server, without actually logging in as root/sudo root? |
On all *ix operating systems, administration activity (such as installing software) is done by root.
So when you're installing MQ
- directories under /var and /usr must be created, which any reasonable AIX system will disallow to all users except root.
- file ownership and permissions must be set to their correct values. root is the only user allowed to run chown.
(It's one of the rules of Unix that you have to be root to be allowed to change the owner of a file.)
Running the install as root is therefore required. |
 |
rekarm01 |
Posted: Tue Dec 22, 2009 7:12 pm Post subject: Re: MQ/WMB installation |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 1415
|
mvic wrote: |
It's one of the rules of Unix that you have to be root to be allowed to change the owner of a file. |
On a side note, many versions of Unix also allow the owner of a file to change its ownership. It's sometimes a configurable administrative option. |
 |
bruce2359 |
Posted: Tue Dec 22, 2009 10:25 pm Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Quote: |
On a side note, many versions of Unix also allow the owner of a file to change its ownership. It's sometimes a configurable administrative option. |
Actually, it's one of those requirements to be branded UNIX.
In the case of WMQ, rwx filesystem permissions are for MQ software itself. Queues and other objects are owned and managed by MQ, not end-users or end-user applications.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
 |
rekarm01 |
Posted: Wed Dec 23, 2009 3:31 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 1415
|
bruce2359 wrote: |
Quote: |
On a side note, many versions of Unix also allow the owner of a file to change its ownership. It's sometimes a configurable administrative option. |
Actually, it's one of those requirements to be branded UNIX. |
To be more precise, the option is for restricting the usage of chown to privileged users; it's not for allowing such usage for file owners. |
 |
zpat |
Posted: Thu Jan 07, 2010 3:42 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
If the MQ team don't have root access, and the Unix team (mainly AIX) don't look after the MQ installs - can the MQ team use sudo access?
Does anyone have experience (and preferably some info) on configuring sudo access (AIX) to allow
1. A new installation of MQ v6 or v7 queue manager and/or client?
2. Applying the latest fixpack to an existing installation of MQ (QM and/or client)?
3. Backing out the above changes?
From what was said above, root access is required - can anyone confirm or deny this (especially in relation to sudo usage)? |
 |
mqjeff |
Posted: Thu Jan 07, 2010 5:35 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
sudo counts as root access, that's what it is... "su do" - "DO this action as the Super User".
And, yes, software installation on Unix requires root level access, especially with package management systems like smit or rpm or installp that keep track of what software has been laid down. The only Unix I know that doesn't require a software installer to install software is Mac OS X.
The AIX team will likely not want to give you generic sudo access, that would let you run any command as the root user, including telnet/ssh/login...
They will almost certainly want to provide you with limited sudo access to specific commands.
The difficulty on AIX is that MQ is installed and fixed using smit or smitty, and your AIX team will likely not want to give you sudo access to smit/smitty, as it would then allow you to install any dang thing you wanted.
All the shops I've dealt with have wanted to handle this in different ways. Some have been fine to give the WMQ/WMB admins "unattended" install rights, some have been okay with having a Unix admin sit and watch MQ admin do the installation, some have been okay with having the MQ admin sit and watch the Unix admin do the install... Some have been okay with having the MQ admins create a script that either the Unix team can sudo or that the MQ admins can be granted specific privileges to sudo.
Lots of options, depends entirely on site specific policies and sensibilities. |
 |
zpat |
Posted: Thu Jan 07, 2010 6:06 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
I think we would have to ask for sudo with the exact installp commands required, which are not explicitly documented (although I suppose will be in the SMIT log after a normal install).
Anyone else had to do it this way? |
 |
Vitor |
Posted: Thu Jan 07, 2010 6:11 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
zpat wrote: |
From what was said above, root access is required - can anyone confirm or deny this (especially in relation to sudo usage)? |
When I've done work on AIX I've either been given the root password or given authority to sudo into root. From my experience the 2 methods have been equivalent (as you'd expect). As my most worthy associate points out it very much depends on local policies and views.
Looking back, it's been more common for the admin to change the root password to "mqinstall", wait for me to finish then change it to something else. This has been seen as "easier to remove" than granting me (or mqm) sudo then removing it again.
But I've encountered the opposing view, where the site wanted all generic access audited so it was sudo all the way. Be it to root or to mqm. All depends on the site.
_________________
Honesty is the best policy.
Insanity is the best defence. |
 |
Vitor |
Posted: Thu Jan 07, 2010 6:14 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
zpat wrote: |
Anyone else had to do it this way? |
I've always done it with unrestricted root. This has helped when we've had issues with disc, mount points or ownership. Again from a personal experience, sys admins are fine with this for the hour or so it takes to finish an install.
But it depends on site.
_________________
Honesty is the best policy.
Insanity is the best defence. |
 |
mqjeff |
Posted: Thu Jan 07, 2010 6:15 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
zpat wrote: |
I think we would have to ask for sudo with the exact installp commands required, which are not explicitly documented (although I suppose will be in the SMIT log after a normal install).
Anyone else had to do it this way? |
Again, this may be something that you can manage by writing a script to run the necessary smit commands. (or is it smitty that's the non-interactive?)
Those should be documented.
Then you can put the script file in a specific location, the unix admins can review it and approve it and chmod it so you can't edit it. Then they can give sudo access to run that specific script file.
This could also include the silent install commands for Broker. |
 |
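The arrangement described in the post above (a reviewed install script that the MQ admins may run through sudo but cannot edit) only holds if the script and every directory above it can be changed by root alone. The following is an added example, not code from the thread or from IBM, that checks exactly that; the script path and account name in its comments are hypothetical.

```shell
#!/bin/sh
# Added example: audit a script before naming it in a sudoers rule such as
#   mqadmin ALL=(root) /opt/mqinstall/install_mq.sh     (hypothetical names)
# If the script, or any directory above it, is writable by a non-root user,
# that user can swap the contents and run anything as root.

# Succeeds if $1 is owned by uid $2 and is not group- or other-writable.
# Symlinks show as lrwxrwxrwx in ls output, so they fail the check as well.
path_is_locked() {
    ls -ldn "$1" 2>/dev/null | awk -v want="$2" '
        { gw = substr($1, 6, 1); ow = substr($1, 9, 1)
          ok = ($3 == want && gw != "w" && ow != "w") }
        END { exit (ok ? 0 : 1) }'
}

# check_sudo_target SCRIPT [OWNER_UID] [TOP_DIR]
# Walks from SCRIPT up to TOP_DIR (default /); every component must be locked.
# OWNER_UID defaults to 0 (root). TOP_DIR exists so the check can be tried
# out in a scratch directory; in real use leave it at /.
check_sudo_target() {
    target=$1 owner=${2:-0} top=${3:-/}
    case "$target" in
        /*) ;;
        *) echo "need an absolute path: $target" >&2; return 1 ;;
    esac
    [ -f "$target" ] || { echo "not a regular file: $target" >&2; return 1; }
    p=$target
    while :; do
        path_is_locked "$p" "$owner" || { echo "unsafe: $p" >&2; return 1; }
        if [ "$p" = "$top" ] || [ "$p" = "/" ]; then break; fi
        p=$(dirname "$p")
    done
    return 0
}

# Stand-alone use: ./check_sudo_target.sh /opt/mqinstall/install_mq.sh
if [ $# -gt 0 ]; then
    check_sudo_target "$@"
fi
```
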
zpat |
Posted: Thu Jan 07, 2010 6:44 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
It's still a bit of a worry (using pre-written scripts) if you need to backout, or if something isn't quite right when you come to do the change in production under more pressure and at some odd hour of the day.
It would be great if IBM provided an AIX MQ install script that we could run under sudo - I am surprised they don't. |
 |
bruce2359 |
Posted: Thu Jan 07, 2010 6:58 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
At some point, and on all platforms, for MQ sysadmins to do their work (installation and subsequent problem determination), the o/s sysadmins must either:
1) grant o/s-level root
2) do the MQ install and o/s-level pd for us
3) oversee MQ sysadmins do the install and pd
4) or some combination of the above.
Bickering over territorial issues, while at times healthy, is in the long-term counter-productive. In my management days, I'd drag both admins into my office and wag my cooperation finger at them for delaying/killing a project. Work together, for the sake of both your careers.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
 |
mvic |
Posted: Thu Jan 07, 2010 7:04 am Post subject: |
|
|
 Jedi
Joined: 09 Mar 2004 Posts: 2080
|
zpat wrote: |
It would be great if IBM provided an AIX MQ install script that we could run under sudo - I am surprised they don't. |
In general I would say it was MUCH less effort to run the install from the smitty panel than to try to negotiate the details of the command line utilities.
And once you have got your favourite clean install, then as you mentioned earlier, there is a "geninstall" or "installp" command in the smit.log file. |