lancelotlinc |
Posted: Wed Oct 05, 2011 9:21 am Post subject: Primary Group Membership |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
Greetings.
Need some clarification on installing WMB v7 on AIX. Currently, the documentation in the InfoCentre is vague on this topic.
A couple years back, a consultant configured the Broker runtime here to run under the mqm service Id. This results in the following:
1. When deploying bar files, the deployment sometimes hangs and does not complete.
2. When starting and stopping the brokers, some DFEs do not terminate and become zombies owned by root, whereas they were started under mqm Id.
3. Sometimes, when issuing an mqsistop command, a DFE will terminate and unexpectedly restart.
Most other clients I have been at configure a service Id where the primary group membership is mqbrkrs. The problem with using mqm as the service Id, is that mqm user's primary group membership is mqm group not mqbrkrs group.
Can someone (mgk maybe) comment on the product design and how the AIX primary group membership is relevant in this scenario? I would like to recommend to the Ops people that a new service Id be created and its primary group membership be mqbrkrs with secondary group membership of mqm. In my experience, it solves the above three anomalies. I do not find convincing documentation in the InfoCentre to support this position, however.
Comments? _________________ http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
|
smdavies99 |
Posted: Wed Oct 05, 2011 10:21 am Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
I've experienced the same problems as you in this area.
I first encountered it with the V2.1 UserNameServer.
It just wouldn't run and accept operations unless the primary account group was MQBrkrs.
Ever since then when I've faced problems deploying this is about the first thing I check. Then when I find out that it isn't 'mqbrkrs' I have that DOH! moment.
Then I usually delete everything, uninstall Broker and start again this time with the correct group ordering.
I've even encountered one site where I supplied a script that created and verified the account setting as part of the consultancy deliverables. The local admins ignored this script and the documentation and created the broker account wrongly. Just because it didn't fit in with their policies they ignored my instructions. Definitely some NIH going on.
I had great pleasure billing them for another day when I had to go in and sort it out. My Told you so moment.
Then we could get onto sites where the SysAdmins insist on the broker account password expiring every 30 days without realising the implications to production operations.
 _________________ WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
lancelotlinc |
Posted: Wed Oct 05, 2011 10:24 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
Thanks for the insight davies. I hope we can see some documentation of this configuration in InfoCentre. Have you been able to find any documentation of this for WMB? I did see some for WBIMB v 2.1 but none recent. |
|
smdavies99 |
Posted: Wed Oct 05, 2011 11:22 am Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
I have to hold my hand up and say...
I haven't looked at that bit of the InfoCentre since V6.0 came out.
I have a bash script that can create a complete broker environment using a config file. I tend to use that these days.
It does all the grunt work like creating EG's, setting the EG HTTP port, Creating Configurable services and DSN's.
So I can't really help you here except to say, the mqbrkrs group seems to work so :-
carry on and keep calm |
|
mqjeff |
Posted: Wed Oct 05, 2011 11:29 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
There should be information somewhere in the v7 Information Center on this, in terms of using the queue manager itself to start and stop the Broker by defining a set of MQ Services.
It would likely be buried in the discussion of creating a multi-instance Broker and thus running on top of a multi-instance queue manager. |
|
lancelotlinc |
Posted: Wed Oct 05, 2011 12:15 pm Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
Hi mqjeff, The references are not specific enough to advocate my position as described above. At the very most, the InfoCentre references talk about mqm being a member of mqbrkrs. Specifically, I need an InfoCentre article that says "On AIX and Linux, for best results, create a separate Broker runtime service Id and assign its primary group as mqbrkrs and secondary group as mqm." |
|
Vitor |
Posted: Wed Oct 05, 2011 12:24 pm Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
smdavies99 wrote: |
carry on and keep calm |
More typically expressed the other way round but still words to live by. _________________ Honesty is the best policy.
Insanity is the best defence. |
|
mqjeff |
Posted: Wed Oct 05, 2011 12:27 pm Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
You will never find an entry in the InfoCenter that says "for best results".
You will find comments along the lines of "this will work" or "this will not work".
It's an InfoCenter, not a collection of best practices nor is it capable of analyzing your requirements and determining what BEST meets those requirements.
As you mention, the documentation explicitly states that mqm must be a member of mqbrkrs, if you want to use mqm as the service id.
There is also discussion of what group membership is needed to perform various functions, including starting or running a broker.
So, again, the InfoCenter will tell you what you MUST do or what you CAN do, but will not tell you what you SHOULD do. |
|
lancelotlinc |
Posted: Wed Oct 05, 2011 12:31 pm Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
Yes, I get this. The problem is, when any user Id that issues a Broker administrative command is not primary to mqbrkrs group Id, then the Broker has anomalies.
I don't consider it a bug as much as a usage clarification. |
|
mqjeff |
Posted: Wed Oct 05, 2011 12:41 pm Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
lancelotlinc wrote: |
Yes, I get this. The problem is, when any user Id that issues a Broker administrative command is not primary to mqbrkrs group Id, then the Broker has anomalies.
I don't consider it a bug as much as a usage clarification. |
Group membership should be sufficient. It should not be necessary, since it is not DOCUMENTED to be necessary, that mqbrkrs should be the primary group.
If you are seeing other behavior, then either the product is malfunctioning or the documentation is wrong. Also note that this behavior may vary on Linux versus AIX vs Solaris vs. etc. etc. etc.
So either open a PMR or file a feedback. Ideally, do both. |
|
fjb_saper |
Posted: Wed Oct 05, 2011 1:02 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
I suspect this may very much be dependent on how the user ids are generated in your system, and your mileage may vary.
Say the userid is generated as a copy of a user with its primary group as either in mqm or mqbrkrs... it may have different ulimits and other environmental setup as a user generated from a copy of a user in the staff group and just made member of the mqm or mqbrkrs groups.
This might also impact the behavior of your app.  _________________ MQ & Broker admin |
|
lancelotlinc |
Posted: Wed Oct 05, 2011 1:30 pm Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
mqjeff wrote: |
lancelotlinc wrote: |
Yes, I get this. The problem is, when any user Id that issues a Broker administrative command is not primary to mqbrkrs group Id, then the Broker has anomalies.
I don't consider it a bug as much as a usage clarification. |
Group membership should be sufficient. It should not be necessary, since it is not DOCUMENTED to be necessary, that mqbrkrs should be the primary group.
If you are seeing other behavior, then either the product is malfunctioning or the documentation is wrong. Also note that this behavior may vary on Linux versus AIX vs Solaris vs. etc. etc. etc.
So either open a PMR or file a feedback. Ideally, do both. |
Ok, I will open a PMR and send some document feedback. I have observed this consistent behaviour on RHEL 5.5 and AIX 5.3. I'm not suggesting that a source code change is needed in the WMB product, only that this behaviour needs to be pointed out in documentation. |
|
lancelotlinc |
Posted: Thu Oct 06, 2011 5:40 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
I posted this as a comment on this article: Topic bp43600_ Activating broker administration security
http://publib.boulder.ibm.com/infocenter/wmbhelp/v7r0m0/topic/com.ibm.etools.mft.doc/bp43600_.htm
The instructions in this article lead to three specific problems on AIX and Red Hat Linux operating systems.
1. When deploying bar files, the deployment sometimes hangs and does not complete.
2. When starting and stopping the brokers, some DFEs do not terminate and become zombies owned by root, whereas they were started under mqm Id.
3. Sometimes, when issuing an mqsistop command, a DFE will terminate and unexpectedly restart.
To resolve this, the service Id that runs Broker runtime needs to have primary group membership in mqbrkrs not mqm. This document leads users to create a Broker configuration where the Broker runtime service Id is primary group membership of mqm which is not correct. In order for Broker runtime to operate without the above three anomalies, the Broker service Id must have primary group membership of mqbrkrs and any user executing Administrative commands must sudo into the Broker Service Id first. |
|
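The group ordering described in the post above (primary group mqbrkrs, mqm as a secondary group) can be checked on a host before a broker is created. This is an added example, not part of the original thread and not smdavies99's script; the function names are hypothetical, and it assumes the POSIX `id -gn` / `id -Gn` options available on both AIX and Linux.

```shell
#!/bin/sh
# Added example: verify the service-Id group ordering discussed in this thread.
# Group names mqbrkrs and mqm come from the thread; function names are hypothetical.

# check_groups PRIMARY "ALL GROUPS"
# Returns 0 if PRIMARY is mqbrkrs and mqm is in the group list,
#         1 if the primary group is not mqbrkrs,
#         2 if mqm is missing from the group list.
check_groups() {
    cg_primary=$1
    cg_all=$2
    if [ "$cg_primary" != "mqbrkrs" ]; then
        return 1
    fi
    for cg_g in $cg_all; do
        if [ "$cg_g" = "mqm" ]; then
            return 0
        fi
    done
    return 2
}

# check_broker_account USER
# Looks the account up with id(1), prints a one-line verdict and returns
# the check_groups code, or 3 if the account does not exist.
check_broker_account() {
    cb_user=$1
    if ! cb_primary=$(id -gn "$cb_user" 2>/dev/null); then
        echo "$cb_user: no such account"
        return 3
    fi
    cb_all=$(id -Gn "$cb_user")
    cb_rc=0
    check_groups "$cb_primary" "$cb_all" || cb_rc=$?
    case $cb_rc in
        0) echo "$cb_user: OK (primary=$cb_primary, groups=$cb_all)" ;;
        1) echo "$cb_user: primary group is $cb_primary, expected mqbrkrs" ;;
        2) echo "$cb_user: mqm is not among its groups ($cb_all)" ;;
    esac
    return $cb_rc
}
```

Run `check_broker_account` with the broker service Id as its argument; the mqm account set up as described in the first post would return 1.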
lancelotlinc |
Posted: Mon Oct 10, 2011 5:41 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
fyi - I received an email today from IBM UK acknowledging my request and stating that the request has been assigned to a technical writer. |
|