On 06/15/09 09:10, Sangeeta Misra wrote:
> Folks,
>
> Currently the ilbd daemon runs as "root" and uses SCF to store
> persistent configuration. ILB's rules, servergroups and healthcheck
> objects are represented as property groups in SCF. Note that we use
> the property group type SCF_GROUP_APPLICATION.
>
> Below is a sample layout of the ilb property groups/properties:
>
> prop-group name | property name | property type | property value
> -------------------------------------------------------------------------
> rule123         | status        | boolean       | disabled/enabled
>                 | vip           | net-v4/6-addr | v4/6 IP address
>                 | port          | astring       | port range
>                 | protocol      | astring       | TCP/UDP...
>                 | ilb-alg       | astring       | round-robin...
>                 | ilb-type      | astring       | NAT/DSR...
>                 | healthcheck   | astring       | healthcheck name
>                 | drain-time    | int           | sec
>                 | nat-timeout   | int           | sec
>                 | pers-timeout  | int           | sec
>                 | hc-port       | astring       | ALL/ANY/some-number
>                 | servergroup   | astring       | servergroup name
> [.... more rules ....]
> servergroup123  | status        | boolean       | disabled/enabled
>                 | server1       | astring       | IP-addr:port:enable/disable
>                 | server2       | astring       | IP-addr:port:enable/disable
> [ .... more servers ....]
> healthcheck123  | hc-test       | astring       | test program
>                 | hc-timeout    | int           | timeout value in sec
>                 | hc-interval   | int           | interval val in sec
>                 | hc-count      | int           | test repetition
> [ .... more healthchecks ....]
>
> I am trying to see if I can get ilbd to run as "daemon" instead of
> "root". See the attached ilbd.xml file for the list of privileges
> that the ilbd daemon runs with. After starting the ilbd daemon (i.e.
> running with the "daemon" uid), when I try to configure a healthcheck thus:
>
> # ilbadm create-healthcheck -h \
>     hc-test=ping,hc-timeout=3,hc-count=2,hc-interval=14 hc1
>
> I get the error:
> ilbadm: no scf permit
>
> The command executes fine, but it's the writing to scf that is
> failing.
> My questions are as follows:
>
> Question 1
> ===========
> I assume that in order to authorize the ilbd daemon to successfully call
> the scf_* functions to create/modify/delete/retrieve the
> configuration to/from the scf framework, all I need to do is add this to
> usr/src/lib/libsecdb/user_attr.txt:
>
> daemon::::auths=solaris.smf.manage.ilb,solaris.smf.modify
>
> Can you confirm that this is indeed all that is required? Or does
> one need to do more than that (and if so, what exactly)?

I tried the above and it seems to work. But the question is, is this OK to do? If not, then we would need to create a uid of "netadm" and run ilbd with that uid instead, and change the user_attr entry to:

netadm::::auths=solaris.smf.manage.ilb,solaris.smf.modify
Please advise.

Sangeeta

> Question 2
> =============
> Is it OK for a process running as "daemon" to have the
> "solaris.smf.modify"/"solaris.smf.modify.application" authorization?
> Or should this authorization only be granted to processes that run as
> "root"?
>
> Sangeeta
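The two questions above both come down to what a given uid is granted in user_attr(4) and how broad that grant is. The following POSIX shell script is an added example, not code from the thread or from the ILB project: it parses user_attr-style entries (the `user:qualifier:res1:res2:attr` format, with `auths=` inside the `;`-separated attr field), reports which authorizations a uid holds, and flags a shared system account such as `daemon` that carries the unscoped `solaris.smf.modify` rather than the narrower `solaris.smf.modify.application`. The sample entries are constructed for the example; the `netadm` line is the alternative uid the poster proposes, here shown with the scoped authorization, and the wildcard `solaris.*` grant on `root` is an assumption about a typical root entry, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit user_attr(4)-style entries for
# the authorizations a uid carries. Each entry is user:qualifier:res1:res2:attr,
# where attr is a ';'-separated list of key=value pairs such as auths=a,b.

# Constructed sample file, modelled on the entries discussed in the thread.
SAMPLE_USER_ATTR=$(mktemp)
cat >"$SAMPLE_USER_ATTR" <<'EOF'
# user:qualifier:res1:res2:attr
root::::auths=solaris.*,solaris.grant;profiles=All;lock_after_retries=no
daemon::::auths=solaris.smf.manage.ilb,solaris.smf.modify
netadm::::auths=solaris.smf.manage.ilb,solaris.smf.modify.application
EOF

# Print the comma-separated auths= value for USER (nothing if the user has
# no entry or no auths= key). Comment lines are skipped.
user_attr_auths() {
    file=$1 user=$2
    grep -v '^#' "$file" | awk -F: -v u="$user" '
        $1 == u {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^auths=/) { sub(/^auths=/, "", kv[i]); print kv[i] }
        }'
}

# Exit 0 if USER holds AUTH as a literal entry. Wildcard grants such as
# solaris.* are deliberately not expanded, so this is a strict check.
has_auth() {
    file=$1 user=$2 auth=$3
    user_attr_auths "$file" "$user" | tr ',' '\n' | grep -qx "$auth"
}

# Print "user auth" for every shared system account that holds the unscoped
# solaris.smf.modify; a grant of solaris.smf.modify.application is not flagged,
# since it is limited to application property groups (SCF_GROUP_APPLICATION).
flag_broad_smf_modify() {
    file=$1
    for u in daemon nobody; do
        if has_auth "$file" "$u" solaris.smf.modify; then
            echo "$u solaris.smf.modify"
        fi
    done
}

# Stand-alone run: show what each uid holds, then the audit findings.
for u in daemon netadm; do
    echo "$u: $(user_attr_auths "$SAMPLE_USER_ATTR" "$u")"
done
flag_broad_smf_modify "$SAMPLE_USER_ATTR"
```

Run against a real `/etc/user_attr` the same functions answer both questions in one pass: `has_auth /etc/user_attr daemon solaris.smf.modify` tells you whether the grant from the proposed `user_attr.txt` line actually landed, and `flag_broad_smf_modify` lists any shared uid that received the unscoped authorization instead of the `.application` variant.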