There was a recent question on the rhq-users list about how process discovery and management worked, depending on the agent user and the process user on the system. This needs to be investigated for some server types, like JBAS, Apache, Tomcat, etc. For the recent JVM monitoring that Ian worked on, the agent must be running as the same user as the JVM or as root for the JVM to be discovered.
I spent some time investigating this this afternoon. The results were a bit surprising. I started JBAS6, Tomcat6, and Apache2 instances as root, and then tried to discover them with an Agent running as a regular user. Apache was discovered, but JBAS and Tomcat were not, which surprised me.

Looking at the code for the AS4 and AS5 plugins, I can tell we intended to support discovering AS servers running as other users, but alas it doesn't work; I would consider it a bug. I think Tomcat falls in the same boat - I can't think of any reason why we should not be able to discover Tomcat processes running as other users. We discover Apache and Postgres processes running as other users with no issues.

As for Process Resources, I was able to manually add Process Resources corresponding to processes running as root with no problems, even though my Agent was running as a regular user.

I think we need BZs for fixing the AS4, AS5, and Tomcat plugins, so they are able to discover server instances running as different users. This should not be a huge effort either.
I've done some further investigation, and it turns out it's not as bad as I thought. AS4 and AS5 can be discovered even when running as a different user than the Agent, but only if the Agent can read the AS instance's run.jar file (e.g. /home/bob/Applications/jboss/bin/run.jar). On Unix systems this means the Agent user must have execute/search permission on all ancestor directories of run.jar, i.e.:

  /home/
  /home/bob/
  /home/bob/Applications/
  /home/bob/Applications/jboss/
  /home/bob/Applications/jboss/bin/

and it also must have read permission for the run.jar file itself. The search permissions requirement is not obvious, except for Unix gurus. We should improve our logging in the AS4 and AS5 plugins, so they log informative warnings in cases where run.jar cannot be accessed, e.g.:

  [WARN] /home/bob/Applications/jboss/bin/run.jar is not accessible. Please make sure the file is readable by the user the Agent is running as (ips). In addition, make sure all of its ancestor directories (/home/, /home/bob/, /home/bob/Applications/, /home/bob/Applications/jboss/, and /home/bob/Applications/jboss/bin/) are executable/searchable by ips.

I'll create a BZ for adding this improved logging.

As for Tomcat, it does not discover Tomcat instances running as other users, even when the Agent can read all files in the Tomcat install. I consider this a bug, and I'll create a BZ for it.
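The permission requirement described in the comment above can be checked without switching to the Agent user. The following is an added example, not part of the bug report and not RHQ plugin code: the function name access_blockers and the warning wording are hypothetical, and it assumes it is run by a user who can stat every directory on the path.

```python
import os


def access_blockers(path, uid, gids):
    """Return (path, missing_permission) pairs that stop `uid` from reading `path`.

    Checks only the classic owner/group/other mode bits; ACLs, capabilities and
    mandatory access control (e.g. SELinux) are not considered.
    """
    if uid == 0:
        return []  # root bypasses read and directory-search checks
    target = os.path.realpath(path)
    # Build the ancestor chain: /, /home, /home/bob, ..., then the file itself.
    chain, current = [], target
    while True:
        chain.append(current)
        parent = os.path.dirname(current)
        if parent == current:
            break
        current = parent
    chain.reverse()

    blockers = []
    for entry in chain:
        st = os.stat(entry)
        # POSIX applies exactly one permission class: owner, else group, else other.
        if st.st_uid == uid:
            shift = 6
        elif st.st_gid in gids:
            shift = 3
        else:
            shift = 0
        bits = (st.st_mode >> shift) & 0o7
        if entry != target and not bits & 0o1:
            blockers.append((entry, "search (x)"))
        elif entry == target and not bits & 0o4:
            blockers.append((entry, "read (r)"))
    return blockers


if __name__ == "__main__":
    import grp, pwd, sys
    user, jar = sys.argv[1], sys.argv[2]  # e.g. ips /home/bob/Applications/jboss/bin/run.jar
    pw = pwd.getpwnam(user)
    groups = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    for blocked, need in access_blockers(jar, pw.pw_uid, groups):
        print(f"[WARN] {blocked}: {user} lacks {need} permission")
```

An empty result means the mode bits alone do not prevent the Agent user from reading run.jar; every ancestor that lacks the search bit is reported, not only the first one.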
Setting the target to 3.1.
Somewhat related, see bug 790753.
Assigning to Ian for review.
Created attachment 587447
agent and resource users

Ian,

Just review the docs, mark it up (track changes should be on), and re-attach it here. If anything is missing, insert a note, and I'll write the new content.

Thanks!
Deon

P.S. As per normal, I haven't spell-checked yet. I always do that last, after all the changes are done.
Created attachment 589964
reviews Agent user docs
Edits are in place: http://docs.redhat.com/docs/en-US/JBoss_Operations_Network/3.1/html/Admin_Initial_Setup_Inventory_Groups_and_Users/agent-user.html