Difference between revisions of "Debugging hints"
Line 9: | Line 9: | ||
For all run-modes of gLExec, the gLExec must be ''executable'' for all users. | For all run-modes of gLExec, the gLExec must be ''executable'' for all users. | ||
− | + | === Versions up to 0.6.8-3 === | |
− | |||
− | |||
− | * | + | *For running gLExec in '''setuid''' mode, ''preferably'' use the following mode ('''setuid''' and '''setgid'''): |
− | + | -r-sr-sr-x 1 root root 12345 2010-02-29 12:34 glexec | |
− | + | -rw-r----- 1 root glexec 123 2010-02-29 12:34 glexec.conf | |
− | *For running gLExec in '''logging only''' mode, ''preferably'' use | + | *In case ''setgid'' is not possible, ''preferably'' use the following mode (only '''setuid'''): |
− | + | -r-sr-xr-x 1 root root 12345 2010-02-29 12:34 glexec | |
− | + | -rw-r--r-- 1 root glexec 123 2010-02-29 12:34 glexec.conf | |
+ | |||
+ | *For running gLExec in '''logging only''' mode, ''preferably'' use the following mode: | ||
+ | -r-xr-xr-x 1 root root 12345 2010-02-29 12:34 glexec | ||
+ | -rw-r--r-- 1 root glexec 123 2010-02-29 12:34 glexec.conf | ||
+ | |||
+ | Note that these settings are also possible on a NFS mount. | ||
+ | |||
+ | === Version 0.7.0-2 === | ||
+ | |||
+ | *For running gLExec in '''setuid''' mode, ''preferably'' use the following mode (only '''setuid'''): | ||
+ | -rws--x--x 1 root root 12345 2010-02-29 12:34 glexec | ||
+ | -r-------- 1 glexec root 123 2010-02-29 12:34 glexec.conf | ||
+ | |||
+ | *For running gLExec in '''logging only''' mode, ''preferably'' use the following mode: | ||
+ | -rwx--x--x 1 root root 12345 2010-02-29 12:34 glexec | ||
+ | -r--r--r-- 1 glexec root 123 2010-02-29 12:34 glexec.conf | ||
+ | |||
+ | Note that these settings are also possible on a NFS mount. | ||
+ | |||
+ | Also note that YAIM will still install gLExec with either the ''setuid-and-setgid'' or ''logging-only-mode'' settings of [[#Versions up to 0.6.8-3|the previous versions]] which are still valid, and are also possible on an NFS mount. | ||
+ | |||
+ | The non-YAIM ''only-setuid'' set of permissions of [[#Versions up to 0.6.8-3|the previous versions]] no longer works. | ||
== Before continuing with testing: The gLExec Exit Codes and the Environment variables == | == Before continuing with testing: The gLExec Exit Codes and the Environment variables == |
Revision as of 15:10, 14 April 2010
Here are some useful things to check and mention when contacting us for help:
Check the version of the gLExec version:
/opt/glite/sbin/glexec -v
Check the file permissions of the gLExec executable.
For all run-modes of gLExec, the gLExec must be executable for all users.
Versions up to 0.6.8-3
- For running gLExec in setuid mode, preferably use the following mode (setuid and setgid):
-r-sr-sr-x 1 root root 12345 2010-02-29 12:34 glexec -rw-r----- 1 root glexec 123 2010-02-29 12:34 glexec.conf
- In case setgid is not possible, preferably use the following mode (only setuid):
-r-sr-xr-x 1 root root 12345 2010-02-29 12:34 glexec -rw-r--r-- 1 root glexec 123 2010-02-29 12:34 glexec.conf
- For running gLExec in logging only mode, preferably use the following mode:
-r-xr-xr-x 1 root root 12345 2010-02-29 12:34 glexec -rw-r--r-- 1 root glexec 123 2010-02-29 12:34 glexec.conf
Note that these settings are also possible on a NFS mount.
Version 0.7.0-2
- For running gLExec in setuid mode, preferably use the following mode (only setuid):
-rws--x--x 1 root root 12345 2010-02-29 12:34 glexec -r-------- 1 glexec root 123 2010-02-29 12:34 glexec.conf
- For running gLExec in logging only mode, preferably use the following mode:
-rwx--x--x 1 root root 12345 2010-02-29 12:34 glexec -r--r--r-- 1 glexec root 123 2010-02-29 12:34 glexec.conf
Note that these settings are also possible on a NFS mount.
Also note that YAIM will still install gLExec with either the setuid-and-setgid or logging-only-mode settings of the previous versions which are still valid, and are also possible on an NFS mount.
The non-YAIM only-setuid set of permissions of the previous versions no longer works.
Before continuing with testing: The gLExec Exit Codes and the Environment variables
The following pages might hold interesting to glance through before proceeding with your debugging:
- Proxy file handling in gLExec: All the details about the environment variables used by gLExec.
- Exit codes of gLExec: All the details about the exit codes of gLExec.
Test the exit codes by printing them on the shell by showing the value of $? Example:
/opt/glite/sbin/glexec /usr/bin/id -a; echo $?
Execute with exported GLEXEC_CLIENT_CERT and exported X509_USER_PROXY, with the full path
See Proxy file handling in gLExec for the purpose of these environment variables.
export GLEXEC_CLIENT_CERT=`pwd`/mkproxy-x509-voms export X509_USER_PROXY=`pwd`/mkproxy-x509-voms
Is the user account that tries to use gLExec whitelisted?
Method 1.: the calling account is a member of the 'glexec' primary or secondary group.
Method 2.: the account or the pool is whitelisted in the glexec.conf. See the Man pages of gLExec for more details on the whitelist options.
Note: when gLExec fails with a 'user not whitelisted' error, this might be caused by an unreadable glexec.conf file: in case the glexec.conf file is unreadable, gLExec uses its buildin defaults, including whitelisting only unix accounts which are member of the glexec group. Check the file permissions of the gLExec executable.
Example test script for gLExec
Testing basic functionality:
#!/bin/sh TESTPROXY=/tmp/x509up_`id -u` export GLEXEC_CLIENT_CERT=$TESTPROXY export X509_USER_PROXY=$TESTPROXY /opt/glite/sbin/glexec /usr/bin/id -a ; echo $?
Testing with the transfer of a specific proxy file:
#!/bin/sh TESTPROXY=/tmp/x509up_`id -u` export GLEXEC_CLIENT_CERT=$TESTPROXY export X509_USER_PROXY=$TESTPROXY export GLEXEC_SOURCE_PROXY=$TESTPROXY /opt/glite/sbin/glexec /usr/bin/id -a ; echo $?
Testing multi-user Pilot Job scenarios:
#!/bin/sh VOMSINFO=`which voms-proxy-info` PILOT_PROXY=/tmp/x509up_`id -u` TARGET_USER_PROXY=`pwd`/other.proxy export X509_USER_PROXY=$PILOT_PROXY export GLEXEC_CLIENT_CERT=$TARGET_USER_PROXY export GLEXEC_SOURCE_PROXY=$TARGET_USER_PROXY $VOMSINFO -all /opt/glite/sbin/glexec $VOMSINFO -all