Thursday, December 30, 2010

Running the RHQ agent as root? Alternatives? ACLs!

 

Some RHQ plugins require access to resources that are normally only readable by root or by the respective owner. The example I am using here is the postgres plugin. This plugin needs access to $PGDATA/postgresql.conf in order to show the configuration in the UI (and possibly to update it).

Unfortunately postgres requires this file to be owned by user postgres and to be readable (and writable) only by this user (mode 600), and the directory containing this file ($PGDATA) is also required to be owned by user postgres and to be accessible only by user postgres (mode 700).

 

One way to access the data is to run the RHQ agent as root and be done with it. But even if the agent does not do any harm, many admins don't feel comfortable with it - especially when using plugins from third parties that they don't have the source for, or when using the script plugin, which can use shell scripts to do its work.

Luckily there is an easy way to get around this limitation: ACLs

ACLs (access control lists) are a POSIX feature that is implemented in most (if not all) modern systems these days. Unfortunately, the commands to set and query them differ from system to system.

On Red Hat Enterprise Linux (and Fedora and probably all other Linuxes) you can set them like this ('hrupp' is used as the agent user):

postgres$ pwd
/var/db/postgres
postgres$ setfacl -m u:hrupp:rw $PGDATA/postgresql.conf
postgres$ setfacl -m u:hrupp:x $PGDATA

ls shows that ACLs are active on these entries:

root# ls -lsa
8 drwx--x---+ 13 postgres postgres 4096 Dec 21 14:04 .
24 -rw-rw----+ 1 postgres postgres 16872 Dec 17 12:11 postgresql.conf

See the little + in the perms? That indicates an active ACL. Those can be queried via getfacl:

root# getfacl .
# file: .
# owner: postgres
# group: postgres
user::rwx
user:hrupp:--x
group::---
mask::--x
other::---

 

root# getfacl postgresql.conf
# file: postgresql.conf
# owner: postgres
# group: postgres
user::rw-
user:hrupp:rw-
group::---
mask::rw-
other::---

Also remember that the filesystem's mount options need to enable ACLs first:

root# grep acl /etc/fstab
/dev/mapper/VG_data-data1 /var/db ext4 defaults,acl 1 3
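As an added example that is not part of the original post: the following Python script parses the text that getfacl prints and audits it for the least-privilege setup described above. It checks that the agent user ends up with exactly the permissions it needs once the mask is applied, that 'other' was not opened up, and that no further named users crept in. The user name 'hrupp' and both sample outputs are constructed for this example; the second sample shows a mis-set ACL where the mask silently narrows the agent's entry (getfacl flags that with a trailing '#effective:' note).

```python
"""Audit getfacl(1) output for a least-privilege agent ACL.

Added example, not from the original post: parse what `getfacl` prints
and check that the agent user gets exactly the permissions it needs,
that the mask does not silently narrow them, and that nobody else
gained access. 'hrupp' and both samples are constructed.
"""

# Constructed sample: the directory ACL as the post shows it
SAMPLE_DIR_ACL = """\
# file: .
# owner: postgres
# group: postgres
user::rwx
user:hrupp:--x
group::---
mask::--x
other::---
"""

# Constructed sample of a mis-set ACL: the mask narrows hrupp to read-only
# (getfacl prints '#effective:') and 'other' was opened up, which is what a
# later chmod on the file can do behind your back
SAMPLE_BAD_ACL = """\
# file: postgresql.conf
# owner: postgres
# group: postgres
user::rw-
user:hrupp:rw-          #effective:r--
group::---
mask::r--
other::r--
"""


def parse_getfacl(text):
    """Return (header, entries): header holds the '# key: value' comment lines,
    entries is a list of (tag, qualifier, perms) tuples in file order."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        # getfacl appends '#effective:...' when the mask reduces an entry; drop it
        line = line.split("#", 1)[0].strip()
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, perms))
    return header, entries


def apply_mask(perms, mask):
    """The effective permission of a masked entry is entry AND mask."""
    return "".join(p if m != "-" else "-" for p, m in zip(perms, mask))


def effective_perms(entries):
    """Map each principal ('user:hrupp', 'group:', 'other:') to its effective
    permissions. The mask applies to named users, named groups and the owning
    group, never to the file owner or to 'other'."""
    mask = next((p for t, q, p in entries if t == "mask"), "rwx")
    result = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        masked = (tag == "user" and qualifier != "") or tag == "group"
        result[f"{tag}:{qualifier}"] = apply_mask(perms, mask) if masked else perms
    return result


def audit_agent_acl(text, agent, required):
    """Return a list of findings; an empty list means the ACL is as intended."""
    header, entries = parse_getfacl(text)
    eff = effective_perms(entries)
    name = header.get("file", "?")
    agent_key = f"user:{agent}"
    findings = []
    if agent_key not in eff:
        findings.append(f"{name}: no ACL entry for {agent}")
    elif eff[agent_key] != required:
        findings.append(f"{name}: {agent} has {eff[agent_key]}, expected {required}")
    if eff.get("other:", "---") != "---":
        findings.append(f"{name}: 'other' has {eff['other:']}, expected ---")
    extra = [k for k in eff if k.startswith("user:") and k not in ("user:", agent_key)]
    if extra:
        findings.append(f"{name}: unexpected named users {extra}")
    return findings


if __name__ == "__main__":
    for sample, need in ((SAMPLE_DIR_ACL, "--x"), (SAMPLE_BAD_ACL, "rw-")):
        print(audit_agent_acl(sample, "hrupp", need) or "ok")
```

Run it against real output with something like `getfacl $PGDATA/postgresql.conf` piped into the script; the point of the mask handling is that `setfacl -m u:hrupp:rw` can look right in the named entry while the effective permission is something else.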

 

On Mac OS X the command to see ACLs in directory listings is 'ls -lea' (shown below). To set an ACL you can use chmod (here 'hrupp' is again used as the agent user):

postgres$ pwd
/var/db/postgres
postgres$ chmod +a "hrupp allow read,write" postgresql.conf
postgres$ ls -le postgresql.conf
-rw-------+ 1 postgres  postgres  16759 Jul 22  2009 postgresql.conf
 0: user:hrupp allow read,write
postgres$ chmod +a "hrupp allow execute" .
postgres$ ls -lea
drwx------+ 23 postgres  postgres    782 Dec 30 15:00 .
 0: user:hrupp allow search
-rw-------+  1 postgres  postgres  16759 Jul 22  2009 postgresql.conf
 0: user:hrupp allow read,write

The '0:' tells us that this is the first ACL entry on the file. If more entries were set, they would be listed there as well and evaluated in that order.

 

I have been told that recent Windows versions also support POSIX ACLs, so this should work there as well.

---

This tip was brought to you by the excellent RHCSA training.

 

Wednesday, December 29, 2010

A pitfall in PendingIntent (with solution)

The Android documentation has a nice overview chapter about how to notify the user with status bar notifications.

The example text works quite nicely: the user gets informed and can then call back into the application. But when working on Zwitscher it did not work as I intended. But let's start slowly.

Setting up a notification goes along the lines of (taken from the developer guide):


Intent notificationIntent = new Intent(this, MyClass.class);
PendingIntent contentIntent =
PendingIntent.getActivity(this, 0, notificationIntent, 0);
notification.setLatestEventInfo(context, "Title",
"something went wrong", contentIntent);

where a PendingIntent is set up as a "pointer" and stored by the system so that when the user selects the notification in the status bar the target activity specified in the notificationIntent can be called.

Now sometimes you want to attach some additional data to the intent to be delivered - like a longer explanation why your action failed. You would go like:

Intent notificationIntent = new Intent(context, MyClass.class);
notificationIntent.putExtra("key", "value");
notificationIntent.putExtra("key2", someCounter++);

to add the payload. And in MyClass you would get the data via

Intent intent = getIntent();
Bundle bundle = intent.getExtras();
String head = bundle.getString("key");
Integer body = bundle.getInt("key2");

Now when the notification fires, the intent is created, attached to the PendingIntent, and shows up in the status bar.

The user then opens the status bar to see the longer message and presses this area to see the full details. This means that the system delivers the created Intent "out of the blue" and thus starts the MyClass activity, which then pulls the payload from the intent.

When you do this a few times in a row you will see that the passed counter (someCounter) does increase in your sending activity, but that the receiver always shows the initial value. Canceling the notification in the sender does not help here.

This comes from the fact that the system does not assume that, just because we pass a new Intent object when requesting the pending intent, we want this new Intent object to be delivered; it simply keeps the old (initial) pending intent alive.

To get the desired semantics, we need to pass a flag to tell the system:

PendingIntent pintent = 
PendingIntent.getActivity(context,0,intent,PendingIntent.FLAG_CANCEL_CURRENT);


This flag (FLAG_CANCEL_CURRENT) tells the system that the old pending intent is no longer valid and that it should cancel (= remove) it and then create a fresh one for us. There are more possible flags, which are described on the javadoc page for PendingIntent.
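The following is an added example, not code from the post and not Android's own implementation: a small Python model of how the system matches a PendingIntent.getActivity() request against the tokens it already holds. The identity of a token is the request code plus what Intent.filterEquals() compares (component, action, data, categories); extras are deliberately not part of it, which is why the new Intent with the new counter resolves to the old token unless a flag says otherwise. The model goes slightly beyond the post by also running FLAG_UPDATE_CURRENT, the other commonly used flag, and by recording what happens to an older notification that still holds the previous token. The class names Intent, PendingRecord and PendingIntentRegistry and the helper post_three_notifications are this example's own; the two flag values are the real Android constants.

```python
"""Model of the PendingIntent lookup that causes the stale-extras pitfall.

Added example, not from the post and not Android's own code: a tiny registry
that mimics how the system matches a getActivity() request against the
tokens it already holds. Extras are intentionally not part of a token's
identity, so a new Intent with new extras finds the old token.
"""
from dataclasses import dataclass, field

# The real Android constants, reproduced so the flag arithmetic reads naturally
FLAG_UPDATE_CURRENT = 1 << 27
FLAG_CANCEL_CURRENT = 1 << 28


@dataclass
class Intent:
    component: str                      # stands in for the target class
    action: str = ""
    extras: dict = field(default_factory=dict)

    def filter_key(self):
        """What filterEquals() compares; extras are intentionally excluded."""
        return (self.component, self.action)


@dataclass
class PendingRecord:
    """One token as the system keeps it: an Intent snapshot plus a validity bit."""
    intent: Intent
    cancelled: bool = False


class PendingIntentRegistry:
    """Hypothetical stand-in for the system's PendingIntent table."""

    def __init__(self):
        self._records = {}

    def get_activity(self, request_code, intent, flags=0):
        key = (request_code, intent.filter_key())
        existing = self._records.get(key)
        if existing is not None and not (flags & FLAG_CANCEL_CURRENT):
            if flags & FLAG_UPDATE_CURRENT:
                # same token, but its stored extras are replaced by the new ones
                existing.intent.extras = dict(intent.extras)
            # flags == 0: the caller gets the old token with the old extras back
            return existing
        if existing is not None:
            # FLAG_CANCEL_CURRENT: whoever still holds the old token (e.g. an
            # older notification sitting in the status bar) now has a dead one
            existing.cancelled = True
        record = PendingRecord(Intent(intent.component, intent.action, dict(intent.extras)))
        self._records[key] = record
        return record


def post_three_notifications(flags):
    """Simulate the post's scenario: three notifications carrying counter 1..3.
    Returns (counter the activity sees when the newest notification is tapped,
    whether the first notification's token is still valid)."""
    registry = PendingIntentRegistry()
    tokens = []
    for counter in (1, 2, 3):
        intent = Intent("MyClass", extras={"key": "value", "key2": counter})
        tokens.append(registry.get_activity(0, intent, flags))
    newest, first = tokens[-1], tokens[0]
    return newest.intent.extras["key2"], not first.cancelled


if __name__ == "__main__":
    for name, flag in (("0", 0),
                       ("FLAG_UPDATE_CURRENT", FLAG_UPDATE_CURRENT),
                       ("FLAG_CANCEL_CURRENT", FLAG_CANCEL_CURRENT)):
        delivered, old_ok = post_three_notifications(flag)
        print(f"{name}: activity sees key2={delivered}, first token valid={old_ok}")
```

With flags 0 the activity always sees key2=1, which is the behaviour described above. FLAG_UPDATE_CURRENT keeps one token and swaps its extras, so an older notification that is still visible would also deliver the newest payload; FLAG_CANCEL_CURRENT hands out a fresh token and invalidates the old one, so tapping an older notification does nothing. Using a different request code per notification is the third way to get distinct tokens.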

 


You can see a full example in the Zwitscher source code on github in the

And remember that Zwitscher is live on the Android market - download and try it :-)

Saturday, December 11, 2010

Zwitscher is on the market

Zwitscher, my Twitter client for Android(*) is now available in the Android-Market.

zwitscher_on_market.png

 

While v0.50 has still rough edges it is what I am basically using as my main and only Twitter client on my mobile. I've completely deleted the official Twitter app :-)

Zwitscher is open source and hosted on GitHub.

Thursday, December 09, 2010

New preview release of RHQ 4 available

 

We have just made a new developer preview release of RHQ available. This release features a lot of changes and improvements in the UI, that is rewritten in GWT.

 

 

Rupp_RHQ_Dashboard.png

Major new features:

  • Improved LDAP support
  • Default dashboard improvements
  • Improved Resource Inventory support
  • Breadcrumbs no longer used
  • I18N
  • New Help section: Docs from the www.rhq-project.org are now available directly through the app.
  • GWT-based user and role edit views finished
  • Metric and Alert template views converted from JSF to GWT
  • Much improved MySQL plugin (by Steve Milidge)

More detailed release notes can be found here: http://rhq-project.org/display/RHQ/Release+Notes+4.0+DP2

Please check out this release and give us as much feedback as you can. We are also very interested in getting more translations.

The release can be downloaded from the link within the release notes.

Thanks to everyone who contributed. Heiko (on behalf of the RHQ team)

 

Wednesday, December 08, 2010

I am a RHCSA now :-)

Last week I spent the whole week in the Red Hat training center here in Stuttgart, participating in the Red Hat Certified System Administrator (RHCSA) fast track course and exam. The RHCSA is probably still fairly unknown and better known under its previous name, "RHCT". RHCSA runs on RHEL 6.

The fast track training consists of more basic aspects of system administration like installing and enabling services and setting up networking in the first half, and more advanced topics like ACLs, SELinux and LVM (with encryption and snapshots) in the second part. The course material works with brand new RHEL 6 stuff and the exam is on RHEL 6 as well. Top notch!

Friday was exam time. As I am not allowed to talk about it, only this much: this is a real-world, get-things-done kind of exam and not some multiple choice test.

And then I was waiting for exam results - and today I got it: I passed and I am now a RHCSA! :-)))

Cert number is 100-003-383

 

Tuesday, December 07, 2010

PGDayEU 2010

I was lucky enough to be able to attend the first day of the PGDay EU conference here in Stuttgart. The conference was held at the SI-Erlebniszentrum - a location well known to me, as the Java Forum Stuttgart took place there for many years.

The conference had around 200 attendees and the main tracks were given in two large rooms. Almost all of the "celebrities" like Simon Riggs, Dave Fetter, Magnus Hagander, Heikki Linnakangas, Bruce Momjian (with his son!) were there.

I am not much of a database expert, so the talks were very technical for me :) But not incomprehensible :-)

One definitely cool talk was given by Gianni Ciolli from 2ndQuadrant: he was playing chess against postgres (http://twitpic.com/3dfojr and http://yfrog.com/2q3nq01j). Gianni showed the SQL involved and then played against the DB. The chess pieces were simply rendered as UTF-8 characters :-)

Bruce Momjian talked about rapid upgrades from 8.x (or even 9.0) to 9.x via the rewritten pg_upgrade. With it, upgrades of a huge database can take as little as 44 seconds (in link mode). Definitely something to have a look at.

After lunch I talked about "Servermonitoring mit RHQ" (in German). I had ~40 attendees, which was nice. There definitely was interest and I got some good questions afterwards. I've put my slides online at http://www.pilhuhn.de/hwr/misc/PGDay_EU_2010.pdf . If you want to know more about RHQ, visit http://rhq-project.org.

After attending Simon Riggs' talk about replication, I went to Devrim Gündüz, who was talking about failover using the Red Hat Cluster suite. This talk was very nicely presented with a lot of involvement of the speaker :-)

In the evening EnterpriseDB sponsored a party with food and drinks. There were lots of interesting conversations going on at the tables; people were all very nice.

So this PGDay was a very positive experience for me. Unfortunately I could not make it to the 2nd day with more interesting talks.