Issues
- Abnormal persistent file permissions upon upgrade to Meridian2023NMS-16153Christian Pape
- Database deadlock issue with lots of hikariCP and hibernate threadsNMS-16107Resolved issue: NMS-16107fooker
- Last 24 Hours graphs do not update correctly when using Database driversNMS-15850Resolved issue: NMS-15850Christian Pape
- Database deadlock triggered by NodeRestServiceNMS-15816Resolved issue: NMS-15816Jesse White
- Jira Ticketer Plugin update support for Atlassian CloudNMS-15785
- Docs need updating to include support for Kafka 3NMS-15777Resolved issue: NMS-15777Jeff Gehlbach
Abnormal persistent file permissions upon upgrade to Meridian2023
Description
Environment
Acceptance / Success Criteria
Attachments
Details
Assignee
Christian PapeChristian PapeReporter
JianYetJianYetHB Grooming Date
Sep 28, 2023HB Backlog Status
Refined BacklogSprint
NoneFix versions
Affects versions
Priority
High
Details
Details
Assignee
Reporter
HB Grooming Date
HB Backlog Status
Sprint
Fix versions
Affects versions
Priority
HighPagerDuty
PagerDuty
PagerDuty
Activity
JianYetDecember 5, 2023 at 2:55 PMEdited
The issue occurred on older Ubuntu release 18.04 as well when running opennms as non-root user after upgrading from Horizon 28 to Horizon 32. The output in the attached file is after implementing the workaround running as root. There’s no selinux running there as far as I can tell.
JianYetOctober 26, 2023 at 3:16 PMEdited
One of the instances have selinux in permissive mode. See https://opennms.atlassian.net/browse/SUPPORT-1999?focusedCommentId=100833. On the call, it seemed that this issue was isolated to opennms process only as the permission issue was not observed when creating the files manually. Consequently, the java process umask was also messed up.
Christian PapeOctober 5, 2023 at 1:21 PM
I mean something like SE Linux or any other Linux hardening mechanism, that may affect file creation, umask or permissions.
JianYetOctober 4, 2023 at 1:21 PMEdited
None of us was able to reproduce it either in our lab locally. Perhaps it has to do with the kernel version. I’ve seen in some cases updating the kernel version helped but not 100%. For example, we have seen this issue in RHEL7.9 3.10.0-1160.99.1.el7.x86_64,3.10.0-1160.90.1.el7 RHEL8.8 4.18.0-477.10.1.el8_8. Good question though. What security policy are you thinking about? Let me know if you have some ideas how to retrieve this information.
Christian PapeOctober 4, 2023 at 5:59 AM
I wasn’t able to reproduce the behavior. Was anyone of support able to reproduce the problem? Did the reporting customers enabled any security policy in their RHEL installation?
Upon upgrade to Meridian 2023, OpenNMS apparently breaks the file permissions or umask. Files are either created/modified to abnormal permission mode (non 644 for files) across multiple directory paths under /opt/opennms/ such as logs/, data/, etc/, share/rrd/, etc. This issue is persistent across restarts. Fixing permission manually either by running
fix-permissionsorchmodbinary may relieve the symptoms for a few minutes but it’s recurring after that. This seems like it’s more likely to occur when coming from an older version of kernel. Updating the kernel version to the latest can’t always fully fix the problem across different environment.For example,
in logs/
in data/tmp/ some files don’t have permission at all
There are many symptoms that can relate to this issue.
rrd files becomes inaccessible to user
opennmsso resource graphs are not rendered.jsp files becomes inaccessible to user
opennmsand it breaks the web UI. For example,and throws errors
For more details and longer report, please refer to https://opennms.atlassian.net/browse/SUPPORT-1999?focusedCommentId=101141
It appears that opennms process Umask is abnormal as opposed to the standard 0002.