On 19/09/18 14:47 +0800, zhongbin wrote:
> More detail:
> my operating system is Debian 8 (jessie).
>
> At 2018-09-19 14:00:42, "钟彬" <[email protected]> wrote:
> > When I use a non-root user to start pacemaker-2.0.0,

Running pacemaker as non-root is not a good choice, I am afraid. It simply wasn't designed to run like that, since the vast majority of the resources to be managed in HA fashion (purpose of pacemaker) will require some portion of extra privileges, so the actual progression regarding privileges is to start with a full sack only to gradually drop what's not needed (akin to "least privilege" principle) -- either in pacemaker's own set of auxiliary daemons or internally in the resources themselves.

The other justification is that for HA clustering to be meaningful, you need some kind of isolation of broken hosts, and how much sense does it make to _not_ allow enough privileges to pacemaker while at the same time allowing it to cut off these machines incl. self (which is being attempted in your very case, to solve something very unexpected -- not having enough privileges is likely one such case)?

> "pacemakerd: error: sysrq_init: Cannot write to /proc/sys/kernel/sysrq:
> Permission denied (13)"
> appears in pacemaker.log.
> Some other "Permission denied" problems were resolved by using
> "setcap" command to enable some capabilities. But the above
> problem cannot be solved.

Well, your run of pacemaker is getting to a really unsolvable situation when it takes the code path allowing for such a message, so even if you manage to overcome that denial with some other capabilities artificially granted, your machine will likely just be rebooted.

If I were you, I'd stop going down that rabbit hole and simply run pacemaker as root. The workaround chain for your current approach doesn't seem to be worth the hassle, and is in conflict with what pacemaker is meant to be used for.

> "Cannot write to /proc/sys/kernel/sysrq" was printed when calling
> the function sysrq_init.
> [1]https://github.com/ClusterLabs/pacemaker/blob/e8b96015f5e709de29f8e84fc78387796d31b4da/lib/common/watchdog.c#L69

Not that it should help in your scenario, but I realized that perhaps fewer writes are better regarding various Linux security modules, auditing, etc., and any sort of race condition is not imminent (at worst racing with the sibling processes with the same intent):

https://github.com/ClusterLabs/pacemaker/pull/1590

> Can you give me some suggestions to solve the problem. Is
> sysrq_init necessary, can I ignore the error.

See above, you likely won't get anywhere even if you ignore that error.

--
Nazdar, Jan (Poki)
_______________________________________________ Developers mailing list [email protected] https://lists.clusterlabs.org/mailman/listinfo/developers
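
The remark in the reply above, that fewer writes to /proc/sys/kernel/sysrq are friendlier to Linux security modules and auditing, can be illustrated with a read-before-write check. This is an added example, not code from the thread or from pacemaker: the names `sysrq_allows` and `sysrq_ensure` are hypothetical, and the mask value 128 (reboot/poweroff) is taken from the kernel's sysrq documentation, not from this page.

```c
#include <errno.h>
#include <stdio.h>

#define SYSRQ_ALL      1   /* kernel: value 1 enables every sysrq function */
#define SYSRQ_REBOOT 128   /* kernel: bit allowing reboot/poweroff */

/* True when the current mask already permits everything in `required`. */
static int sysrq_allows(long current, long required)
{
    return current == SYSRQ_ALL || (current & required) == required;
}

/*
 * Make sure `path` (normally /proc/sys/kernel/sysrq) permits `required`.
 * Returns 0 if the mask was already sufficient (no write is issued),
 * 1 if the mask was widened, or -errno if reading or writing failed
 * (for an unprivileged process the write path yields -EACCES).
 */
int sysrq_ensure(const char *path, long required)
{
    long current = 0;
    FILE *f = fopen(path, "r");

    if (f == NULL) return -errno;
    if (fscanf(f, "%ld", &current) != 1) { fclose(f); return -EINVAL; }
    fclose(f);

    if (sysrq_allows(current, required)) return 0;  /* nothing to audit */

    f = fopen(path, "w");
    if (f == NULL) return -errno;   /* the "Permission denied (13)" case */
    fprintf(f, "%ld", current | required);
    if (fclose(f) != 0) return -errno;  /* buffered write fails here */
    return 1;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <sysrq-file>\n", argv[0]);
        return 2;
    }
    int rc = sysrq_ensure(argv[1], SYSRQ_REBOOT);
    printf("sysrq_ensure(%s) = %d\n", argv[1], rc);
    return rc < 0;
}
```

A return of 0 means the process never opened the file for writing, so no permission check or audit record is triggered for a mask that is already wide enough.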
