Dear community,
Trying to deploy SystemEDGE configurations to agents remotely using VAIM, I came across the following unexpected behavior:
1) During SystemEDGE agent start, the /opt/CA/SystemEDGE/config/port1691 directory is created. It includes a temporary directory “temp”. The default access permissions are the following:
[caadm@OM2REP01 config]$ ls -la port1691
total 188
drwxr-x--- 3 caadm caadm 4096 May 19 10:54 .
drwxr-xr-x 4 caadm caadm 4096 May 19 10:47 ..
-rw-r----- 1 caadm caadm 452 May 19 10:54 sysedge_audit.log
-rw-r----- 1 caadm caadm 58544 May 19 10:47 sysedge.cf
-rw------- 1 caadm caadm 92 May 19 10:54 .sysedge.id
-rw-rw---- 1 caadm caadm 53734 May 19 10:57 sysedge.log
-rw-rw---- 1 caadm caadm 3775 May 19 10:47 sysedge.log.0
-rw-r----- 1 caadm caadm 11585 May 19 10:54 sysedge.mon
-rw-r----- 1 caadm caadm 11536 May 19 10:48 sysedge.mon.bak
-rw-r----- 1 caadm caadm 6 May 19 10:48 sysedge.pid
-r--r----- 1 caadm caadm 5294 Apr 25 2013 sysedgeV3.cf
drw-r----- 2 caadm caadm 4096 May 19 10:48 temp
-rw-r----- 1 caadm caadm 32 May 19 10:48 .v3_eng.id
2) If I discover the server and try applying a policy, it gets stuck in the “Delivered” state. The /opt/CA/SystemEDGE/config/port1691/sysedge.log file says:
0000266 2015-05-19 10:54:36.29 [C]-030714-f7fa5ac0- caismcomm/config_handler.c[2127]: configFileHandler(): Failed to open file /opt/CA/SystemEDGE/config/port1691/temp/sysedge.cf - Permission denied
3) I found out that the directory is missing the “execute” permission, which is needed for users to be able to add, rename and delete files (together with the “write” permission).
4) After adding the execute permission (chmod +x /opt/CA/SystemEDGE/config/port1691/temp/) and re-applying the policy, it changes from “Delivered” to “Configured” almost instantaneously.
My question is, what’s wrong, why doesn’t it work out of the box? I had this problem on 3 different servers, and I’m facing a rollout to 60 more servers. Having to manually intervene on every single one of them is scaring both me and the customer, as I don’t have access to the production servers and this needs to be done as a change on the customer’s environment.
Thank you very much for any thoughts.
P.S.: VAIM 12.8.1, SystemEDGE 5.6|5.7.1|5.8.0
Message was edited by: Michael Kristofic
I forgot to mention that the agent is run in privileges separation mode, so without root privileges.
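
The permission check described in the post, as an added example that is not part of the original post and not vendor code: a shell audit that lists directories whose owner lacks the search (x) bit and repairs them with the narrower `chmod u+x` instead of `chmod +x`. The function names, the `CONFIG_ROOT` variable and the demo tree are assumptions made for illustration; only the default path comes from the post.

```shell
#!/bin/sh
# Added example. Default root is the path shown in the post; override per install.
CONFIG_ROOT="${CONFIG_ROOT:-/opt/CA/SystemEDGE/config}"

# Print every directory under $1 whose owner lacks the search (x) bit.
# Without that bit, open() on any path inside fails with "Permission denied",
# even though the owner holds read and write on the directory.
# -prune keeps find from trying to descend into a directory it cannot traverse.
find_unsearchable_dirs() {
    find "$1" -type d ! -perm -100 -print -prune
}

# Grant the search bit to the owner only, leaving group and other bits as they
# were (drw-r----- becomes drwxr-----). Prints each directory it changed.
fix_unsearchable_dirs() {
    find_unsearchable_dirs "$1" | while IFS= read -r dir; do
        chmod u+x "$dir" && printf 'fixed: %s\n' "$dir"
    done
}

# Constructed demo tree mirroring the listing in the post (temp is drw-r-----).
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/port1691/temp"
    chmod 750 "$root/port1691"
    chmod 640 "$root/port1691/temp"
    printf '%s\n' "$root"
}

case "${1:-}" in
    audit) find_unsearchable_dirs "$CONFIG_ROOT" ;;   # report only
    fix)   fix_unsearchable_dirs "$CONFIG_ROOT" ;;    # run as the agent user
    demo)
        tree=$(demo_tree)
        echo "before:"; find_unsearchable_dirs "$tree"
        fix_unsearchable_dirs "$tree"
        ls -ld "$tree/port1691/temp"
        rm -rf "$tree"
        ;;
esac
```

Run with `audit` first to see what would change; the check reads mode bits, so it reports the same result whether run as root or as the unprivileged agent account.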