Friday, September 26, 2014

ERROR: NMO not setuid-root (Unix-only)

ERROR:

NMO not setuid-root (Unix-only).

2014-09-26 08:48:57,680 [14768:EDA3E961:GC.SysExecutor.23 (NmoHealthTask)] INFO - Job Attributes: {JobID=AgentHealthMonitor:14117357376
80, KeepAliveRequest=false} Job Command: {/u01/app/oracle/product/agent12c/sbin/nmo}
2014-09-26 08:48:57,714 [14768:EDA3E961] WARN - NmoStatus: Unable to verify nmo.
oracle.sysman.gcagent.target.interaction.execution.JobExecutionMgr$AuthenticatedJobExecutionException: ERROR: NMO not setuid-root (Unix-only)

The above error can result with the the below error:

EM Event: Warning:DOYEN.com - Agent has stopped monitoring. The following errors are reported : Read timed out.

Cause 1: 

The /root.sh script was not run after the Agent installation. So, the owner of the nmo, nmb and nmo executables is not the root user:

$ cd /sbin
$ ls -ltr nm*


For Example:

$ cd /u03/cloud12c/agent12c/sbin
$ ls -al nm*
-rwxr-xr-x 1 oracle oracle 22754 Feb 11 11:08 nmb
-rwxr-xr-x 1 oracle oracle 57835 Feb 11 11:10 nmhs
-rwxr-xr-x 1 oracle oracle 40478 Jan 31 16:57 nmo
...
The correct permissions should have been set by executing the file /root.sh as root at the Agent installation/deployment time.

Note :
=====
After running the root.sh the following file will be created. Do confirm the same.

/etc/oragchomelist


You should get:

$ ls -al nm*
-rwxr-xr-x  1 root oracle 585242 Jul  6  2013 nmosudo
-rws--x---  1 root oracle  40007 Jul  6  2013 nmo
-rws--x---  1 root oracle  57835 Jul  6  2013 nmhs
-rws--x---  1 root oracle  22754 Jul  6  2013 nmb
-rwxr-xr-x  1 root oracle  43494 Jul  6  2013 nmgsshe


Cause 2 :

 The root.sh script may have been run but the mount point for the is set with a 'nosuid' / 'nosetuid' option.

This can be verified by doing the mount command:

mount
or
mount | grep nosuid
and
mount | grep nosetuid
or
check the entries in files: /etc/vfstab, /etc/fstab

The 'nosetuid' option prevents mounted programs that have setuid permission to run with the permissions of their owners, regardless of who starts them. Without this

option, if a program with setuid permission is owned by root, it will run with root permissions, regardless of who starts it.
Sometimes 'nosuid' option is specified to protect the system against setuid programs that may run as root and damage the system.

SOLUTION :

Solution for Cause 1 :

Login to the Cloud Control Agent host as root.
Go to the Cloud Control Agent ORACLE_HOME directory

Example: /u01/app/oracle/product/Middleware/agent/core/12.1.0.1.0

Execute the root.sh script:

# ./root.sh
Log in to the Cloud Control Agent host as the Agent binaries owner (oracle for example)
Check that the permissions are now correct:

$ ls -ltr
....
-rwxr-xr-x  1 root em 585242 Jul  6  2013 nmosudo
-rws--x---  1 root em  40007 Jul  6  2013 nmo
-rws--x---  1 root em  57835 Jul  6  2013 nmhs
-rws--x---  1 root em  22754 Jul  6  2013 nmb
-rwxr-xr-x  1 root em  43494 Jul  6  2013 nmgsshe
Stop and restart the Cloud Control Agent:

Example
$ cd /u01/app/oracle/product/Middleware/agent/core/12.1.0.1.0/bin
$ ./emctl stop agent
$ ./emctl start agent


Solution for Cause 2

If the mount point has nosuid option set, this problem should be corrected by the system administrator of the Unix system:

Backup, edit and save the file /etc/vfstab or /etc/fstab for the mount point where the Agent has been installed and remove the 'nosuid' / 'nosetuid' option.
On AIX operating system edit thefile  /etc/filesystems.
(u01 in our example)
Stop and restart the Cloud Control Agent

$ cd $ORACLE_HOME/bin

Example

$ cd /u01/app/oracle/product/Middleware/agent/core/12.1.0.1.0/bin
$ ./emctl stop agent
$ ./emctl start agent


Reference :
========

Fix the Cloud Control Agent 12c error 'ERROR: NMO Not Setuid-root (Unix-only)' (Doc ID 146527)



1 comment:

Unknown said...

Thanks, in my case I had the problem described as "cause 2". I was tired of always finding only the "cause 1" solution, which didn't work in my case.