System resource constraints and PAM

2023-08-15 11:20:56  Updated

Pluggable Authentication Modules (PAM) is a component of the Linux system that provides dynamic authentication support for applications and services. If the system configuration causes the configured PAM authentication procedure to fail, the OCP-Agent pos_proxy process cannot run commands. This topic describes how to troubleshoot the unavailability of the pos_proxy process caused by system resource constraints and PAM.

Problem description

When you add a host, deploy a cluster, or deploy an OBProxy in the OceanBase Cloud Platform (OCP) console, some sub-tasks fail with the error message "sudo: pam_open_session: Permission denied".

Possible causes

A configured PAM module of the session type failed to authenticate the status of the corresponding operation. Common causes include:

  • An error occurred while authenticating sudo permissions because you have not granted the corresponding user the required permissions in the sudoers file under the /etc/ directory.

  • An error occurred while authenticating the system resource constraint configuration because you have configured improper system resource constraints by using the ulimit command or in the limits.conf file under the /etc/security/ directory.

Solutions

  • Grant the required sudo permissions to the corresponding user

    1. Log on to the host that returns the error as the root user.

    2. Run the vi /etc/sudoers command to check whether the root user and administrator have the following permissions:

      root  ALL=(ALL) ALL
      admin ALL=(ALL) ALL
      
      • If yes, they have the required permissions.

      • Otherwise, you need to modify the permissions as shown in the preceding example and proceed to the next step.

    3. Restart the ocp_agent processes.

      You can restart a process by clicking Restart in the Processes list in the OCP console or by running a command in the OCP-Agent script.

  • Make sure that the system resource constraints are correctly configured.

    1. Log on to the host that returns the error as the root user.

    2. Run the cat /proc/sys/fs/nr_open command to view the maximum number of files that the OBServer allows the process to open.

    3. Open the /etc/security/limits.conf file and set nofile to a value smaller than the maximum number of files that can be opened.

      # Assume that 655360 is less than the maximum number specified.
      cat >> /etc/security/limits.conf <<EOF
      * soft nofile 655360
      * hard nofile 655360
      EOF
      
    4. Restart the ocp_agent processes.
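
The check in steps 2 and 3 can be scripted. The following is an added example, not part of OCP or OCP-Agent: it lists every nofile entry in a limits file whose value is not smaller than a given ceiling. The function names, the sample file content and the ceiling 1048576 used in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not OCP tooling): find nofile entries in a limits file
# whose value is not smaller than the ceiling read from nr_open.

# check_nofile CEILING FILE...
# Prints "file:line: domain type nofile value" for each offending entry.
# Returns 1 if any entry was flagged, 0 otherwise.
check_nofile() {
    ceiling=$1; shift
    awk -v ceiling="$ceiling" '
        { sub(/#.*/, "") }                    # strip comments
        NF >= 4 && $3 == "nofile" {
            # Non-numeric values (unlimited, infinity, -1) are flagged too:
            # they are not a value smaller than the ceiling.
            if ($4 !~ /^[0-9]+$/ || $4 + 0 >= ceiling + 0) {
                printf "%s:%d: %s %s nofile %s\n", FILENAME, FNR, $1, $2, $4
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$@"
}

# Demo on constructed input: neither the file content nor the ceiling
# comes from a real host.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample
* soft nofile 655360
* hard nofile 655360
admin hard nofile 2000000
admin soft nofile unlimited   # not numeric
admin soft nproc 655360
EOF
    check_nofile 1048576 "$tmp" | sed "s|^$tmp|limits.conf|"
    rm -f "$tmp"
}

demo
```

On a real host, run `check_nofile "$(cat /proc/sys/fs/nr_open)" /etc/security/limits.conf` as root; no output and exit status 0 mean every nofile entry is below the ceiling.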
