System resource constraints and PAM

The Pluggable Authentication Modules (PAM) is a component of the Linux system. PAM provides dynamic authentication support for applications and services. If the configuration of the system causes the configured PAM authentication procedure to fail, the OCP-Agent pos_proxy process will not be able to run commands. This topic describes how to troubleshoot the unavailability of the pos_proxy process caused by system resource constraints and the PAM.

Problem description

When you add a host, deploy a cluster, or deploy an OBProxy in the OceanBase Cloud Platform (OCP) console, some sub-tasks fail with an error message "sudo: pam_open_session: Permission denied".

Possible causes

The configured PAM of the Session type failed to authenticate the status of the corresponding operations. General causes include:

• An error occurred while authenticating sudo permissions because you have not granted the corresponding user the required permissions in the sudoers file under the /etc/ directory.

• An error occurred while authenticating the system resource constraint configuration because you have configured improper system resource constraints by using the ulimit command or in the limits.conf file under the /etc/security/ directory.

Solutions

• Grant the required sudo permissions to the corresponding user

  1. Log on to the host that returns the error as the root user.

  2. Run the vi /etc/sudoers command to check whether the root user and administrator have the following permissions:

     root  ALL=(ALL) ALL
     admin ALL=(ALL) ALL
     

     • If yes, they have the required permissions.

     • Otherwise, you need to modify the permissions as shown in the preceding figure and proceed to the next step.

  3. Restart the ocp_agent processes.

     You can restart a process by clicking Restart in the Processes list in the OCP console or by running a command in the OCP-Agent script.

• Make sure that the system resource constraints are correctly configured.

  1. Log on to the host that returns the error as the root user.

  2. Run the cat/proc/sys/fs/nr_open command to view the maximum number of files that the OBServer allows the process to open.

  3. Open the /etc/security/limits.conf file and set a value smaller than the maximum number of files that can be opened.

     # Assume that 655360 is less than the maximum number specified.
     cat >> /etc/security/limits.conf <<EOF
     * soft nofile 655360
     * hard nofile 655360
     EOF
     

  4. Restart the ocp_agent processes.