Pluggable Authentication Modules (PAM) is a component of the Linux system that provides dynamic authentication support for applications and services. If the system configuration causes the configured PAM authentication procedure to fail, the OCP-Agent pos_proxy process cannot run commands.
Problems
When you run OCP-Agent 2.4.0 or a later version on a Linux system, such as Red Hat, CentOS, or AliOS 7, a sub-task fails and the "sudo: pam_open_session: Permission denied" error appears in the log when you do any of the following:
- Add a host.
- Deploy a cluster.
- Deploy OBProxy.
Possible causes
A configured PAM module of the session type failed to authenticate the status of the corresponding operations. General causes include:
- An error occurred while authenticating sudo permission: You have not granted the required permission for the corresponding user to access the /etc/sudoers file.
- An error occurred while authenticating the system resource constraint configuration: You have configured improper system resource constraints by using the ulimit command or in the /etc/security/limits.conf file.
Solutions
If you are not sure about the specific cause, you can try the following methods one by one to solve the problem.
When the failure is caused during sudo permission authentication, perform the following steps to grant the required sudo permission to the corresponding user:
1. Log on to the operating system as the root user.
2. Open the /etc/sudoers file.
    vim /etc/sudoers
3. Modify the permissions of the root user and admin user, and save the file.
    root ALL=(ALL) ALL
    admin ALL=(ALL) ALL
4. Restart OCP-Agent.
    export PYTHONPATH=/home/admin/ocp_agent/libs && cd /home/admin/ocp_agent && ./ocp_agentd.py stop base
    sleep 10
    export PYTHONPATH=/home/admin/ocp_agent/libs && cd /home/admin/ocp_agent && ./ocp_agentd.py start base
When the failure is caused during system resource constraint configuration, try the following two solutions:
Perform the following steps to modify the system resource constraint configuration:
1. Log on to the operating system as the root user.
2. Run the following command to check the maximum number of files that can be opened by processes.
    cat /proc/sys/fs/nr_open
3. Open the /etc/security/limits.conf file, and set a value smaller than the maximum number of files that can be opened.
    # Assume 655360 is smaller than /proc/sys/fs/nr_open
    cat >> /etc/security/limits.conf <<EOF
    * soft nofile 655360
    * hard nofile 655360
    EOF
4. Restart OCP-Agent.
    export PYTHONPATH=/home/admin/ocp_agent/libs && cd /home/admin/ocp_agent && ./ocp_agentd.py stop base
    sleep 10
    export PYTHONPATH=/home/admin/ocp_agent/libs && cd /home/admin/ocp_agent && ./ocp_agentd.py start base
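Before editing the limits file, it helps to see which existing nofile entries break the rule in the step above. The following is an added example, not part of the original documentation or of OCP tooling: it lists every nofile entry in a limits.conf-style file whose value is not smaller than a given nr_open ceiling. The function name check_nofile and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example. check_nofile FILE NR_OPEN
# Prints "domain type value" for each nofile entry that is not smaller than
# NR_OPEN (or is unlimited). Returns 1 if any such entry exists, else 0.
check_nofile() {
    awk -v max="$2" '
        { sub(/#.*/, "") }    # drop comments, as limits.conf treats "#"
        NF >= 4 && $3 == "nofile" && ($2 == "soft" || $2 == "hard" || $2 == "-") {
            v = $4
            if (v == "unlimited" || v == "infinity" || v == "-1" || v + 0 >= max + 0) {
                print $1, $2, v
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed limits.conf sample
*      soft  nofile  655360
*      hard  nofile  2000000    # above the ceiling used below
admin  -     nofile  unlimited
admin  soft  nproc   655360
EOF

echo "nofile entries not smaller than nr_open=1048576:"
check_nofile "$sample" 1048576 || echo "-> lower these values, then restart OCP-Agent"

# On a real host, as root:
#   check_nofile /etc/security/limits.conf "$(cat /proc/sys/fs/nr_open)"
```
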
Perform the following steps to remove the PAM authentication for system resource constraints in sessions.
Notice
This solution may introduce security risks.
It invalidates the ulimit configuration in the Debian/Ubuntu system.
1. Log on to the operating system as the root user.
2. Open the PAM configuration file.
    vim /etc/pam.d/sudo
3. Delete the following line, and save the file.
    session required pam_limits.so
4. Restart OCP-Agent.
    export PYTHONPATH=/home/admin/ocp_agent/libs && cd /home/admin/ocp_agent && ./ocp_agentd.py stop base
    sleep 10
    export PYTHONPATH=/home/admin/ocp_agent/libs && cd /home/admin/ocp_agent && ./ocp_agentd.py start base