Agile PLM 9301 - Solaris SMF - RBAC - How-To

How to use Service Management Facility (SMF) and role based access controls (RBAC) to allow root or a service account to launch Agile PLM v 9.3.01.

Feedback welcome.
- WebLogic Server (WLS)
- Dependence on network services.
- This method excludes Tomcat (File Manager) which I have not put under SMF yet.
- The file locations differ from standard for SMF in order to accommodate the way Solaris zones are implemented at my employer.
- Output logged to /var/svc/log/application-agileplm:agileplm.log

Setup

Two script files. We put these in /ops/scripts/agile/exec - where /ops is a symbolic link to an NFS mount on NAS.
- agileplm_node_manager
- agileplm_managed_host
Validate manifest
svccfg validate /ops/scripts/agile/exec/agileplm_miii_$SERVER_TYPE.xml
Import the manifest
something goes here, will add after I wake up
Did it work?
svcs -a | grep agile
Add this line to the bottom of /etc/security/auth_attr
solaris.smf.manage.application/agileplm:::Agile PLM Management ::
Assign authorization to the service account.
usermod -A solaris.smf.manage.application/agileplm srvcagl
Assign authorization to the action authorization
svccfg -s agileplm setprop general/action_authorization=astring: 'solaris.smf.manage.application/agileplm'
Assign authorization to the value authorization
svccfg -s agileplm setprop general/value_authorization=astring: 'solaris.smf.manage.application/agileplm'
Did it work?
svcprop -c -p general agileplm
Output should be
general/enabled boolean true
general/entity_stability astring Evolving
general/single_instance boolean true
general/action_authorization astring solaris.smf.manage.application/agileplm
Enable the agileplm service
/usr/sbin/svcadm enable agileplm
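
The RBAC steps above have to agree in three places: the entry in auth_attr, the service account's auths list, and the service's general property group. As an added example (not part of the original how-to), this script audits text in those three formats and reports what is missing. The authorization and account names come from the steps above; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the RBAC delegation from text in auth_attr(4),
# user_attr(4) and `svcprop -c -p general agileplm` format.
AUTH='solaris.smf.manage.application/agileplm'
SVC_USER='srvcagl'

auth_defined() {   # FILE AUTH: AUTH is the name field of an auth_attr entry
    awk -F: -v a="$2" '$1 == a { ok = 1 } END { exit !ok }' "$1"
}

user_has_auth() {  # FILE USER AUTH: exact match inside USER's auths= list
    awk -F: -v u="$2" -v a="$3" '
        $1 == u { n = split($5, kv, ";")
                  for (i = 1; i <= n; i++) if (sub(/^auths=/, "", kv[i])) {
                      m = split(kv[i], list, ",")
                      for (j = 1; j <= m; j++) if (list[j] == a) ok = 1 } }
        END { exit !ok }' "$1"
}

prop_grants() {    # FILE PROP AUTH: general/PROP lists AUTH in svcprop output
    awk -v p="general/$2" -v a="$3" '
        $1 == p { for (i = 3; i <= NF; i++) if ($i == a) ok = 1 }
        END { exit !ok }' "$1"
}

audit_delegation() {  # AUTH_ATTR USER_ATTR SVCPROP_OUT: print gaps, return count
    gaps=0
    auth_defined "$1" "$AUTH" ||
        { echo "auth_attr: $AUTH is not defined"; gaps=$((gaps + 1)); }
    user_has_auth "$2" "$SVC_USER" "$AUTH" ||
        { echo "user_attr: $SVC_USER does not hold $AUTH"; gaps=$((gaps + 1)); }
    for prop in action_authorization value_authorization; do
        prop_grants "$3" "$prop" "$AUTH" ||
            { echo "svcprop: general/$prop does not list $AUTH"; gaps=$((gaps + 1)); }
    done
    return "$gaps"
}

make_sample() {  # DIR: constructed sample inputs, not captured from a real host
    echo "$AUTH:::Agile PLM Management::" > "$1/auth_attr"
    echo "$SVC_USER::::type=normal;auths=solaris.smf.manage.cron,$AUTH" > "$1/user_attr"
    printf '%s\n' 'general/enabled boolean true' \
        "general/action_authorization astring $AUTH" > "$1/svcprop.out"
}

demo=$(mktemp -d) && make_sample "$demo"
audit_delegation "$demo/auth_attr" "$demo/user_attr" "$demo/svcprop.out" ||
    echo "gaps found: $?"
rm -rf "$demo"
```

On a live host, pass /etc/security/auth_attr, /etc/user_attr and the saved output of the svcprop command above in place of the sample files. The constructed sample omits value_authorization, so the audit reports one gap.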

Files

Shell script template. Edit and rename where appropriate.
#!/sbin/sh
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)agileplm 1.0 07/01/2010 SMI"
#
# Agile PLM SMF script. Brian Dunbar for Plexus
# You MUST edit so that local variables are true
# AGILE_TYPE for the server - file_manager, node_manager, managed_server
# AGILE_USER for the local service account
# AGILE_HOME for your path to Agile
# PIDFILE where you want the process ID to be written to.
#
# this is rather more complicated than I would like. Suggestions welcome.

. /lib/svc/share/smf_include.sh

# Here in case we use svcprop more than we do now. See 'man svcprop'.
getproparg() {
    val=`svcprop -p "$1" "$SMF_FMRI"`
    [ -n "$val" ] && echo "$val"
}

# if [ -z "$SMF_FMRI" ]; then
#     echo "SMF framework variables are not initialized."
#     exit $SMF_EXIT_ERR
# fi

AGILE_HOME="/opt/agl/agile93"
APP_SERVER_DIR="$AGILE_HOME"/agileDomain/bin
TOM_SERVER_DIR="$AGILE_HOME"/apache-tomcat-6.0.18/bin/
AGILE_USER="srvcagl"
AGILE_TYPE="node_manager"
# can also be file_manager, managed_server. Change for type of host
PIDFILE="/opt/agl/agile93/agileDomain/log/agileplm.pid"

# pick the directory that holds the start/stop scripts for this host type
case "$AGILE_TYPE" in
'node_manager')
    APP_DIR=$APP_SERVER_DIR
    ;;
'file_manager')
    APP_DIR=$TOM_SERVER_DIR
    ;;
'managed_server')
    APP_DIR=$APP_SERVER_DIR
    ;;
*)
    echo `date +"%Y/%m/%d %H:%M:%S"` - YOU SHOULD NOT SEE THIS
    exit 1
    ;;
esac

# execute functions
node_manager_start()
{
    echo `date +"%Y/%m/%d %H:%M:%S"` - START $AGILE_TYPE
    cd "$APP_DIR"
    ./startAgile.sh
}

node_manager_stop()
{
    echo `date +"%Y/%m/%d %H:%M:%S"` - STOP $AGILE_TYPE
    cd "$APP_DIR"
    ./stopAgile.sh
}

file_manager_start()
{
    echo `date +"%Y/%m/%d %H:%M:%S"` - START $AGILE_TYPE
    cd "$APP_DIR"
    ./catalina.sh "$cmd"
}

file_manager_stop()
{
    echo `date +"%Y/%m/%d %H:%M:%S"` - STOP $AGILE_TYPE
    cd "$APP_DIR"
    ./catalina.sh "$cmd"
}

managed_server_start()
{
    echo `date +"%Y/%m/%d %H:%M:%S"` - START $AGILE_TYPE
    cd "$APP_DIR"
    ./startAgileCluster.sh
}

managed_server_stop()
{
    echo `date +"%Y/%m/%d %H:%M:%S"` - STOP $AGILE_TYPE
    cd "$APP_DIR"
    ./stopAgile.sh
}

# SMF passes the method name (%m in the manifest) as $1
# Usage strings use plain quotes: $"..." is a bash-ism and /sbin/sh is not bash
case "$1" in
'start')
    /bin/rm -f ${PIDFILE}
    cmd="start"
    ;;
'stop')
    cmd="stop"
    ;;
*)
    echo "Usage: $0 {start|stop}"
    exit 1
    ;;
esac

case "$AGILE_TYPE" in
'node_manager')
    execute_start="node_manager_start"
    execute_stop="node_manager_stop"
    ;;
'file_manager')
    execute_start="file_manager_start"
    execute_stop="file_manager_stop"
    ;;
'managed_server')
    execute_start="managed_server_start"
    execute_stop="managed_server_stop"
    ;;
*)
    echo "Usage: $0 {node_manager|file_manager|managed_server}"
    exit 1
    ;;
esac

case "$cmd" in
'start')
    "$execute_start"
    ;;
'stop')
    "$execute_stop"
    ;;
*)
    echo "Usage: $0 {start|stop}"
    exit 1
    ;;
esac

exit $SMF_EXIT_OK

Manifest

<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="manifest" name="agileplm">
  <service name="application/agileplm" type="service" version="1">
    <single_instance/>
    <dependency name="network" grouping="require_all" restart_on="none" type="service">
      <service_fmri value="svc:/milestone/network:default"/>
    </dependency>
    <exec_method type="method" name="start" exec="/lib/svc/method/agileplm %m" timeout_seconds="480">
      <method_context>
        <method_credential user="srvcagl"/>
      </method_context>
    </exec_method>
    <exec_method type="method" name="stop" exec="/lib/svc/method/agileplm %m" timeout_seconds="480">
      <method_context>
        <method_credential user="srvcagl"/>
      </method_context>
    </exec_method>
    <instance name="agileplm" enabled="false">
      <method_context>
        <method_credential user="srvcagl" group="plm"/>
      </method_context>
      <property_group name="agileplm" type="application"/>
      <property_group name="startd" type="framework">
        <propval name="duration" type="astring" value="child"/>
        <propval name="ignore_error" type="astring" value="core,signal"/>
        <propval name="utmpx_prefix" type="astring" value="co"/>
      </property_group>
    </instance>
    <stability value="Evolving"/>
    <template>
      <common_name>
        <loctext xml:lang="C">AgilePLM</loctext>
      </common_name>
      <documentation>
        <manpage title="agileplm" section="1"/>
        <doc_link name="Agile Product Lifecycle Management Documentation Library v9.3 " uri="http://noc.plexus.com/agile_docs/9.3/docset.html"/>
      </documentation>
    </template>
  </service>
</service_bundle>