...
General Changes required by both fapolicyd and noexec mounted /tmp (required by OMK Installers, but not by NMIS Installers):
Code Block
```
# Create an install directory which we can use in a less restricted fashion to get OMK Applications installed and functioning
# - for this example we have chosen directory '/data/installs/':
sudo -i
mkdir -p /data/installs/

# Set an environment variable globally to accommodate Perl::PAR module, which is used to create and execute OMK daemons and scripts, if needed:
# check the environment variable is not already set (should not return reference to PAR_GLOBAL_TMPDIR if not set in this file):
cat /etc/environment
# check the environment variable is not already set in some other manner (should not return anything if PAR_GLOBAL_TMPDIR is not already exported):
echo "${PAR_GLOBAL_TMPDIR}"

# set up PAR_GLOBAL_TMPDIR if needed:
#
# IMPORTANT:
# If you require OMK scripts that don't explicitly require root privileges to be executable by users without root privileges:
# Set PAR_GLOBAL_TMPDIR to a suitable directory outside of the OMK install directory (/usr/local/omk/var/lib/common/ in this example);
# The OMK install directory currently has root as both owner and group by default.
# Users without root privileges won't therefore have execute capability in the OMK install directory structure.
#
mkdir -p /usr/local/omk/var/lib/common/
chmod 1777 /usr/local/omk/var/lib/common/
echo 'PAR_GLOBAL_TMPDIR="/usr/local/omk/var/lib/common/"' >> /etc/environment

# reboot to get the PAR_GLOBAL_TMPDIR exported globally if it needed to be set:
reboot
# check PAR_GLOBAL_TMPDIR is exported after reboot:
echo "${PAR_GLOBAL_TMPDIR}"

# Unfortunately systemd services do not pick up this global environment variable, so each OMK systemd service needs to be edited:
# first we check the needed 'EnvironmentFile' entry is not already included with:
sudo systemctl cat omkd
# then, if necessary, edit omkd service
sudo systemctl edit omkd
# Ensure the service is configured to use PAR_GLOBAL_TMPDIR environment variable as set in /etc/environment
# by adding the following entry to [Service] - add [Service] section if it is not already present:
[Service]
EnvironmentFile=/etc/environment

# edit each OMK systemd service in this manner if needed, for example:
sudo systemctl edit opchartsd
sudo systemctl edit opconfigd
sudo systemctl edit opeventsd
sudo systemctl edit opflowd

# reload the edited services
sudo systemctl daemon-reload
# restart the OMK services
sudo /path/to/omk/bin/checkomkdaemons.sh restart
```
fapolicyd Whitelisting Change (required by OMK Installers, but not by NMIS Installers):
Code Block
```
# For OMK services and scripts to function correctly we will need to add a rule to whitelist needed directories in fapolicyd
# such that root (uid=0) can execute scripts in the listed directories:
# - for this example we have chosen directory '/data/installs/' and /path/to/omk/ is /usr/local/omk/:
# Insert the following rule at line 1 of /etc/fapolicyd/fapolicyd.rules
allow perm=any uid=0 : dir=/data/installs/,/usr/local/omk/var/lib/common/,/data/omk/var/lib/common/,/usr/local/omk/lib/common/PAR/,/usr/local/omk/lib/.tmp/PAR/

# Update fapolicyd with the additional rule we have inserted:
sudo fapolicyd-cli --update

# Reboot at this point is not absolutely necessary, but reinforces that settings are working as intended
sudo reboot

# restart the OMK services
sudo /usr/local/omk/bin/checkomkdaemons.sh restart
```
noexec mounted /tmp Change (required by OMK Installers and NMIS Installers):
Code Block
```
# Please read the next paragraph 'Starting the Installer' too, for more details on the installer!
# The Opmantek installers cannot install from a noexec mounted directory, so we need to install from an alternative location:
# - for this example we have chosen directory '/data/installs/':
sudo mkdir -p /data/installs
cd /data/installs

# We need to instruct only this command we are about to execute with current directory set as environment variable TMPDIR:
# Place the installer in the current directory, then ..
# This command as given sets TMPDIR to the current directory (not /tmp/) - there is a space character between the two stop characters in 'TMPDIR=. ./'
# TMPDIR=.<space>./
TMPDIR=. ./opReports-4.2.2-test-noexec.run

# To be safe we ensure TMPDIR is unset after successful execution of the installer by executing this command:
unset TMPDIR

# The installer will now install using current directory as /tmp
# Unfortunately when the installer runs in this way, not using /tmp/ directory, it doesn't clean up after itself, so we clean up manually:
ls
# opReports-4.2.2-test-noexec.run  selfgz3021223337

# The installer always unpacks to a directory of glob pattern selfgz*, so we clean up by removing directory selfgz3021223337:
rm -rf selfgz*
```
Debugging PAR Script Unpack Locations
One-liner to find the scripts executing as PAR executables on a server and where their PAR unpacked directory is located:
Code Block
```
sudo find / -type f ! -name 'main.pl' -regextype posix-egrep -regex '^.*?/par-[^/]+/cache-[^/]+/inc/script.*' 2>/dev/null|xargs -I{} sudo ls -lA '{}';
```
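A read-only way to check the three settings this page changes (the PAR_GLOBAL_TMPDIR entry, the fapolicyd allow rule and the noexec mount), as an added example that is not Opmantek code. The function names and the sample files are constructed for illustration and reuse the paths from this page; on a real host pass /etc/environment, /etc/fapolicyd/fapolicyd.rules and /proc/mounts instead.

```shell
#!/bin/sh
# Added example, not OMK code: read-only checks for the settings on this page.

# Print the last PAR_GLOBAL_TMPDIR value assigned in an environment file.
par_tmpdir_from_env() {
    sed -n 's/^PAR_GLOBAL_TMPDIR=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Succeed if an "allow ... uid=0 : dir=..." rule lists a directory that
# contains the given path (comma-separated dir= values are split).
rule_covers_dir() {
    want=${2%/}/
    grep -E '^allow .*uid=0 .*: .*dir=' "$1" |
        sed 's/.*dir=//; s/[[:space:]].*//' | tr ',' '\n' |
        while IFS= read -r d; do
            [ -n "$d" ] || continue
            case $want in "${d%/}/"*) echo hit ;; esac
        done | grep -q hit
}

# Succeed if the filesystem holding a path is mounted noexec; the mounts
# file is in /proc/mounts format and the longest matching mount point wins.
path_is_noexec() {
    awk -v p="${2%/}/" '{ m = $2; if (m != "/") m = m "/" }
        index(p, m) == 1 && length(m) >= best { best = length(m); opts = $4 }
        END { exit !(opts ~ /(^|,)noexec(,|$)/) }' "$1"
}

# Constructed sample inputs that mirror the values used on this page.
SAMPLE=$(mktemp -d)
printf '%s\n' 'LANG=en_US.UTF-8' \
    'PAR_GLOBAL_TMPDIR="/usr/local/omk/var/lib/common/"' > "$SAMPLE/environment"
printf '%s\n' \
    'allow perm=any uid=0 : dir=/data/installs/,/usr/local/omk/var/lib/common/' \
    'deny_audit perm=any all : all' > "$SAMPLE/fapolicyd.rules"
printf '%s\n' '/dev/sda1 / xfs rw,relatime 0 0' \
    'tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0' > "$SAMPLE/mounts"

par_dir=$(par_tmpdir_from_env "$SAMPLE/environment")
echo "PAR_GLOBAL_TMPDIR=$par_dir"
if ! rule_covers_dir "$SAMPLE/fapolicyd.rules" "$par_dir"; then
    echo "WARN: no uid=0 allow rule covers $par_dir"
fi
if path_is_noexec "$SAMPLE/mounts" "$par_dir"; then
    echo "WARN: $par_dir is on a noexec mount"
fi
if path_is_noexec "$SAMPLE/mounts" /tmp; then
    echo "/tmp is noexec: start the installer with TMPDIR=. from /data/installs"
fi
```

Because the allow rule trusts whatever root executes under the listed directories and the PAR directory is mode 1777, it is worth reviewing what is written there alongside these checks.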
Starting the Installer
Starting the self-extracting installer is trivial: you simply tell your shell to run it.
...