
NSO6 system install as non-root user failing to start

camarti5
Cisco Employee

Hi All!
I'm trying to perform a fresh NSO6 --system-install with the --run-as-user flag to avoid running NSO as the root user, but starting NSO always fails.

Just to highlight that the NSO installation looks good (no errors in the output).

 

 

[coltnso@nso-cfs02 ~]$ cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.7 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.7"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.7 (Ootpa)"
[coltnso@nso-cfs02 NSO6.0.1.1]$ sudo sh nso-6.0.1.1.linux.x86_64.installer.bin --system-install --run-as-user coltnso --non-interactive
INFO  Using temporary directory /tmp/ncs_installer.11440 to stage NCS installation bundle
INFO  Using /opt/ncs/ncs-6.0.1.1 for static files
INFO  Using /etc/ncs for configuration files
INFO  Using /var/opt/ncs for run-time state files
INFO  Using /var/log/ncs for log files
INFO  Doing install for running as user coltnso
INFO  Unpacked ncs-6.0.1.1 in /opt/ncs/ncs-6.0.1.1
INFO  Found and unpacked corresponding DOCUMENTATION_PACKAGE
INFO  Found and unpacked corresponding EXAMPLE_PACKAGE
INFO  Found and unpacked corresponding JAVA_PACKAGE
INFO  Generating default SSH hostkey (this may take some time)
INFO  SSH hostkey generated
INFO  Generating self-signed certificates for HTTPS
INFO  Environment set-up generated in /opt/ncs/ncs-6.0.1.1/ncsrc
INFO  NSO installation script finished
INFO  Found and unpacked corresponding NETSIM_PACKAGE
INFO  Generating keys for encrypted-strings
INFO  Configuring installation for PAM authentication
INFO  Using PAM service system-auth for authentication
INFO  Installed init script /etc/init.d/ncs
INFO  Installed user profile script ncs.sh in /etc/profile.d
INFO  Installed user profile script ncs.csh in /etc/profile.d
INFO  Installed 'logrotate' configuration file ncs in /etc/logrotate.d

INFO  The installation has been configured for PAM authentication,
INFO  with group assignment based on the OS group database
INFO  (e.g. /etc/group file). Users that need access to NCS must
INFO  belong to either the 'ncsadmin' group (for unlimited access
INFO  rights) or the 'ncsoper' group (for minimal access rights).
INFO  To add an existing user to one of these groups, use OS shell command:

  usermod -a -G <groupname> <username>

INFO  The following files have been installed with elevated privileges:
  /opt/ncs/ncs-6.0.1.1/lib/ncs/lib/core/pam/priv/epam: setuid-root
  /opt/ncs/ncs-6.0.1.1/lib/ncs/erts/bin/ncs.smp: capability cap_net_bind_service
  /opt/ncs/ncs-6.0.1.1/lib/ncs/bin/ip: capability cap_net_admin
  /opt/ncs/ncs-6.0.1.1/lib/ncs/bin/arping: capability cap_net_raw

INFO  NCS installation complete

[coltnso@nso-cfs02 NSO6.0.1.1]$ sudo groupadd ncsadmin
groupadd: group 'ncsadmin' already exists
[coltnso@nso-cfs02 NSO6.0.1.1]$ sudo groupadd ncsoper
groupadd: group 'ncsoper' already exists
[coltnso@nso-cfs02 NSO6.0.1.1]$ sudo usermod -aG ncsadmin coltnso

 

 

but when I try to start the daemon,

 

 

[coltnso@nso-cfs02 ~]$ source /etc/profile.d/ncs.sh
[coltnso@nso-cfs02 ~]$ sudo /etc/init.d/ncs start
[sudo] password for coltnso:
Starting ncs (via systemctl):  Job for ncs.service failed because the control process exited with error code.
See "systemctl status ncs.service" and "journalctl -xe" for details.
                                                           [FAILED]
[coltnso@nso-cfs02 ~]$ systemctl status ncs.service
● ncs.service - LSB: NCS
   Loaded: loaded (/etc/rc.d/init.d/ncs; generated)
   Active: failed (Result: exit-code) since Mon 2023-01-16 20:42:18 IST; 4min 47s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1951 ExecStart=/etc/rc.d/init.d/ncs start (code=exited, status=126)

Jan 16 20:42:18 nso-cfs02.blr.lab.colt.net systemd[1]: Starting LSB: NCS...
Jan 16 20:42:18 nso-cfs02.blr.lab.colt.net ncs[1951]: Starting ncs:
Jan 16 20:42:18 nso-cfs02.blr.lab.colt.net ncs[1956]: Starting ncs:
Jan 16 20:42:18 nso-cfs02.blr.lab.colt.net ncs[1956]: etc/rc.d/init.d/ncs: line 70: /bin/su: Perm
Jan 16 20:42:18 nso-cfs02.blr.lab.colt.net ncs[1951]: e
Jan 16 20:42:18 nso-cfs02.blr.lab.colt.net systemd[1]: ncs.service: Control process exited, code=exited status=126
Jan 16 20:42:18 nso-cfs02.blr.lab.colt.net systemd[1]: ncs.service: Failed with result 'exit-code'.
Jan 16 20:42:18 nso-cfs02.blr.lab.colt.net systemd[1]: Failed to start LSB: NCS.

 

 

Any idea on how to approach this? btw, with root user I'm able to start NSO with no issues...

The output of the journalctl -xe command is provided in the attached file.

BR and Thanks!!
C.
@vleijon 

2 Accepted Solutions


u.avsec
Spotlight

Here is a longshot: is SELinux enabled?

Are nso logs generated? What does ncs.log or ncserr.log say?


thanks!!
SELinux was enabled, so after setting SELINUX=disabled in /etc/sysconfig/selinux, NSO started with no issues running as a non-root user.

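To confirm that SELinux is what blocks the /bin/su call from the init script, the AVC denials in the audit log can be summarized per process and target. This is an added example, not part of the original posts or of NSO; summarize_avc is a hypothetical helper name, and the sample audit records and their SELinux contexts are constructed.

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials from audit-log text on stdin.
# On a live RHEL host the input would be:  sudo ausearch -m avc -ts recent
# and getenforce reports whether the policy is currently being enforced.

# Constructed sample records; the contexts are illustrative and are NOT
# taken from the poster's system (the thread never shows the real denial).
SAMPLE_AUDIT='type=AVC msg=audit(1673881938.101:901): avc:  denied  { execute } for  pid=1956 comm="ncs" name="su" dev="dm-0" ino=1001 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1673881938.101:901): arch=c000003e syscall=59 success=no exit=-13 comm="ncs" exe="/usr/bin/bash"
type=AVC msg=audit(1673881999.450:917): avc:  denied  { execute } for  pid=2031 comm="ncs" name="su" dev="dm-0" ino=1001 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1673882100.007:930): avc:  denied  { read } for  pid=2200 comm="httpd" name="index.html" dev="dm-0" ino=2002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# summarize_avc [NAME]: hypothetical helper. Prints "count comm name {perms}
# tclass scontext -> tcontext" per distinct denial, most frequent first.
# NAME, if given, keeps only denials whose comm= or name= equals it.
summarize_avc() {
    awk -v want="${1:-}" '
    /type=AVC/ && /denied/ {
        perm = comm = name = sctx = tctx = tcls = ""
        s = index($0, "{"); e = index($0, "}")      # perms sit in "{ ... }"
        if (s && e > s) perm = substr($0, s + 2, e - s - 3)
        for (i = 1; i <= NF; i++) {                 # key=value fields
            n = index($i, "=")
            if (!n) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            gsub(/"/, "", v)
            if (k == "comm") comm = v
            else if (k == "name") name = v
            else if (k == "scontext") sctx = v
            else if (k == "tcontext") tctx = v
            else if (k == "tclass") tcls = v
        }
        if (want != "" && comm != want && name != want) next
        count[comm " " name " {" perm "} " tcls " " sctx " -> " tctx]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Stand-alone run: which denials involve su, the binary the init script calls?
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc su
```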

5 Replies

u.avsec
Spotlight

Hi.

Is the user a sudoer? This piques my interest:

etc/rc.d/init.d/ncs: line 70: /bin/su: Perm

hi @u.avsec 

yes, the user is a sudoer!

[coltnso@nso-cfs02 ~]$ sudo -l -U coltnso
Matching Defaults entries for coltnso on nso-cfs02:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
    USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User coltnso may run the following commands on nso-cfs02:
    (ALL) ALL


atsynch
Level 1

NSO6 is a network service orchestration system developed by Cisco. It is designed to be installed and run as a non-root user, but there may be some cases where the installation fails to start when run as a non-root user.

There are several possible reasons why the installation may fail to start when run as a non-root user:

The user does not have the necessary permissions to access the files and directories required by the installation.

The user does not have the necessary permissions to start the NSO6 service.

Some of the prerequisites for the installation are not met.

There is a problem with the configuration of the system.

The user does not have the necessary permissions to run the necessary commands.

You can try to resolve this issue by checking the permissions of the user and making sure that they have the necessary permissions to access the files and directories required by the installation. Also, you can check the prerequisites for the installation and make sure that they are met.

If the issue persists, you can check the logs and try to find the root cause of the problem. Also, you can look into the documentation provided by Cisco or consult with their support team.