The Pluggable Authentication Modules (PAM) is a component of the Linux system. PAM provides dynamic authentication support for applications and services. If the configuration of the system causes the configured PAM authentication procedure to fail, the OCP-Agent pos_proxy process will not be able to run commands.
Problems
When you run OCP-Agent 2.4.0 or later versions on a Linux system, such as Red Hat, CentOS, or AliOS 7, and
add a host, a sub-task failed and the
sudo: pam_open_session: Permission denied
error appears in the log.
deploy a cluster, a sub-task failed and the
sudo: pam_open_session: Permission denied
error appears in the log.
deploy OBProxy, a sub-task failed and the
sudo: pam_open_session: Permission denied
error appears in the log.
Possible causes
The configured PAM of the Session type failed to authenticate the status of the corresponding operations. General causes include:
An error occurred while authenticating sudo permission: You have not granted the required permission for the corresponding user to access the
/etc/sudoers
file.
An error occurred when you authenticated the system resource constraint configuration: You have configured improper system resource constraints by using the ulimit command or in the
/etc/security/limits.conf
file.
Solutions
If you are not sure about the specific cause, you can try the following methods one by one to solve the problem.
When the failure is caused during sudo permission authentication, perform the following steps to grant the required sudo permission to the corresponding user:
Log on to the operating system as the root user.
Open the
/etc/sudoers
file.
vim /etc/sudoers
Modify the permissions of the root user and admin user, and save the file.
root ALL=(ALL) ALLadmin ALL=(ALL) ALL
Restart OCP-Agent.
export PYTHONPATH=/home/admin/ocp_agent/libs && cd /home/admin/ocp_agent && ./ocp_agentd.py stop basesleep 10export PYTHONPATH=/home/admin/ocp_agent/libs && cd /home/admin/ocp_agent && ./ocp_agentd.py start base
When the failure is caused during system resource constraint configuration, try the following two solutions:
Perform the following steps to modify the system resource constraint configuration:
Log on to the operating system as the root user.
Run the following command to check the maximum number of files that can be opened by processes.
cat /proc/sys/fs/nr_open
Open the /etc/security/limits.conf
file, and set a value smaller than the maximum number of files that can be opened.
# Assume 655360 is smaller than /proc/sys/fs/nr_opencat >> /etc/security/limits.conf <<EOF* soft nofile 655360* hard nofile 655360EOF
Restart OCP-Agent.
export PYTHONPATH=/home/admin/ocp_agent/libs && cd /home/admin/ocp_agent && ./ocp_agentd.py stop basesleep 10export PYTHONPATH=/home/admin/ocp_agent/libs && cd /home/admin/ocp_agent && ./ocp_agentd.py start base
Perform the following steps to remove the PAM authentication for system resource constraints in sessions.
Notice
This solution may introduce security risks.
It invalidates the ulimit configuration in the Debian/Ubuntu system.
Log on to the operating system as the root user.
Open the PAM configuration file.
vim /etc/pam.d/sudo
Delete the following line, and save the file.
session required pam_limits.so
Restart OCP-Agent.
export PYTHONPATH=/home/admin/ocp_agent/libs && cd /home/admin/ocp_agent && ./ocp_agentd.py stop basesleep 10export PYTHONPATH=/home/admin/ocp_agent/libs && cd /home/admin/ocp_agent && ./ocp_agentd.py start base