Open agebhar1 opened 4 years ago
I just gave a quick try with the admin user. Example:
C:\Users\KIRANDARBHA>docker run --env LICENSE=accept --env MQ_QMGR_NAME=QM1 --publish 1414:1414 --detach ibmcom/mq:latest
C:\Users\KIRANDARBHA>set MQSERVER=DEV.ADMIN.SVRCONN/TCP/localhost(1414)
C:\Users\KIRANDARBHA>set MQSAMP_USER_ID=admin
C:\Users\KIRANDARBHA>amqsputc DEV.QUEUE.1 QM1
Sample AMQSPUT0 start
Enter password: ********
target queue is DEV.QUEUE.1
hello
Sample AMQSPUT0 end
C:\Users\KIRANDARBHA>
I tried with MQExplorer, connecting to remote qmgr using admin user and that worked too.
Hi @KiranDarbha,
(1) tried your example but without success:
$ export MQSERVER="DEV.ADMIN.SVRCONN/TCP/localhost(1414)"
$ export MQSAMP_USER_ID=admin
$ ./amqsputc DEV.QUEUE.1 QM1
Sample AMQSPUT0 start
Enter password: ********
MQCONNX ended with reason code 2012
(2) There isn't any customization on the image. It's a 1:1 copy from docker hub.
Did you try the Java example above? This example was working on the previous (9.1.4.0-r1) image.
Since the MQExplorer (Java based) is able to connect to the qmgr using the credentials, I don't think the above Java program would fail!
The MQ return code 2012 for the amqsputc sample refers to MQ_ENVIRONMENT_ERROR.
More details on error -
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.5.0/com.ibm.mq.tro.doc/q040860_.htm
Not sure if that's something in your env. Maybe to narrow it down we can give this a try on docker playground, which is a fresh box, and see if that reproduces the same error for you.
You can log into https://labs.play-with-docker.com/ and follow the instructions below:
docker run --env LICENSE=accept --env MQ_QMGR_NAME=QM1 --publish 1414:1414 --detach ibmcom/mq
docker ps
docker exec -ti <pod-id> bash
cd /opt/mqm/samp/bin
export MQSERVER="DEV.ADMIN.SVRCONN/TCP/localhost(1414)"
export MQSAMP_USER_ID=admin
./amqsputc DEV.QUEUE.1 QM1
Here's the output I receive when I try this on docker playground
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2305640f0835 ibmcom/mq:latest "runmqdevserver" 5 seconds ago Up 3 seconds 9157/tcp, 0.0.0.0:1414->1414/tcp, 9443/tcp optimistic_chatelet
[node1] (local) root@192.168.0.13 ~
$ docker exec -ti 2305640f0835 bash
bash-4.4$ cd /opt/mqm/samp/bin
bash-4.4$ export MQSERVER=DEV.ADMIN.SVRCONN/TCP/localhost(1414)
bash: syntax error near unexpected token `('
bash-4.4$ export MQSERVER="DEV.ADMIN.SVRCONN/TCP/localhost(1414)"
bash-4.4$ export MQSAMP_USER_ID=admin
bash-4.4$ ./amqsputc DEV.QUEUE.1 QM1
Sample AMQSPUT0 start
Enter password: ****
target queue is DEV.QUEUE.1
hello
On https://labs.play-with-docker.com/ it works:
[node1] (local) root@192.168.0.18 ~
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
fc04bf2f6750 ibmcom/mq "runmqdevserver" 5 minutes ago Up 4 minutes 9157/tcp, 0.0.0.0:1414->1414/tcp, 9443/tcp great_engelbart
[node1] (local) root@192.168.0.18 ~
$ docker exec -ti fc04bf2f6750 bash
bash-4.4$ cd /opt/mqm/samp/bin
bash-4.4$ export MQSERVER="DEV.ADMIN.SVRCONN/TCP/localhost(1414)"
bash-4.4$ export MQSAMP_USER_ID=admin
bash-4.4$ ./amqsputc DEV.QUEUE.1 QM1
Sample AMQSPUT0 start
Enter password: ********
target queue is DEV.QUEUE.1
but w/ Podman it fails:
$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3fe554a7ca5f docker.io/ibmcom/mq:9.1.5.0-r1 21 hours ago Up 21 hours ago 0.0.0.0:1414->1414/tcp mq-9.1.5.0-r1
$ podman exec -ti mq-9.1.5.0-r1 bash
bash-4.4$ cd /opt/mqm/samp/bin
bash-4.4$ export MQSERVER="DEV.ADMIN.SVRCONN/TCP/localhost(1414)"
bash-4.4$ export MQSAMP_USER_ID=admin
bash-4.4$ ./amqsputc DEV.QUEUE.1 QM1
Sample AMQSPUT0 start
Enter password: ********
MQCONNX ended with reason code 2035
(One of) the differences between the two images 9.1.4.0-r1 and 9.1.5.0-r1 is the user which runs/owns the process within the container:
9.1.4.0-r1:
bash-4.4$ id
uid=888(mqm) gid=888(mqm) groups=888(mqm),0(root)
9.1.5.0-r1:
uid=1001(1001) gid=0(root) groups=0(root)
Maybe Podman's and Docker's behavior is different at this point. But running the latest (9.1.5.0-r1) image w/ Podman, it isn't possible to log in to the queue manager with default credentials.
I can reproduce this as well:
$ podman run -d -e LICENSE=accept -e MQ_ADMIN_PASSWORD=foobar -e MQ_QMGR_NAME=QM1 --name qm1 --volume qm1data:/mnt/mqm ibmcom/mq
8a58bb5f066a4a9ba132e4ef35823022c22927f5da1f2a2864283cb725ca3c0d
$ podman exec -e MQSERVER="DEV.ADMIN.SVRCONN/TCP/localhost(1414)" -e MQSAMP_USER_ID=admin -ti --privileged qm1 /opt/mqm/samp/bin/amqsputc DEV.QUEUE.1 QM1
Sample AMQSPUT0 start
Enter password: ******
MQCONNX ended with reason code 2035
Error: non zero exit code: 243: OCI runtime error
I also see the following in the container logs:
2020-04-14T12:51:02.519Z CPU architecture: amd64
2020-04-14T12:51:02.519Z Linux kernel version: 4.18.0-147.5.1.el8_1.x86_64
2020-04-14T12:51:02.520Z Base image: Red Hat Enterprise Linux 8.1 (Ootpa)
2020-04-14T12:51:02.520Z Running as user ID 1001 with primary group 0
2020-04-14T12:51:02.520Z Capabilities (bounding set): chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap
2020-04-14T12:51:02.520Z seccomp enforcing mode: filtering
2020-04-14T12:51:02.520Z Process security attributes: none
2020-04-14T12:51:02.520Z Detected 'xfs' volume mounted to /mnt/mqm
2020-04-14T12:51:02.623Z Using queue manager name: QM1
2020-04-14T12:51:02.632Z Created directory structure under /var/mqm
2020-04-14T12:51:02.632Z Image created: 2020-03-31T06:57:13+00:00
2020-04-14T12:51:02.632Z Image tag: ibm-mqadvanced-server-dev:9.1.5.0-r1-amd64
2020-04-14T12:51:02.650Z MQ version: 9.1.5.0
2020-04-14T12:51:02.650Z MQ level: p915-ifix-L200325.DE
2020-04-14T12:51:02.650Z MQ license: Developer
...
2020-04-14T12:51:14.595Z AMQ8077W: Entity 'mqm' has insufficient authority to access object QM1 [qmgr].
2020-04-14T12:51:14.595Z AMQ9557E: Queue Manager User ID initialization failed for 'mqm'.
So there's something different going on with Podman. FYI @davidjmccann @LPowlett
FYI @agebhar1, the MQ 9.1.5 container image was changed to be able to support running as any user ID, and mostly removes the concept of an "mqm" user, so the result of id is expected.
@arthurbarr thanks for the update on the behavior of id
@arthurbarr the problem is also present on 2nd Release of 9.1.5.0 (9.1.5.0-r2), so I updated the title.
Podman:
bash-4.4$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
1001:x:1001:0:container user:/:/bin/sh
bash-4.4$ ps ux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
1001 1 0.2 0.0 1043864 16372 ? Ssl 09:26 0:00 runmqserver -nologruntime -dev
1001 80 0.0 0.0 1721148 46720 ? Ssl 09:26 0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u 1001
1001 110 0.0 0.0 843960 22744 ? Sl 09:26 0:00 /opt/mqm/bin/amqzfuma -m QM1
1001 116 0.0 0.0 197744 10856 ? Ssl 09:26 0:00 /opt/mqm/bin/amqzmgr0 -m QM1
1001 119 0.0 0.0 3048004 33392 ? Sl 09:26 0:00 /opt/mqm/bin/amqzmuc0 -m QM1
1001 161 0.0 0.0 1329112 14308 ? Sl 09:26 0:00 /opt/mqm/bin/amqzmur0 -m QM1
1001 177 0.0 0.0 1398784 25708 ? Sl 09:26 0:00 /opt/mqm/bin/amqzmuf0 -m QM1
1001 194 0.0 0.0 1011224 27464 ? Sl 09:26 0:00 /opt/mqm/bin/amqrrmfa -m QM1 -t2332800 -s2592000 -p2592000 -g5184000 -c3600
1001 222 0.0 0.0 1052088 26108 ? Sl 09:26 0:00 /opt/mqm/bin/amqfqpub -mQM1
1001 229 0.0 0.0 547648 12764 ? Sl 09:26 0:00 /opt/mqm/bin/runmqchi -m QM1 -q SYSTEM.CHANNEL.INITQ -r
1001 230 0.0 0.0 212984 12192 ? Sl 09:26 0:00 /opt/mqm/bin/amqpcsea QM1
1001 232 0.0 0.0 395104 10868 ? Sl 09:26 0:00 /opt/mqm/bin/runmqlsr -r -m QM1 -t TCP -p 1414
1001 234 0.0 0.0 1519180 25028 ? Sl 09:26 0:00 /opt/mqm/bin/amqzlaa0 -mQM1 -fip0
1001 276 0.0 0.0 1241232 25796 ? Ssl 09:26 0:00 /opt/mqm/bin/amqfcxba -m QM1
1001 363 3.6 0.2 5363580 184572 ? SLl 09:26 0:06 /opt/mqm/java/jre64/jre/bin/java -javaagent:/opt/mqm/web/bin/tools/ws-javaagent.jar -Djava.awt.headless=true -Djdk.attach.allowAttachSelf=true -XX:MaxPermSize=256m -Djdk.t
1001 490 0.0 0.0 12016 3300 pts/0 Ss 09:27 0:00 bash
1001 765 0.0 0.0 44592 3420 pts/0 R+ 09:29 0:00 ps ux
Docker:
bash-4.4$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
bash-4.4$ ps ux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
1001 1 0.1 0.4 838800 18232 ? Ssl 09:15 0:01 runmqserver -nologruntime -dev
1001 73 0.0 1.0 1360616 43044 ? Ssl 09:15 0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u mqm
1001 108 0.0 0.6 813560 24708 ? Sl 09:15 0:00 /opt/mqm/bin/amqzfuma -m QM1
1001 114 0.0 0.2 214400 11936 ? Ssl 09:15 0:00 /opt/mqm/bin/amqzmgr0 -m QM1
1001 117 0.0 0.8 1357492 35824 ? Sl 09:15 0:00 /opt/mqm/bin/amqzmuc0 -m QM1
1001 133 0.0 0.3 1167664 14908 ? Sl 09:15 0:00 /opt/mqm/bin/amqzmur0 -m QM1
1001 159 0.0 0.6 1349284 24944 ? Sl 09:15 0:00 /opt/mqm/bin/amqzmuf0 -m QM1
1001 175 0.0 0.7 888808 28592 ? Sl 09:15 0:00 /opt/mqm/bin/amqrrmfa -m QM1 -t2332800 -s2592000 -p2592000 -g5184000 -c3600
1001 200 0.0 0.3 528264 14148 ? Sl 09:15 0:00 /opt/mqm/bin/runmqchi -m QM1 -q SYSTEM.CHANNEL.INITQ -r
1001 203 0.0 0.3 193600 13624 ? Sl 09:15 0:00 /opt/mqm/bin/amqpcsea QM1
1001 204 0.0 0.3 543356 12416 ? Sl 09:15 0:00 /opt/mqm/bin/runmqlsr -r -m QM1 -t TCP -p 1414
1001 210 0.0 0.6 1338716 25704 ? Sl 09:15 0:00 /opt/mqm/bin/amqzlaa0 -mQM1 -fip0
1001 220 0.0 0.6 1019232 27048 ? Sl 09:15 0:00 /opt/mqm/bin/amqfqpub -mQM1
1001 257 0.0 0.6 1282112 26848 ? Ssl 09:15 0:00 /opt/mqm/bin/amqfcxba -m QM1
1001 337 1.3 3.8 2139300 155400 ? SLl 09:15 0:19 /opt/mqm/java/jre64/jre/bin/java -javaagent:/opt/mqm/web/bin/tools/ws-javaagent.jar -Djava.awt.headless=true -Djdk.attach.allowAttachSelf=true -XX:MaxPermSize=256m -Djdk.tl
1001 482 0.0 0.1 35064 4384 pts/0 Ss+ 09:19 0:00 bash
1001 527 0.0 0.1 35064 4464 pts/1 Ss 09:19 0:00 bash
1001 629 0.0 0.4 363368 16388 ? Ssl 09:25 0:00 /opt/mqm/bin/amqrmppa -m QM1
1001 955 0.0 0.0 47504 3612 pts/1 R+ 09:40 0:00 ps ux
The difference seems to be runmqserver's invocation of amqzxma0:
Podman: /opt/mqm/bin/amqzxma0 -m QM1 -x -u 1001 -- user exists in /etc/passwd
Docker: /opt/mqm/bin/amqzxma0 -m QM1 -x -u mqm -- user does not exist in /etc/passwd
Unfortunately the current sources of runmqserver for 9.1.5.0-r2 are not available to see why there is a difference.
It also fails in 9.2.0.0-r1. I spent some more time, and the difference which leads to the MQRC_NOT_AUTHORIZED error for admin is the wrong user id on amqzxma0 (mqm vs. 1001)
Podman: /opt/mqm/bin/amqzxma0 -m QM1 -x -u 1001
Docker: /opt/mqm/bin/amqzxma0 -m QM1 -x -u mqm
runmqserver starts the queue manager (strmqm) process with the queue manager name. The queue manager process strmqm itself starts the execution controller amqzxma0 as one of the first jobs. On the execution call of amqzxma0 the argument for the user differs between Podman and Docker, which can be seen in an strace excerpt:
Podman
618 17:31:12.899655 execve("/opt/mqm/bin/amqzxma0", ["/opt/mqm/bin/amqzxma0", "-m", "QM1", "-x", "-u", "1001"], ["LD_LIBRARY_PATH=/opt/mqm/lib64", "MQS_PERMIT_UNKNOWN_ID=true", "LANG=en_US.UTF-8", "HOSTNAME=", "AMQ_DIAGNOSTIC_MSG_SEVERITY=1", "AMQ_ADDITIONAL_JSON_LOG=1", "container=podman", "PWD=/", "HOME=/", "MQ_OVERRIDE_DATA_PATH=/mnt/mqm/d"..., "MQ_CONNAUTH_USE_HTP=true", "MQ_GENERATE_CERTIFICATE_HOSTNAME"..., "MQ_DEV=true", "TERM=xterm", "SHLVL=1", "LICENSE=accept", "MQ_QMGR_NAME=QM1", "MQ_USER_NAME=mqm", "MQ_GRACE_PERIOD=30", "PATH=/usr/local/sbin:/usr/local/"..., "MQ_ENABLE_EMBEDDED_WEB_SERVER=1", "LOG_FORMAT=basic", "MQ_OVERRIDE_INSTALLATION_NAME=In"..., "_=/usr/bin/strace"] <unfinished ...>
Docker
704 17:50:10.312635 execve("/opt/mqm/bin/amqzxma0", ["/opt/mqm/bin/amqzxma0", "-m", "QM1", "-x", "-u", "mqm"], 0x7ffe4414db48 /* 24 vars */ <unfinished ...>
Both containers were started with --privileged to enable tracing with strace. strace was copied into the container from registry.redhat.io/rhel8/support-tools.
The environment variable for the MQ user, MQ_USER_NAME, is ignored on Podman:
Podman
$ podman run --env LICENSE=accept --env MQ_QMGR_NAME=QM1 --env MQ_USER_NAME=ibm --publish 1414:1414 --publish 9443:9443 --detach --name mq_9.2.0.0-r1 docker.io/ibmcom/mq:9.2.0.0-r1
$ podman exec -ti mq_9.2.0.0-r1 bash
bash-4.4$ echo $MQ_USER_NAME
ibm
bash-4.4$ ps ux | grep amqzxma0
1001 248 0.0 0.0 1716364 46356 ? Ssl 07:55 0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u 1001
1001 1706 0.0 0.0 9176 1084 pts/0 S+ 08:07 0:00 grep amqzxma0
Docker
$ docker run --env LICENSE=accept --env MQ_QMGR_NAME=QM1 --env MQ_USER_NAME=ibm --publish 1414:1414 --publish 9443:9443 --detach --name mq_9.2.0.0-r1 docker.io/ibmcom/mq:9.2.0.0-r1
$ docker exec -ti mq_9.2.0.0-r1 bash
bash-4.4$ echo $MQ_USER_NAME
ibm
bash-4.4$ ps ux | grep amqzxma0
1001 214 0.0 1.0 1359896 42632 ? Ssl 07:56 0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u ibm
1001 733 0.0 0.0 9176 956 pts/0 S+ 08:09 0:00 grep amqzxma0
There is something different between Podman and Docker when strmqm runs to determine the MQ user name from the environment to start amqzxma0.
The source of strmqm is not available, so you (IBM @arthurbarr @LPowlett) might have a look.
--
A workaround to run the image on Podman w/ default admin connection is to create a custom image:
FROM ibmcom/mq
USER 1001
COPY 10-dev.mqsc.tpl /etc/mqm/10-dev.mqsc.tpl
whereas 10-dev.mqsc.tpl is generated by
sed -e "s/MCAUSER ('mqm')/MCAUSER ('1001')/g" incubating/mqadvanced-server-dev/10-dev.mqsc.tpl > 10-dev.mqsc.tpl
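The comparison behind the workaround above, as an added example that is not part of the thread or of the mq-container project: it extracts the -u user from the amqzxma0 line of ps ux output and checks it against every MCAUSER value in MQSC text. The function names and the MQSC sample lines are constructed for illustration; the ps lines are the ones posted in the thread.

```shell
#!/bin/sh
# Added example: does the user amqzxma0 was started with match MCAUSER?

# Print the value after "-u" on the amqzxma0 command line (ps ux on stdin).
execution_controller_user() {
  awk '/\/amqzxma0 / { for (i = 1; i < NF; i++) if ($i == "-u") { print $(i + 1); exit } }'
}

# Print each distinct MCAUSER('...') value found in MQSC text on stdin.
mcauser_values() {
  grep -o "MCAUSER *('[^']*')" | sed -e "s/.*('//" -e "s/')\$//" | sort -u
}

# $1 = ps output, $2 = MQSC text. Returns 0 if every MCAUSER equals the -u
# user, 1 on a mismatch, 2 if no amqzxma0 process is listed.
check_mcauser_matches() {
  run_as=$(printf '%s\n' "$1" | execution_controller_user)
  [ -n "$run_as" ] || { echo "amqzxma0 not found" >&2; return 2; }
  mismatch=0
  for user in $(printf '%s\n' "$2" | mcauser_values); do
    if [ "$user" != "$run_as" ]; then
      echo "MISMATCH: MCAUSER('$user'), but amqzxma0 runs with -u $run_as"
      mismatch=1
    fi
  done
  return "$mismatch"
}

# ps lines as posted in the thread (Podman, then Docker).
PS_PODMAN='1001 248 0.0 0.0 1716364 46356 ? Ssl 07:55 0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u 1001
1001 1706 0.0 0.0 9176 1084 pts/0 S+ 08:07 0:00 grep amqzxma0'
PS_DOCKER='1001 73 0.0 1.0 1360616 43044 ? Ssl 09:15 0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u mqm'

# Constructed MQSC lines for illustration (not the real template content).
MQSC_SAMPLE="SET CHLAUTH('DEV.ADMIN.SVRCONN') TYPE(USERMAP) CLNTUSER('admin') USERSRC(MAP) MCAUSER ('mqm') ACTION(REPLACE)
SET CHLAUTH('DEV.APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(MAP) MCAUSER ('mqm') ACTION(REPLACE)"

check_mcauser_matches "$PS_PODMAN" "$MQSC_SAMPLE" || true
check_mcauser_matches "$PS_DOCKER" "$MQSC_SAMPLE" && echo "Docker sample: match"
```

Against a running container, pass the output of ps ux from inside the container and the contents of the 10-dev.mqsc.tpl in use as the two arguments.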
Hi @LPowlett, did anybody have a chance to take a look at this issue?
Was this ever resolved/explained? I'm getting a very similar issue with 9.2.0.3 and 9.2.0.4 builds (using docker) where the amqzxma0 process starts with '-u root' when MQ_USER_NAME=mqm is set.
No, not yet.
After updating from docker image 9.1.4.0-r1 to 9.1.5.0-r1, the default developer configuration, admin / passw0rd, is not valid anymore. This simple connection fails on image 9.1.5.0-r1:
with
The server log contains:
Container for image 9.1.4.0-r1:
Container for image 9.1.5.0-r1:
diff of 10-dev.mqsc (9.1.4.0-r1 vs. 9.1.5.0-r1)