System Center Cross Platform Provider for Operations Manager
Microsoft Public License
36
stars
31
forks
source link
SCX generates a certificate as part of scxsslconfig, and that certificate is owned by root:root, which cause omi with non-root feature can't start up #83
SCXcore’s scxsslconfig program should set the permissions to OMI due to the non-root changes. It was always weird that SCX was generating an OMI certificate, and now we were bitten by this. This can’t be done in postinstall, because scxsslconfig can be run after installation. So the program itself needs to set the permissions.
Repro steps:
Run sh scx-1.6.3-372.universal.x64.sh –install
Check /etc/opt/omi/ssl/omi.pem file permission, its permission is root:root. (As OMI designed architecture, its permission should be omi:omi.)
Add https 5986 port in /etc/opt/omi/conf/omiserver.conf
Restart omi: /opt/omi/bin/service_control restart
Check omiengine process doesn’t start up.
Another way to repro the issue is to install omi.rpm, then install scx.rpm, it shows that scx package installing reverts /etc/opt/omi/ssl/omi.pem file permission from omi:omi to root:root.
SCXcore’s scxsslconfig program should set the permissions to OMI due to the non-root changes. It was always weird that SCX was generating an OMI certificate, and now we were bitten by this. This can’t be done in postinstall, because scxsslconfig can be run after installation. So the program itself needs to set the permissions.
Repro steps:
sh scx-1.6.3-372.universal.x64.sh –install
/opt/omi/bin/service_control restart
Another way to repro the issue is to install omi.rpm, then install scx.rpm, it shows that scx package installing reverts /etc/opt/omi/ssl/omi.pem file permission from omi:omi to root:root.