Veritas Cluster - Commands - Middleware News
VRTSvcs VERITAS Cluster Server
VRTSvcswz VERITAS Cluster Server Wizard
VRTScsga VERITAS Cluster Server Graphical Administrator
VRTSgab VERITAS Group Membership and Atomic Broadcast
VRTSllt VERITAS Low Latency Transport
VRTSvcsor VERITAS Cluster Server Oracle Enterprise Extension
VRTSvcssy VERITAS Cluster Server Sybase Enterprise Extension
VRTSperl VERITAS Perl for VRTSvcs
Cluster Name of your HA environment
Nodes Physical systems that make up the cluster
Service group Abstract container of related resources
Resource Cluster components (i.e. NICs, IPs, disk groups,
volumes, mounts, processes, etc...)
Attributes Parameter values that define the resources
Dependencies Links between resources or service groups
Cluster Mgr Cluster Monitor : Log in, add clusters, change preferences
Cluster Mgr Cluster Explorer: Monitor systems, service grps,
resources, attributes & dependencies
Cluster Mgr Log Desk : Monitor log messages received
from engine, view GUI commands
Cluster Mgr Command Center : Build VCS commands and send to engine
LLT Low Latency transport provides fast kernel-kernel
comm. & monitors network connx.
GAB Grp membership & Atomic Broadcast maintains a synch.
state & monitors disk comm.
Config files VCS etc directory
$VCSETC=/etc/VRTSvcs
Config files VCS configuration directories
$VCSCONF=/etc/VRTSvcs/conf/config
Binary files VCS opt directory
$VCSOPT=/opt/VRTSvcs
Binary files VCS binary path
$VCSBIN=/opt/VRTSvcs/bin
Log files VCS log path
$VCSLOG=/var/VRTSvcs/log
Config files VCS configuration file
/etc/VRTSvcs/conf/config/main.cf
LLT tab file LLT configuration file
/etc/llttab
LLT hosts file LLT host name database
/etc/llthosts
GAB file Grp membership & Atomic Broadcast file
/etc/gabtab
quick-start VCS Quick-start wizard
# $VCS_HOME/wizards/config/quick_start
quick-NFS VCS Quick-NFS wizard
# $VCS_HOME/wizards/services/quick_nfs
llt Verify LLT
# /sbin/llstat -n
llt Get interface MAC Address
# /opt/VRTSllt/getmac device_name
llt Check network connectivity
# /opt/VRTSllt/dlpiping -s|-c -v device_name
gab Verify GAB
# /sbin/gabconfig -a ; /sbin/gabconfig -l
hasys List systems in cluster
# /opt/VRTSvcs/bin/hasys -list
hasys Detailed info on each cluster node
# /opt/VRTSvcs/bin/hasys -display (sysname)
hasys Increase system count in gabtab startup
# /opt/VRTSvcs/bin/hasys -add (sysname)
hasys Delete a system
# /opt/VRTSvcs/bin/hasys -delete (sysname)
hastart Start VCS cluster
# /opt/VRTSvcs/bin/hastart
hastart Force start a stale VCS cluster
# /opt/VRTSvcs/bin/hastart -force -stale
hastop Stop VCS on all systems
# /opt/VRTSvcs/bin/hastop -all
hastop Stop VCS had, keep srvc-groups running
# /opt/VRTSvcs/bin/hastop -local -force
hastop Stop VCS, migrate srvc-groups to sysname
# /opt/VRTSvcs/bin/hastop -sys (sysname) -evacuate
hastatus Provide continual status of service grps
# /opt/VRTSvcs/bin/hastatus
hastatus Verify status of service groups
# /opt/VRTSvcs/bin/hastatus -summary
hacf Check for syntax errors in main.cf
# /opt/VRTSvcs/bin/hacf -verify /etc/VRTSvcs/conf/config/main.cf
hacf Generate dependency tree in main.cf
# /opt/VRTSvcs/bin/hacf -generate /etc/VRTSvcs/conf/config/main.cf
hares List all resources
# /opt/VRTSvcs/bin/hares -list
hares List a resource's dependencies
# /opt/VRTSvcs/bin/hares -dep (resource_name)
hares Get detailed info on a resource
# /opt/VRTSvcs/bin/hares -display (resource)
hares Add a resource
# /opt/VRTSvcs/bin/hares -add (resource_name (resource_type (service_group)
hares Modify attributes of the new resource
# /opt/VRTSvcs/bin/hares -modify (resource_name (attribute_name (value)
hares Delete a resource
# /opt/VRTSvcs/bin/hares -delete (resource_name)
hares Online a resource
# /opt/VRTSvcs/bin/hares -online (resource_name) -sys (system_name)
hares Offline a resource
# /opt/VRTSvcs/bin/hares -offline (resource_name) -sys (system_name)
hares Monitor resource on a system
# /opt/VRTSvcs/bin/hares -probe (resource_name) -sys (system_name)
hares Clear a faulted resource
# /opt/VRTSvcs/bin/hares -clear (resource_name) [-sys system_name]
hares Make a resource's attribute value local
# /opt/VRTSvcs/bin/hares -local (resource_name) (attribute_name) value)
hares Make a resource's attribute value global
# /opt/VRTSvcs/bin/hares -global (resource_name) (attribute_name) value)
hares Specify a dependency between 2 resources
# /opt/VRTSvcs/bin/hares -link (parent_res) (child_res)
hares Remove dependency between 2 resources
# /opt/VRTSvcs/bin/hares -unlink (parent_res) (child_res)
hares Modify a Share res. by adding options
# /opt/VRTSvcs/bin/hares Share_cicgt-as4-p_apps Options "%-o rw,root=dcsa-cln1"
hagrp List all service groups
# /opt/VRTSvcs/bin/hagrp -list
hagrp List a service group's resources
# /opt/VRTSvcs/bin/hagrp -resources [service_group]
hagrp List a service group's dependencies
# /opt/VRTSvcs/bin/hagrp -dep [service_group]
hagrp Detailed info about a service group
# /opt/VRTSvcs/bin/hagrp -display [service_group]
hagrp Start service group, bring res. online
# /opt/VRTSvcs/bin/hagrp -online (service_group) -sys (system_name)
hagrp Stop service group, bring res. offline
# /opt/VRTSvcs/bin/hagrp -offline (service_group) -sys (system_name)
hagrp Switch service group between nodes
# /opt/VRTSvcs/bin/hagrp -switch (service_group) -to (system_name)
hagrp Freeze svcgroup, (disable onl. & offl.)
# /opt/VRTSvcs/bin/hagrp -freeze (service_group) [-persistent]
hagrp Thaw a svcgroup, (enable onl. & offl.)
# /opt/VRTSvcs/bin/hagrp -unfreeze (service_group) [-persistent]
hagrp Enable a service group
# /opt/VRTSvcs/bin/hagrp -enable (service_group) [-sys system_name]
hagrp Disable a service group
# /opt/VRTSvcs/bin/hagrp -disable (service_group) [-sys system_name]
hagrp Enable all resources in a service group
# /opt/VRTSvcs/bin/hagrp -enableresources (service_group)
hagrp Disable all resources in a service group
# /opt/VRTSvcs/bin/hagrp -disableresources (service_group)
hagrp Specify dependenciy between 2 svc groups
# /opt/VRTSvcs/bin/hagrp -link (parent_group) (child_group) (relationship)
hagrp Remove dependenciy between 2 svc groups
# /opt/VRTSvcs/bin/hagrp -unlink (parent_group) (child_group)
hagrp Auto-Enable a servicegroup marked
# /opt/VRTSvcs/bin/hagrp -autoenable (service_group) [-sys system_name]
disabled due to prob with system_name.
hatype List resource types
# /opt/VRTSvcs/bin/hatype -list
hatype Detailed info on a resource type
# /opt/VRTSvcs/bin/hatype -display (resource_type)
hatype List all resources of a part. type
# /opt/VRTSvcs/bin/hatype -resources (resource_type)
hatype Add a resource type
# /opt/VRTSvcs/bin/hatype -add (resource_type)
hatype Set static attribute values
# /opt/VRTSvcs/bin/hatype -modify ...
hatype Delete a resource type
# /opt/VRTSvcs/bin/hatype -delete (resource_type)
haattr Add Attribute to a Type definition
# /opt/VRTSvcs/bin/haattr -add (resource_type) (attribute_name) /
(attribute_type -integer, -string, -vector)
haattr Delete a Entry in a Type definition
# /opt/VRTSvcs/bin/haattr -delete (resource_type) (attribute_name)
haconf Set VCS configuration file to r/w mode
# /opt/VRTSvcs/bin/haconf -makerw
haconf Set VCS configuration file to read mode
# /opt/VRTSvcs/bin/haconf -dump -makero
hauser Add a user with r/w access to VCS
# /opt/VRTSvcs/bin/hauser -add (user_name)
hauser Add a user with read access only to VCS
# /opt/VRTSvcs/bin/hauser -add VCSGuest
hauser Update a user
# /opt/VRTSvcs/bin/hauser -update (user_name)
hauser Delete a user
# /opt/VRTSvcs/bin/hauser -delete (user_name)
hauser Display all users
# /opt/VRTSvcs/bin/hauser -display
haagent Start agents manually
# haagent -start (agent_name) -sys (system_name)
haagent Stop agents manually
# haagent -stop (agent_name) -sys (system_name)
hagui Start Cluster Manager
# /opt/VRTSvcs/bin/hagui
hagui Start Cluster Manager in debug mode
# /opt/VRTSvcs/bin/hagui -D
Product Terminology comparisons
Sun SC 2.2 Veritas VCS 1.1
------------------------------------------------------
cluster name cluster name
admin workstation -
physical node A local system
physical node B remote system
physical node IP address maintenance IP address
logical host service group
logical host IP address service group IP address
- resources
disk group disk group
private heartbeats communication channels
- GAB disk (disk heartbeat)
Quorum disk -
Admin filesystem -
scinstall Quick-Start wizard
split-brain network partition
configuration files:
/etc/llthosts
/etc/llttab
/etc/gabtab
/etc/VRTSvcs/conf/config/main.cf
/etc/VRTSvcs/conf/config/sysname
Identifying vulnerable applications
The following commands can help you quickly and accurately identify whether you are running a vulnerable version that requires updating.
Solaris systems, run the following command:
# pkginfo -l VRTSvcs | grep VERSION
VERSION: 3.5
The base version will appear to the right of the VERSION tag. If it is 3.5, or 4.0, you are vulnerable. If nothing is returned, you do not have VERITAS Cluster Server for UNIX installed.
Linux systems, run the following command:
# rpm -q -i VRTSvcs | grep Version
Version: 2.2.rhel30 Vendor: VERITAS Software Corp.
The version (along with the platform, in this case, RHEL 3.0), will appear to the right of the Version tag. If it reads 2.2, you are vulnerable. If nothing is returned, you do not have VERITAS Cluster Server for UNIX installed.
AIX systems, type the following command:
# lslpp -l | grep VRTSvcs.rte
VRTSvcs.rte 4.0.0.0 COMMITTED VERITAS Cluster Server 4.0
The version will appear at the end of the line (in this case, 4.0). If it includes 3.5 or 4.0, you are vulnerable. If nothing is returned, you do not have VERITAS Cluster Server for UNIX installed.
HP-UX systems, type the following command:
# swlist | grep VRTSvcs
...
VRTSvcs 3.5 Veritas Cluster Server
...
The results may include several lines of output. Identify the line that starts with VRTSvcs and note the version number in the second column. If it reads 3.5, you are vulnerable. If this line does not appear in the output, you do not have VERITAS Cluster Server for UNIX installed.
Mitigation/Workarounds
For customers unable to apply the recommended fixes immediately, removing root suid permission on VCS 'ha' binaries and restricting access to Authorized VCS users can protect a VCS cluster from possible elevation of privileges until such time as proper updates can be applied.
NOTE: This workaround will require non-root users who require access to be assigned a valid VCS Username and password for use every time they communicate with the VCS Cluster.
Remove root suid permissions on any VCS 'ha' binaries
Find affected binaries as follows: -
On Linux, use the command "find /opt/VRTSvcs -perm 4000"
On Solaris, AIX, HP-UX use the command "find /opt/VRTSvcs -perm 4755"
chmod u-s
Restrict access to Cluster Nodes to only Authorized VCS users
Check the value of Cluster attribute AllowNativeCliUsers as: -
haclus -value AllowNativeCliUsers
If the value of the above attribute is 1, perform the following steps: -
haconf -makerw
haclus -modify AllowNativeCliUsers 0
haconf -dump -makero
Force non-root users to specify a valid VCS Username and password and use TCP for communication by setting the following environment variable:
VCS_TEST_HOST= where value is the hostname of the cluster node.
e.g., export VCS_TEST_HOST=sysa where sysa is the hostname of the cluster node.
NOTE: By removing the root suid permissions, a non-root user cannot communicate with VCS using root Unix Domain Sockets (UDS). By setting the VCS_TEST_HOST environment variable, the 'ha' command (e.g. hagrp) can be used by a non-root user after specifying a valid VCS username and password.
WARNING: Any 'cron' jobs running as a non-root user and using a VCS 'ha' command may fail because of not specifying a valid VCS username and password. For such cases, the appropriate VCS patch listed above should be applied.
VRTSvcs VERITAS Cluster Server
VRTSvcswz VERITAS Cluster Server Wizard
VRTScsga VERITAS Cluster Server Graphical Administrator
VRTSgab VERITAS Group Membership and Atomic Broadcast
VRTSllt VERITAS Low Latency Transport
VRTSvcsor VERITAS Cluster Server Oracle Enterprise Extension
VRTSvcssy VERITAS Cluster Server Sybase Enterprise Extension
VRTSperl VERITAS Perl for VRTSvcs
Cluster Name of your HA environment
Nodes Physical systems that make up the cluster
Service group Abstract container of related resources
Resource Cluster components (i.e. NICs, IPs, disk groups,
volumes, mounts, processes, etc...)
Attributes Parameter values that define the resources
Dependencies Links between resources or service groups
Cluster Mgr Cluster Monitor : Log in, add clusters, change preferences
Cluster Mgr Cluster Explorer: Monitor systems, service grps,
resources, attributes & dependencies
Cluster Mgr Log Desk : Monitor log messages received
from engine, view GUI commands
Cluster Mgr Command Center : Build VCS commands and send to engine
LLT Low Latency transport provides fast kernel-kernel
comm. & monitors network connx.
GAB Grp membership & Atomic Broadcast maintains a synch.
state & monitors disk comm.
Config files VCS etc directory
$VCSETC=/etc/VRTSvcs
Config files VCS configuration directories
$VCSCONF=/etc/VRTSvcs/conf/config
Binary files VCS opt directory
$VCSOPT=/opt/VRTSvcs
Binary files VCS binary path
$VCSBIN=/opt/VRTSvcs/bin
Log files VCS log path
$VCSLOG=/var/VRTSvcs/log
Config files VCS configuration file
/etc/VRTSvcs/conf/config/main.cf
LLT tab file LLT configuration file
/etc/llttab
LLT hosts file LLT host name database
/etc/llthosts
GAB file Grp membership & Atomic Broadcast file
/etc/gabtab
quick-start VCS Quick-start wizard
# $VCS_HOME/wizards/config/quick_start
quick-NFS VCS Quick-NFS wizard
# $VCS_HOME/wizards/services/quick_nfs
llt Verify LLT
# /sbin/llstat -n
llt Get interface MAC Address
# /opt/VRTSllt/getmac device_name
llt Check network connectivity
# /opt/VRTSllt/dlpiping -s|-c -v device_name
gab Verify GAB
# /sbin/gabconfig -a ; /sbin/gabconfig -l
hasys List systems in cluster
# /opt/VRTSvcs/bin/hasys -list
hasys Detailed info on each cluster node
# /opt/VRTSvcs/bin/hasys -display (sysname)
hasys Increase system count in gabtab startup
# /opt/VRTSvcs/bin/hasys -add (sysname)
hasys Delete a system
# /opt/VRTSvcs/bin/hasys -delete (sysname)
hastart Start VCS cluster
# /opt/VRTSvcs/bin/hastart
hastart Force start a stale VCS cluster
# /opt/VRTSvcs/bin/hastart -force -stale
hastop Stop VCS on all systems
# /opt/VRTSvcs/bin/hastop -all
hastop Stop VCS had, keep srvc-groups running
# /opt/VRTSvcs/bin/hastop -local -force
hastop Stop VCS, migrate srvc-groups to sysname
# /opt/VRTSvcs/bin/hastop -sys (sysname) -evacuate
hastatus Provide continual status of service grps
# /opt/VRTSvcs/bin/hastatus
hastatus Verify status of service groups
# /opt/VRTSvcs/bin/hastatus -summary
hacf Check for syntax errors in main.cf
# /opt/VRTSvcs/bin/hacf -verify /etc/VRTSvcs/conf/config/main.cf
hacf Generate dependency tree in main.cf
# /opt/VRTSvcs/bin/hacf -generate /etc/VRTSvcs/conf/config/main.cf
hares List all resources
# /opt/VRTSvcs/bin/hares -list
hares List a resource's dependencies
# /opt/VRTSvcs/bin/hares -dep (resource_name)
hares Get detailed info on a resource
# /opt/VRTSvcs/bin/hares -display (resource)
hares Add a resource
# /opt/VRTSvcs/bin/hares -add (resource_name (resource_type (service_group)
hares Modify attributes of the new resource
# /opt/VRTSvcs/bin/hares -modify (resource_name (attribute_name (value)
hares Delete a resource
# /opt/VRTSvcs/bin/hares -delete (resource_name)
hares Online a resource
# /opt/VRTSvcs/bin/hares -online (resource_name) -sys (system_name)
hares Offline a resource
# /opt/VRTSvcs/bin/hares -offline (resource_name) -sys (system_name)
hares Monitor resource on a system
# /opt/VRTSvcs/bin/hares -probe (resource_name) -sys (system_name)
hares Clear a faulted resource
# /opt/VRTSvcs/bin/hares -clear (resource_name) [-sys system_name]
hares Make a resource's attribute value local
# /opt/VRTSvcs/bin/hares -local (resource_name) (attribute_name) value)
hares Make a resource's attribute value global
# /opt/VRTSvcs/bin/hares -global (resource_name) (attribute_name) value)
hares Specify a dependency between 2 resources
# /opt/VRTSvcs/bin/hares -link (parent_res) (child_res)
hares Remove dependency between 2 resources
# /opt/VRTSvcs/bin/hares -unlink (parent_res) (child_res)
hares Modify a Share res. by adding options
# /opt/VRTSvcs/bin/hares Share_cicgt-as4-p_apps Options "%-o rw,root=dcsa-cln1"
hagrp List all service groups
# /opt/VRTSvcs/bin/hagrp -list
hagrp List a service group's resources
# /opt/VRTSvcs/bin/hagrp -resources [service_group]
hagrp List a service group's dependencies
# /opt/VRTSvcs/bin/hagrp -dep [service_group]
hagrp Detailed info about a service group
# /opt/VRTSvcs/bin/hagrp -display [service_group]
hagrp Start service group, bring res. online
# /opt/VRTSvcs/bin/hagrp -online (service_group) -sys (system_name)
hagrp Stop service group, bring res. offline
# /opt/VRTSvcs/bin/hagrp -offline (service_group) -sys (system_name)
hagrp Switch service group between nodes
# /opt/VRTSvcs/bin/hagrp -switch (service_group) -to (system_name)
hagrp Freeze svcgroup, (disable onl. & offl.)
# /opt/VRTSvcs/bin/hagrp -freeze (service_group) [-persistent]
hagrp Thaw a svcgroup, (enable onl. & offl.)
# /opt/VRTSvcs/bin/hagrp -unfreeze (service_group) [-persistent]
hagrp Enable a service group
# /opt/VRTSvcs/bin/hagrp -enable (service_group) [-sys system_name]
hagrp Disable a service group
# /opt/VRTSvcs/bin/hagrp -disable (service_group) [-sys system_name]
hagrp Enable all resources in a service group
# /opt/VRTSvcs/bin/hagrp -enableresources (service_group)
hagrp Disable all resources in a service group
# /opt/VRTSvcs/bin/hagrp -disableresources (service_group)
hagrp Specify dependenciy between 2 svc groups
# /opt/VRTSvcs/bin/hagrp -link (parent_group) (child_group) (relationship)
hagrp Remove dependenciy between 2 svc groups
# /opt/VRTSvcs/bin/hagrp -unlink (parent_group) (child_group)
hagrp Auto-Enable a servicegroup marked
# /opt/VRTSvcs/bin/hagrp -autoenable (service_group) [-sys system_name]
disabled due to prob with system_name.
hatype List resource types
# /opt/VRTSvcs/bin/hatype -list
hatype Detailed info on a resource type
# /opt/VRTSvcs/bin/hatype -display (resource_type)
hatype List all resources of a part. type
# /opt/VRTSvcs/bin/hatype -resources (resource_type)
hatype Add a resource type
# /opt/VRTSvcs/bin/hatype -add (resource_type)
hatype Set static attribute values
# /opt/VRTSvcs/bin/hatype -modify ...
hatype Delete a resource type
# /opt/VRTSvcs/bin/hatype -delete (resource_type)
haattr Add Attribute to a Type definition
# /opt/VRTSvcs/bin/haattr -add (resource_type) (attribute_name) /
(attribute_type -integer, -string, -vector)
haattr Delete a Entry in a Type definition
# /opt/VRTSvcs/bin/haattr -delete (resource_type) (attribute_name)
haconf Set VCS configuration file to r/w mode
# /opt/VRTSvcs/bin/haconf -makerw
haconf Set VCS configuration file to read mode
# /opt/VRTSvcs/bin/haconf -dump -makero
hauser Add a user with r/w access to VCS
# /opt/VRTSvcs/bin/hauser -add (user_name)
hauser Add a user with read access only to VCS
# /opt/VRTSvcs/bin/hauser -add VCSGuest
hauser Update a user
# /opt/VRTSvcs/bin/hauser -update (user_name)
hauser Delete a user
# /opt/VRTSvcs/bin/hauser -delete (user_name)
hauser Display all users
# /opt/VRTSvcs/bin/hauser -display
haagent Start agents manually
# haagent -start (agent_name) -sys (system_name)
haagent Stop agents manually
# haagent -stop (agent_name) -sys (system_name)
hagui Start Cluster Manager
# /opt/VRTSvcs/bin/hagui
hagui Start Cluster Manager in debug mode
# /opt/VRTSvcs/bin/hagui -D
Product Terminology comparisons
Sun SC 2.2 Veritas VCS 1.1
------------------------------------------------------
cluster name cluster name
admin workstation -
physical node A local system
physical node B remote system
physical node IP address maintenance IP address
logical host service group
logical host IP address service group IP address
- resources
disk group disk group
private heartbeats communication channels
- GAB disk (disk heartbeat)
Quorum disk -
Admin filesystem -
scinstall Quick-Start wizard
split-brain network partition
configuration files:
/etc/llthosts
/etc/llttab
/etc/gabtab
/etc/VRTSvcs/conf/config/main.cf
/etc/VRTSvcs/conf/config/sysname
Identifying vulnerable applications
The following commands can help you quickly and accurately identify whether you are running a vulnerable version that requires updating.
Solaris systems, run the following command:
# pkginfo -l VRTSvcs | grep VERSION
VERSION: 3.5
The base version will appear to the right of the VERSION tag. If it is 3.5, or 4.0, you are vulnerable. If nothing is returned, you do not have VERITAS Cluster Server for UNIX installed.
Linux systems, run the following command:
# rpm -q -i VRTSvcs | grep Version
Version: 2.2.rhel30 Vendor: VERITAS Software Corp.
The version (along with the platform, in this case, RHEL 3.0), will appear to the right of the Version tag. If it reads 2.2, you are vulnerable. If nothing is returned, you do not have VERITAS Cluster Server for UNIX installed.
AIX systems, type the following command:
# lslpp -l | grep VRTSvcs.rte
VRTSvcs.rte 4.0.0.0 COMMITTED VERITAS Cluster Server 4.0
The version will appear at the end of the line (in this case, 4.0). If it includes 3.5 or 4.0, you are vulnerable. If nothing is returned, you do not have VERITAS Cluster Server for UNIX installed.
HP-UX systems, type the following command:
# swlist | grep VRTSvcs
...
VRTSvcs 3.5 Veritas Cluster Server
...
The results may include several lines of output. Identify the line that starts with VRTSvcs and note the version number in the second column. If it reads 3.5, you are vulnerable. If this line does not appear in the output, you do not have VERITAS Cluster Server for UNIX installed.
Mitigation/Workarounds
For customers unable to apply the recommended fixes immediately, removing root suid permission on VCS 'ha' binaries and restricting access to Authorized VCS users can protect a VCS cluster from possible elevation of privileges until such time as proper updates can be applied.
NOTE: This workaround will require non-root users who require access to be assigned a valid VCS Username and password for use every time they communicate with the VCS Cluster.
Remove root suid permissions on any VCS 'ha' binaries
Find affected binaries as follows: -
On Linux, use the command "find /opt/VRTSvcs -perm 4000"
On Solaris, AIX, HP-UX use the command "find /opt/VRTSvcs -perm 4755"
chmod u-s
Restrict access to Cluster Nodes to only Authorized VCS users
Check the value of Cluster attribute AllowNativeCliUsers as: -
haclus -value AllowNativeCliUsers
If the value of the above attribute is 1, perform the following steps: -
haconf -makerw
haclus -modify AllowNativeCliUsers 0
haconf -dump -makero
Force non-root users to specify a valid VCS Username and password and use TCP for communication by setting the following environment variable:
VCS_TEST_HOST= where value is the hostname of the cluster node.
e.g., export VCS_TEST_HOST=sysa where sysa is the hostname of the cluster node.
NOTE: By removing the root suid permissions, a non-root user cannot communicate with VCS using root Unix Domain Sockets (UDS). By setting the VCS_TEST_HOST environment variable, the 'ha' command (e.g. hagrp) can be used by a non-root user after specifying a valid VCS username and password.
WARNING: Any 'cron' jobs running as a non-root user and using a VCS 'ha' command may fail because of not specifying a valid VCS username and password. For such cases, the appropriate VCS patch listed above should be applied.
Comments
Post a Comment