We are using the "Run Command Line" action to run a command. In this case, it's IBM's IIB mqsideploy, but the command used in the "Command Line String" input parameter could be anything. The input parameters are displayed below. In addition to these input parameters, the action needs to run as a specific user, so we have configured the action's Credentials settings with that user (details on how user impersonation has been implemented on the agent are also below).
For example, we are using IIB's mqsideploy to interact with IBM IIB. We're doing this using the following:
Command Line String [String]
/opt/ibm/mqsi/inst1/iib-10/server/bin/mqsideploy <brokerSpec> -e <integrationServerName> -a <BARFileName>
Work Directory [String]
/opt/ibm/mqsi/inst1/iib-10/server/bin
On the agent machine we have configured the conf/processes.properties with a cmd.to.execute=/path/to/customActionsRunner.sh
And, the customActionsRunner.sh is configured to use: echo $nolio_password | sudo -u $3 -S ./ActionsRunner.sh $1 $2 $3
While running this action it returns the following:
Run Command Line action has finished successfully.
Return value: 127
Std out:
Std err: /opt/ibm/mqsi/inst1/iib-10/server/bin/mqsideploy: error while loading shared libraries: libImbCmdLib.so: cannot open shared object file: No such file or directory
Command line executed: /bin/sh -c /opt/ibm/mqsi/inst1/iib-10/server/bin/mqsideploy <brokerSpec> -e <integrationServerName> -a <BARFileName>
This specific command (IBM's IIB mqsideploy command) has prerequisites. The exact prerequisites are not clear, but it may need a modified $PATH or some environment variables to be set, similar to how ORACLE_HOME, ORACLE_BASE, ORACLE_SID, etc. are needed to run Oracle commands.
Release : 6.6
Component : CA RELEASE AUTOMATION RELEASE OPERATIONS CENTER
One solution to this problem was to load the user's profile (.bash_profile) before running the mqsideploy command. In full, the solution looked like this:
The main piece here is prefixing the "Command Line String" command with: source /path/to/user's/.bash_profile
Sourcing the user's .bash_profile, in this case, prepared the environment with all of the prerequisites needed to successfully run the mqsideploy command.
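The effect described above, as an added example that is not part of the original article or the vendor's code: a command fails with 127 in an empty environment and succeeds once a profile is loaded, with a check that refuses a profile that group or other users can write. The function names, the DEMO_LIB_DIR variable and the sample profile and tool are constructed for illustration; env -i stands in for the environment left by a non-login sudo -u.

```shell
#!/bin/sh
# Added example, not vendor code. All function names and DEMO_LIB_DIR are hypothetical.

# A profile that group/other can write would let them run code as the
# impersonated user once it is sourced, so refuse it.
profile_is_safe() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Run a command in an empty environment (a stand-in for what a non-login
# "sudo -u" hands to the action), optionally loading a profile first.
# Usage: run_with_profile <profile | -> <command> [args...]
run_with_profile() {
    profile=$1; shift
    if [ "$profile" = "-" ]; then
        env -i /bin/sh -c 'exec "$@"' sh "$@"
        return $?
    fi
    profile_is_safe "$profile" || { echo "refusing profile: $profile" >&2; return 3; }
    # "." is the POSIX spelling of "source"; the action runs via /bin/sh -c.
    env -i /bin/sh -c '. "$1" || exit 4; shift; exec "$@"' sh "$profile" "$@"
}

# Constructed sample data: a profile exporting one variable, and a tool that
# exits 127 without it (mimicking the failure shown on the page).
make_demo() {
    d=$(mktemp -d) || return 1
    printf 'DEMO_LIB_DIR=/constructed/lib\nexport DEMO_LIB_DIR\n' > "$d/profile"
    chmod 600 "$d/profile"
    printf '[ -n "$DEMO_LIB_DIR" ] || exit 127\necho deployed\n' > "$d/tool"
    echo "$d"
}

demo=$(make_demo)
run_with_profile - /bin/sh "$demo/tool" || echo "no profile: rc=$?"
run_with_profile "$demo/profile" /bin/sh "$demo/tool" && echo "profile loaded: rc=0"
rm -rf "$demo"
```

The example uses "." rather than "source" because the action executes the string through /bin/sh -c, and "source" is not available in every /bin/sh.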
Considerations:
When a CLI has requirements that are not met while using sudo -u and this kind of solution is needed, there are some considerations that should be made before using it for multiple systems. Here are some of those considerations:
Recommendations:
Whenever trying to use the Nolio RA "Run Command Line" action to accomplish an advanced task (like interacting with a 3rd party application), it is recommended to take a phased approach to this. The approach looks like this:
Investigating:
While investigating whether an existing action pack behaves the way you need it to, the following is recommended:
Variations of implementation options:
Some of the variations below may be considered. However, these variations have not been thoroughly tested. Even if they were, it is important to consider how these variations may impact other deployments.
SSH:
The SSH implementation of user impersonation requires a password to be specified in an action's Credentials settings. A variation of this implementation is available that would not require a password to be specified. That variation involves setting up SSH keys on the agent machine for the user that you're specifying in the Credentials settings window. If the SSH keys are set up to not require a password or passphrase, then the password field will not need a value.
Sudo:
By default, sudo will not try to load a user's profile. However, there is an option (-i) that instructs sudo to run the shell specified by the target user's password database entry as a login shell. This means that login-specific resources (such as profiles) will be read by the shell. If you want to use this variation, you could use something like this in your customActionsRunner.sh:
echo $nolio_password | sudo -u $3 -i -S -- sh -c "cd /path/to/RA_Agent_Home && ./ActionsRunner.sh $1 $2 $3"
Su:
By default, the su command requires a password. For this reason you need to make sure that, at a minimum, you use it with the customActionsRunner.sh set to use:
echo $nolio_password | su - $3 -c "cd /path/to/RA_Agent_Home ; ./ActionsRunner.sh $1 $2 $3"
The command above uses the "-" (aka -l, aka --login) option, which starts the shell as a login shell with an environment similar to a real login. See `man su` for more information. If for some reason you need to specify a shell different from the user's default shell, you can specify the shell to use by configuring customActionsRunner.sh with the following:
echo $nolio_password | su - $3 -s /bin/bash -c "cd /path/to/RA_Agent_Home ; ./ActionsRunner.sh $1 $2 $3"