Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

/proc/sys error messages Domino on Linux

Daniel Nashed  6 February 2020 08:05:15

The Domino start script now leverages "server -c" commands instead of writing into the server's redirected input file since the latest version as blogged earlier.
If you use the server binary for that purpose, some side effects could occur, which are not new. But you might not have noticed them.

When the server process starts, it tried to set kernel parameters to optimize certain network parameters.
Domino itself uses a none privileged user (default: notes).  To be able to set the kernel parameters a helper binary called "tunekrnl", which has the sticky bit set, is used.
The sticky bit runs the process as root and allows those restricted operations.

But even with root permissions in some Linux server environment those changes are not allowed.

For example in paravirtualized environments, where you don't have your own "root" server like when using virtual servers from HostEurope, your server doesn't allow those operations.
Another case would be a Docker environment where you are also not allowed to change those kernel parameters.

In those cases you see error messages similar to this:

Error messages on console

Error - can't open /proc/sys/fs/file-max.
        errno: 13
        Permission denied
Error - can't open /proc/sys/net/ipv4/tcp_fin_timeout.
        errno: 13
        Permission denied
Error - can't open /proc/sys/net/ipv4/tcp_max_syn_backlog.
        errno: 13
        Permission denied
Error - can't open /proc/sys/net/ipv4/tcp_tw_reuse.
        errno: 13
        Permission denied
Error - can't open /proc/sys/net/ipv4/ip_local_port_range.
        errno: 13
        Permission denied

As long this was just on server start, I ignored those messages. But in a remote console for every command you want to get rid of them.

In our Docker project we are already removing the tunekrnl during install. This avoids those error messages.

If you are on virtualization platform, which provides you are full virtualization stack -- like ESX, you should not receive an error.
In that case you should check the permissions of the file and not remove it!


It should look like this (the file needs to be owned by root and the sticky bit should be set -- the s in the 4. position)

ll tunekrnl
-r-sr-xr-x. 1 root daemon 71768 Nov 25 08:33 tunekrnl


If the settings are wrong, here is the way to change them. The following is a more paranoid setting. The file is owned by root and the group notes and you are allowing user's from the group notes to execute the file with root permissions.

chown root:notes /opt/hcl/domino/notes/latest/linux/tunekrnl
chmod 4550 /opt/hcl/domino/notes/latest/linux/tunekrnl


By the way : There is one other file in Domino which needs root permissions to run. bindsock  is used to allow processes to listed on restricted ports below 1024. So bindsock is a helper binary to allow those operations.

-- Daniel



Comments
No Comments Found

Archives


  • [IBM Lotus Domino]
  • [Domino on Linux]
  • [Nash!Com]
  • [Daniel Nashed]