APPLIES TO:
Enterprise Manager Base Platform - Version 12.1.0.1.0 and later
Generic UNIX
Generic Linux
SYMPTOMS:
The Cloud Control Management Agent has been installed on a Unix machine. Trying to perform some operations against any target monitored by this Agent from the Cloud Control results in the error:
ERROR: NMO not setuid-root (Unix-only).
Examples of operations that can result in the above error:
- Running a Job against this host : this can be OS Command, SQLPlus Script etc
- Setting or Testing Preferred Credentials for this host
- Configuring the database backup settings for a database on this host.
- Trying to Clone an Oracle Home, running the Patching Wizard or Deployment procedure against targets in this host.
- Executing a User-Defined Metric against target in this host, etc
In summary, any operation which requires the Agent to login to the host and perform an activity may result in the above error.
CAUSE:
Cause 1: The <AGENT_HOME>/root.sh script was not run after the Agent installation.
The owner of the nmo, nmb and nmo executables is not the root user:
$ cd <AGENT_BASE>/sbin
$ ls -ltr nm*
For Example:
$ cd /u03/cloud12c/agent12c/sbin
$ ls -al nm*
-rwxr-xr-x 1 oracle oracle 22754 Feb 11 11:08 nmb
-rwxr-xr-x 1 oracle oracle 57835 Feb 11 11:10 nmhs
-rwxr-xr-x 1 oracle oracle 40478 Jan 31 16:57 nmo
...
The correct permissions should have been set by executing the file <AGENT_HOME>/root.sh as root at the Agent installation/deployment time.
You should get:
$ ls -al nm*
-rwxr-xr-x 1 root oracle 585242 Jul 6 2013 nmosudo
-rws--x--- 1 root oracle 40007 Jul 6 2013 nmo
-rws--x--- 1 root oracle 57835 Jul 6 2013 nmhs
-rws--x--- 1 root oracle 22754 Jul 6 2013 nmb
-rwxr-xr-x 1 root oracle 43494 Jul 6 2013 nmgsshe
Cause 2: The root.sh script may have been run but the mount point for the <AGENT_HOME> is set with a 'nosuid' / 'nosetuid' / 'noatime' / 'nodiratime' option.
This can be verified by doing the mount command:
mount
or
mount | grep nosuid
and
mount | grep nosetuid
or
check the entries in files: /etc/vfstab, /etc/fstab
The 'nosetuid' option prevents mounted programs that have setuid permission to run with the permissions of their owners, regardless of who starts them. Without this option, if a program with setuid permission is owned by root, it will run with root permissions, regardless of who starts it.
Sometimes 'nosuid' option is specified to protect the system against setuid programs that may run as root and damage the system.
Note that a Solaris zone can report incorrect mount parameters:
If the setuid is set at the global level to the ZFS file system, the lofs that mounts that mountpoint to a directory in the zone is always setuid=true, to pass along the setting from the global zone.
If, for the zone, if you do a 'mount|grep /<mountpoint>' from the zone it always misleadingly returns 'setuid'.
If you issue 'mount|grep' in the global zone, you'll see the correct setting.
The issue is also seen if noatime,nodiratime options are enabled on the filesystem.
SOLUTION:
Solution for Cause 1:
1) Login to the Cloud Control Agent host as root.
2) Go to the Cloud Control Agent Oracle Home directory
Example: /u01/app/oracle/product/Middleware/agent/core/12.1.0.1.0
3) Execute the root.sh script:
# ./root.sh
4) Log in to the Cloud Control Agent host as the Agent binaries owner (oracle for example)
5) Check that the permissions are now correct:
$ ls -ltr
....
-rwxr-xr-x 1 root em 585242 Jul 6 2013 nmosudo
-rws--x--- 1 root em 40007 Jul 6 2013 nmo
-rws--x--- 1 root em 57835 Jul 6 2013 nmhs
-rws--x--- 1 root em 22754 Jul 6 2013 nmb
-rwxr-xr-x 1 root em 43494 Jul 6 2013 nmgsshe
6) Stop and restart the Cloud Control Agent:
Example
$ cd /u01/app/oracle/product/Middleware/agent/core/12.1.0.1.0/bin
$ ./emctl stop agent
$ ./emctl start agent
Solution for Cause 2:
If the mount point has any of the options ('nosuid' / 'nosetuid' / 'noatime' / 'nodiratime') set, this problem should be corrected by the system administrator of the Unix system:
1) Backup, edit and save the file /etc/vfstab or /etc/fstab for the mount point where the Agent has been installed and remove the 'nosuid' / 'nosetuid' / 'noatime' / 'nodiratime' option.
On AIX operating system edit thefile /etc/filesystems.
(u01 in our example)
2) Stop the Agent, remount the mount point and restart the EM Agent
Example
(As the owner of the Agent binaries:)
$ cd $ORACLE_HOME/bin
$ ./emctl stop agent
(As the Root User):
# umount <offendingMountPoint>
# mount <fixedMountPoint>
(As the owner of the Agent binaries:)
$ cd $ORACLE_HOME/bin
$ ./emctl start agent
Recent Posts