Installing and running Introscope Enterprise Manager on Linux Servers with /tmp mounted with noexec option

Document created by sweeu01 Employee on Aug 24, 2018. Last modified by sweeu01 Employee on Aug 24, 2018.
Version 2

Problem

The installation and running of Introscope Enterprise Manager and APM Database on Linux servers will fail if the /tmp partition is mounted with the noexec option. Some organizations enforce the noexec option on /tmp as part of their security policy to prevent malicious users from using /tmp to execute unwanted programs.

 

At the start of the installation, after executing the Introscope EM installer, you will encounter the following error message:

 

Install Error Message
Preparing to install
Extracting the JRE from the installer archive...
Unpacking the JRE...
Extracting the installation resources from the installer archive...
Configuring the installer for this system's environment...
Launching installer...
JRE libraries are missing or not compatible....
Exiting....

 

Verifications

If you encounter this error, do the following to verify whether the noexec option on /tmp is the root cause:

 

Check /tmp mount options

  • To verify, execute
         mount | grep /tmp
  • You should see output similar to the line below, with the noexec option on /tmp:
         /dev/mapper/[volume-group-name] on /tmp type [filesystem type] (option1, option2, .... noexec....)

 

Check APM install environment details

  • Go to /tmp directory
  • You will see the following directory and file generated as part of the APM installation process
    • install.dir.[random-generated-ID]
    • env.properties.[random-generated-ID]
  • Open the env.properties.[random-generated-ID]
  • Search for "lax.nl.current.vm"
  • You should see an entry like:
    • lax.nl.current.vm=/tmp/install.dir.[random-generated-ID]/Linux/resource/jre/bin/java
  • As /tmp has been mounted with the noexec option, the installer cannot execute the java binary it extracted under /tmp, so the installation fails

 

Resolution

Approach 1

  • The exec option is needed on /tmp to allow the execution of the APM temporary installer files
  • We can remount /tmp with the exec option, run the APM installer, and remount /tmp with the noexec option after the installation has completed successfully
  • Before running the APM installer, execute
    • mount -o remount,exec /tmp
  • After APM is installed successfully, execute
    • mount -o remount,noexec /tmp
Note: The mount commands require root access. If the system administrator does not allow these commands to be executed, go to Approach 2.
Note: This approach only fixes the installation of APM. The noexec option on /tmp will still prevent Introscope Enterprise Manager and Introscope Web View from running. See the section below on "Running the Introscope Enterprise Manager and Introscope Web View Services" to fix it.

 

Approach 2

  • The other option is to temporarily specify an alternative tmp directory on a partition which is mounted with the exec option
  • An ideal tmp directory could be created at /home/wily/tmp (assuming the owner of the Introscope Enterprise Manager is wily) since most /home partitions are mounted with the exec option. Please do verify that the partition is mounted with the exec option by executing 'mount'
  • We can then set the IATEMPDIR environment variable to point to the alternative tmp directory
    • IATEMPDIR=/home/wily/tmp
    • export IATEMPDIR
  • During the APM installation process, the initial temporary directory install.dir.[random-generated-ID] will be generated in /home/wily/tmp instead of /tmp
Note: This approach only fixes the installation of APM. The noexec option on /tmp also prevents the Introscope Enterprise Manager and Introscope Web View services from running, unless we can permanently set IATEMPDIR to the alternative tmp directory in the .bash_profile. However, the system administrator may not allow this due to the organization's security policy. See the section below on "Running the Introscope Enterprise Manager and Introscope Web View Services" to fix it.
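
The two mount checks above (noexec on /tmp, exec on the alternative directory) can be scripted. This is an added example, not part of the original article or of APM; the device names in the sample are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: decide from mount options whether a directory may hold executables.
# Input text uses the /proc/mounts format: device mountpoint fstype options dump pass

# Constructed sample (device names made up); on a live host pass "$(cat /proc/mounts)".
SAMPLE_MOUNTS='/dev/mapper/vg00-root / xfs rw,relatime 0 0
/dev/mapper/vg00-tmp /tmp xfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg00-vartmp /var/tmp xfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg00-home /home xfs rw,nosuid,nodev,relatime 0 0'

# mount_opts_for DIR MOUNTS_TEXT: print the options of the mount that holds DIR
# (longest mount-point prefix wins; a later entry shadows an earlier one).
mount_opts_for() {
    local dir="$1" best="" best_opts="" dev mp fstype opts rest
    while read -r dev mp fstype opts rest; do
        case "$dir/" in
            "${mp%/}/"*)
                if [ "${#mp}" -ge "${#best}" ]; then
                    best="$mp"; best_opts="$opts"
                fi ;;
        esac
    done <<EOF
$2
EOF
    [ -n "$best" ] && printf '%s\n' "$best_opts"
}

# is_noexec DIR MOUNTS_TEXT: 0 = noexec, 1 = exec allowed, 2 = no mount found
is_noexec() {
    local opts
    opts=$(mount_opts_for "$1" "$2") || return 2
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# pick_exec_tmpdir MOUNTS_TEXT DIR...: print the first candidate not on a noexec mount
pick_exec_tmpdir() {
    local mounts="$1" dir rc
    shift
    for dir in "$@"; do
        rc=0
        is_noexec "$dir" "$mounts" || rc=$?
        if [ "$rc" -eq 1 ]; then printf '%s\n' "$dir"; return 0; fi
    done
    return 1
}

pick_exec_tmpdir "$SAMPLE_MOUNTS" /tmp /var/tmp /home/wily/tmp
```

Matching on the mount point rather than grepping for the path avoids false results when the candidate directory is not itself a mount point, as with /home/wily/tmp under /home.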

 

Running the Introscope Enterprise Manager and Introscope Web View Services

  • When we start Enterprise Manager with <EM_HOME>/bin/EMCtl.sh and start Web View with <EM_HOME>/bin/WVCtl.sh, temporary .so executables are generated in /tmp. If /tmp is mounted with the noexec option, both services will fail to start.
  • To get around this issue, there is a property we can set in Introscope_Enterprise_Manager.lax and Introscope_WebView.lax to set the tmp directory at the JVM level to our alternative directory (assuming it is designated as /home/wily/tmp):
  1. Open <EM_HOME>/Introscope_Enterprise_Manager.lax
  2. Search for "lax.nl.java.option.additional"
  3. Append "-Djava.io.tmpdir=/home/wily/tmp"
  4. Open <EM_HOME>/Introscope_WebView.lax file
  5. Search for "lax.nl.java.option.additional"
  6. Append "-Djava.io.tmpdir=/home/wily/tmp"
  • Restart Enterprise Manager and Web View - both should run successfully now
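
The edit in steps 1 to 6 can be applied repeatably with a small filter. This is an added example, not part of the original article or of APM: the function name is hypothetical and the sample .lax content, including its JVM options, is constructed.

```shell
#!/bin/sh
# Added example: idempotently set -Djava.io.tmpdir on the
# lax.nl.java.option.additional line of a .lax file (filter: stdin -> stdout).

# Constructed sample .lax content; the JVM options shown are placeholders.
SAMPLE_LAX='# constructed sample
lax.nl.current.vm=jre/bin/java
lax.nl.java.option.additional=-Xms512m -Xmx1024m -Djava.awt.headless=true'

# lax_with_tmpdir DIR: rewrite the property so it carries exactly one
# -Djava.io.tmpdir=DIR. Exits 3 if the property is not present in the input,
# so a wrong file is not silently accepted.
lax_with_tmpdir() {
    awk -v dir="$1" '
        /^lax\.nl\.java\.option\.additional=/ {
            val = substr($0, index($0, "=") + 1)
            # Drop any earlier tmpdir setting so reruns do not stack options.
            gsub(/[ \t]*-Djava\.io\.tmpdir=[^ \t]*/, "", val)
            sub(/^[ \t]+/, "", val)
            sub(/[ \t]+$/, "", val)
            $0 = "lax.nl.java.option.additional=" val (val == "" ? "" : " ") \
                 "-Djava.io.tmpdir=" dir
            found = 1
        }
        { print }
        END { if (!found) exit 3 }
    '
}

# Typical use (write to a new file, review the diff, then replace the original):
#   lax_with_tmpdir /home/wily/tmp < Introscope_WebView.lax > Introscope_WebView.lax.new
printf '%s\n' "$SAMPLE_LAX" | lax_with_tmpdir /home/wily/tmp
```

Because the services load their generated .so files from this directory, a reasonable hardening assumption (not stated in the article) is to create /home/wily/tmp owned by wily with mode 0700.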
Hopefully this article helps to alleviate the pain of installing on a Linux environment with a noexec /tmp, which seems to be common nowadays in larger organizations with strict security policies.
