default admin connection fails w/ MQRC_NOT_AUTHORIZED on image 9.2.3.0-r1 w/ Podman #394
I just gave a quick try with the
example:
|
I tried with MQExplorer, connecting to remote qmgr using admin user and that worked too. |
Hi @KiranDarbha,

(1) tried your example but without success:

$ export MQSERVER="DEV.ADMIN.SVRCONN/TCP/localhost(1414)"
$ export MQSAMP_USER_ID=admin
$ ./amqsputc DEV.QUEUE.1 QM1
Sample AMQSPUT0 start
Enter password: ********
MQCONNX ended with reason code 2012

(2) There aren't any customizations on the image. It's a 1:1 copy from Docker Hub. Did you try the Java example above? This example was working on the previous (9.1.4.0-r1) image. |
Since the MQExplorer (Java based) is able to connect to the qmgr using the credentials, I don't think the above Java program would fail!
the mq return code for amqsputc sample
You can log into https://labs.play-with-docker.com/
docker ps
|
On https://labs.play-with-docker.com/ it works:

[node1] (local) [email protected] ~
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
fc04bf2f6750 ibmcom/mq "runmqdevserver" 5 minutes ago Up 4 minutes 9157/tcp, 0.0.0.0:1414->1414/tcp, 9443/tcp great_engelbart
[node1] (local) [email protected] ~
$ docker exec -ti fc04bf2f6750 bash
bash-4.4$ cd /opt/mqm/samp/bin
bash-4.4$ export MQSERVER="DEV.ADMIN.SVRCONN/TCP/localhost(1414)"
bash-4.4$ export MQSAMP_USER_ID=admin
bash-4.4$ ./amqsputc DEV.QUEUE.1 QM1
Sample AMQSPUT0 start
Enter password: ********
target queue is DEV.QUEUE.1

but w/ Podman it fails:

$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3fe554a7ca5f docker.io/ibmcom/mq:9.1.5.0-r1 21 hours ago Up 21 hours ago 0.0.0.0:1414->1414/tcp mq-9.1.5.0-r1
$ podman exec -ti mq-9.1.5.0-r1 bash
bash-4.4$ cd /opt/mqm/samp/bin
bash-4.4$ export MQSERVER="DEV.ADMIN.SVRCONN/TCP/localhost(1414)"
bash-4.4$ export MQSAMP_USER_ID=admin
bash-4.4$ ./amqsputc DEV.QUEUE.1 QM1
Sample AMQSPUT0 start
Enter password: ********
MQCONNX ended with reason code 2035 |
(One of) the differences between the two images 9.1.4.0-r1 and 9.1.5.0-r1 is the user which runs/owns the process within the container:

9.1.4.0-r1:

bash-4.4$ id
uid=888(mqm) gid=888(mqm) groups=888(mqm),0(root)

9.1.5.0-r1:

uid=1001(1001) gid=0(root) groups=0(root)

Maybe Podman's and Docker's behavior is different at this point. But running the latest (9.1.5.0-r1) image w/ Podman, it isn't possible to log in to the queue manager with default credentials. |
I can reproduce this as well:

$ podman run -d -e LICENSE=accept -e MQ_ADMIN_PASSWORD=foobar -e MQ_QMGR_NAME=QM1 --name qm1 --volume qm1data:/mnt/mqm ibmcom/mq
8a58bb5f066a4a9ba132e4ef35823022c22927f5da1f2a2864283cb725ca3c0d
$ podman exec -e MQSERVER="DEV.ADMIN.SVRCONN/TCP/localhost(1414)" -e MQSAMP_USER_ID=admin -ti --privileged qm1 /opt/mqm/samp/bin/amqsputc DEV.QUEUE.1 QM1
Sample AMQSPUT0 start
Enter password: ******
MQCONNX ended with reason code 2035
Error: non zero exit code: 243: OCI runtime error

I also see the following in the container logs:

So there's something different going on with Podman. FYI @davidjmccann @LPowlett

FYI @agebhar1, the MQ 9.1.5 container image was changed to be able to support running as any user ID, and mostly removes the concept of an "mqm" user, so the result of |
@arthurbarr thanks for the update on the behavior of |
@arthurbarr the problem is also present on the 2nd release of 9.1.5.0 (9.1.5.0-r2), so I updated the title.

Podman:

bash-4.4$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
1001:x:1001:0:container user:/:/bin/sh
bash-4.4$ ps ux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
1001 1 0.2 0.0 1043864 16372 ? Ssl 09:26 0:00 runmqserver -nologruntime -dev
1001 80 0.0 0.0 1721148 46720 ? Ssl 09:26 0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u 1001
1001 110 0.0 0.0 843960 22744 ? Sl 09:26 0:00 /opt/mqm/bin/amqzfuma -m QM1
1001 116 0.0 0.0 197744 10856 ? Ssl 09:26 0:00 /opt/mqm/bin/amqzmgr0 -m QM1
1001 119 0.0 0.0 3048004 33392 ? Sl 09:26 0:00 /opt/mqm/bin/amqzmuc0 -m QM1
1001 161 0.0 0.0 1329112 14308 ? Sl 09:26 0:00 /opt/mqm/bin/amqzmur0 -m QM1
1001 177 0.0 0.0 1398784 25708 ? Sl 09:26 0:00 /opt/mqm/bin/amqzmuf0 -m QM1
1001 194 0.0 0.0 1011224 27464 ? Sl 09:26 0:00 /opt/mqm/bin/amqrrmfa -m QM1 -t2332800 -s2592000 -p2592000 -g5184000 -c3600
1001 222 0.0 0.0 1052088 26108 ? Sl 09:26 0:00 /opt/mqm/bin/amqfqpub -mQM1
1001 229 0.0 0.0 547648 12764 ? Sl 09:26 0:00 /opt/mqm/bin/runmqchi -m QM1 -q SYSTEM.CHANNEL.INITQ -r
1001 230 0.0 0.0 212984 12192 ? Sl 09:26 0:00 /opt/mqm/bin/amqpcsea QM1
1001 232 0.0 0.0 395104 10868 ? Sl 09:26 0:00 /opt/mqm/bin/runmqlsr -r -m QM1 -t TCP -p 1414
1001 234 0.0 0.0 1519180 25028 ? Sl 09:26 0:00 /opt/mqm/bin/amqzlaa0 -mQM1 -fip0
1001 276 0.0 0.0 1241232 25796 ? Ssl 09:26 0:00 /opt/mqm/bin/amqfcxba -m QM1
1001 363 3.6 0.2 5363580 184572 ? SLl 09:26 0:06 /opt/mqm/java/jre64/jre/bin/java -javaagent:/opt/mqm/web/bin/tools/ws-javaagent.jar -Djava.awt.headless=true -Djdk.attach.allowAttachSelf=true -XX:MaxPermSize=256m -Djdk.t
1001 490 0.0 0.0 12016 3300 pts/0 Ss 09:27 0:00 bash
1001 765 0.0 0.0 44592 3420 pts/0 R+ 09:29 0:00 ps ux

Docker:

The difference seems to be Podman:
Unfortunately the current sources for 9.1.5.0-r2 are not available of |
It also fails in 9.2.0.0-r1. I spent some more time and the difference which yields to the Podman:
Podman
Docker
Both containers started with
The environment variable for the mq user
Podman
Docker
There is something different while run
The source of
--
A workaround to run the image on Podman w/ default admin connection is to create a custom image:
whereas
|
Hi @LPowlett, did anybody have a chance to take a look at this issue? |
Was this ever resolved\explained? I'm getting a very similar issue with 9.2.0.3 and 9.2.0.4 builds (using docker) where the amqzxma0 process starts with '-u root' when MQ_USER_NAME=mqm is set. |
No, not yet. |
* Update gosec behaviour to fail if unable to install
* fixing gosec issues (#394)

Co-authored-by: KIRAN DARBHA <[email protected]>
After updating from Docker image 9.1.4.0-r1 to 9.1.5.0-r1, the default developer configuration:
admin
passw0rd
are not valid anymore. This simple connection fails on image 9.1.5.0-r1:
with
The server log contains:
Container for image 9.1.4.0-r1:
Container for image 9.1.5.0-r1:
diff of
10-dev.mqsc
(9.1.4.0-r1 vs. 9.1.5.0-r1)