default admin connection fails w/ MQRC_NOT_AUTHORIZED on image 9.2.3.0-r1 w/ Podman #394

Open
agebhar1 opened this issue Apr 13, 2020 · 13 comments

@agebhar1

After the update from docker image 9.1.4.0-r1 to 9.1.5.0-r1, the default developer configuration:

  • User: admin
  • Password: passw0rd

is not valid anymore. This simple connection fails on image 9.1.5.0-r1:

import java.util.Locale;

import javax.jms.JMSException;

import com.ibm.mq.jms.MQConnectionFactory;
import com.ibm.msg.client.wmq.WMQConstants;

public class MqConnect {

	static {
		Locale.setDefault(Locale.US);
	}

	public static void main(String[] args) throws JMSException {

		final MQConnectionFactory cf = new MQConnectionFactory();
		cf.setStringProperty(WMQConstants.WMQ_QUEUE_MANAGER, "QM1");
		cf.setStringProperty(WMQConstants.WMQ_CONNECTION_NAME_LIST, "localhost(1414)");
		cf.setStringProperty(WMQConstants.WMQ_CHANNEL, "DEV.ADMIN.SVRCONN");
		cf.setIntProperty(WMQConstants.WMQ_CONNECTION_MODE, WMQConstants.WMQ_CM_CLIENT);
		cf.setStringProperty(WMQConstants.USERID, "admin");
		cf.setStringProperty(WMQConstants.PASSWORD, "passw0rd");
		cf.setBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP, false);
		cf.setIntProperty(WMQConstants.WMQ_CLIENT_RECONNECT_OPTIONS, WMQConstants.WMQ_CLIENT_RECONNECT);

		cf.createConnection();
	}
}

with

Exception in thread "main" com.ibm.msg.client.jms.DetailedJMSSecurityException: JMSWMQ2013: The security authentication was not valid that was supplied for queue manager 'QM1' with connection mode 'Client' and host name 'localhost(1414)'.
Please check if the supplied username and password are correct on the queue manager to which you are connecting.  For further information, review the queue manager error logs and the Securing IBM MQ topic within IBM Knowledge Center. 
	at com.ibm.msg.client.wmq.common.internal.Reason.reasonToException(Reason.java:531)
	at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:215)
	at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:448)
	at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createV7ProviderConnection(WMQConnectionFactory.java:8475)
	at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection(WMQConnectionFactory.java:7815)
	at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl._createConnection(JmsConnectionFactoryImpl.java:303)
	at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConnection(JmsConnectionFactoryImpl.java:236)
	at com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConnectionFactory.java:6005)
	at com.ibm.mq.jms.MQConnectionFactory.createConnection(MQConnectionFactory.java:6030)
	at com.github.agebhar1.MqConnect.main(MqConnect.java:28)
Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED').
	at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:203)
	... 8 more

The server log contains:

2020-04-13T15:02:21.633Z AMQ8077W: Entity 'admin' has insufficient authority to access object QM1 [qmgr].
2020-04-13T15:02:21.633Z AMQ9557E: Queue Manager User ID initialization failed for 'mqm'.

Container for image 9.1.4.0-r1:

$ podman exec -ti mq-9.1.4.0-r1 bash
bash-4.4$ ps ux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
mqm          1  1.6  0.0 970064 16728 ?        Ssl  14:33   0:00 runmqserver -nologruntime -dev
mqm        106  0.4  0.0 1146924 40800 ?       Ssl  14:33   0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u mqm
mqm        142  0.0  0.0 346836 17000 ?        Sl   14:33   0:00 /opt/mqm/bin/amqzfuma -m QM1
mqm        159  0.0  0.0 197668 10628 ?        Ssl  14:33   0:00 /opt/mqm/bin/amqzmgr0 -m QM1
mqm        185  0.1  0.0 2457992 21320 ?       Sl   14:33   0:00 /opt/mqm/bin/amqzmuc0 -m QM1
mqm        238  0.1  0.0 1330000 13964 ?       Sl   14:33   0:00 /opt/mqm/bin/amqzmur0 -m QM1
mqm        253  0.0  0.0 824748 18344 ?        Sl   14:33   0:00 /opt/mqm/bin/amqzmuf0 -m QM1
mqm        258  0.0  0.0 364308 21180 ?        Sl   14:33   0:00 /opt/mqm/bin/amqrrmfa -m QM1 -t2332800 -s2592000 -p2592000 -g5184000 -c3600
mqm        292  0.0  0.0 549468 13028 ?        Sl   14:33   0:00 /opt/mqm/bin/runmqchi -m QM1 -q SYSTEM.CHANNEL.INITQ -r
mqm        293  0.0  0.0 478612 19420 ?        Sl   14:33   0:00 /opt/mqm/bin/amqfqpub -mQM1
mqm        294  0.0  0.0 214792 11272 ?        Sl   14:33   0:00 /opt/mqm/bin/amqpcsea QM1
mqm        297  0.0  0.0 394868 10736 ?        Sl   14:33   0:00 /opt/mqm/bin/runmqlsr -r -m QM1 -t TCP -p 1414
mqm        300  0.0  0.0 1016772 17464 ?       Sl   14:33   0:00 /opt/mqm/bin/amqzlaa0 -mQM1 -fip0
mqm        323  0.0  0.0 741616 19048 ?        Ssl  14:33   0:00 /opt/mqm/bin/amqfcxba -m QM1
mqm        425 35.4  0.2 5359544 192268 ?      SLl  14:33   0:03 /opt/mqm/java/jre64/jre/bin/java -javaagent:/opt/mqm/web/bin/tools/ws-javaagent.jar -Djava.awt.headless=true -Djdk.attach.allowAttachSelf=true -XX:MaxPermSize=256m -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls
mqm        535  3.0  0.0  12016  3292 pts/0    Ss   14:33   0:00 bash
mqm        541  0.0  0.0  43952  3368 pts/0    R+   14:33   0:00 ps ux
bash-4.4$ id
uid=888(mqm) gid=888(mqm) groups=888(mqm),0(root)

Container for image 9.1.5.0-r1:

$ podman exec -ti mq-9.1.5.0-r1 bash
bash-4.4$ ps ux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
1001         1  1.4  0.0 1043792 17152 ?       Ssl  14:51   0:00 runmqserver -nologruntime -dev
1001        76  0.2  0.0 1643248 46608 ?       Ssl  14:51   0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u 1001
1001       106  0.0  0.0 916016 23556 ?        Sl   14:51   0:00 /opt/mqm/bin/amqzfuma -m QM1
1001       115  0.0  0.0 197744 10944 ?        Ssl  14:51   0:00 /opt/mqm/bin/amqzmgr0 -m QM1
1001       118  0.0  0.0 2953456 27700 ?       Sl   14:51   0:00 /opt/mqm/bin/amqzmuc0 -m QM1
1001       159  0.0  0.0 1327528 14040 ?       Sl   14:51   0:00 /opt/mqm/bin/amqzmur0 -m QM1
1001       174  0.0  0.0 1394092 23856 ?       Sl   14:51   0:00 /opt/mqm/bin/amqzmuf0 -m QM1
1001       194  0.0  0.0 859884 27924 ?        Sl   14:51   0:00 /opt/mqm/bin/amqrrmfa -m QM1 -t2332800 -s2592000 -p2592000 -g5184000 -c3600
1001       221  0.0  0.0 547648 13372 ?        Sl   14:51   0:00 /opt/mqm/bin/runmqchi -m QM1 -q SYSTEM.CHANNEL.INITQ -r
1001       223  0.0  0.0 212984 11204 ?        Sl   14:51   0:00 /opt/mqm/bin/amqpcsea QM1
1001       225  0.0  0.0 395104 10744 ?        Sl   14:51   0:00 /opt/mqm/bin/runmqlsr -r -m QM1 -t TCP -p 1414
1001       226  0.0  0.0 1047916 25948 ?       Sl   14:51   0:00 /opt/mqm/bin/amqfqpub -mQM1
1001       229  0.0  0.0 1589380 24508 ?       Sl   14:51   0:00 /opt/mqm/bin/amqzlaa0 -mQM1 -fip0
1001       263  0.0  0.0 1310792 26096 ?       Ssl  14:51   0:00 /opt/mqm/bin/amqfcxba -m QM1
1001       362 22.8  0.2 5376888 170256 ?      SLl  14:51   0:03 /opt/mqm/java/jre64/jre/bin/java -javaagent:/opt/mqm/web/bin/tools/ws-javaagent.jar -Djava.awt.headless=true -Djdk.attach.allowAttachSelf=true -XX:MaxPermSize=256m -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls
1001       481  1.8  0.0  12020  3192 pts/0    Ss   14:51   0:00 bash
1001       487  0.0  0.0  43956  3388 pts/0    R+   14:51   0:00 ps ux
bash-4.4$ id
uid=1001(1001) gid=0(root) groups=0(root)

diff of 10-dev.mqsc (9.1.4.0-r1 vs. 9.1.5.0-r1)

--- 10-dev.mqsc~9.1.4.0-r1      2020-04-13 16:27:11.331068491 +0200
+++ 10-dev.mqsc~9.1.5.0-r1      2020-04-13 16:26:21.902267288 +0200
@@ -40,8 +40,9 @@
 SET CHLAUTH('DEV.APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT(ASQMGR) DESCR('Allows connection via APP channel') ACTION(REPLACE)
 SET CHLAUTH('DEV.ADMIN.SVRCONN') TYPE(BLOCKUSER) USERLIST('nobody') DESCR('Allows admins on ADMIN channel') ACTION(REPLACE)
 SET CHLAUTH('DEV.ADMIN.SVRCONN') TYPE(USERMAP) CLNTUSER('admin') USERSRC(CHANNEL) DESCR('Allows admin user to connect via ADMIN channel') ACTION(REPLACE)
+SET CHLAUTH('DEV.ADMIN.SVRCONN') TYPE(USERMAP) CLNTUSER('admin') USERSRC(MAP) MCAUSER ('mqm') DESCR ('Allow admin as MQ-admin') ACTION(REPLACE)
 
 * Developer authority records
-SET AUTHREC GROUP('mqclient') OBJTYPE(QMGR) AUTHADD(CONNECT,INQ)
-SET AUTHREC PROFILE('DEV.**') GROUP('mqclient') OBJTYPE(QUEUE) AUTHADD(BROWSE,GET,INQ,PUT)
-SET AUTHREC PROFILE('DEV.**') GROUP('mqclient') OBJTYPE(TOPIC) AUTHADD(PUB,SUB)
+SET AUTHREC PRINCIPAL('app') OBJTYPE(QMGR) AUTHADD(CONNECT,INQ)
+SET AUTHREC PROFILE('DEV.**') PRINCIPAL('app') OBJTYPE(QUEUE) AUTHADD(BROWSE,GET,INQ,PUT)
+SET AUTHREC PROFILE('DEV.**') PRINCIPAL('app') OBJTYPE(TOPIC) AUTHADD(PUB,SUB)
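Review bot: the added USERMAP rule `SET CHLAUTH('DEV.ADMIN.SVRCONN') TYPE(USERMAP) CLNTUSER('admin') USERSRC(MAP) MCAUSER ('mqm') ... ACTION(REPLACE)` targets the same channel and client user as the USERSRC(CHANNEL) rule kept directly above it, so with ACTION(REPLACE) the earlier rule is overwritten and now serves no purpose; either drop it or document why both are present. The bigger concern is that the new rule hard-codes 'mqm' as the identity every admin connection is mapped to, which only works while 'mqm' is the user the queue manager itself runs as; since the file is rendered from a template, consider filling the MCAUSER value from the queue manager's actual run-as user instead of a literal. The switch from GROUP('mqclient') to PRINCIPAL('app') in the authority records is also undocumented in the hunk; a comment line explaining why group-based records were dropped would help a reviewer verify the intent.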
@KiranDarbha
Contributor

I just gave a quick try with

  • ibm-mqadvanced-server-dev:9.1.5.0-r1-amd64 (from the entitled registry) and
  • ibmcom/mq:latest

and both work for the admin user.

  1. Could you try the example below and see if that works for you?
  2. Were there any customizations made by you on top of the dev image?

example:

C:\Users\KIRANDARBHA>docker run --env LICENSE=accept --env MQ_QMGR_NAME=QM1 --publish 1414:1414 --detach ibmcom/mq:latest

C:\Users\KIRANDARBHA>set MQSERVER=DEV.ADMIN.SVRCONN/TCP/localhost(1414)
C:\Users\KIRANDARBHA>set MQSAMP_USER_ID=admin
C:\Users\KIRANDARBHA>amqsputc DEV.QUEUE.1 QM1
Sample AMQSPUT0 start
Enter password: ********
target queue is DEV.QUEUE.1
hello

Sample AMQSPUT0 end
C:\Users\KIRANDARBHA>

@KiranDarbha
Contributor

I tried with MQExplorer, connecting to remote qmgr using admin user and that worked too.

@agebhar1
Author

Hi @KiranDarbha,

(1) tried your example but without success:

$ export MQSERVER="DEV.ADMIN.SVRCONN/TCP/localhost(1414)"
$ export MQSAMP_USER_ID=admin
$ ./amqsputc DEV.QUEUE.1 QM1
Sample AMQSPUT0 start
Enter password: ********
MQCONNX ended with reason code 2012

(2) There aren't any customizations on the image. It's a 1:1 copy from Docker Hub.

Did you try the Java example above? This example was working on the previous (9.1.4.0-r1) image.

@KiranDarbha
Contributor

KiranDarbha commented Apr 14, 2020

Since MQExplorer (Java based) is able to connect to the qmgr using the credentials, I don't think the above Java program would fail!

The MQ return code 2012 from the amqsputc sample refers to MQ_ENVIRONMENT_ERROR.
More details on the error:
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.5.0/com.ibm.mq.tro.doc/q040860_.htm
Not sure if that's something in your env. Maybe, to narrow it down, we can give this a try on the Docker playground, which is a fresh box, and see if that reproduces the same error for you.

You can log in to https://labs.play-with-docker.com/
and follow the instructions below:

docker run --env LICENSE=accept --env MQ_QMGR_NAME=QM1 --publish 1414:1414 --detach ibmcom/mq
docker ps
docker exec -ti <pod-id> bash
cd /opt/mqm/samp/bin
export MQSERVER="DEV.ADMIN.SVRCONN/TCP/localhost(1414)"
export MQSAMP_USER_ID=admin
./amqsputc DEV.QUEUE.1 QM1

Here's the output I receive when I try this on the Docker playground:

docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2305640f0835 ibmcom/mq:latest "runmqdevserver" 5 seconds ago Up 3 seconds 9157/tcp, 0.0.0.0:1414->1414/tcp, 9443/tcp optimistic_chatelet
[node1] (local) [email protected] ~
$ docker exec -ti 2305640f0835 bash
bash-4.4$ cd /opt/mqm/samp/bin
bash-4.4$ export MQSERVER=DEV.ADMIN.SVRCONN/TCP/localhost(1414)
bash: syntax error near unexpected token `('
bash-4.4$ export MQSERVER="DEV.ADMIN.SVRCONN/TCP/localhost(1414)"
bash-4.4$ export MQSAMP_USER_ID=admin
bash-4.4$ ./amqsputc DEV.QUEUE.1 QM1
Sample AMQSPUT0 start
Enter password: ********
target queue is DEV.QUEUE.1
hello

@agebhar1
Author

On https://labs.play-with-docker.com/ it works:

[node1] (local) [email protected] ~
$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                                        NAMES
fc04bf2f6750        ibmcom/mq           "runmqdevserver"    5 minutes ago       Up 4 minutes        9157/tcp, 0.0.0.0:1414->1414/tcp, 9443/tcp   great_engelbart
[node1] (local) [email protected] ~
$ docker exec -ti fc04bf2f6750 bash
bash-4.4$ cd /opt/mqm/samp/bin
bash-4.4$ export MQSERVER="DEV.ADMIN.SVRCONN/TCP/localhost(1414)"
bash-4.4$ export MQSAMP_USER_ID=admin
bash-4.4$ ./amqsputc DEV.QUEUE.1 QM1
Sample AMQSPUT0 start
Enter password: ********
target queue is DEV.QUEUE.1

but with Podman it fails:

$ podman ps
CONTAINER ID  IMAGE                           COMMAND  CREATED       STATUS           PORTS                   NAMES
3fe554a7ca5f  docker.io/ibmcom/mq:9.1.5.0-r1           21 hours ago  Up 21 hours ago  0.0.0.0:1414->1414/tcp  mq-9.1.5.0-r1
$ podman exec -ti mq-9.1.5.0-r1 bash
bash-4.4$ cd /opt/mqm/samp/bin
bash-4.4$ export MQSERVER="DEV.ADMIN.SVRCONN/TCP/localhost(1414)"
bash-4.4$ export MQSAMP_USER_ID=admin
bash-4.4$ ./amqsputc DEV.QUEUE.1 QM1
Sample AMQSPUT0 start
Enter password: ********
MQCONNX ended with reason code 2035

@agebhar1 agebhar1 changed the title default admin connection fails w/ MQRC_NOT_AUTHORIZED on (docker) image 9.1.5.0-r1 default admin connection fails w/ MQRC_NOT_AUTHORIZED on image 9.1.5.0-r1 w/ Podman Apr 14, 2020
@agebhar1
Author

(One of) the differences between the two images 9.1.4.0-r1 and 9.1.5.0-r1 is the user which runs/owns the processes within the container:

9.1.4.0-r1:

bash-4.4$ id
uid=888(mqm) gid=888(mqm) groups=888(mqm),0(root)

9.1.5.0-r1:

uid=1001(1001) gid=0(root) groups=0(root)

Maybe Podman's and Docker's behavior differs at this point. But running the latest (9.1.5.0-r1) image with Podman, it isn't possible to log in to the queue manager with the default credentials.

@arthurbarr
Contributor

arthurbarr commented Apr 14, 2020

I can reproduce this as well:

$ podman run -d -e LICENSE=accept -e MQ_ADMIN_PASSWORD=foobar -e MQ_QMGR_NAME=QM1 --name qm1 --volume qm1data:/mnt/mqm ibmcom/mq
8a58bb5f066a4a9ba132e4ef35823022c22927f5da1f2a2864283cb725ca3c0d
$ podman exec -e MQSERVER="DEV.ADMIN.SVRCONN/TCP/localhost(1414)" -e MQSAMP_USER_ID=admin -ti --privileged qm1 /opt/mqm/samp/bin/amqsputc DEV.QUEUE.1 QM1
Sample AMQSPUT0 start
Enter password: ******
MQCONNX ended with reason code 2035
Error: non zero exit code: 243: OCI runtime error

I also see the following in the container logs:

2020-04-14T12:51:02.519Z CPU architecture: amd64
2020-04-14T12:51:02.519Z Linux kernel version: 4.18.0-147.5.1.el8_1.x86_64
2020-04-14T12:51:02.520Z Base image: Red Hat Enterprise Linux 8.1 (Ootpa)
2020-04-14T12:51:02.520Z Running as user ID 1001 with primary group 0
2020-04-14T12:51:02.520Z Capabilities (bounding set): chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap
2020-04-14T12:51:02.520Z seccomp enforcing mode: filtering
2020-04-14T12:51:02.520Z Process security attributes: none
2020-04-14T12:51:02.520Z Detected 'xfs' volume mounted to /mnt/mqm
2020-04-14T12:51:02.623Z Using queue manager name: QM1
2020-04-14T12:51:02.632Z Created directory structure under /var/mqm
2020-04-14T12:51:02.632Z Image created: 2020-03-31T06:57:13+00:00
2020-04-14T12:51:02.632Z Image tag: ibm-mqadvanced-server-dev:9.1.5.0-r1-amd64
2020-04-14T12:51:02.650Z MQ version: 9.1.5.0
2020-04-14T12:51:02.650Z MQ level: p915-ifix-L200325.DE
2020-04-14T12:51:02.650Z MQ license: Developer
...
2020-04-14T12:51:14.595Z AMQ8077W: Entity 'mqm' has insufficient authority to access object QM1 [qmgr].
2020-04-14T12:51:14.595Z AMQ9557E: Queue Manager User ID initialization failed for 'mqm'.

So there's something different going on with Podman. FYI @davidjmccann @LPowlett

FYI @agebhar1, the MQ 9.1.5 container image was changed to be able to support running as any user ID, and mostly removes the concept of an "mqm" user, so the result of id is expected.

@agebhar1
Author

@arthurbarr thanks for the update on the behavior of id.

@agebhar1
Author

agebhar1 commented Jun 28, 2020

@arthurbarr the problem is also present in the 2nd release of 9.1.5.0 (9.1.5.0-r2), so I updated the title.

Podman:

bash-4.4$ cat /etc/passwd 
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
1001:x:1001:0:container user:/:/bin/sh
bash-4.4$ ps ux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
1001           1  0.2  0.0 1043864 16372 ?       Ssl  09:26   0:00 runmqserver -nologruntime -dev
1001          80  0.0  0.0 1721148 46720 ?       Ssl  09:26   0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u 1001
1001         110  0.0  0.0 843960 22744 ?        Sl   09:26   0:00 /opt/mqm/bin/amqzfuma -m QM1
1001         116  0.0  0.0 197744 10856 ?        Ssl  09:26   0:00 /opt/mqm/bin/amqzmgr0 -m QM1
1001         119  0.0  0.0 3048004 33392 ?       Sl   09:26   0:00 /opt/mqm/bin/amqzmuc0 -m QM1
1001         161  0.0  0.0 1329112 14308 ?       Sl   09:26   0:00 /opt/mqm/bin/amqzmur0 -m QM1
1001         177  0.0  0.0 1398784 25708 ?       Sl   09:26   0:00 /opt/mqm/bin/amqzmuf0 -m QM1
1001         194  0.0  0.0 1011224 27464 ?       Sl   09:26   0:00 /opt/mqm/bin/amqrrmfa -m QM1 -t2332800 -s2592000 -p2592000 -g5184000 -c3600
1001         222  0.0  0.0 1052088 26108 ?       Sl   09:26   0:00 /opt/mqm/bin/amqfqpub -mQM1
1001         229  0.0  0.0 547648 12764 ?        Sl   09:26   0:00 /opt/mqm/bin/runmqchi -m QM1 -q SYSTEM.CHANNEL.INITQ -r
1001         230  0.0  0.0 212984 12192 ?        Sl   09:26   0:00 /opt/mqm/bin/amqpcsea QM1
1001         232  0.0  0.0 395104 10868 ?        Sl   09:26   0:00 /opt/mqm/bin/runmqlsr -r -m QM1 -t TCP -p 1414
1001         234  0.0  0.0 1519180 25028 ?       Sl   09:26   0:00 /opt/mqm/bin/amqzlaa0 -mQM1 -fip0
1001         276  0.0  0.0 1241232 25796 ?       Ssl  09:26   0:00 /opt/mqm/bin/amqfcxba -m QM1
1001         363  3.6  0.2 5363580 184572 ?      SLl  09:26   0:06 /opt/mqm/java/jre64/jre/bin/java -javaagent:/opt/mqm/web/bin/tools/ws-javaagent.jar -Djava.awt.headless=true -Djdk.attach.allowAttachSelf=true -XX:MaxPermSize=256m -Djdk.t
1001         490  0.0  0.0  12016  3300 pts/0    Ss   09:27   0:00 bash
1001         765  0.0  0.0  44592  3420 pts/0    R+   09:29   0:00 ps ux

Docker:

bash-4.4$ cat /etc/passwd 
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
bash-4.4$ ps ux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
1001           1  0.1  0.4 838800 18232 ?        Ssl  09:15   0:01 runmqserver -nologruntime -dev
1001          73  0.0  1.0 1360616 43044 ?       Ssl  09:15   0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u mqm
1001         108  0.0  0.6 813560 24708 ?        Sl   09:15   0:00 /opt/mqm/bin/amqzfuma -m QM1
1001         114  0.0  0.2 214400 11936 ?        Ssl  09:15   0:00 /opt/mqm/bin/amqzmgr0 -m QM1
1001         117  0.0  0.8 1357492 35824 ?       Sl   09:15   0:00 /opt/mqm/bin/amqzmuc0 -m QM1
1001         133  0.0  0.3 1167664 14908 ?       Sl   09:15   0:00 /opt/mqm/bin/amqzmur0 -m QM1
1001         159  0.0  0.6 1349284 24944 ?       Sl   09:15   0:00 /opt/mqm/bin/amqzmuf0 -m QM1
1001         175  0.0  0.7 888808 28592 ?        Sl   09:15   0:00 /opt/mqm/bin/amqrrmfa -m QM1 -t2332800 -s2592000 -p2592000 -g5184000 -c3600
1001         200  0.0  0.3 528264 14148 ?        Sl   09:15   0:00 /opt/mqm/bin/runmqchi -m QM1 -q SYSTEM.CHANNEL.INITQ -r
1001         203  0.0  0.3 193600 13624 ?        Sl   09:15   0:00 /opt/mqm/bin/amqpcsea QM1
1001         204  0.0  0.3 543356 12416 ?        Sl   09:15   0:00 /opt/mqm/bin/runmqlsr -r -m QM1 -t TCP -p 1414
1001         210  0.0  0.6 1338716 25704 ?       Sl   09:15   0:00 /opt/mqm/bin/amqzlaa0 -mQM1 -fip0
1001         220  0.0  0.6 1019232 27048 ?       Sl   09:15   0:00 /opt/mqm/bin/amqfqpub -mQM1
1001         257  0.0  0.6 1282112 26848 ?       Ssl  09:15   0:00 /opt/mqm/bin/amqfcxba -m QM1
1001         337  1.3  3.8 2139300 155400 ?      SLl  09:15   0:19 /opt/mqm/java/jre64/jre/bin/java -javaagent:/opt/mqm/web/bin/tools/ws-javaagent.jar -Djava.awt.headless=true -Djdk.attach.allowAttachSelf=true -XX:MaxPermSize=256m -Djdk.tl
1001         482  0.0  0.1  35064  4384 pts/0    Ss+  09:19   0:00 bash
1001         527  0.0  0.1  35064  4464 pts/1    Ss   09:19   0:00 bash
1001         629  0.0  0.4 363368 16388 ?        Ssl  09:25   0:00 /opt/mqm/bin/amqrmppa -m QM1
1001         955  0.0  0.0  47504  3612 pts/1    R+   09:40   0:00 ps ux

The difference seems to be runmqserver's invocation of amqzxma0:

Podman: /opt/mqm/bin/amqzxma0 -m QM1 -x -u 1001 -- user exists in /etc/passwd
Docker: /opt/mqm/bin/amqzxma0 -m QM1 -x -u mqm -- user does not exist in /etc/passwd

Unfortunately the current sources of runmqserver for 9.1.5.0-r2 are not available, so it isn't possible to see why there is a difference.

@agebhar1 agebhar1 changed the title default admin connection fails w/ MQRC_NOT_AUTHORIZED on image 9.1.5.0-r1 w/ Podman default admin connection fails w/ MQRC_NOT_AUTHORIZED on image 9.1.5.0-r2 w/ Podman Jun 28, 2020
@agebhar1 agebhar1 changed the title default admin connection fails w/ MQRC_NOT_AUTHORIZED on image 9.1.5.0-r2 w/ Podman default admin connection fails w/ MQRC_NOT_AUTHORIZED on image 9.2.0.0-r1 w/ Podman Aug 8, 2020
@agebhar1
Author

agebhar1 commented Aug 8, 2020

It also fails in 9.2.0.0-r1. I spent some more time on it, and the difference which leads to the MQRC_NOT_AUTHORIZED error for admin is the wrong user id on amqzxma0 (mqm vs. 1001):

Podman: /opt/mqm/bin/amqzxma0 -m QM1 -x -u 1001
Docker: /opt/mqm/bin/amqzxma0 -m QM1 -x -u mqm

runmqserver starts the queue manager (strmqm) process with the queue manager name. The queue manager process strmqm itself starts the execution controller amqzxma0 as one of its first jobs. When amqzxma0 is executed, the user argument differs between Podman and Docker, which can be seen in an strace excerpt:

Podman

618   17:31:12.899655 execve("/opt/mqm/bin/amqzxma0", ["/opt/mqm/bin/amqzxma0", "-m", "QM1", "-x", "-u", "1001"], ["LD_LIBRARY_PATH=/opt/mqm/lib64", "MQS_PERMIT_UNKNOWN_ID=true", "LANG=en_US.UTF-8", "HOSTNAME=", "AMQ_DIAGNOSTIC_MSG_SEVERITY=1", "AMQ_ADDITIONAL_JSON_LOG=1", "container=podman", "PWD=/", "HOME=/", "MQ_OVERRIDE_DATA_PATH=/mnt/mqm/d"..., "MQ_CONNAUTH_USE_HTP=true", "MQ_GENERATE_CERTIFICATE_HOSTNAME"..., "MQ_DEV=true", "TERM=xterm", "SHLVL=1", "LICENSE=accept", "MQ_QMGR_NAME=QM1", "MQ_USER_NAME=mqm", "MQ_GRACE_PERIOD=30", "PATH=/usr/local/sbin:/usr/local/"..., "MQ_ENABLE_EMBEDDED_WEB_SERVER=1", "LOG_FORMAT=basic", "MQ_OVERRIDE_INSTALLATION_NAME=In"..., "_=/usr/bin/strace"] <unfinished ...>

Docker

704   17:50:10.312635 execve("/opt/mqm/bin/amqzxma0", ["/opt/mqm/bin/amqzxma0", "-m", "QM1", "-x", "-u", "mqm"], 0x7ffe4414db48 /* 24 vars */ <unfinished ...>

Both containers were started with --privileged to enable tracing with strace. strace was copied into the container from registry.redhat.io/rhel8/support-tools.

The environment variable for the mq user MQ_USER_NAME is ignored on Podman:

Podman

$ podman run --env LICENSE=accept --env MQ_QMGR_NAME=QM1 --env MQ_USER_NAME=ibm --publish 1414:1414 --publish 9443:9443 --detach --name mq_9.2.0.0-r1 docker.io/ibmcom/mq:9.2.0.0-r1
$ podman exec -ti mq_9.2.0.0-r1 bash
bash-4.4$ echo $MQ_USER_NAME 
ibm
bash-4.4$ ps ux | grep amqzxma0 
1001         248  0.0  0.0 1716364 46356 ?       Ssl  07:55   0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u 1001
1001        1706  0.0  0.0   9176  1084 pts/0    S+   08:07   0:00 grep amqzxma0

Docker

$ docker run --env LICENSE=accept --env MQ_QMGR_NAME=QM1 --env MQ_USER_NAME=ibm --publish 1414:1414 --publish 9443:9443 --detach --name mq_9.2.0.0-r1 docker.io/ibmcom/mq:9.2.0.0-r1
$ docker exec -ti mq_9.2.0.0-r1 bash
bash-4.4$ echo $MQ_USER_NAME 
ibm
bash-4.4$ ps ux | grep amqzxma0 
1001         214  0.0  1.0 1359896 42632 ?       Ssl  07:56   0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u ibm
1001         733  0.0  0.0   9176   956 pts/0    S+   08:09   0:00 grep amqzxma0

Something differs between Podman and Docker in how strmqm determines the MQ user name from the environment when starting amqzxma0.

The source of strmqm is not available, so you (IBM @arthurbarr @LPowlett) might have a look.

--

A workaround to run the image on Podman with the default admin connection is to create a custom image:

FROM ibmcom/mq
USER 1001
COPY 10-dev.mqsc.tpl /etc/mqm/10-dev.mqsc.tpl

where 10-dev.mqsc.tpl is generated by

sed -e "s/MCAUSER ('mqm')/MCAUSER ('1001')/g" incubating/mqadvanced-server-dev/10-dev.mqsc.tpl > 10-dev.mqsc.tpl 
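The diagnosis and workaround described in this comment, as an added POSIX sh script that is not part of the mq-container project: it reads the `-u` user that strmqm passed to amqzxma0 out of `ps ux` output, compares it with the MCAUSER that the DEV.ADMIN.SVRCONN USERMAP rule in 10-dev.mqsc maps the `admin` client user to, and applies the same sed rewrite when they differ. The `ps`, `/etc/passwd` and MQSC samples are constructed from the excerpts on this page.

```shell
#!/bin/sh
# Added diagnostic (not from the mq-container project): the user that strmqm hands to
# the execution controller (amqzxma0 -u ...) must be the identity that 10-dev.mqsc maps
# the 'admin' client user to, otherwise admin connections fail with MQRC_NOT_AUTHORIZED.

# Value following "-u" on the amqzxma0 command line, taken from `ps ux` output ($1).
exec_controller_user() {
  printf '%s\n' "$1" | awk '/bin\/amqzxma0/ {
    for (i = 1; i < NF; i++) if ($i == "-u") { print $(i + 1); exit }
  }'
}

# MCAUSER of the USERMAP rule for channel $2 / client user $3 in MQSC text $1.
# The last matching rule wins, as ACTION(REPLACE) does on the queue manager.
mcauser_for() {
  printf '%s\n' "$1" | grep -F "CHLAUTH('$2')" | grep -F 'TYPE(USERMAP)' \
    | grep -F "CLNTUSER('$3')" | sed -n "s/.*MCAUSER *('\([^']*\)').*/\1/p" | tail -n 1
}

# Whether user $2 has an entry in passwd text $1 (informational only: with the
# container's MQS_PERMIT_UNKNOWN_ID=true the queue manager user need not exist).
passwd_has_user() {
  printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { f = 1 } END { exit f ? 0 : 1 }'
}

# 0 when admin maps onto the queue manager user, 1 otherwise. $1 ps, $2 passwd, $3 mqsc.
diagnose() {
  runas=$(exec_controller_user "$1")
  mapped=$(mcauser_for "$3" DEV.ADMIN.SVRCONN admin)
  if [ -n "$runas" ] && [ "$runas" = "$mapped" ]; then
    echo "ok: admin on DEV.ADMIN.SVRCONN maps to '$mapped', the queue manager user"
    return 0
  fi
  if passwd_has_user "$2" "$mapped"; then known=present; else known=absent; fi
  echo "mismatch: queue manager runs as '$runas' but admin maps to '$mapped' ($known in /etc/passwd)"
  return 1
}

# The workaround from this issue: rewrite MCAUSER ('$2') to MCAUSER ('$3') in MQSC text $1.
fix_mqsc() {
  printf '%s\n' "$1" | sed "s/MCAUSER ('$2')/MCAUSER ('$3')/g"
}

# Constructed samples, shortened from the ps, /etc/passwd and 10-dev.mqsc excerpts above.
PS_PODMAN='1001 80 0.0 0.0 1721148 46720 ? Ssl 09:26 0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u 1001'
PS_DOCKER='1001 73 0.0 1.0 1360616 43044 ? Ssl 09:15 0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u mqm'
PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
1001:x:1001:0:container user:/:/bin/sh'
MQSC="SET CHLAUTH('DEV.ADMIN.SVRCONN') TYPE(USERMAP) CLNTUSER('admin') USERSRC(CHANNEL) DESCR('Allows admin user to connect via ADMIN channel') ACTION(REPLACE)
SET CHLAUTH('DEV.ADMIN.SVRCONN') TYPE(USERMAP) CLNTUSER('admin') USERSRC(MAP) MCAUSER ('mqm') DESCR ('Allow admin as MQ-admin') ACTION(REPLACE)"

diagnose "$PS_PODMAN" "$PASSWD" "$MQSC"   # Podman: runs as 1001, admin mapped to mqm
diagnose "$PS_DOCKER" "$PASSWD" "$MQSC"   # Docker: runs as mqm, mapping matches
FIXED=$(fix_mqsc "$MQSC" mqm 1001)
diagnose "$PS_PODMAN" "$PASSWD" "$FIXED"  # Podman after the sed workaround
```

Run it inside a container by replacing the constructed samples with `$(ps ux)`, `$(cat /etc/passwd)` and `$(cat /etc/mqm/10-dev.mqsc)`.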

@agebhar1 agebhar1 changed the title default admin connection fails w/ MQRC_NOT_AUTHORIZED on image 9.2.0.0-r1 w/ Podman default admin connection fails w/ MQRC_NOT_AUTHORIZED on image 9.2.3.0-r1 w/ Podman Aug 7, 2021
@agebhar1
Author

agebhar1 commented Aug 7, 2021

Hi @LPowlett, did anybody have a chance to take a look at this issue?

@bony-cas

bony-cas commented Feb 4, 2022

Was this ever resolved/explained? I'm getting a very similar issue with the 9.2.0.3 and 9.2.0.4 builds (using Docker), where the amqzxma0 process starts with '-u root' when MQ_USER_NAME=mqm is set.

@agebhar1
Author

agebhar1 commented Feb 5, 2022

No, not yet.

mirskifa pushed a commit that referenced this issue Feb 16, 2023
* Update gosec behaviour to fail if unable to install

* fixing gosec issues (#394)

Co-authored-by: KIRAN DARBHA <[email protected]>