10.3 SS hangs at startup and notes that required capabilities are not set properly

Document ID : KB000122846
Last Modified Date : 12/12/2018
Show Technical Document Details
Issue:
After installing 10.3.0 and starting the SpectroSERVER (./startSS.pl) it hangs during startup showing the following:

Version 10.3.0.000 
Failed to get capabilities of file `/app/local/spectrum/SS/SpectroSERVER' (Operation not supported) 
SPC-SHD-29021: 
************************************************************************** 
The following output is intended to facilitate debugging, please forward 
to CA technical support. The files listed are not part of the customer 
installation of SPECTRUM. 
************************************************************************** 

Dec 04 15:12:08 ERROR TRACE at VNM.cc(436): Required capabilities cap_net_raw and cap_net_bind_service are not set properly. 
Dec 04 15:12:08 ERROR TRACE at VNM.cc(437): If installed Spectrum as non-root,Please run the $SPECROOT/Install-Tools/CASpectrum_ProcessRegister.sh as root to properly set capabilities if not run earlier 
Dec 04 15:12:08 ERROR TRACE at VNM.cc(438): If replaced SpectroSERVER file, then once start SS using startSS.pl with install owner 



  After a bit of troubleshooting, it appears that the script is giving an error for these 3 setcap statements:

        /usr/sbin/setcap cap_net_raw,cap_net_bind_service+ep $SPECROOT/SS/SpectroSERVER
        /usr/sbin/setcap cap_setuid+ep $SPECROOT/bin/launchinstdbapp
        /usr/sbin/setcap cap_sys_ptrace+ep $SPECROOT/bin/gdb

When manually running the setcap commands from the $SPECROOT/Install-Tools/CASpectrum_ProcessRegister.sh they fail:

executing sysctl -e -q -p command
Failed to set capabilities on file `/app/local/spectrum/SS/SpectroSERVER' (Operation not supported)
usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]

Note <filename> must be a regular (non-symlink) file.
Failed to set capabilities on file `/app/local/spectrum/bin/launchinstdbapp' (Operation not supported)
usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]

Note <filename> must be a regular (non-symlink) file.
Failed to set capabilities on file `/app/local/spectrum/bin/gdb' (Operation not supported)
usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]

Note <filename> must be a regular (non-symlink) file.
 
Cause:
The problem is that Redhat Linux does not support adding capabilities on NFS mounts:

https://access.redhat.com/solutions/2117321 

In Spectrum 10.3 and above, the requirement to own the SpectroSERVER as root user has been removed and the SpectroSERVER process is now owned by the install owner
To allow the processd and the SpectroSERVER to be owned by non root user , additional capabilities need to be added that were provided by root ownership.
Resolution:
Reconfigure Spectrum so that you are not using an NFS mount or provide root ownership back to the processd and SpectroSERVER process:

1. Enable the setuid bit on SpectroServer executable and change the file ownership to root (as before 10.3) 
chown root:root_group SpectroSERVER 
chmod u+s SpectroSERVER 

note: here root_group is root user group name 

2. Stop processd. 
3. Edit /etc/init.d/processd file and change the username (USER=(username)) to root and save it. 
ie. USER=root 
c. Start processd as root user and run process listing verify it's running as root. 
d. Start the SpectroSERVER 


 
Additional Information:
When changing the ownership back to root user, you will see this message in the $SPECROOT/SS/VNM.OUT which you can ignore because the SpectroSERVER process is owned by root:

Failed to get capabilities of file `/app/local/spectrum/SS/SpectroSERVER' (Operation not supported)
unable to set CAP_SETFCAP effective capability: Operation not permitted