Overview:
NetBackup uses the /usr/openv/netbackup/logs directory tree not only for the recording of troubleshooting information, but also for progress updates to users and communication updates to other NetBackup applications. Restrictive permissions on these directories can not only disable the collection of troubleshooting data, but also prevent the application from functioning correctly.
Detail/Symptom(s):
Backup and restore operations will fail when permissions are too restrictive as shown by these log entries.
When the user of the Java GUI does not have permission to create a subdirectory within netbackup/user_ops.
Protocol Code: 101
Status: 35
Error Msg: cannot make required directory
Server Locale: C
TO[0]: doe
TO[1]: data1
TO[2]: C
TO[3]: XXXX
TO[4]: auth.conf
TO[5]: 600000 IPC
FROM[0]: cannot make required directory
Aux data: null
When a database extension does not have permissions to create a comm file for the server processes to update.
<16> openProgressFile: ERR - can't make directory path: : 13
<16> CreateNewImage: ERR - openProgressFile() failed
<16> VxBSACreateObject: ERR - Could not create new image with file /bk_10_1_616580548.
<16> xbsa_CreateObject: ERR - VxBSACreateObject: Failed with error:
Server Status: Communication with the server has not been initiated or the server status has not been retrieved from the server
When a database extension does not have permission to read updates from the comm file created by the server processes.
<16> openProgressFile: ERR - can't access path: <%s>: Permission denied (13)
or
<16> openProgressFile: ERR - failed to open comm file:<13>:
When a database extension does not have permissions to exchange application data between client side processes.
13:27:19 ERR - Lock file usr/openv/netbackup/logs/user_ops/dbext/logs/vxbsa.1204633605.14081.files.1.lock is unlocked. Abort backup.
or
13:26:43.205 [14081] <2> create_sap_file_list: Creating file list container /usr/openv/netbackup/logs/user_ops/sap/.filelist.1204633602.14081
13:26:43.205 [14081] <16> create_sap_file_list: ERROR: couldn't open file container path: /usr/openv/netbackup/logs/user_ops/sap/.filelist.1204633602.14081
Resolution:
The general recommendation is to make the /usr/openv/netbackup/logs/* directories and subdirectories readable and writeable by all users. However, if security requirements prohibit global read/write access, the permissions of specific directories can be restricted to a single group or user if all backup and restore operations related to that directory are initiated by processes that run as members of that group or as that user.
Most critical is the /usr/openv/netbackup/logs/user_ops directory and subdirectories. These must exist and be accessible for the applications to operate correctly. The following processes use files within this directory tree.
- Processes invoked by native database backup and restore utilities: Oracle rman, SAP brbackup, Informix onbar, Sybase isql, DB2 db2, SQL-Backtrack obackup, etc. These processes typically run as a specific database user, but there may be multiple instances on the host running as different users. In the case of SAP, there may be an SAP user and an Oracle user, and both may need access. Be aware that these backups are often invoked from scripts that switch the user before invoking the backup/restore utility, and the utility program files themselves may also be installed SetUID or SetGID. The effective user of the running process needs permission to create/write/read files.
- The NetBackup database extension wizards (e.g. bpdbsbora and bpdbsbdb2) which execute backup and restore templates. These are typically executed as the same user(s) as the database backups noted above.
- The NetBackup Java GUIs (e.g. jbpSA and jnbSA) when run by a user who has permission to submit client-side user-directed backup or restore operations. Please note that this includes the Lotus Notes administrator for client-side initiated restores.
- A snapshot of the most common users and groups that need access can be obtained by creating the directories with 777 and observing the files that get created therein over the next few days or weeks.
- If database extensions are not used and only the root user can initiate user-directed operations, then the permissions can be restricted to just the root user.
Restricting the permissions on the other directories located in /usr/openv/netbackup/logs will not impact operations but may hinder troubleshooting efforts when processes do not have the appropriate permissions to update the debug logs therein. These directories are optional and are temporarily needed only during troubleshooting:
- bpbkar logs are normally only written by 'root'. The process switches user only after it is active and the file descriptor for the log file is already open.
- tar logs are normally only written by 'root'; however, the Lotus Notes and other database extension users must also have privileges since the restore is invoked by that user.
- The dbclient directory must be writeable by the Oracle or Teradata user that is performing the backup or restore.
- The bpdbsbora directory must be writeable by the Oracle user that is performing the backup or restore.
- The bpdb2 and bpdbsbdb2 directories must be writeable by the DB2 user that is performing the backup or restore.
- The infxbsa directory must be writeable by the Informix user that is performing the backup or restore.
- The backint directory must be writeable by the SAP or Oracle user that is performing the backup or restore.
- The nb_obsi directory must be writeable by the SQL-Backtrack or Oracle or Sybase or Informix user that is performing the backup or restore.
- The sybackup directory must be writeable by the Sybase user that is performing the backup or restore.
- The bpbackup, bplist, and bprestore directories must be writeable by the database user or other users that either utilize those commands directly or utilize the comparable NetBackup Java GUI features to queue requests to the master server.
- The bpbrm, bpcd, bpfilter, bphdb, bprd, bpsched, bptm, and vnetd processes only execute as root and those directories do not require additional permissions.
Other NetBackup troubleshooting log directories may be needed occasionally. They should be created, temporarily, with the assistance of NetBackup technical support.
The access to the directories can be reviewed and changed using the following commands.
$ ls -l /usr/openv/logs
$ ls -lR /usr/openv/netbackup/logs
$ chmod
$ chgrp
$ chown
If recreating directories that were deleted, set the umask appropriately before creating the directory.
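
The audit below is an added example, not part of the original note or of NetBackup. It supports the resolution above by counting which owner:group pairs have written files under a logs subtree and listing the directories a chosen group could not create files in. The function names and the AUDIT_GROUP variable are hypothetical; the default path is the one named in this note.

```shell
#!/bin/sh
# Added example: audit a NetBackup logs subtree before tightening permissions.
# Function names and AUDIT_GROUP are hypothetical; the path comes from this note.
LOGS_ROOT=${LOGS_ROOT:-/usr/openv/netbackup/logs}

# Count existing files per owner:group, showing who has been writing here.
survey_owners() {
    find "$1" -type f -exec ls -ld {} + 2>/dev/null |
        awk '{ n[$3 ":" $4]++ } END { for (k in n) print n[k], k }' |
        sort -rn
}

# List directories in which members of group $2 could not create files:
# not world rwx, and not (group-owned by $2 with group rwx).
dirs_blocking_group() {
    find "$1" -type d ! -perm -0007 \
        \( ! -group "$2" -o ! -perm -0070 \) -print 2>/dev/null
}

# Combined report for one subtree and one candidate group.
audit_tree() {
    echo "Owners of existing files under $1:"
    survey_owners "$1"
    echo "Directories not usable by group $2:"
    dirs_blocking_group "$1" "$2"
}

# Runs only when a group is supplied, e.g. AUDIT_GROUP=dba sh audit.sh
if [ -n "${AUDIT_GROUP:-}" ]; then
    audit_tree "$LOGS_ROOT/user_ops" "$AUDIT_GROUP"
fi
```

The mode check covers group and world bits only; a user who owns a directory, or who reaches it through an ACL, is not evaluated.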