EZproxy with SRC in AIX

From EZProxyWiki

This document about System Resource Controller (SRC) was made as a result of my own trial-and-error. The results have not yet been fully analyzed, and as such cannot be regarded as conclusive evidence that srcmstr will run EZproxy effectively on your RS6K. It certainly looks that way though. Feel free to share your experiences with me if you feel that they would be a good addition to this howto. -CTG

How to

Define a restricted access user and group

Define a restricted access user and group to assign daemon and SRC rights to the ezproxy subsystem (to be created in the next step). [NOTE: The EZproxy directions suggest that you assign EZproxy ownership to "nobody", but in this case SRC will not recognize the "nobody" UID of 4294967294, hence the creation of another restricted user. I chose to give this user a UID of 9999. Adjust the UID if you already have a user with UID 9999.]

# mkgroup -A nobody2
# mkuser id='9999' pgrp='nobody2' home='/usr/local/proxy' \
    shell='/bin/noshell' gecos='Proxy Dummy' login='false' rlogin='false' \
    nobody2

Define the "ezproxy" subsystem and the "proxy" group used by SRC

# mkssys -s ezproxy -p /usr/local/proxy/ezproxy -u 9999 \
    -o /usr/local/proxy/proxy.iolog -S -n 15 -f 9 -G proxy
0513-071 The ezproxy Subsystem has been added.
  • -p explicit path of the executable (/usr/local/proxy/ezproxy)
  • -u UID of subsystem owner
  • -o explicit path of the file that stdout will be redirected to
  • -S Communication method: Signals
  • -f Signal to use on forced shutdown (SIGKILL)
  • -n Signal to use on normal shutdown (SIGTERM)
  • -G Group to which the ezproxy subsystem will belong (named mine "proxy")
# lssrc -s ezproxy
Subsystem         Group            PID          Status
 ezproxy          proxy                         inoperative

Change ownership of ezproxy programs and files to your new restricted user

# chown -R nobody2 /usr/local/proxy*

Start the ezproxy subsystem

# startsrc -s ezproxy
0513-059 The ezproxy Subsystem has been started. Subsystem PID is 4296.
# ps -ef
     UID   PID  PPID   C    STIME    TTY  TIME CMD
    root     1     0   0   Oct 19      - 13:07 /etc/init
    root  2440     1   0   Oct 19      -  0:00 /usr/sbin/srcmstr
    root  3622  2440   0   Oct 19      -  0:00 /usr/sbin/inetd
    root  3906  2440   0   Oct 19      -  0:24 /usr/sbin/syslogd
 nobody2  4296  2440   2 12:52:44      -  0:02 /usr/local/proxy/ezproxy

Edit /etc/rc.tcpip, adding the following lines:

# Start EZProxy
start /usr/local/proxy/ezproxy "$src_running"

This will ensure that EZproxy starts automagically every time you boot your machine.

Test

Test it. Test more. Test vigorously.

Possible errors

SRC "refresh" errors out

# refresh -s ezproxy
0513-005 The Subsystem, ezproxy, only supports signal communication.

This is normal. Use "stopsrc -s ezproxy; startsrc -s ezproxy" instead.

Subsystem will not start

# startsrc -s ezproxy
0513-015 The ezproxy Subsystem could not be started.
Please check subsystem resources and try again later.

This means that one of your subsystem definitions is more than likely erroneous (EVEN THOUGH IT PROBABLY "LET" YOU MAKE THE BAD CHANGE). Redefine subsystem correctly using chssys.

Subsystem says it starts, but it really doesn't

# sudo startsrc -s ezproxy
0513-059 The ezproxy Subsystem has been started. Subsystem PID is 7018.
# ps -ef
     UID   PID  PPID   C    STIME    TTY  TIME CMD
    root     1     0   0   Oct 19      - 10:26 /etc/init
    root  2440     1   0   Oct 19      -  0:00 /usr/sbin/srcmstr
    root  7022  8984   8 12:44:12  pts/1  0:00 ps -ef

Use the "errpt -a" and "alog -o -f '/var/adm/ras/conslog'" commands to view any software error details. Check configuration.
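
A scripted version of this check, as an added example that is not part of the original howto: it takes the PID that startsrc reports and confirms from ps -ef output that the process still exists, runs as the restricted user, and is a child of srcmstr. The helper names are hypothetical, and the sample text is copied from the transcripts on this page.

```shell
#!/bin/sh
# Added example, not part of the original howto. Sample text is taken from
# the transcripts on this page; on a live host feed in "$(startsrc -s ezproxy)"
# and "$(ps -ef)" instead.
GOOD_MSG='0513-059 The ezproxy Subsystem has been started. Subsystem PID is 4296.'
GOOD_PS='UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Oct 19 - 13:07 /etc/init
root 2440 1 0 Oct 19 - 0:00 /usr/sbin/srcmstr
nobody2 4296 2440 2 12:52:44 - 0:02 /usr/local/proxy/ezproxy'
BAD_MSG='0513-059 The ezproxy Subsystem has been started. Subsystem PID is 7018.'
BAD_PS='UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Oct 19 - 10:26 /etc/init
root 2440 1 0 Oct 19 - 0:00 /usr/sbin/srcmstr
root 7022 8984 8 12:44:12 pts/1 0:00 ps -ef'

# src_pid <startsrc output>: print the PID from a 0513-059 message, if any.
src_pid() {
    printf '%s\n' "$1" |
        sed -n 's/^0513-059 .*Subsystem PID is \([0-9][0-9]*\)\..*$/\1/p'
}

# check_started <startsrc output> <ps -ef output> <expected user>
# (hypothetical helper) Returns 0 only if the reported PID is still in the
# process table, runs as the expected user, and is a child of srcmstr.
check_started() {
    pid=$(src_pid "$1")
    [ -n "$pid" ] || { echo "no-pid-reported"; return 2; }
    srcpid=$(printf '%s\n' "$2" | awk '$NF ~ /\/srcmstr$/ { print $2; exit }')
    printf '%s\n' "$2" | awk -v pid="$pid" -v user="$3" -v src="$srcpid" '
        $2 == pid {
            found = 1
            if ($1 != user) { print "wrong-user:" $1; exit 3 }
            if ($3 != src)  { print "not-src-child:" $3; exit 4 }
            print "ok:" pid; exit 0
        }
        END { if (!found) { print "exited:" pid; exit 1 } }'
}

check_started "$GOOD_MSG" "$GOOD_PS" nobody2 || true   # ok:4296
check_started "$BAD_MSG"  "$BAD_PS"  nobody2 || true   # exited:7018
```

An "exited" verdict corresponds to the case in this section; a "wrong-user" verdict means the subsystem is not running under the restricted account defined earlier.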

Invalid UID

# startsrc -s ezproxy
0513-012 The ezproxy Subsystem could not be started.
The Subsystem's user id could not be established.
Please check the Subsystem's user id and try again.

The UID you assigned as the owner of the subsystem is not recognized by SRC. This most commonly happens when using the AIX UID for "nobody" (4294967294). This number is out-of-bounds; you can fix this by creating another restricted user and reassigning subsystem ownership to it (be sure to reassign ownership of the subsystem's files as well).

# mkgroup -A nobody2
# mkuser id='9999' pgrp='nobody2' home='/usr/local/proxy' \
    shell='/bin/noshell' gecos='Proxy Dummy' login='false' rlogin='false' \
    nobody2
# chssys -s ezproxy -u 9999

More info

Author

Chuck Geigner, AIX SysOp, Milner Library - 12 Feb 2002 <maestro@milton.mlb.ilstu.edu>