mq-container
default admin connection fails w/ MQRC_NOT_AUTHORIZED on image 9.2.3.0-r1 w/ Podman
After the update from Docker image 9.1.4.0-r1 to 9.1.5.0-r1 the default developer configuration:
- User: admin
- Password: passw0rd

is not valid anymore. This simple connection fails on image 9.1.5.0-r1:
```java
import java.util.Locale;

import javax.jms.JMSException;

import com.ibm.mq.jms.MQConnectionFactory;
import com.ibm.msg.client.wmq.WMQConstants;

public class MqConnect {

    static {
        // Use the US locale so exception messages are reported in English
        Locale.setDefault(Locale.US);
    }

    public static void main(String[] args) throws JMSException {
        final MQConnectionFactory cf = new MQConnectionFactory();
        // Client connection to the developer queue manager on the admin channel
        cf.setStringProperty(WMQConstants.WMQ_QUEUE_MANAGER, "QM1");
        cf.setStringProperty(WMQConstants.WMQ_CONNECTION_NAME_LIST, "localhost(1414)");
        cf.setStringProperty(WMQConstants.WMQ_CHANNEL, "DEV.ADMIN.SVRCONN");
        cf.setIntProperty(WMQConstants.WMQ_CONNECTION_MODE, WMQConstants.WMQ_CM_CLIENT);
        // Default developer credentials of the image
        cf.setStringProperty(WMQConstants.USERID, "admin");
        cf.setStringProperty(WMQConstants.PASSWORD, "passw0rd");
        // false selects compatibility mode instead of MQCSP authentication
        cf.setBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP, false);
        cf.setIntProperty(WMQConstants.WMQ_CLIENT_RECONNECT_OPTIONS, WMQConstants.WMQ_CLIENT_RECONNECT);
        // The connection attempt is the call that fails on 9.1.5.0-r1
        cf.createConnection();
    }
}
```
with
Exception in thread "main" com.ibm.msg.client.jms.DetailedJMSSecurityException: JMSWMQ2013: The security authentication was not valid that was supplied for queue manager 'QM1' with connection mode 'Client' and host name 'localhost(1414)'.
Please check if the supplied username and password are correct on the queue manager to which you are connecting. For further information, review the queue manager error logs and the Securing IBM MQ topic within IBM Knowledge Center.
at com.ibm.msg.client.wmq.common.internal.Reason.reasonToException(Reason.java:531)
at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:215)
at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:448)
at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createV7ProviderConnection(WMQConnectionFactory.java:8475)
at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection(WMQConnectionFactory.java:7815)
at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl._createConnection(JmsConnectionFactoryImpl.java:303)
at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConnection(JmsConnectionFactoryImpl.java:236)
at com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConnectionFactory.java:6005)
at com.ibm.mq.jms.MQConnectionFactory.createConnection(MQConnectionFactory.java:6030)
at com.github.agebhar1.MqConnect.main(MqConnect.java:28)
Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED').
at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:203)
... 8 more
The server log contains:
2020-04-13T15:02:21.633Z AMQ8077W: Entity 'admin' has insufficient authority to access object QM1 [qmgr].
2020-04-13T15:02:21.633Z AMQ9557E: Queue Manager User ID initialization failed for 'mqm'.
Container for image 9.1.4.0-r1:
$ podman exec -ti mq-9.1.4.0-r1 bash
bash-4.4$ ps ux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
mqm 1 1.6 0.0 970064 16728 ? Ssl 14:33 0:00 runmqserver -nologruntime -dev
mqm 106 0.4 0.0 1146924 40800 ? Ssl 14:33 0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u mqm
mqm 142 0.0 0.0 346836 17000 ? Sl 14:33 0:00 /opt/mqm/bin/amqzfuma -m QM1
mqm 159 0.0 0.0 197668 10628 ? Ssl 14:33 0:00 /opt/mqm/bin/amqzmgr0 -m QM1
mqm 185 0.1 0.0 2457992 21320 ? Sl 14:33 0:00 /opt/mqm/bin/amqzmuc0 -m QM1
mqm 238 0.1 0.0 1330000 13964 ? Sl 14:33 0:00 /opt/mqm/bin/amqzmur0 -m QM1
mqm 253 0.0 0.0 824748 18344 ? Sl 14:33 0:00 /opt/mqm/bin/amqzmuf0 -m QM1
mqm 258 0.0 0.0 364308 21180 ? Sl 14:33 0:00 /opt/mqm/bin/amqrrmfa -m QM1 -t2332800 -s2592000 -p2592000 -g5184000 -c3600
mqm 292 0.0 0.0 549468 13028 ? Sl 14:33 0:00 /opt/mqm/bin/runmqchi -m QM1 -q SYSTEM.CHANNEL.INITQ -r
mqm 293 0.0 0.0 478612 19420 ? Sl 14:33 0:00 /opt/mqm/bin/amqfqpub -mQM1
mqm 294 0.0 0.0 214792 11272 ? Sl 14:33 0:00 /opt/mqm/bin/amqpcsea QM1
mqm 297 0.0 0.0 394868 10736 ? Sl 14:33 0:00 /opt/mqm/bin/runmqlsr -r -m QM1 -t TCP -p 1414
mqm 300 0.0 0.0 1016772 17464 ? Sl 14:33 0:00 /opt/mqm/bin/amqzlaa0 -mQM1 -fip0
mqm 323 0.0 0.0 741616 19048 ? Ssl 14:33 0:00 /opt/mqm/bin/amqfcxba -m QM1
mqm 425 35.4 0.2 5359544 192268 ? SLl 14:33 0:03 /opt/mqm/java/jre64/jre/bin/java -javaagent:/opt/mqm/web/bin/tools/ws-javaagent.jar -Djava.awt.headless=true -Djdk.attach.allowAttachSelf=true -XX:MaxPermSize=256m -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls
mqm 535 3.0 0.0 12016 3292 pts/0 Ss 14:33 0:00 bash
mqm 541 0.0 0.0 43952 3368 pts/0 R+ 14:33 0:00 ps ux
bash-4.4$ id
uid=888(mqm) gid=888(mqm) groups=888(mqm),0(root)
Container for image 9.1.5.0-r1:
$ podman exec -ti mq-9.1.5.0-r1 bash
bash-4.4$ ps ux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
1001 1 1.4 0.0 1043792 17152 ? Ssl 14:51 0:00 runmqserver -nologruntime -dev
1001 76 0.2 0.0 1643248 46608 ? Ssl 14:51 0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u 1001
1001 106 0.0 0.0 916016 23556 ? Sl 14:51 0:00 /opt/mqm/bin/amqzfuma -m QM1
1001 115 0.0 0.0 197744 10944 ? Ssl 14:51 0:00 /opt/mqm/bin/amqzmgr0 -m QM1
1001 118 0.0 0.0 2953456 27700 ? Sl 14:51 0:00 /opt/mqm/bin/amqzmuc0 -m QM1
1001 159 0.0 0.0 1327528 14040 ? Sl 14:51 0:00 /opt/mqm/bin/amqzmur0 -m QM1
1001 174 0.0 0.0 1394092 23856 ? Sl 14:51 0:00 /opt/mqm/bin/amqzmuf0 -m QM1
1001 194 0.0 0.0 859884 27924 ? Sl 14:51 0:00 /opt/mqm/bin/amqrrmfa -m QM1 -t2332800 -s2592000 -p2592000 -g5184000 -c3600
1001 221 0.0 0.0 547648 13372 ? Sl 14:51 0:00 /opt/mqm/bin/runmqchi -m QM1 -q SYSTEM.CHANNEL.INITQ -r
1001 223 0.0 0.0 212984 11204 ? Sl 14:51 0:00 /opt/mqm/bin/amqpcsea QM1
1001 225 0.0 0.0 395104 10744 ? Sl 14:51 0:00 /opt/mqm/bin/runmqlsr -r -m QM1 -t TCP -p 1414
1001 226 0.0 0.0 1047916 25948 ? Sl 14:51 0:00 /opt/mqm/bin/amqfqpub -mQM1
1001 229 0.0 0.0 1589380 24508 ? Sl 14:51 0:00 /opt/mqm/bin/amqzlaa0 -mQM1 -fip0
1001 263 0.0 0.0 1310792 26096 ? Ssl 14:51 0:00 /opt/mqm/bin/amqfcxba -m QM1
1001 362 22.8 0.2 5376888 170256 ? SLl 14:51 0:03 /opt/mqm/java/jre64/jre/bin/java -javaagent:/opt/mqm/web/bin/tools/ws-javaagent.jar -Djava.awt.headless=true -Djdk.attach.allowAttachSelf=true -XX:MaxPermSize=256m -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls
1001 481 1.8 0.0 12020 3192 pts/0 Ss 14:51 0:00 bash
1001 487 0.0 0.0 43956 3388 pts/0 R+ 14:51 0:00 ps ux
bash-4.4$ id
uid=1001(1001) gid=0(root) groups=0(root)
diff of 10-dev.mqsc (9.1.4.0-r1 vs. 9.1.5.0-r1)
--- 10-dev.mqsc~9.1.4.0-r1 2020-04-13 16:27:11.331068491 +0200
+++ 10-dev.mqsc~9.1.5.0-r1 2020-04-13 16:26:21.902267288 +0200
@@ -40,8 +40,9 @@
SET CHLAUTH('DEV.APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(CHANNEL) CHCKCLNT(ASQMGR) DESCR('Allows connection via APP channel') ACTION(REPLACE)
SET CHLAUTH('DEV.ADMIN.SVRCONN') TYPE(BLOCKUSER) USERLIST('nobody') DESCR('Allows admins on ADMIN channel') ACTION(REPLACE)
SET CHLAUTH('DEV.ADMIN.SVRCONN') TYPE(USERMAP) CLNTUSER('admin') USERSRC(CHANNEL) DESCR('Allows admin user to connect via ADMIN channel') ACTION(REPLACE)
+SET CHLAUTH('DEV.ADMIN.SVRCONN') TYPE(USERMAP) CLNTUSER('admin') USERSRC(MAP) MCAUSER ('mqm') DESCR ('Allow admin as MQ-admin') ACTION(REPLACE)
* Developer authority records
-SET AUTHREC GROUP('mqclient') OBJTYPE(QMGR) AUTHADD(CONNECT,INQ)
-SET AUTHREC PROFILE('DEV.**') GROUP('mqclient') OBJTYPE(QUEUE) AUTHADD(BROWSE,GET,INQ,PUT)
-SET AUTHREC PROFILE('DEV.**') GROUP('mqclient') OBJTYPE(TOPIC) AUTHADD(PUB,SUB)
+SET AUTHREC PRINCIPAL('app') OBJTYPE(QMGR) AUTHADD(CONNECT,INQ)
+SET AUTHREC PROFILE('DEV.**') PRINCIPAL('app') OBJTYPE(QUEUE) AUTHADD(BROWSE,GET,INQ,PUT)
+SET AUTHREC PROFILE('DEV.**') PRINCIPAL('app') OBJTYPE(TOPIC) AUTHADD(PUB,SUB)
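Review bot: The added CHLAUTH line hard-codes MCAUSER ('mqm') and uses the same key as the rule directly above it (DEV.ADMIN.SVRCONN, TYPE(USERMAP), CLNTUSER('admin')), both with ACTION(REPLACE), so the later definition replaces the USERSRC(CHANNEL) one and the earlier line should be dropped rather than left as dead text. The literal 'mqm' only works when the queue manager is started with that same user name; the mapped user should be taken from whatever value the start-up code passes to the queue manager instead of being fixed in the template. Separately, the authority records move from GROUP('mqclient') to PRINCIPAL('app'), which changes who receives CONNECT/INQ on the queue manager and access to DEV.** queues and topics; that deserves a comment in the file next to "Developer authority records".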
I just gave a quick try with the
- ibm-mqadvanced-server-dev:9.1.5.0-r1-amd64 (from entitled registry) and
- ibmcom/mq:latest
and both work for admin user.
- Could you try the below example and see if that works for you?
- Were there any customizations made by you on top of the dev-image?
example:
C:\Users\KIRANDARBHA>docker run --env LICENSE=accept --env MQ_QMGR_NAME=QM1 --publish 1414:1414 --detach ibmcom/mq:latest
C:\Users\KIRANDARBHA>set MQSERVER=DEV.ADMIN.SVRCONN/TCP/localhost(1414)
C:\Users\KIRANDARBHA>set MQSAMP_USER_ID=admin
C:\Users\KIRANDARBHA>amqsputc DEV.QUEUE.1 QM1
Sample AMQSPUT0 start
Enter password: ********
target queue is DEV.QUEUE.1
hello
Sample AMQSPUT0 end
C:\Users\KIRANDARBHA>
I tried with MQExplorer, connecting to remote qmgr using admin user and that worked too.
Hi @KiranDarbha,
(1) tried your example but without success:
$ export MQSERVER="DEV.ADMIN.SVRCONN/TCP/localhost(1414)"
$ export MQSAMP_USER_ID=admin
$ ./amqsputc DEV.QUEUE.1 QM1
Sample AMQSPUT0 start
Enter password: ********
MQCONNX ended with reason code 2012
(2) There isn't any customization on the image. It's a 1:1 copy from Docker Hub.
Did you try the Java example above? This example was working on the previous (9.1.4.0-r1) image.
Since the MQExplorer (Java based) is able to connect to the qmgr using the credentials, I don't think the above Java program would fail!
The MQ return code 2012 for the amqsputc sample refers to MQ_ENVIRONMENT_ERROR
More details on the error -
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.5.0/com.ibm.mq.tro.doc/q040860_.htm
Not sure if that's something in your env... Maybe to narrow it down we can give this a try on the Docker playground, which is a fresh box, and see if that reproduces the same error for you.
You can log-into - https://labs.play-with-docker.com/ and follow below instructions
```
docker run --env LICENSE=accept --env MQ_QMGR_NAME=QM1 --publish 1414:1414 --detach ibmcom/mq
docker ps
docker exec -ti <pod-id> bash
cd /opt/mqm/samp/bin
export MQSERVER="DEV.ADMIN.SVRCONN/TCP/localhost(1414)"
export MQSAMP_USER_ID=admin
./amqsputc DEV.QUEUE.1 QM1
```
Here's the output I receive when I try this on docker playground
```
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2305640f0835 ibmcom/mq:latest "runmqdevserver" 5 seconds ago Up 3 seconds 9157/tcp, 0.0.0.0:1414->1414/tcp, 9443/tcp optimistic_chatelet
[node1] (local) [email protected] ~
$ docker exec -ti 2305640f0835 bash
bash-4.4$ cd /opt/mqm/samp/bin
bash-4.4$ export MQSERVER=DEV.ADMIN.SVRCONN/TCP/localhost(1414)
bash: syntax error near unexpected token `('
bash-4.4$ export MQSERVER="DEV.ADMIN.SVRCONN/TCP/localhost(1414)"
bash-4.4$ export MQSAMP_USER_ID=admin
bash-4.4$ ./amqsputc DEV.QUEUE.1 QM1
Sample AMQSPUT0 start
Enter password: ********
target queue is DEV.QUEUE.1
hello
```
On https://labs.play-with-docker.com/ it works:
[node1] (local) [email protected] ~
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
fc04bf2f6750 ibmcom/mq "runmqdevserver" 5 minutes ago Up 4 minutes 9157/tcp, 0.0.0.0:1414->1414/tcp, 9443/tcp great_engelbart
[node1] (local) [email protected] ~
$ docker exec -ti fc04bf2f6750 bash
bash-4.4$ cd /opt/mqm/samp/bin
bash-4.4$ export MQSERVER="DEV.ADMIN.SVRCONN/TCP/localhost(1414)"
bash-4.4$ export MQSAMP_USER_ID=admin
bash-4.4$ ./amqsputc DEV.QUEUE.1 QM1
Sample AMQSPUT0 start
Enter password: ********
target queue is DEV.QUEUE.1
but w/ Podman it fails:
$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3fe554a7ca5f docker.io/ibmcom/mq:9.1.5.0-r1 21 hours ago Up 21 hours ago 0.0.0.0:1414->1414/tcp mq-9.1.5.0-r1
$ podman exec -ti mq-9.1.5.0-r1 bash
bash-4.4$ cd /opt/mqm/samp/bin
bash-4.4$ export MQSERVER="DEV.ADMIN.SVRCONN/TCP/localhost(1414)"
bash-4.4$ export MQSAMP_USER_ID=admin
bash-4.4$ ./amqsputc DEV.QUEUE.1 QM1
Sample AMQSPUT0 start
Enter password: ********
MQCONNX ended with reason code 2035
(One of) the differences between both images 9.1.4.0-r1 and 9.1.5.0-r1 is the user which runs/owns the process within the container:
9.1.4.0-r1:
bash-4.4$ id
uid=888(mqm) gid=888(mqm) groups=888(mqm),0(root)
9.1.5.0-r1:
uid=1001(1001) gid=0(root) groups=0(root)
Maybe Podman's and Docker's behavior is different at this point. But running the latest (9.1.5.0-r1) image w/ Podman it isn't possible to log in to the queue manager with default credentials.
I can reproduce this as well:
$ podman run -d -e LICENSE=accept -e MQ_ADMIN_PASSWORD=foobar -e MQ_QMGR_NAME=QM1 --name qm1 --volume qm1data:/mnt/mqm ibmcom/mq
8a58bb5f066a4a9ba132e4ef35823022c22927f5da1f2a2864283cb725ca3c0d
$ podman exec -e MQSERVER="DEV.ADMIN.SVRCONN/TCP/localhost(1414)" -e MQSAMP_USER_ID=admin -ti --privileged qm1 /opt/mqm/samp/bin/amqsputc DEV.QUEUE.1 QM1
Sample AMQSPUT0 start
Enter password: ******
MQCONNX ended with reason code 2035
Error: non zero exit code: 243: OCI runtime error
I also see the following in the container logs:
2020-04-14T12:51:02.519Z CPU architecture: amd64
2020-04-14T12:51:02.519Z Linux kernel version: 4.18.0-147.5.1.el8_1.x86_64
2020-04-14T12:51:02.520Z Base image: Red Hat Enterprise Linux 8.1 (Ootpa)
2020-04-14T12:51:02.520Z Running as user ID 1001 with primary group 0
2020-04-14T12:51:02.520Z Capabilities (bounding set): chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap
2020-04-14T12:51:02.520Z seccomp enforcing mode: filtering
2020-04-14T12:51:02.520Z Process security attributes: none
2020-04-14T12:51:02.520Z Detected 'xfs' volume mounted to /mnt/mqm
2020-04-14T12:51:02.623Z Using queue manager name: QM1
2020-04-14T12:51:02.632Z Created directory structure under /var/mqm
2020-04-14T12:51:02.632Z Image created: 2020-03-31T06:57:13+00:00
2020-04-14T12:51:02.632Z Image tag: ibm-mqadvanced-server-dev:9.1.5.0-r1-amd64
2020-04-14T12:51:02.650Z MQ version: 9.1.5.0
2020-04-14T12:51:02.650Z MQ level: p915-ifix-L200325.DE
2020-04-14T12:51:02.650Z MQ license: Developer
...
2020-04-14T12:51:14.595Z AMQ8077W: Entity 'mqm' has insufficient authority to access object QM1 [qmgr].
2020-04-14T12:51:14.595Z AMQ9557E: Queue Manager User ID initialization failed for 'mqm'.
So there's something different going on with Podman. FYI @davidjmccann @LPowlett
FYI @agebhar1, the MQ 9.1.5 container image was changed to be able to support running as any user ID, and mostly removes the concept of an "mqm" user, so the result of id is expected.
@arthurbarr thanks for the update on the behavior of id
@arthurbarr the problem is also present on 2nd Release of 9.1.5.0 (9.1.5.0-r2), so I updated the title.
Podman:
bash-4.4$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
1001:x:1001:0:container user:/:/bin/sh
bash-4.4$ ps ux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
1001 1 0.2 0.0 1043864 16372 ? Ssl 09:26 0:00 runmqserver -nologruntime -dev
1001 80 0.0 0.0 1721148 46720 ? Ssl 09:26 0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u 1001
1001 110 0.0 0.0 843960 22744 ? Sl 09:26 0:00 /opt/mqm/bin/amqzfuma -m QM1
1001 116 0.0 0.0 197744 10856 ? Ssl 09:26 0:00 /opt/mqm/bin/amqzmgr0 -m QM1
1001 119 0.0 0.0 3048004 33392 ? Sl 09:26 0:00 /opt/mqm/bin/amqzmuc0 -m QM1
1001 161 0.0 0.0 1329112 14308 ? Sl 09:26 0:00 /opt/mqm/bin/amqzmur0 -m QM1
1001 177 0.0 0.0 1398784 25708 ? Sl 09:26 0:00 /opt/mqm/bin/amqzmuf0 -m QM1
1001 194 0.0 0.0 1011224 27464 ? Sl 09:26 0:00 /opt/mqm/bin/amqrrmfa -m QM1 -t2332800 -s2592000 -p2592000 -g5184000 -c3600
1001 222 0.0 0.0 1052088 26108 ? Sl 09:26 0:00 /opt/mqm/bin/amqfqpub -mQM1
1001 229 0.0 0.0 547648 12764 ? Sl 09:26 0:00 /opt/mqm/bin/runmqchi -m QM1 -q SYSTEM.CHANNEL.INITQ -r
1001 230 0.0 0.0 212984 12192 ? Sl 09:26 0:00 /opt/mqm/bin/amqpcsea QM1
1001 232 0.0 0.0 395104 10868 ? Sl 09:26 0:00 /opt/mqm/bin/runmqlsr -r -m QM1 -t TCP -p 1414
1001 234 0.0 0.0 1519180 25028 ? Sl 09:26 0:00 /opt/mqm/bin/amqzlaa0 -mQM1 -fip0
1001 276 0.0 0.0 1241232 25796 ? Ssl 09:26 0:00 /opt/mqm/bin/amqfcxba -m QM1
1001 363 3.6 0.2 5363580 184572 ? SLl 09:26 0:06 /opt/mqm/java/jre64/jre/bin/java -javaagent:/opt/mqm/web/bin/tools/ws-javaagent.jar -Djava.awt.headless=true -Djdk.attach.allowAttachSelf=true -XX:MaxPermSize=256m -Djdk.t
1001 490 0.0 0.0 12016 3300 pts/0 Ss 09:27 0:00 bash
1001 765 0.0 0.0 44592 3420 pts/0 R+ 09:29 0:00 ps ux
Docker:
bash-4.4$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
bash-4.4$ ps ux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
1001 1 0.1 0.4 838800 18232 ? Ssl 09:15 0:01 runmqserver -nologruntime -dev
1001 73 0.0 1.0 1360616 43044 ? Ssl 09:15 0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u mqm
1001 108 0.0 0.6 813560 24708 ? Sl 09:15 0:00 /opt/mqm/bin/amqzfuma -m QM1
1001 114 0.0 0.2 214400 11936 ? Ssl 09:15 0:00 /opt/mqm/bin/amqzmgr0 -m QM1
1001 117 0.0 0.8 1357492 35824 ? Sl 09:15 0:00 /opt/mqm/bin/amqzmuc0 -m QM1
1001 133 0.0 0.3 1167664 14908 ? Sl 09:15 0:00 /opt/mqm/bin/amqzmur0 -m QM1
1001 159 0.0 0.6 1349284 24944 ? Sl 09:15 0:00 /opt/mqm/bin/amqzmuf0 -m QM1
1001 175 0.0 0.7 888808 28592 ? Sl 09:15 0:00 /opt/mqm/bin/amqrrmfa -m QM1 -t2332800 -s2592000 -p2592000 -g5184000 -c3600
1001 200 0.0 0.3 528264 14148 ? Sl 09:15 0:00 /opt/mqm/bin/runmqchi -m QM1 -q SYSTEM.CHANNEL.INITQ -r
1001 203 0.0 0.3 193600 13624 ? Sl 09:15 0:00 /opt/mqm/bin/amqpcsea QM1
1001 204 0.0 0.3 543356 12416 ? Sl 09:15 0:00 /opt/mqm/bin/runmqlsr -r -m QM1 -t TCP -p 1414
1001 210 0.0 0.6 1338716 25704 ? Sl 09:15 0:00 /opt/mqm/bin/amqzlaa0 -mQM1 -fip0
1001 220 0.0 0.6 1019232 27048 ? Sl 09:15 0:00 /opt/mqm/bin/amqfqpub -mQM1
1001 257 0.0 0.6 1282112 26848 ? Ssl 09:15 0:00 /opt/mqm/bin/amqfcxba -m QM1
1001 337 1.3 3.8 2139300 155400 ? SLl 09:15 0:19 /opt/mqm/java/jre64/jre/bin/java -javaagent:/opt/mqm/web/bin/tools/ws-javaagent.jar -Djava.awt.headless=true -Djdk.attach.allowAttachSelf=true -XX:MaxPermSize=256m -Djdk.tl
1001 482 0.0 0.1 35064 4384 pts/0 Ss+ 09:19 0:00 bash
1001 527 0.0 0.1 35064 4464 pts/1 Ss 09:19 0:00 bash
1001 629 0.0 0.4 363368 16388 ? Ssl 09:25 0:00 /opt/mqm/bin/amqrmppa -m QM1
1001 955 0.0 0.0 47504 3612 pts/1 R+ 09:40 0:00 ps ux
The difference seems to be runmqserver's invocation of amqzxma0:
Podman: /opt/mqm/bin/amqzxma0 -m QM1 -x -u 1001 -- user exists in /etc/passwd
Docker: /opt/mqm/bin/amqzxma0 -m QM1 -x -u mqm -- user does not exist in /etc/passwd
Unfortunately the current sources of runmqserver for 9.1.5.0-r2 are not available to see why there is a difference.
It also fails in 9.2.0.0-r1. I spent some more time and the difference which leads to the MQRC_NOT_AUTHORIZED error for admin is the wrong user id on `amqzxma0` (mqm vs. 1001)
Podman: /opt/mqm/bin/amqzxma0 -m QM1 -x -u 1001
Docker: /opt/mqm/bin/amqzxma0 -m QM1 -x -u mqm
runmqserver starts the queue manager (strmqm) process with the queue manager name. The queue manager process strmqm itself starts the execution controller amqzxma0 as one of the first jobs. On execution call of amqzxma0 the argument for the user differs between Podman and Docker which can be seen in an strace excerpt:
Podman
618 17:31:12.899655 execve("/opt/mqm/bin/amqzxma0", ["/opt/mqm/bin/amqzxma0", "-m", "QM1", "-x", "-u", "1001"], ["LD_LIBRARY_PATH=/opt/mqm/lib64", "MQS_PERMIT_UNKNOWN_ID=true", "LANG=en_US.UTF-8", "HOSTNAME=", "AMQ_DIAGNOSTIC_MSG_SEVERITY=1", "AMQ_ADDITIONAL_JSON_LOG=1", "container=podman", "PWD=/", "HOME=/", "MQ_OVERRIDE_DATA_PATH=/mnt/mqm/d"..., "MQ_CONNAUTH_USE_HTP=true", "MQ_GENERATE_CERTIFICATE_HOSTNAME"..., "MQ_DEV=true", "TERM=xterm", "SHLVL=1", "LICENSE=accept", "MQ_QMGR_NAME=QM1", "MQ_USER_NAME=mqm", "MQ_GRACE_PERIOD=30", "PATH=/usr/local/sbin:/usr/local/"..., "MQ_ENABLE_EMBEDDED_WEB_SERVER=1", "LOG_FORMAT=basic", "MQ_OVERRIDE_INSTALLATION_NAME=In"..., "_=/usr/bin/strace"] <unfinished ...>
Docker
704 17:50:10.312635 execve("/opt/mqm/bin/amqzxma0", ["/opt/mqm/bin/amqzxma0", "-m", "QM1", "-x", "-u", "mqm"], 0x7ffe4414db48 /* 24 vars */ <unfinished ...>
Both containers were started with --privileged to enable tracing with strace. strace was copied into the container from registry.redhat.io/rhel8/support-tools.
The environment variable for the mq user MQ_USER_NAME is ignored on Podman:
Podman
$ podman run --env LICENSE=accept --env MQ_QMGR_NAME=QM1 --env MQ_USER_NAME=ibm --publish 1414:1414 --publish 9443:9443 --detach --name mq_9.2.0.0-r1 docker.io/ibmcom/mq:9.2.0.0-r1
$ podman exec -ti mq_9.2.0.0-r1 bash
bash-4.4$ echo $MQ_USER_NAME
ibm
bash-4.4$ ps ux | grep amqzxma0
1001 248 0.0 0.0 1716364 46356 ? Ssl 07:55 0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u 1001
1001 1706 0.0 0.0 9176 1084 pts/0 S+ 08:07 0:00 grep amqzxma0
Docker
$ docker run --env LICENSE=accept --env MQ_QMGR_NAME=QM1 --env MQ_USER_NAME=ibm --publish 1414:1414 --publish 9443:9443 --detach --name mq_9.2.0.0-r1 docker.io/ibmcom/mq:9.2.0.0-r1
$ docker exec -ti mq_9.2.0.0-r1 bash
bash-4.4$ echo $MQ_USER_NAME
ibm
bash-4.4$ ps ux | grep amqzxma0
1001 214 0.0 1.0 1359896 42632 ? Ssl 07:56 0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u ibm
1001 733 0.0 0.0 9176 956 pts/0 S+ 08:09 0:00 grep amqzxma0
There is something different between Podman and Docker when strmqm runs and determines the MQ user name from the environment to start amqzxma0.
The source of strmqm is not available, so you (IBM @arthurbarr @LPowlett) might have a look.
--
A workaround to run the image on Podman w/ default admin connection is to create a custom image:
FROM ibmcom/mq
USER 1001
COPY 10-dev.mqsc.tpl /etc/mqm/10-dev.mqsc.tpl
whereas 10-dev.mqsc.tpl is generated by
sed -e "s/MCAUSER ('mqm')/MCAUSER ('1001')/g" incubating/mqadvanced-server-dev/10-dev.mqsc.tpl > 10-dev.mqsc.tpl
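A check for the mismatch this comment describes, added here as an example and not part of the original thread or the project's code. It assumes, as the comment concludes, that the MCAUSER mapped for `admin` has to equal the `-u` argument of `amqzxma0`; the function names are hypothetical and the sample lines are copied from the output quoted in this thread.

```shell
#!/usr/bin/env bash
# Added example. Sample data: ps lines and 10-dev.mqsc lines quoted in the thread.
PS_PODMAN='1001 248 0.0 0.0 1716364 46356 ? Ssl 07:55 0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u 1001
1001 1706 0.0 0.0 9176 1084 pts/0 S+ 08:07 0:00 grep amqzxma0'
PS_DOCKER='1001 73 0.0 1.0 1360616 43044 ? Ssl 09:15 0:00 /opt/mqm/bin/amqzxma0 -m QM1 -x -u mqm'
MQSC="SET CHLAUTH('DEV.ADMIN.SVRCONN') TYPE(USERMAP) CLNTUSER('admin') USERSRC(CHANNEL) DESCR('Allows admin user to connect via ADMIN channel') ACTION(REPLACE)
SET CHLAUTH('DEV.ADMIN.SVRCONN') TYPE(USERMAP) CLNTUSER('admin') USERSRC(MAP) MCAUSER ('mqm') DESCR ('Allow admin as MQ-admin') ACTION(REPLACE)"

# Read `ps ux` output on stdin and print the value after "-u" on the
# amqzxma0 command line. The leading "/" keeps "grep amqzxma0" from matching.
qmgr_user() {
  awk '/\/amqzxma0 / { for (i = 1; i < NF; i++) if ($i == "-u") { print $(i + 1); exit } }'
}

# Read MQSC text on stdin and print the MCAUSER mapped for client user 'admin'.
# Every rule uses ACTION(REPLACE), so the last matching rule is the effective one.
mapped_mcauser() {
  sed -n "s/.*CLNTUSER('admin').*MCAUSER *('\([^']*\)').*/\1/p" | tail -n 1
}

# The workaround from the comment above, with the target user as a parameter.
apply_workaround() {
  sed -e "s/MCAUSER ('mqm')/MCAUSER ('$1')/g"
}

# $1 = ps output, $2 = MQSC text.
# Prints a verdict; returns 0 = match, 1 = mismatch, 2 = could not determine.
check_identity() {
  _running=$(printf '%s\n' "$1" | qmgr_user)
  _mapped=$(printf '%s\n' "$2" | mapped_mcauser)
  if [ -z "$_running" ] || [ -z "$_mapped" ]; then
    echo "UNKNOWN running=${_running:-?} mapped=${_mapped:-?}"
    return 2
  fi
  if [ "$_running" = "$_mapped" ]; then
    echo "OK running=$_running mapped=$_mapped"
  else
    echo "MISMATCH running=$_running mapped=$_mapped"
    return 1
  fi
}

# Podman case from the thread: queue manager runs as 1001, admin maps to mqm.
check_identity "$PS_PODMAN" "$MQSC" || true
# Docker case from the thread: both sides are mqm.
check_identity "$PS_DOCKER" "$MQSC" || true
# Podman case after the workaround has rewritten the template.
check_identity "$PS_PODMAN" "$(printf '%s\n' "$MQSC" | apply_workaround 1001)" || true
```

Inside a running container the first input can come from `ps ux | qmgr_user` instead of the embedded sample.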
Hi @LPowlett, did anybody have a chance to take a look at this issue?
Was this ever resolved/explained? I'm getting a very similar issue with 9.2.0.3 and 9.2.0.4 builds (using docker) where the amqzxma0 process starts with '-u root' when MQ_USER_NAME=mqm is set.
No, not yet.