Forum Discussion
Chris_Chaloux_1
Nimbostratus
NimbostratusClass file permission issue
All -
Does anyone know what the permissions need to be for class files that live under /var/class.
I am hosting a class file in a sub off of this location and get the following error during a b load:
BIGpipe class operation error:
01070644:3: The requested class file (/var/class/oos/**com/oos.**com.index.html.class) exists, but does not have read/write privilege.
The structure starting from class all the way down has 775 so I can't see where the issue is. Anyone else run into this?
rayden_75606755 user and group root
hoolioCirrostratus
I'd guess the issue is with the subdirectory within the /var/class directory. If you move the class file to /var/class does it work?
Aaron- I'm with Aaron on this one. I'm thinking there's an issue with reading a class file outside of that specific directory. I seem to recall hearing something about this being hard-set somewhere in the system for security. I can't seem to find any notes on that though, so at the moment it's just a hunch.
Colin - rayden_75606can you give an example of your i-rule that you use to call on the class? I just tried a few levels of subdirectories and it worked for me!
- hoolioThe error is caused by subdomain blocking access to the subdirectory. You can work around the issue by not using classes in subdirectories under /var/class. Else, here are steps to allow MCPD access to the /var/class subdirectory:
GUI error:
01070644:3: The requested class file (/var/class/subdir/subdir.test.class) exists, but does not have read/write privilege.
/var/log/kern.log:
Nov 10 10:41:12 test SubDomain: REJECTING rw access to /var/class/subdir/subdir.test.class (mcpd(24866) profile /bin/mcpd active /bin/mcpd)
There are two related files which you'd need to modify to allow access from the GUI and via iControl to subdirectories under /var/class:
/etc/subdomain.d/bin.mcpd
/etc/subdomain.d/usr.local.www.iControl.iControlPortal.cgi
grep -R class /etc/subdomain.d/*
bin.mcpd: /var/class/* lrw,
usr.local.www.iControl.iControlPortal.cgi: /var/class/* lrw,
I wasn't able to find documentation on this, but it looks like you can give recursive access by changing the /var/class/* entries to /var/class/**.
I tested this by:
- creating an external class file under /var/class/subdomain/subdir.test.class
- modifiying the /etc/subdomain.d/bin.mcpd file entry from /var/class/* lrw, to /var/class/** lrw
- restarting subdomain (bigstart restart subdomain)
I could then create an external class in the GUI which referenced the /var/class/subdir/subdir.test.class file.
Note that you should also modify the usr.local.www.iControl.iControlPortal.cgi entry for /var/class to allow iControl apps to access this class.
Aaron - JRahm
Admin
Note that future upgrades/hotfixes may blow those changes away, so you'll want to have a detailed documentation process for making changes to system files. - hoolioThat's a very good point, citizen_elah.
It would be cleaner to just put the external file in the /var/class directory. If you do need to use a subdirectory for some reason, it would make sense to open a case with F5 Support and ask them to support subdirectory access for iControl and MCPD to /var/class/.
Aaron 
Jonathan_41420a
