rajeev_81179
Oct 28, 2009

ERROR "REJECTING access to capability dac_read_search wrap_pinger8291"

We have 2 data centers and 4 F5s, and all four F5s have these error messages and they are not stopping.

However, it's not affecting the performance of traffic. Everything looks normal....

I am the only Net admin and no one has made any changes...

Has anyone come across such issues....

PLEASE HELP!!!!!!!

(wrap_pinger(23661) profile /usr/bin/bigd active /usr/bin/bigd)

Oct 28 16:23:21 csc-dc2-f501 SubDomain: REJECTING access to capability 'dac_read_search' (wrap_pinger(23663) profile /usr/bin/bigd active /usr/bin/bigd)

Oct 28 16:23:21 csc-dc2-f501 SubDomain: REJECTING access to capability 'dac_read_search' (wrap_pinger(23665) profile /usr/bin/bigd active /usr/bin/bigd)

Oct 28 16:23:21 csc-dc2-f501 SubDomain: REJECTING access to capability 'dac_read_search' (wrap_pinger(23667) profile /usr/bin/bigd active /usr/bin/bigd)

Oct 28 16:23:22 csc-dc2-f501 SubDomain: REJECTING access to capability 'dac_read_search' (wrap_pinger(23669) profile /usr/bin/bigd active /usr/bin/bigd)

Oct 28 16:23:22 csc-dc2-f501 SubDomain: REJECTING access to capability 'dac_read_search' (wrap_pinger(23671) profile /usr/bin/bigd active /usr/bin/bigd)

  • hoolio
    Hi Rajeev,

    That's subdomain blocking bigd, the monitoring daemon's dac_read_search access. You could contact F5 Support to ask for help in resolving this issue. It will probably involve modifying the subdomain configuration. You can get some additional info from this related post:

    http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=2949829616

    Aaron
  • Hi Aaron,

    I restarted the ( bigstart restart subdomain ) and the error messages stopped. I am not sure what happened, but it looks like just a restart helped it.
  • hoolio
    If you didn't change the subdomain config and bigd is still trying to do what it was doing, I'd expect the error to continue.

    Apparently dac_read_search is:

    http://ubuntuforums.org/archive/index.php/t-1049698.html

    dac_read_search means to bypass file read permission checks and directory read and execute permission checks

    The wrap_pinger is a process which (at least in 4.2) ensures only one instance of an external monitor script is running at a time:

    http://vegan.net/lb/archive/10-2003/0026.html

    Also, you no longer need to do your own pid file management in your external EAV's (at least not in 4.2+) - bigd spawns wrap_pinger which manages the pid file and killing off previously hanging around EAVs, then wrap_pinger spawns your EAV.

    So I'd guess you're using an external monitor and bigd's wrap_pinger process doesn't have permissions to read a directory or file per the subdomain configuration.

    Aaron
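
As an added example (not part of the thread and not F5 tooling): a small Python parser for the SubDomain denial lines quoted in the first post, splitting out the capability, the process and PID, and the confining profile so repeated denials can be counted per source. The function names are hypothetical, and the regular expression is inferred only from the lines posted here.

```python
import re
from collections import Counter

# Pattern for the SubDomain capability denial shown in the thread. The syslog
# prefix is optional, so a line cut off before "(process(pid) ..." still parses.
DENIAL = re.compile(
    r"(?:(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+SubDomain:\s+"
    r"REJECTING access to capability '(?P<cap>\w+)'\s+)?"
    r"\((?P<proc>[^\s()]+)\((?P<pid>\d+)\)\s+profile\s+(?P<profile>\S+)"
    r"\s+active\s+(?P<active>[^\s)]+)\)"
)

def parse_denials(lines):
    """Return one dict per SubDomain denial; non-matching lines are skipped."""
    records = []
    for line in lines:
        m = DENIAL.search(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            records.append(rec)
    return records

def summarize(records):
    """Count denials per (host, capability, process, profile)."""
    return Counter((r["host"], r["cap"], r["proc"], r["profile"]) for r in records)

def distinct_pids(records):
    """Many distinct PIDs means each denial is a newly spawned process."""
    return len({r["pid"] for r in records})

# Sample input: lines as posted in the thread (the first one is truncated
# there), plus a final unrelated line constructed for this example.
SAMPLE = [
    "(wrap_pinger(23661) profile /usr/bin/bigd active /usr/bin/bigd)",
    "Oct 28 16:23:21 csc-dc2-f501 SubDomain: REJECTING access to capability "
    "'dac_read_search' (wrap_pinger(23663) profile /usr/bin/bigd active /usr/bin/bigd)",
    "Oct 28 16:23:21 csc-dc2-f501 SubDomain: REJECTING access to capability "
    "'dac_read_search' (wrap_pinger(23665) profile /usr/bin/bigd active /usr/bin/bigd)",
    "Oct 28 16:23:22 csc-dc2-f501 SubDomain: REJECTING access to capability "
    "'dac_read_search' (wrap_pinger(23669) profile /usr/bin/bigd active /usr/bin/bigd)",
    "Oct 28 16:23:22 csc-dc2-f501 kernel: constructed unrelated line",
]

if __name__ == "__main__":
    recs = parse_denials(SAMPLE)
    for key, count in summarize(recs).items():
        print(count, key)
    print("distinct PIDs:", distinct_pids(recs))
```

A different PID on every line, as in the posted log, is consistent with bigd spawning a fresh wrap_pinger for each monitor run, so the denial count tracks monitor frequency.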