CentOS 7 custom service failure (Interactive authentication required)


I am trying to set up an OFBiz fork called Scipio as a service on CentOS 7.

The service wrapper script changes the user to a dedicated one for the program. All of the program's files are owned and in the group under that dedicated user name.

If I grant execute permissions on the script, have it sitting in a subdirectory of the program, log in as that dedicated user, and execute it directly like a standard bash script, it functions perfectly. BUT, if I copy it to /etc/rc.d/init.d/scipio and attempt to execute it as another user (my normal account) using sudo (executing "normally" or as a service), it fails.

It looks like the error is something to the effect of:

failed to start service interactive authentication required

Here are the permissions (ls -l):

-rwxr-xr-x. 1 root root 4165 Jul  8 16:00 /etc/rc.d/init.d/scipio

Here's how I like to launch it (as a sudoer):

sudo service scipio restart

Here's the script itself:

#!/bin/sh
#####################################################################
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
#####################################################################
#
# scipio       This shell script takes care of starting and stopping
#              the Scipio ERP server
#
# chkconfig: 2345 80 10
# description: Scipio ERP

# Source function library
# this does not exist in Debian/Ubuntu/etc. => see  rc.ofbiz.for.debian
# => comment out and use "echo failure" and "echo success" in place of echo_failure and echo_success (minor anyway)
. /etc/rc.d/init.d/functions

# Source networking configuration
# this does not exist in Debian/Ubuntu/etc. => see  rc.ofbiz.for.debian
. /etc/sysconfig/network

# Paths - Edit for your locations
JAVA_BINARY=$JAVA_HOME/bin/java
OFBIZ_HOME=/opt/scipio-erp
OFBIZ_LOG=$OFBIZ_HOME/runtime/logs/console.log

# VM Options
JAVA_VMOPTIONS="-Xms128M -Xmx1024M -XX:MaxPermSize=512M"

# Java arguments
JAVA_ARGS="-jar ofbiz.jar"

# *nix user ofbiz should run as (you must create this user first)
OFBIZ_USER=scipio

# OFBiz processes running
ofbizprocs() {
    OFBIZ_PROCS=`/bin/ps h -o pid,args -C java | /bin/grep -e "$JAVA_ARGS" | /bin/egrep -o "^[[:space:]]*[[:digit:]]*"`
}

# Checking user...
checkuser() {
    if [ "$USER" != "$OFBIZ_USER" ]; then
        echo failure
        echo
        echo "Only users root or $OFBIZ_USER should start/stop the application"
        exit 1
    fi
}

# Start OFBiz
start() {
    echo -n "Starting OFBiz: "
    checkuser
    ofbizprocs
    if [ "$OFBIZ_PROCS" != "" ]; then
        echo failure
        echo
        echo "OFBiz is already running..."
        return 1
    fi

    # All clear
    cd $OFBIZ_HOME
    umask 007
    /bin/rm -f $OFBIZ_LOG
    $JAVA_BINARY $JAVA_VMOPTIONS $JAVA_ARGS >>$OFBIZ_LOG 2>>$OFBIZ_LOG&
    echo success
    return 0
}

# Stop OFBiz
stop() {
    echo -n "Stopping OFBiz: "
    checkuser
    ofbizprocs
    if [ "$OFBIZ_PROCS" == "" ]; then
        echo failure
        echo
        echo "OFBiz is not running..."
        return 1
    fi

    # All clear
    cd $OFBIZ_HOME
    umask 007
    $JAVA_BINARY $JAVA_VMOPTIONS $JAVA_ARGS -shutdown >>$OFBIZ_LOG
    ofbizprocs
    if [ "$OFBIZ_PROCS" != "" ]; then
        # Let's try to -TERM
        /bin/kill -TERM $OFBIZ_PROCS
    fi
    ofbizprocs
    if [ "$OFBIZ_PROCS" != "" ]; then
        # Let's try it the hard way!
        /bin/kill -9 $OFBIZ_PROCS
    fi
    ofbizprocs
    if [ "$OFBIZ_PROCS" != "" ]; then
        echo failure
        echo
        echo "Some processes could not be stopped:"
        echo $OFBIZ_PROCS
        echo "A possible solution is to try this command once more!"
        return 1
    else
        echo success
        return 0
    fi
}

# If root is running this script, su to $OFBIZ_USER first
# Note that under Debian/Ubuntu/etc. you should use instead
# if [ "$USER" = "root" ]; then
if [ "$UID" = "0" ]; then
    exec su - $OFBIZ_USER -c "$0 $1"
fi

case "$1" in
    'start')
        start
    ;;
    'stop')
        stop
    ;;
    'restart')
        stop
        start
    ;;
    'status')
        ofbizprocs
        if [ "$OFBIZ_PROCS" == "" ]; then
            echo "OFBiz is stopped"
            exit 1
        else
            echo "OFBiz is running"
            exit 0
        fi
    ;;
    *)
        echo "Usage: $0 {start|stop|kill|restart|status|help}"
        exit 1
    ;;
esac
echo
exit $?

It seems like this is a CentOS 7 specific issue. I believe the services model changed, and these init.d style scripts aren't the natural mechanism anymore. Maybe this is SELinux related?

Update

JAVA_HOME should be defined, as I previously ran:

export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-8.b10.el7_5.x86_64/jre

sudo sh -c "echo export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-8.b10.el7_5.x86_64/jre >> /etc/environment"     

… I tested and confirmed that is resolving in this context.

Journaled error message

-- Unit session-c16.scope has begun starting up.
Jul 09 20:56:19 SERVERNAME-XXXX scipio[27942]: Starting scipio (via systemctl):  Failed to start scipio.service: Interactive authentication required.
Jul 09 20:56:19 SERVERNAME-XXXX scipio[27942]: See system logs and 'systemctl status scipio.service' for details.
Jul 09 20:56:19 SERVERNAME-XXXX scipio[27942]: [FAILED]
Jul 09 20:56:19 SERVERNAME-XXXX su[27942]: pam_unix(su-l:session): session closed for user scipio
Jul 09 20:56:19 SERVERNAME-XXXX systemd[1]: scipio.service: control process exited, code=exited status=1
Jul 09 20:56:19 SERVERNAME-XXXX systemd[1]: Failed to start SYSV: Scipio ERP.
-- Subject: Unit scipio.service has failed

Best Answer

It looks to me like JAVA_HOME isn't defined. Thus, when you try to run the script, /bin/java doesn't exist, and it fails.

If you do it as a logged-in user, you likely end up with that environment variable either defined in an rc file, or inherited from the user you were before changing to the service account.

Yes, CentOS 7 did switch to using systemd rather than initV -- but an initscript like that should still work even if it's deprecated.
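
The native systemd mechanism that the question and answer refer to, as an added example (not part of the original post or answer, and not Scipio's own unit file): a unit that starts the JVM directly as the scipio user instead of having a root init script `su` to it, with JAVA_HOME set in the unit rather than inherited from a login environment. The unit location, the scipio group and the three hardening directives at the end are assumptions; the paths, user, umask and JVM options are taken from the question.

```ini
# /etc/systemd/system/scipio.service  (assumed location; added example)
[Unit]
Description=Scipio ERP
After=network.target

[Service]
# The JVM stays in the foreground; systemd tracks it directly, so no
# "ps | grep" process discovery is needed.
Type=simple

# Drop privileges in the service manager instead of "su - scipio" in a script.
User=scipio
# Assumption: a group named scipio owns the program's files.
Group=scipio

WorkingDirectory=/opt/scipio-erp
# Same file-creation mask as the init script's "umask 007".
UMask=0007

# Services do not receive a login shell's environment, so JAVA_HOME is set here.
Environment=JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-8.b10.el7_5.x86_64/jre

# The executable must be given as an absolute path.
ExecStart=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-8.b10.el7_5.x86_64/jre/bin/java -Xms128M -Xmx1024M -XX:MaxPermSize=512M -jar ofbiz.jar
# Same shutdown invocation the init script's stop() uses.
ExecStop=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-8.b10.el7_5.x86_64/jre/bin/java -Xms128M -Xmx1024M -XX:MaxPermSize=512M -jar ofbiz.jar -shutdown
# A JVM terminated by SIGTERM exits with status 143; count that as a clean stop.
SuccessExitStatus=143

# Assumed hardening, not from the question: no privilege regain through
# setuid binaries, a private /tmp, and read-only /usr, /boot and /etc.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full

[Install]
WantedBy=multi-user.target
```

After `sudo systemctl daemon-reload`, start it with `sudo systemctl start scipio`; the JVM's console output is then read with `journalctl -u scipio`.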
