runlpcmd Command

Purpose

Runs a least-privilege (LP) resource.

Syntax

To run an LP resource:
  • On the local node:

    runlpcmd -N resource_name | RunCmdName [-h] [-TV] ["flags_and_parms"]

  • On all nodes in a domain:

    runlpcmd -a -N resource_name | RunCmdName [-h] [-TV] ["flags_and_parms"]

  • On a subset of nodes in a domain:

    runlpcmd -n host1 [,host2,…] -N resource_name | RunCmdName [-h] [-TV] ["flags_and_parms"]

Description

The runlpcmd command runs an LP resource, which is a root command or script to which users are granted access based on permissions in the LP access control lists (ACLs). You can use the runlpcmd command to call the LP command corresponding to a particular RunCmdName value with access permissions that match the permissions of the calling user. When runlpcmd is called with the -N flag, the LP command that is specified by the resource_name parameter is run. Specify all parameters and flags needed for command invocation using the flags_and_parms parameter. If this parameter is not specified, an empty string is passed to the LP command. This is the default.

If the CheckSum attribute value is 0, runlpcmd returns an error if the ControlFlags value is set to check for CheckSum; otherwise, no errors are returned. If the ControlFlags attribute of the LP command was set to validate the CheckSum before the LP command is run, runlpcmd performs that check. The command is run only if the calculated CheckSum matches the value of the corresponding CheckSum attribute. If the two do not match, the command is rejected. If, however, the ControlFlags attribute is set to the default value, CheckSum validation is not performed.

You can specify the RunCmdName parameter along with the -N resource_name flag and parameter combination. However, one restriction applies when you use the RunCmdName parameter. If more than one resource matches the RunCmdName value and the permissions of the calling user, runlpcmd returns an error. If one match exists for the RunCmdName value and the permissions of the calling user, runlpcmd RunCmdName returns successfully. In order to circumvent this restriction, runlpcmd also lets users run LP commands by specifying their unique names, using the -N resource_name flag and parameter combination.

Before calling the LP command, runlpcmd checks to see if a FilterScript value exists. If so, it passes the FilterArg value and the flags_and_parms parameter string specified on the command line to FilterScript. If FilterScript returns a 0, runlpcmd calls the LP command. If FilterScript execution resulted in a non-zero value, runlpcmd returns an error. If FilterScript was empty, runlpcmd performs some checks, as specified in ControlFlags, and then calls the LP command directly.
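
As an added illustration of the FilterScript step (not part of the IBM documentation), the following sh filter treats FilterArg as a comma-separated allowlist of flags and rejects any flags_and_parms string that contains other flags or shell metacharacters. It assumes that runlpcmd hands FilterArg to the filter as $1 and flags_and_parms as $2; the filter_check function and the sample strings are constructed for this example.

```shell
#!/bin/sh
# Added example, not IBM code: a FilterScript for a hypothetical LP resource.
# Assumption: runlpcmd calls the filter with FilterArg as $1 and the caller's
# flags_and_parms string as $2. FilterArg is used here as a comma-separated
# allowlist of flags, for example "-a,-p".
LC_ALL=C; export LC_ALL    # keep the A-Z / a-z ranges below byte-exact

filter_check() {
    allowed=$1    # FilterArg
    input=$2      # flags_and_parms as typed by the calling user

    # An omitted flags_and_parms arrives as an empty string: nothing to vet.
    if [ -z "$input" ]; then return 0; fi

    # The LP command runs as root, so refuse every character outside a small
    # safe set (no quotes, ;, |, &, $, backticks, redirections, slashes).
    case $input in
        *[!A-Za-z0-9_.\ -]*) return 1 ;;
    esac

    # Every word that looks like a flag must appear in the allowlist.
    set -f                      # no pathname expansion while splitting
    for word in $input; do
        case $word in
            -*) case ",$allowed," in
                    *",$word,"*) ;;
                    *) set +f; return 1 ;;
                esac ;;
        esac
    done
    set +f
    return 0
}

# Entry point when installed as the FilterScript: exit 0 lets runlpcmd call
# the LP command, any other status makes runlpcmd return an error.
if [ "$#" -gt 0 ]; then
    filter_check "$1" "${2-}"
    exit $?
fi

# No arguments: check constructed sample strings against the allowlist -a,-p.
for s in '-a -p User Group' '-a -x User' '-p User;Group'; do
    if filter_check '-a,-p' "$s"; then echo "allow:  $s"; else echo "reject: $s"; fi
done
```

Combined flags such as -ap are rejected unless they are listed in FilterArg exactly as typed, which keeps the allowlist explicit.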

The output of this command may include "RC=return_code" as the last line.

This command runs on any node. If you want this command to run on all of the nodes in a domain, use the -a flag. If you want this command to run on a subset of nodes in a domain, use the -n flag. Otherwise, this command runs on the local node.

Flags

-a
Changes one or more resources on all nodes in the domain. The CT_MANAGEMENT_SCOPE environment variable's setting determines the cluster scope. If CT_MANAGEMENT_SCOPE is not set, the LP resource manager uses scope settings in this order:
  1. The management domain, if it exists
  2. The peer domain, if it exists
  3. Local scope
The runlpcmd command runs once for the first valid scope that the LP resource manager finds. For example, suppose a management domain and a peer domain exist and the CT_MANAGEMENT_SCOPE environment variable is not set. In this case, runlpcmd -a runs in the management domain. To run runlpcmd -a in the peer domain, you must set CT_MANAGEMENT_SCOPE to 2.
-n host1[,host2,…]
Specifies the node or nodes in the domain on which the LP resource is to be changed. By default, the LP resource is changed on the local node. The -n flag is valid only in a management or peer domain. If the CT_MANAGEMENT_SCOPE variable is not set, the LP resource manager uses scope settings in this order:
  1. The management domain, if it exists
  2. The peer domain, if it exists
  3. Local scope

The runlpcmd command runs once for the first valid scope that the LP resource manager finds.

-N resource_name
Specifies the name of the LP resource that you want to run on one or more nodes in the domain.
-h
Writes the command's usage statement to standard output.
-T
Writes the command's trace messages to standard error.
-V
Writes the command's verbose messages to standard output.

Parameters

RunCmdName
Specifies the name of the LP resource that you want to run on one or more nodes in the domain.
"flags_and_parms"
Specifies the flags and parameters that are required input for the LP command or script. If this parameter is not specified, an empty string is passed to the LP command. This is the default.

Security

To run the runlpcmd command, you need:
  • read permission in the Class ACL of the IBM.LPCommands resource class.
  • execute permission in the Resource ACL.

    As an alternative, the Resource ACL can direct the use of the Resource Shared ACL if this permission exists in the Resource Shared ACL.

Permissions are specified in the LP ACLs on the contacted system. See the lpacl file for general information about LP ACLs and the RSCT Administration Guide for information about modifying them.

Exit Status

0
The command has run successfully.
1
An error occurred with RMC.
2
An error occurred with the command-line interface (CLI) script.
3
An incorrect flag was specified on the command line.
4
An incorrect parameter was specified on the command line.
5
An error occurred with RMC that was based on incorrect command-line input.
6
The resource was not found.

Environment Variables

CT_CONTACT
Determines the system that is used for the session with the RMC daemon. When CT_CONTACT is set to a host name or IP address, the command contacts the RMC daemon on the specified host. If the environment variable is not set, the command contacts the RMC daemon on the local system where the command is being run. The target of the RMC daemon session and the management scope determine the LP resources that are processed.
CT_MANAGEMENT_SCOPE
Determines the management scope that is used for the session with the RMC daemon to process the LP resources. The management scope determines the set of possible target nodes where the resources can be processed. The valid values are:
0
Specifies local scope.
1
Specifies local scope.
2
Specifies peer domain scope.
3
Specifies management domain scope.

If this environment variable is not set, local scope is used.

Implementation Specifics

This command is part of the Reliable Scalable Cluster Technology (RSCT) fileset for AIX®.

Standard Output

When the -h flag is specified, this command's usage statement is written to standard output. When the -V flag is specified, this command's verbose messages are written to standard output.

Standard Error

All trace messages are written to standard error.

Examples

To run the LP resource called LP1, which has required input flags and parameters -a -p User Group, enter:
runlpcmd LP1 "-a -p User Group"

Location

/opt/rsct/bin/runlpcmd
Contains the runlpcmd command