ICMP stopped working in 29.0.1

Just installed the latest update on my system two days ago and since then everything shows as down for ICMP. I only found one thread regarding ICMP issues and followed all steps to try to get it working again. All pinger libraries are installed and paths are correct. When trying to manually set the pinger instead of using auto detect, the service will start then immediately stop a few seconds later. If I let the system use auto detect, the service will start and stay running but the issue persists.
This is the thread I followed:

Found these messages in the logs but I’m having trouble understanding. They seem to indicate permission issues but I’m starting the opennms service as root the way I always have?

I tried to attach a portion of the manager log but was unable to paste it in here? There are a lot of messages similar to this one:

“2021-11-24 12:15:30,398 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See ICMP - OpenNMS for information on configuring ICMP for non-root.
2021-11-24 12:15:30,401 ERROR [Main] o.o.n.i.AbstractPingerFactory: Unexpected exception thrown while trying to create pinger of type class org.opennms.netmgt.icmp.jni.JniPinger
java.lang.IllegalArgumentException: Unexpected exception thrown while trying to create pinger of type class org.opennms.netmgt.icmp.jni.JniPinger”

Here is some more info from the log:

2021-11-24 12:22:00,866 INFO  [Main] o.o.n.i.b.BestMatchPingerFactory: Found pinger class org.opennms.netmgt.icmp.jna.JnaPinger, but it was unable to ping localhost: IPv4 and IPv6 are not available.
2021-11-24 12:22:00,866 INFO  [Main] o.o.n.i.b.BestMatchPingerFactory: Best available pinger is: class org.opennms.netmgt.icmp.NullPinger
2021-11-24 12:22:00,867 WARN  [Main] o.o.n.i.NullPinger: NullPinger cannot set traffic class.  Ignoring.
2021-11-24 12:22:00,867 INFO  [Main] o.o.n.i.NullPinger: isV4Available() called, lying and saying 'true'
2021-11-24 12:22:00,867 INFO  [Main] o.o.n.i.NullPinger: isV6Available() called, lying and saying 'true'
2021-11-24 12:22:00,867 INFO  [Main] o.o.n.v.Manager: Using ICMP implementation: org.opennms.netmgt.icmp.best.BestMatchPinger
2021-11-24 12:22:00,868 INFO  [Main] o.o.n.v.Manager: IPv4 ICMP available? true
2021-11-24 12:22:00,868 INFO  [Main] o.o.n.v.Manager: IPv6 ICMP available? true

The big difference between any release before 29.x is, we run now as a non-root user. So during the upgrade phase, there are a few things you can verify on your system. If you can tell us your operating system we could probably be a bit more specific. The Kernel version is also interesting. To make this work in general you need to make sure you have the two packages jicmp and jicmp6 from the OpenNMS repository installed. When you run install -dis we search the shared object libraries on your system and persist them to ${OPENNMS_HOME}/etc/libraries.properties. You can easily check if the paths to the *.so files match and really exist on your system. If the files don’t exist, the issue is somewhere in installing the JICMP and JICMP6 packages.

First there should be a system account called opennms. It needs to be the owner of everything including JRobin/RRD files in your ${OPENNMS_HOME} directory. If you have a bigger environment and collect a lot of performance data, changing the ownership in ${OPENNMS_HOME}/share/rrd can really take a while.

The second thing is, by default an application running with a system account can’t open datagram sockets for ICMP. In Linux Kernels 3.10+ there is now a Kernel system control property net.ipv4.ping_group_range. We set it in /etc/sysctl.d/99-opennms-non-root-icmp.conf and the group ID (gid) range set there should match or include the opennms system account’s gid. The command sysctl net.ipv4.ping_group_range will show you the setting in your running kernel.

I hope this helps to troubleshoot the issue in a bit more detail.
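
Added example, not part of the thread or of OpenNMS: a shell check of the ping_group_range condition described in the reply above. It goes slightly beyond the reply by testing every group the account belongs to, since the kernel accepts a supplementary group as well as the primary one. The function names are hypothetical; the account name opennms is taken from the thread.

```shell
#!/bin/sh
# Added example: does an account qualify for unprivileged ICMP datagram
# sockets under net.ipv4.ping_group_range? Function names are hypothetical.

# gid_in_range LOW HIGH GID -> status 0 when LOW <= GID <= HIGH (inclusive).
# The kernel default "1 0" is an empty range, so no gid can match it.
gid_in_range() {
    [ "$1" -le "$3" ] && [ "$3" -le "$2" ]
}

# ping_range_allows "LOW HIGH" GID... -> prints the first gid that lies
# inside the range and returns 0; returns 1 when none of them does.
ping_range_allows() {
    range=$1
    shift
    # Unquoted on purpose: split "LOW HIGH" (the /proc file uses a tab).
    set -- $range "$@"
    low=$1
    high=$2
    shift 2
    for gid in "$@"; do
        if gid_in_range "$low" "$high" "$gid"; then
            echo "$gid"
            return 0
        fi
    done
    return 1
}

# check_account USER -> compares the running kernel's setting with all
# groups of USER (primary and supplementary) and prints a verdict.
check_account() {
    user=${1:-opennms}
    range=$(cat /proc/sys/net/ipv4/ping_group_range 2>/dev/null) || {
        echo "net.ipv4.ping_group_range is not available on this kernel"
        return 2
    }
    gids=$(id -G "$user") || return 2
    if match=$(ping_range_allows "$range" $gids); then
        echo "$user: gid $match is inside ping_group_range ($range)"
    else
        echo "$user: none of [$gids] is inside ping_group_range ($range)"
        return 1
    fi
}

# Run as: sh check-ping-range.sh --check opennms
if [ "${1:-}" = "--check" ]; then
    check_account "${2:-opennms}"
fi
```

A passing result only confirms the sysctl precondition; it says nothing about which socket type the installed pinger library actually requests.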

Thanks for the information to help with troubleshooting. My system is CentOS 8. There is a system account named opennms and it has full permissions to everything in /opt/opennms

This is what shows in /etc/sysctl.d/99-opennms-non-root-icmp.conf and also when I run sysctl net.ipv4.ping_group_range

net.ipv4.ping_group_range = 1 489

Also I already checked to make sure that the required libraries exist and paths are correct as suggested in the other thread I posted above.

When I try to run a ping test from the karaf shell this is what I see

admin@opennms()> ping 192.168.2.1
PING: /192.168.2.1 java.lang.UnsupportedOperationException

Can you share the output for these two commands from the Karaf shell:

admin@opennms()> system:property opennms.library.jicmp
admin@opennms()> system:property opennms.library.jicmp6

As requested here is the output from the commands:

admin@opennms()> system:property opennms.library.jicmp
/usr/lib64/libjicmp.so
admin@opennms()> system:property opennms.library.jicmp6
/usr/lib64/libjicmp6.so

I also checked again to verify the required libraries are present:

$ ls -l /usr/lib64/libjicmp.so
-rwxr-xr-x. 1 root root 15272 Jan 31  2019 /usr/lib64/libjicmp.so

$ ls -l /usr/lib64/libjicmp6.so
-rwxr-xr-x. 1 root root 15264 Jan 31  2019 /usr/lib64/libjicmp6.so

I’m still seeing this in the manager.log when I start opennms. It seems to indicate a permission issue? I already tried the steps suggested for running ICMP as non-root in the wiki.

2021-11-26 10:02:08,153 INFO  [Main] o.o.n.i.b.BestMatchPingerFactory: Searching for best available pinger...
2021-11-26 10:02:08,170 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See https://wiki.opennms.org/wiki/ICMP for information on configuring ICMP for non-root.
2021-11-26 10:02:08,173 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See https://wiki.opennms.org/wiki/ICMP for information on configuring ICMP for non-root.
2021-11-26 10:02:08,173 INFO  [Main] o.o.n.i.b.BestMatchPingerFactory: Found pinger class org.opennms.netmgt.icmp.jni.JniPinger, but it was unable to ping localhost: System error binding ICMP socket to ID 9174 (13, Permission denied)
2021-11-26 10:02:08,173 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See https://wiki.opennms.org/wiki/ICMP for information on configuring ICMP for non-root.
2021-11-26 10:02:08,173 INFO  [Main] o.o.n.i.b.BestMatchPingerFactory: Found pinger class org.opennms.netmgt.icmp.jni.JniPinger, but it was unable to ping localhost: System error binding ICMP socket to ID 9174 (13, Permission denied)
2021-11-26 10:02:08,174 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See https://wiki.opennms.org/wiki/ICMP for information on configuring ICMP for non-root.
2021-11-26 10:02:08,174 INFO  [Main] o.o.n.i.b.BestMatchPingerFactory: Found pinger class org.opennms.netmgt.icmp.jni.JniPinger, but it was unable to ping localhost: System error binding ICMP socket to ID 9174 (13, Permission denied)
2021-11-26 10:02:08,176 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See https://wiki.opennms.org/wiki/ICMP for information on configuring ICMP for non-root.
2021-11-26 10:02:08,192 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See https://wiki.opennms.org/wiki/ICMP for information on configuring ICMP for non-root.
2021-11-26 10:02:08,192 INFO  [Main] o.o.n.i.b.BestMatchPingerFactory: Found pinger class org.opennms.netmgt.icmp.jni6.Jni6Pinger, but it was unable to ping localhost: System error binding ICMP socket to ID 6654 (13, Permission denied)
2021-11-26 10:02:08,193 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See https://wiki.opennms.org/wiki/ICMP for information on configuring ICMP for non-root.
2021-11-26 10:02:08,193 INFO  [Main] o.o.n.i.b.BestMatchPingerFactory: Found pinger class org.opennms.netmgt.icmp.jni6.Jni6Pinger, but it was unable to ping localhost: System error binding ICMP socket to ID 6654 (13, Permission denied)
2021-11-26 10:02:08,198 INFO  [Main] o.o.n.i.b.BestMatchPingerFactory: Found pinger class org.opennms.netmgt.icmp.jni6.Jni6Pinger, but it was unable to ping localhost: System error creating ICMPv6 socket (97, Address family not supported by protocol)
2021-11-26 10:02:08,215 DEBUG [Main] o.o.j.j.NativeDatagramSocket: org.opennms.jicmp.jna.UnixV4NativeSocket(2, 1, 20160)
2021-11-26 10:02:08,309 DEBUG [Main] o.o.j.j.NativeDatagramSocket: Failed to create class org.opennms.jicmp.jna.UnixV4NativeSocket SOCK_DGRAM socket (null).  Trying with SOCK_RAW.
2021-11-26 10:02:08,310 DEBUG [Main] o.o.n.i.j.JnaIcmpMessenger: Unable to initialize IPv4 Pinger.
java.lang.reflect.InvocationTargetException: null
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
	at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
	at java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[?:?]
	at org.opennms.jicmp.jna.NativeDatagramSocket.create(NativeDatagramSocket.java:94) ~[org.opennms.core.icmp-jna-29.0.1.jar:?]
	at org.opennms.netmgt.icmp.jna.V4Pinger.<init>(V4Pinger.java:57) ~[opennms-icmp-jna-29.0.1.jar:?]
	at org.opennms.netmgt.icmp.jna.JnaIcmpMessenger.<init>(JnaIcmpMessenger.java:58) [opennms-icmp-jna-29.0.1.jar:?]
	at org.opennms.netmgt.icmp.jna.JnaPinger.initialize(JnaPinger.java:72) [opennms-icmp-jna-29.0.1.jar:?]
	at org.opennms.netmgt.icmp.jna.JnaPinger.isV4Available(JnaPinger.java:101) [opennms-icmp-jna-29.0.1.jar:?]
	at org.opennms.netmgt.icmp.best.BestMatchPingerFactory.tryPinger(BestMatchPingerFactory.java:72) [opennms-icmp-best-29.0.1.jar:?]
	at org.opennms.netmgt.icmp.best.BestMatchPingerFactory.findPinger(BestMatchPingerFactory.java:137) [opennms-icmp-best-29.0.1.jar:?]
	at org.opennms.netmgt.icmp.best.BestMatchPinger.initialize(BestMatchPinger.java:129) [opennms-icmp-best-29.0.1.jar:?]
	at org.opennms.netmgt.icmp.best.BestMatchPinger.isV4Available(BestMatchPinger.java:101) [opennms-icmp-best-29.0.1.jar:?]
	at org.opennms.netmgt.vmmgr.Manager.testPinger(Manager.java:258) [org.opennms.core.daemon-29.0.1.jar:?]
	at org.opennms.netmgt.vmmgr.Manager.doTestLoadLibraries(Manager.java:242) [org.opennms.core.daemon-29.0.1.jar:?]
	at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
	at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
	at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
	at sun.reflect.misc.Trampoline.invoke(MethodUtil.java:71) [?:?]
	at jdk.internal.reflect.GeneratedMethodAccessor4.invoke(Unknown Source) ~[?:?]
	at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
	at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
	at sun.reflect.misc.MethodUtil.invoke(MethodUtil.java:260) [?:?]
	at com.sun.jmx.mbeanserver.StandardMBeanIntrospector.invokeM2(StandardMBeanIntrospector.java:112) [?:?]
	at com.sun.jmx.mbeanserver.StandardMBeanIntrospector.invokeM2(StandardMBeanIntrospector.java:46) [?:?]
	at com.sun.jmx.mbeanserver.MBeanIntrospector.invokeM(MBeanIntrospector.java:237) [?:?]
	at com.sun.jmx.mbeanserver.PerInterface.invoke(PerInterface.java:138) [?:?]
	at com.sun.jmx.mbeanserver.MBeanSupport.invoke(MBeanSupport.java:252) [?:?]
	at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:809) [?:?]
	at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:801) [?:?]
	at org.opennms.netmgt.vmmgr.Invoker.invoke(Invoker.java:277) [org.opennms.core.daemon-29.0.1.jar:?]
	at org.opennms.netmgt.vmmgr.Invoker.invokeMethods(Invoker.java:206) [org.opennms.core.daemon-29.0.1.jar:?]
	at org.opennms.netmgt.vmmgr.Starter.start(Starter.java:157) [org.opennms.core.daemon-29.0.1.jar:?]
	at org.opennms.netmgt.vmmgr.Starter.startDaemon(Starter.java:95) [org.opennms.core.daemon-29.0.1.jar:?]
	at org.opennms.netmgt.vmmgr.Controller.start(Controller.java:173) [org.opennms.core.daemon-29.0.1.jar:?]
	at org.opennms.netmgt.vmmgr.Controller.main(Controller.java:150) [org.opennms.core.daemon-29.0.1.jar:?]
	at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
	at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
	at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
	at org.opennms.bootstrap.Bootstrap$4.run(Bootstrap.java:531) [opennms_bootstrap.jar:?]
	at java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: com.sun.jna.LastErrorException: [1] Operation not permitted
	at org.opennms.jicmp.jna.UnixV4NativeSocket.socket(Native Method) ~[org.opennms.core.icmp-jna-29.0.1.jar:?]
	at org.opennms.jicmp.jna.UnixV4NativeSocket.<init>(UnixV4NativeSocket.java:55) ~[org.opennms.core.icmp-jna-29.0.1.jar:?]
	... 43 more

The article running as non-root from the wiki is for Horizon < 29. With Horizon > 29 it will run as the opennms system user. Can you ensure everything in /opt/opennms is owned by the opennms system user and the process tries to run as the user opennms when you verify it with ps aux?

Permissions seem to be ok and process is running as the opennms user:

 ls -l /opt/opennms
total 136
drwxrwxr-x.  2 opennms opennms  4096 Nov 23 08:09 bin
drwxrwxr-x. 11 opennms opennms  4096 Nov 23 08:09 contrib
drwxrwxr-x.  7 opennms opennms  4096 Nov 24 11:12 data
drwxrwxr-x.  2 opennms opennms  4096 Nov 23 08:09 deploy
drwxrwxr-x. 27 opennms opennms 12288 Nov 24 12:21 etc
drwxrwxr-x.  2 opennms opennms  4096 Dec 11  2019 instances
drwxr-xr-x.  4 opennms opennms  4096 Nov 19 13:43 jetty-webapps
-rw-rw-r--.  1 opennms opennms     6 Nov 26 10:03 karaf.pid
drwxrwxr-x.  6 opennms opennms 90112 Nov 23 08:10 lib
lrwxrwxrwx.  1 opennms opennms    16 Nov 23 08:10 logs -> /var/log/opennms
lrwxrwxrwx.  1 opennms opennms    12 Nov 23 08:10 share -> /var/opennms
drwxrwxr-x. 30 opennms opennms  4096 Nov 23 08:10 system

opennms   341992  0.0  0.0  24644  2548 ?        S    10:02   0:00 bash /etc/init.d/opennms -s start
opennms   341993 44.9 25.3 6433092 1819456 ?     Sl   10:02  10:29 /usr/lib/jvm/java-11-openjdk-11.0.13.0.8-3.el8_5.x86_64/bin/java --add-mo

2021-11-26 10:02:08,170 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See https://wiki.opennms.org/wiki/ICMP for information on configuring ICMP for non-root.
2021-11-26 10:02:08,173 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See https://wiki.opennms.org/wiki/ICMP for information on configuring ICMP for non-root.
2021-11-26 10:02:08,173 INFO  [Main] o.o.n.i.b.BestMatchPingerFactory: Found pinger class org.opennms.netmgt.icmp.jni.JniPinger, but it was unable to ping localhost: System error binding ICMP socket to ID 9174 (13, Permission denied)
2021-11-26 10:02:08,173 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See https://wiki.opennms.org/wiki/ICMP for information on configuring ICMP for non-root.
2021-11-26 10:02:08,173 INFO  [Main] o.o.n.i.b.BestMatchPingerFactory: Found pinger class org.opennms.netmgt.icmp.jni.JniPinger, but it was unable to ping localhost: System error binding ICMP socket to ID 9174 (13, Permission denied)
2021-11-26 10:02:08,174 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See https://wiki.opennms.org/wiki/ICMP for information on configuring ICMP for non-root.
2021-11-26 10:02:08,174 INFO  [Main] o.o.n.i.b.BestMatchPingerFactory: Found pinger class org.opennms.netmgt.icmp.jni.JniPinger, but it was unable to ping localhost: System error binding ICMP socket to ID 9174 (13, Permission denied)
2021-11-26 10:02:08,176 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See https://wiki.opennms.org/wiki/ICMP for information on configuring ICMP for non-root.
2021-11-26 10:02:08,192 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See https://wiki.opennms.org/wiki/ICMP for information on configuring ICMP for non-root.

The messages above show that there is a problem opening the datagram ports in the Kernel from the OpenNMS user. Can you verify the OpenNMS group ID is the same or is in the range 489?

The group ID is in the range:

$ id opennms
uid=489(opennms) gid=489(opennms) groups=489(opennms)

I don’t see anything in the post about what distro you’re running, but if it’s EL7 or equivalent, the 3.10 kernel doesn’t have support for net.ipv4.ping_group_range. You’ll have to setcap cap_net_raw+ep /path/to/your/bin/java instead.

It’s in one of the replies above. CentOS 8.

@GTrevize8 can you try what @dino2gnt suggested? Give java the capability to bind to raw sockets with:

setcap cap_net_raw+ep /path/to/your/bin/java

Here are the results of making the changes suggested by @dino2gnt .

I stopped the opennms service before running the command.

$ sudo setcap cap_net_raw+ep /usr/lib/jvm/java-11-openjdk-11.0.13.0.8-3.el8_5.x86_64/bin/java

$ getcap /usr/lib/jvm/java-11-openjdk-11.0.13.0.8-3.el8_5.x86_64/bin/java
/usr/lib/jvm/java-11-openjdk-11.0.13.0.8-3.el8_5.x86_64/bin/java = cap_net_raw+ep

I then tried to start the opennms service again but it fails.


● opennms.service - OpenNMS server
   Loaded: loaded (/usr/lib/systemd/system/opennms.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2021-11-30 10:45:59 EST; 24s ago
  Process: 652136 ExecStop=/etc/init.d/opennms stop (code=exited, status=0/SUCCESS)
  Process: 654093 ExecStart=/etc/init.d/opennms -s start (code=exited, status=1/FAILURE)
 Main PID: 641096

Nov 30 10:45:58 SHS1 systemd[1]: Starting OpenNMS server...
Nov 30 10:45:59 SHS1 opennms[654093]: Starting OpenNMS: WARNING: unsure how to handle Java version output:
Nov 30 10:45:59 SHS1 opennms[654093]: /opt/opennms/bin/find-java.sh: line 23: [: : integer expression expected
Nov 30 10:45:59 SHS1 opennms[654093]: /opt/opennms/bin/find-java.sh: line 25: [: : integer expression expected
Nov 30 10:45:59 SHS1 opennms[654093]: /usr/lib/jvm/java-11-openjdk-11.0.13.0.8-3.el8_5.x86_64/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No >
Nov 30 10:45:59 SHS1 systemd[1]: opennms.service: Control process exited, code=exited status=1
Nov 30 10:45:59 SHS1 opennms[654093]: Unknown value return from doStatus: 127
Nov 30 10:45:59 SHS1 opennms[654093]: [FAILED]
Nov 30 10:45:59 SHS1 systemd[1]: opennms.service: Failed with result 'exit-code'.
Nov 30 10:45:59 SHS1 systemd[1]: Failed to start OpenNMS server.

I noticed the output mentioned a missing library, libjli.so, but when I searched for the file I found it in two places.

/usr/lib/jvm/java-11-openjdk-11.0.13.0.8-3.el8_5.x86_64/lib/jli/libjli.so
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/lib/amd64/jli/libjli.so

I ran find-java.sh as a normal user and it fails, but then I ran it again as root and it finds a different java.

$ /opt/opennms/bin/find-java.sh
WARNING: unsure how to handle Java version output:
/opt/opennms/bin/find-java.sh: line 23: [: : integer expression expected
/opt/opennms/bin/find-java.sh: line 25: [: : integer expression expected

$ sudo /opt/opennms/bin/find-java.sh
/opt/APC/PowerChuteBusinessEdition/jre


I tried reversing the changes to the java capabilities and the opennms service successfully started again

sudo setcap cap_net_raw-ep /usr/lib/jvm/java-11-openjdk-11.0.13.0.8-3.el8_5.x86_64/bin/java

$ sudo systemctl status opennms
● opennms.service - OpenNMS server
   Loaded: loaded (/usr/lib/systemd/system/opennms.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-11-30 11:24:38 EST; 1min 54s ago
  Process: 652136 ExecStop=/etc/init.d/opennms stop (code=exited, status=0/SUCCESS)
  Process: 660392 ExecStart=/etc/init.d/opennms -s start (code=exited, status=0/SUCCESS)
 Main PID: 661539 (java)
    Tasks: 429 (limit: 43338)
   Memory: 1.5G
   CGroup: /system.slice/opennms.service
           ├─661538 bash /etc/init.d/opennms -s start
           └─661539 /usr/lib/jvm/java-11-openjdk-11.0.13.0.8-3.el8_5.x86_64/bin/java --add-modules=java.base,java.compiler,java.datatransfer,java.desktop,java.instrument,java.logging,java.>

Nov 30 11:24:30 SHS1 systemd[1]: Starting OpenNMS server...
Nov 30 11:24:38 SHS1 systemd[1]: opennms.service: Can't open PID file /opt/opennms/logs/opennms.pid (yet?) after start: No such file or directory
Nov 30 11:24:38 SHS1 systemd[1]: opennms.service: Supervising process 661539 which is not our child. We'll most likely not notice when it exits.
Nov 30 11:24:38 SHS1 systemd[1]: Started OpenNMS server.

yeap.

echo "/usr/lib/jvm/java-11-openjdk-11.0.13.0.8-3.el8_5.x86_64//lib/jli" > /etc/ld.so.conf.d/java.conf
ldconfig

Was the double // a typo?
Should I run this then add the capabilities to the java again?
What does this do? Is this basically just telling java where to find the libraries?

yeah :slight_smile:

Exactly.

There may be one other location that needs to be in ldconfig, I don’t have a setcap nonroot environment in front of me at the moment.

@dino2gnt

I think that did the trick. I’m starting to see some ICMP outages being cleared from my board. I think now it’s just a matter of waiting for everything to be polled again. :crossed_fingers:

Thanks very much to you and @indigo for taking the time to help me with this issue.

@dino2gnt

Are the capabilities applied with setcap persistent across reboots or is something else needed to make them permanent?

Also is there a way to force an ICMP check on a node? About half of my nodes still show as down for ICMP.

It’s permanent, with caveats:

  • It’s path specific, so if you reference the java binary through an alternate path, it won’t have the caps
  • java paths on Cent/RHEL are also version specific, so if you update java, the path to the binary will change, so no caps

I tend to use runjava -S /path/to/java and point to one of the non-versioned, symlinked paths, e.g. /usr/lib/jvm/jre-11-openjdk/bin/java and setcap that, so it doesn’t lose the cap on updates.
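
Added example, not part of the thread or of OpenNMS: a shell audit to re-run after a Java update, covering the two things this thread had to fix by hand, namely cap_net_raw on the binary that is really executed and the libjli.so directory in the loader configuration. The ld.so.conf.d entry is needed because a binary with file capabilities runs in the dynamic loader's secure-execution mode, where the binary-relative library path java normally relies on is not honoured. Function names are hypothetical; pass the java path your installation uses.

```shell
#!/bin/sh
# Added example: audit a setcap'd java binary. Function names are hypothetical.

# norm_path P -> P with repeated slashes squeezed and a trailing slash removed.
norm_path() {
    printf '%s\n' "$1" | sed -e 's://*:/:g' -e 's:\(.\)/$:\1:'
}

# has_net_raw LINE -> status 0 when one line of getcap output grants
# cap_net_raw as effective+permitted ("= cap_net_raw+ep" or "cap_net_raw=ep").
has_net_raw() {
    case $1 in
        *cap_net_raw*[+=]ep*|*cap_net_raw*[+=]eip*) return 0 ;;
        *) return 1 ;;
    esac
}

# jli_dir_for_java JAVA -> prints the directory that holds libjli.so for the
# JVM that JAVA resolves to (symlinks followed), or returns 1 if not found.
jli_dir_for_java() {
    real=$(readlink -f "$1") || return 1
    home=$(dirname "$(dirname "$real")")
    lib=$(find "$home" -type f -name libjli.so 2>/dev/null | head -n 1)
    [ -n "$lib" ] || return 1
    dirname "$lib"
}

# ldconf_lists_dir DIR [CONF_DIR] -> status 0 when a *.conf file in CONF_DIR
# has a line naming DIR (paths compared after normalisation, so "//" is fine).
ldconf_lists_dir() {
    want=$(norm_path "$1")
    conf_dir=${2:-/etc/ld.so.conf.d}
    for f in "$conf_dir"/*.conf; do
        [ -r "$f" ] || continue
        while IFS= read -r line; do
            if [ "$(norm_path "$line")" = "$want" ]; then return 0; fi
        done < "$f"
    done
    return 1
}

# audit_java JAVA [CONF_DIR] -> prints one OK/FAIL line per check and
# returns non-zero if either check fails.
audit_java() {
    java=$1
    conf_dir=${2:-/etc/ld.so.conf.d}
    rc=0
    real=$(readlink -f "$java")
    caps=$(getcap "$real" 2>/dev/null || true)
    if has_net_raw "$caps"; then
        echo "OK   cap_net_raw on $real"
    else
        echo "FAIL no cap_net_raw on $real (setcap again after a Java update)"
        rc=1
    fi
    jli=$(jli_dir_for_java "$java" || true)
    if [ -n "$jli" ] && ldconf_lists_dir "$jli" "$conf_dir"; then
        echo "OK   $jli is listed in $conf_dir"
    else
        echo "FAIL ${jli:-libjli.so directory} not listed in $conf_dir"
        rc=1
    fi
    return $rc
}

# Run as: sh audit-java-caps.sh --audit /path/to/your/bin/java
if [ "${1:-}" = "--audit" ]; then audit_java "$2"; fi
```

A file capability belongs to the binary, so every account that can execute that java gets cap_net_raw, not only opennms.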