Foglight fails to start correctly when fapolicyd is enabled on the server
When attempting to run Foglight on a Linux Operating System with fapolicyd (File Access Policy Daemon) enabled, the process will not start or will start with errors.
-bash: ./fms: Operation not permitted
ERROR [native] Unable to load Java VM shared library to start JVM: /fms_home/jre/lib/amd64/server/libjvm.so: cannot open shared object file: Operation not permitted
FATAL [native] Unable to start Java VM for Foglight, shutting down.
Depending on the configured policies, the process could start, but permission errors for multiple components may be present in the Foglight Management Server logs and impact functionality (e.g. unable to access the Web Console or activate cartridges):
ERROR [http-exec-8] org.apache.jasper.compiler.JDTCompiler - Error loading source file [/fms_home/state/tomcat/work/Catalina/localhost/console/org/apache/jsp/common/login_jsp.java]
java.io.FileNotFoundException: /fms_home/state/tomcat/work/Catalina/localhost/console/org/apache/jsp/common/login_jsp.java (Operation not permitted)
	at java.io.FileInputStream.open0(Native Method)
	at java.io.FileInputStream.open(FileInputStream.java:195)
	at java.io.FileInputStream.<init>(FileInputStream.java:138)
	at java.io.FileInputStream.<init>(FileInputStream.java:93)
	at org.apache.jasper.compiler.JDTCompiler$1CompilationUnit.getContents(JDTCompiler.java:109)
	at org.eclipse.jdt.internal.compiler.parser.Parser.parse(Parser.java:13161)
File access and application execution are being denied by the File Access Policy Daemon (fapolicyd).
The File Access Policy Daemon (fapolicyd) can be used to control access to files and executables based on a set of policies, and by default it will only whitelist applications that have been installed by the system package manager.
As Foglight is not installed by the system package manager, custom rules will need to be added or files marked as trusted in fapolicyd in order to allow access and execution of files under the Foglight installation directories for the Management Server (FMS) and Agent Managers (FglAM).
Note: The debug mode in fapolicyd can be used to identify the Foglight files that are being affected and the rules that are denying access in the environment.
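The following is an added example, not part of the original article or of Foglight's tooling: a shell function that summarises fapolicyd debug-mode output into the denied files under the Foglight installation directory and the rule that denied each one. The function names, the /tmp log path and the sample log lines (including their rule numbers) are constructed for illustration; /fms_home is the installation directory shown in the errors above.

```shell
#!/bin/sh
# Added example. Capture denials with fapolicyd's debug mode (as root):
#   systemctl stop fapolicyd
#   fapolicyd --debug-deny 2> /tmp/fapolicyd-deny.log
#   (reproduce the Foglight start-up failure, press Ctrl+C, restart the service)

# summarize_denials PREFIX < debug-log
# Prints "count rule perm trust path" for every denied path under PREFIX.
# Assumes paths contain no spaces (hypothetical helper, not a fapolicyd tool).
summarize_denials() {
    prefix=$1
    awk -v prefix="$prefix" '
        / dec=deny/ {
            rule = perm = path = trust = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^rule=/)  rule  = substr($i, 6)
                if ($i ~ /^perm=/)  perm  = substr($i, 6)
                if ($i ~ /^path=/)  path  = substr($i, 6)
                if ($i ~ /^trust=/) trust = substr($i, 7)
            }
            # Keep only files below the install directory, not siblings
            # such as /fms_home2.
            if (index(path, prefix "/") != 1) next
            count[rule " " perm " " trust " " path]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k5
}

# Constructed sample of debug-mode output, embedded so the script runs offline.
sample_log() {
cat <<'EOF'
rule=13 dec=deny_audit perm=execute auid=1000 pid=4101 exe=/usr/bin/bash : path=/fms_home/bin/fms ftype=application/x-executable trust=0
rule=13 dec=deny_audit perm=execute auid=1000 pid=4102 exe=/usr/bin/bash : path=/fms_home/bin/fms ftype=application/x-executable trust=0
rule=12 dec=deny_audit perm=open auid=1000 pid=4110 exe=/fms_home/bin/fms : path=/fms_home/jre/lib/amd64/server/libjvm.so ftype=application/x-sharedlib trust=0
rule=13 dec=deny_audit perm=execute auid=1000 pid=4200 exe=/usr/bin/bash : path=/tmp/other.sh ftype=text/x-shellscript trust=0
EOF
}

sample_log | summarize_denials /fms_home
```

A trust=0 value means the file is not in the fapolicyd trust database, and the rule number identifies the rule in the loaded policy that denied the access.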