IBM Support

QRadar: Deploy changes Failed: FileNotFoundException: /store/tmp/status/addhost.txt (Permission denied)

Troubleshooting


Problem

This article explains how to diagnose and resolve when deployment changes fail, especially for the console, due to the FileNotFoundException for files under the /store/tmp directory.
 

Symptom

When you perform the deployment changes, it directly goes into an error state. And found the following error traces in the qradar.log.
127.0.0.1 [tomcat.tomcat] [xxxxxxxx (1030) /console/JSON-RPC/QRadar.scheduleDeployment QRadar.scheduleDeployment] java.io.FileNotFoundException: /store/tmp/status/addhost.txt (Permission denied)
127.0.0.1 [tomcat.tomcat] [xxxxxxxx (5985) /console/JSON-RPC/QRadar.scheduleDeployment QRadar.scheduleDeployment] java.io.FileNotFoundException: /store/tmp/forensics.yar (Permission denied)
 

Cause

This issue happens because the folder /store/tmp is not a symbolic link to /storetmp. Also, its permission is compared to the /storetmp folder.

Diagnosing The Problem

Use the command ls -l to check whether a symbolic link is created, and the owner must be nobody: nobody. If the output of ls -l /store/tmp is not the same as the following, you need to check the Resolving the problem section.
 
[root@xxxxx~]# ls -l /store/tmp
lrwxrwxrwx 1 nobody nobody 10 Jan  4  2022 /store/tmp -> /storetmp

Resolving The Problem

Follow the following steps to resolve the issue.
 

  1. On the Console, stop the services first:

    # systemctl stop hostcontext
# systemctl stop tomcat

     

    NOTE: 

    -> GUI will be unavailable for 5-10 minutes since it is restarting.
    -> Refer below document for impact of restarting core services. Kindly schedule downtime while performing the workaround.
    QRadar: Core services and the impact of restarting services

  2. Create the following backup directory and move the /store/tmp directory.

    mkdir /store/ibm_support/
mv /store/tmp /store/ibm_support/

  3. Create a new Symbolic link by using the following command.

    # ln -s /storetmp /store/tmp

  4. Change ownership of /store/tmp and /store/tmp/status.

    # chown -h nobody:nobody /store/tmp
# chown -h nobody:nobody /store/tmp/status

  5. Check  /store/tmp is a symbolic link, and the owner is nobody.

    # ls -l /store/tmp
lrwxrwxrwx 1 nobody nobody 10 Jan  4  2022 /store/tmp -> /storetmp/

  6. Restart services in sequence.

    systemctl restart hostservices
systemctl start tomcat
systemctl start hostcontext
  7. Perform the deployment changes.
     
 
  • Result
    After you assign the symbolic link and required ownership, deployment changes will be completed successfully.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtNAAQ","label":"Deployment"}],"ARM Case Number":"TS012772811","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
29 August 2023

UID

ibm17001779

Page Feedback