Executing service check as postgres user vs root

[awilson]

Hi. We have a few filesystem checks where the mount point is owned by the postgres user. It appears that the service checks that use sudo only sudo to root and don't have options to sudo to specified users. Have I misunderstood how those checks work?

The nagios user receives access permission errors. The business owners are not inclined to change the filesystem permissions.

Thanks!

[lmiltchev]

We were able to come up with a "workaround" in our test environment, but your mileage may vary. I hope the example below can at least point you to the right direction.

On the remote system, we set up a mountpoint, owned by postgres:

Code: Select all

df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg_nagiosxi-lv_root
                       37G  9.0G   27G  26% /
tmpfs                 3.9G     0  3.9G   0% /dev/shm
/dev/sda1             477M  126M  327M  28% /boot
tmpfs                 512M     0  512M   0% /root/postgresdirnew

ls -lad /root/postgresdirnew
drwxrwxrwt. 2 postgres postgres 40 Aug 22 09:43 /root/postgresdirnew

We set up a wrapper script, named check_postgrespartion.sh, placed it in the plugins directory and made it executable:

Code: Select all

#!/bin/bash

(su postgres; /usr/local/nagios/libexec/check_disk $@)

We set up a NRPE command in the /usr/local/nagios/etc/nrpe/common.cfg file:

Code: Select all

command[check_disk_postgres]=sudo /usr/local/nagios/libexec/check_postgrespartion.sh $ARG1$

added the following line to the sudoers:

Code: Select all

nagios ALL=NOPASSWD: /usr/local/nagios/libexec/check_postgrespartion.sh *

and restarted NRPE:

Code: Select all

service nrpe restart

Next, we tested it by running the following command from the CLI on the Nagios XI server:

Code: Select all

/usr/local/nagios/libexec/check_nrpe -H x.x.x.x -c check_disk_postgres -a '-w 10% -c 5% -p /root/postgresdirnew'
DISK OK - free space: /root/postgresdirnew 512 MB (100.00% inode=100%);| /root/postgresdirnew=0MB;460;486;0;512

Hope this helps.

[awilson]

Thanks. I'll test this and reply.
Thanks for working on it.

[lmiltchev]

Sure - let us know how it went. We will keep this topic open for the time being.

[awilson]

Hi. I'm just getting back to this. Before getting your reply I asked the server team to do the following:

Code: Select all

1. On the REMOTE server Please copy /usr/local/nagios/libexec/check_disk to /usr/local/nagios/libexec/check_disk_pgsql 
2. Add the nagios user to the REMOTE server's sudoers file with "nagios ALL = NOPASSWD:/usr/local/nagios/libexec/check_disk_pgsql 
3. Please close the task to indicate that the task is completed 
Then the Nagios team will alter the service check parameter so that $ARG1$ references the new check_disk_pgsql copy that is referenced in the sudoers file. 

They did what I asked. Is this salvageable, or should I start over with the wrapper script?

Thanks!

[lmiltchev]

This should work.

Are you going to be running the check locally (on the remote machine), then sending passive check results to the Nagios XI server or you are planning on using active checks, e.g. check_nrpe?

[awilson]

It will be using active checks.

It is ok to close this. Thanks.

[lmiltchev]

Sounds good! I am closing this topic.