Hi all,
I have a plugin on a remote server that I am using for multiple checks. A few of these checks require that I switch user due to permissions. I have been trying to work around this using sudo, aliases etc but so far have not had any luck. I thought about changing the [plugin directives] in ncpa.cfg, but I only need 1 or 2 specific checks to run as a user other than nagios. I was wondering if anyone has come up with a solution for this?
Running remote plugin with check_ncpa.py as another user
Re: Running remote plugin with check_ncpa.py as another user
skynardo,
What happened when you ran sudo plugin?
-Yancy
What happened when you ran sudo plugin?
-Yancy
Re: Running remote plugin with check_ncpa.py as another user
I didn't see a way to configure the check_ncpa.py command definition so that it first issued sudo since the -M option needs to begin with agent/plugin/check_postgres.pl
To try and work around this, I created a run_check_postgres_as_postgres.sh script on my ncpa client which does the sudo and runs the plugin as the postgres user. When looking at the ncpa_listener.log, things appear to be getting executed correctly, but the Service shows (no output returned from plugin) on my Nagios server.
define command{
command_name check_postgres_checkpoint
command_line $USER1$/check_ncpa.py -H devut517 -t mytoken -M agent/plugin/run_check_postgres_as_postgres.sh/--action\ checkpoint\ -w\ 200\ -c\ 500\
--assume-prod
}
define service{
use generic-service
host_name devut517
check_command check_postgres_checkpoint
service_description check_postgres_checkpoint
}
ncpa_listener.log
2013-11-04 15:00:24,124 40648 DEBUG Running process with command line: ['/bin/sh', '/usr/local/nagios/libexec/run_check_postgres_as_postgres.sh', '--action', 'checkpoint', '-w', '200', '-c', '500', '--assume-prod']
2013-11-04 15:00:24,137 40648 INFO 10.204.240.28 - - [04/Nov/2013 15:00:24] "GET /api/agent/plugin/run_check_postgres_as_postgres.sh/--action%20checkpoint%20-w%20200%20-c%20500%20--assume-prod?token=mytoken&check=1 HTTP/1.0" 200 -
manually running the shell script on the client as the nagios user:
[nagios@devut517 home]$ /usr/local/nagios/libexec/run_check_postgres_as_postgres.sh --action checkpoint -w 200 -c 500 --assume-prod
/usr/local/nagios/libexec/run_check_postgres_as_postgres.sh: line 11: export: `/usr/local/nagios/libexec/check_postgres.pl': not a valid identifier
POSTGRES_CHECKPOINT WARNING: Last checkpoint was 260 seconds ago | age=260;200;500 mode=MASTER
To try and work around this, I created a run_check_postgres_as_postgres.sh script on my ncpa client which does the sudo and runs the plugin as the postgres user. When looking at the ncpa_listener.log, things appear to be getting executed correctly, but the Service shows (no output returned from plugin) on my Nagios server.
define command{
command_name check_postgres_checkpoint
command_line $USER1$/check_ncpa.py -H devut517 -t mytoken -M agent/plugin/run_check_postgres_as_postgres.sh/--action\ checkpoint\ -w\ 200\ -c\ 500\
--assume-prod
}
define service{
use generic-service
host_name devut517
check_command check_postgres_checkpoint
service_description check_postgres_checkpoint
}
ncpa_listener.log
2013-11-04 15:00:24,124 40648 DEBUG Running process with command line: ['/bin/sh', '/usr/local/nagios/libexec/run_check_postgres_as_postgres.sh', '--action', 'checkpoint', '-w', '200', '-c', '500', '--assume-prod']
2013-11-04 15:00:24,137 40648 INFO 10.204.240.28 - - [04/Nov/2013 15:00:24] "GET /api/agent/plugin/run_check_postgres_as_postgres.sh/--action%20checkpoint%20-w%20200%20-c%20500%20--assume-prod?token=mytoken&check=1 HTTP/1.0" 200 -
manually running the shell script on the client as the nagios user:
[nagios@devut517 home]$ /usr/local/nagios/libexec/run_check_postgres_as_postgres.sh --action checkpoint -w 200 -c 500 --assume-prod
/usr/local/nagios/libexec/run_check_postgres_as_postgres.sh: line 11: export: `/usr/local/nagios/libexec/check_postgres.pl': not a valid identifier
POSTGRES_CHECKPOINT WARNING: Last checkpoint was 260 seconds ago | age=260;200;500 mode=MASTER
-
sreinhardt
- -fno-stack-protector
- Posts: 4366
- Joined: Mon Nov 19, 2012 12:10 pm
Re: Running remote plugin with check_ncpa.py as another user
Well I think we need to resolve the error on your script first. Line 11 it says. Additionally, could you post a copy of the script so we know what we are looking at?
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
Re: Running remote plugin with check_ncpa.py as another user
my fault, here is the current version, minus the typo I had on the export line.
The initial version was just passing $plugin_args to this script as $1 but had same results.
[nagios@devut517 ~]$ cat /usr/local/nagios/libexec/run_check_postgres_as_postgres.sh
#!/bin/sh
arg1=$1
arg2=$2
arg3=$3
arg4=$4
arg5=$5
arg6=$6
arg7=$7
plugin_name=/usr/local/nagios/libexec/check_postgres.pl
export plugin_name
echo "plugin_name is $plugin_name, 1 is $arg1 2 is $arg2 3 is $arg3 4 is $arg4 5 is $arg5 6 is $arg6 7 is $arg7">/tmp/run_check_postgres_as_postgres.out
/usr/bin/sudo su - postgres -c "$plugin_name $arg1 $arg2 $arg3 $arg4 $arg5 $arg6 $arg7"
The initial version was just passing $plugin_args to this script as $1 but had same results.
[nagios@devut517 ~]$ cat /usr/local/nagios/libexec/run_check_postgres_as_postgres.sh
#!/bin/sh
arg1=$1
arg2=$2
arg3=$3
arg4=$4
arg5=$5
arg6=$6
arg7=$7
plugin_name=/usr/local/nagios/libexec/check_postgres.pl
export plugin_name
echo "plugin_name is $plugin_name, 1 is $arg1 2 is $arg2 3 is $arg3 4 is $arg4 5 is $arg5 6 is $arg6 7 is $arg7">/tmp/run_check_postgres_as_postgres.out
/usr/bin/sudo su - postgres -c "$plugin_name $arg1 $arg2 $arg3 $arg4 $arg5 $arg6 $arg7"
-
slansing
- Posts: 7698
- Joined: Mon Apr 23, 2012 4:28 pm
- Location: Travelling through time and space...
Re: Running remote plugin with check_ncpa.py as another user
For the time being I'd recommend either using NRPE for these few checks, or switching the plugin directives. You could follow this recent post on using sudo with NRPE:
http://jamardiblog.wordpress.com/2013/0 ... -requests/
http://jamardiblog.wordpress.com/2013/0 ... -requests/
Re: Running remote plugin with check_ncpa.py as another user
OK, I may work with the directives a bit more as I was hoping to only roll out one agent. If I find a way to make it work will post here.
Re: Running remote plugin with check_ncpa.py as another user
We'll keep the thread open for you
Former Nagios employee
Re: Running remote plugin with check_ncpa.py as another user
As it turns out, I was pretty close to getting this to work. I ended up getting it to work by tweaking the ncpa.cfg directives, which doesn't require an additional shell script to do the sudo so think I will go that route (though I did get it working using both methods).
So that I could select which plugin checks I wanted to use sudo for, I copied the check_postgres.pl to check_postgres.su, then added the following directive to run this copy of the plugin with sudo.
[plugin directives]
.su = /usr/bin/sudo su - new_user -c "$plugin_name $plugin_args"
The final issue was that sudo was complaining about not having a tty so I had to turn off requiretty for the nagios user in my sudoers file.
So that I could select which plugin checks I wanted to use sudo for, I copied the check_postgres.pl to check_postgres.su, then added the following directive to run this copy of the plugin with sudo.
[plugin directives]
.su = /usr/bin/sudo su - new_user -c "$plugin_name $plugin_args"
The final issue was that sudo was complaining about not having a tty so I had to turn off requiretty for the nagios user in my sudoers file.