Nagios Support Forum

Hi all,

I have a plugin on a remote server that I am using for multiple checks. A few of these checks require that I switch user due to permissions. I have been trying to work around this using sudo, aliases etc but so far have not had any luck. I thought about changing the [plugin directives] in ncpa.cfg, but I only need 1 or 2 specific checks to run as a user other than nagios. I was wondering if anyone has come up with a solution for this?

skynardo,

What happened when you ran sudo plugin?

-Yancy

I didn't see a way to configure the check_ncpa.py command definition so that it first issued sudo since the -M option needs to begin with agent/plugin/check_postgres.pl

To try and work around this, I created a run_check_postgres_as_postgres.sh script on my ncpa client which does the sudo and runs the plugin as the postgres user. When looking at the ncpa_listener.log, things appear to be getting executed correctly, but the Service shows (no output returned from plugin) on my Nagios server.

define command{
command_name check_postgres_checkpoint
command_line $USER1$/check_ncpa.py -H devut517 -t mytoken -M agent/plugin/run_check_postgres_as_postgres.sh/--action\ checkpoint\ -w\ 200\ -c\ 500\
--assume-prod
}
define service{
use generic-service
host_name devut517
check_command check_postgres_checkpoint
service_description check_postgres_checkpoint
}

ncpa_listener.log

2013-11-04 15:00:24,124 40648 DEBUG Running process with command line: ['/bin/sh', '/usr/local/nagios/libexec/run_check_postgres_as_postgres.sh', '--action', 'checkpoint', '-w', '200', '-c', '500', '--assume-prod']
2013-11-04 15:00:24,137 40648 INFO 10.204.240.28 - - [04/Nov/2013 15:00:24] "GET /api/agent/plugin/run_check_postgres_as_postgres.sh/--action%20checkpoint%20-w%20200%20-c%20500%20--assume-prod?token=mytoken&check=1 HTTP/1.0" 200 -

manually running the shell script on the client as the nagios user:

[nagios@devut517 home]$ /usr/local/nagios/libexec/run_check_postgres_as_postgres.sh --action checkpoint -w 200 -c 500 --assume-prod
/usr/local/nagios/libexec/run_check_postgres_as_postgres.sh: line 11: export: `/usr/local/nagios/libexec/check_postgres.pl': not a valid identifier
POSTGRES_CHECKPOINT WARNING: Last checkpoint was 260 seconds ago | age=260;200;500 mode=MASTER

Well I think we need to resolve the error on your script first. Line 11 it says. Additionally, could you post a copy of the script so we know what we are looking at?

my fault, here is the current version, minus the typo I had on the export line.

The initial version was just passing $plugin_args to this script as $1 but had same results.

[nagios@devut517 ~]$ cat /usr/local/nagios/libexec/run_check_postgres_as_postgres.sh
#!/bin/sh
arg1=$1
arg2=$2
arg3=$3
arg4=$4
arg5=$5
arg6=$6
arg7=$7

plugin_name=/usr/local/nagios/libexec/check_postgres.pl
export plugin_name

echo "plugin_name is $plugin_name, 1 is $arg1 2 is $arg2 3 is $arg3 4 is $arg4 5 is $arg5 6 is $arg6 7 is $arg7">/tmp/run_check_postgres_as_postgres.out

/usr/bin/sudo su - postgres -c "$plugin_name $arg1 $arg2 $arg3 $arg4 $arg5 $arg6 $arg7"

For the time being I'd recommend either using NRPE for these few checks, or switching the plugin directives. You could follow this recent post on using sudo with NRPE:

http://jamardiblog.wordpress.com/2013/0 ... -requests/

OK, I may work with the directives a bit more as I was hoping to only roll out one agent. If I find a way to make it work will post here.

We'll keep the thread open for you

As it turns out, I was pretty close to getting this to work. I ended up getting it to work by tweaking the ncpa.cfg directives, which doesn't require an additional shell script to do the sudo so think I will go that route (though I did get it working using both methods).
So that I could select which plugin checks I wanted to use sudo for, I copied the check_postgres.pl to check_postgres.su, then added the following directive to run this copy of the plugin with sudo.
[plugin directives]
.su = /usr/bin/sudo su - new_user -c "$plugin_name $plugin_args"

The final issue was that sudo was complaining about not having a tty so I had to turn off requiretty for the nagios user in my sudoers file.