Command line check and GUI not matching
Posted: Thu Nov 13, 2014 10:42 am
by notverynick
Hi Guys,
I have the following output from the CLI:
[root@localhost libexec]# ./check_hop x.x.x.x y.y.y.y z.z.z.z
OK! Currently routing via z.z.z.z
Then from within the config manager using the 'Test Check Command' button:
COMMAND: /usr/local/nagios/libexec/check_hop x.x.x.x y.y.y.y z.z.z.z
OUTPUT: CRITICAL! Routing not matching!!!
I've had a colleague double check and the IPs are spot on.
I applied the config regardless thinking it might be a bug in the 'Test Check Command' button but no luck, the check comes back critical whereas it's still OK at the CLI.
Happy to mail screen grabs so you can see the IPs
Nick
Re: Command line check and GUI not matching
Posted: Thu Nov 13, 2014 11:30 am
by tmcdonald
Try running the command on the CLI as the nagios and apache users instead of root, and show the output.
Re: Command line check and GUI not matching
Posted: Thu Nov 13, 2014 5:24 pm
by notverynick
Logged on as root I was able to su to nagios and got:
The specified type of tracerouting is allowed for superuser only
CRITICAL! Routing not matching!!!
./check_hop: line 22: /tmp/result: Permission denied
The traceroute command being run is traceroute -n -I
So I guess I can change the permissions on /tmp but is that wise? Can I make the plugin work from elsewhere? No idea on allowing the traceroute :/
Re: Command line check and GUI not matching
Posted: Thu Nov 13, 2014 5:27 pm
by tmcdonald
Depends on how the /tmp/result file is being used. If it is being overwritten but not deleted you could just create the file and give it ownership and permissions to read and write to nagios.
Re: Command line check and GUI not matching
Posted: Thu Nov 13, 2014 5:58 pm
by jwelch
Are you sure you didn't inadvertently create the /tmp/result (file?/directory?) when you ran the command as root? (ls -l /tmp/result or ls -l | grep result and check the ownership/permissions to verify) If so, just delete it or change the owner/perms so the nagios user can create/access it. I suspect the check_hop script is creating a temporary file and not cleaning up after itself...bad script...particularly if it creates a generic file that might be used by checks against several hosts...
Re: Command line check and GUI not matching
Posted: Fri Nov 14, 2014 11:25 am
by sreinhardt
jwelch is spot on! I'd definitely look at removing that file in temp, then making sure the script cleans itself up, unless it needs that result file for later averaging, in which case making sure it is owned by nagios:nagios and has at least user and group rw access should resolve the issue.
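Added example, not part of the thread and not the check_hop plugin's own code: one way a check script can keep traceroute output in a per-run temp file instead of a fixed /tmp/result, so a file left behind by a run as root cannot cause "Permission denied" for the nagios user. The helper name route_via, the hop-matching rule and the sample trace are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not the check_hop plugin's code): keep traceroute output in a
# per-run temp file instead of a fixed /tmp/result.

# Constructed sample of `traceroute -n` output (documentation addresses).
SAMPLE_TRACE='traceroute to 198.51.100.7 (198.51.100.7), 30 hops max, 60 byte packets
 1  10.0.0.1  0.412 ms  0.380 ms  0.377 ms
 2  192.0.2.1  3.104 ms  3.051 ms  2.998 ms
 3  * * *
 4  198.51.100.7  9.870 ms  9.812 ms  9.799 ms'

# route_via EXPECTED_HOP  (hypothetical helper; reads traceroute output on stdin)
# Exit status follows the Nagios plugin convention: 0 OK, 2 CRITICAL, 3 UNKNOWN.
# The body is a subshell so the signal trap and variables stay local.
route_via() (
    expected_hop=$1
    # mktemp picks an unused name and creates the file mode 0600, owned by the
    # caller, so a leftover from a run as root can never block the nagios user.
    tmpfile=$(mktemp "${TMPDIR:-/tmp}/check_hop.XXXXXX") || {
        echo "UNKNOWN! Cannot create temp file"
        exit 3
    }
    # Remove the file if the check is interrupted or times out.
    trap 'rm -f "$tmpfile"; exit 3' HUP INT TERM

    cat > "$tmpfile"

    # A hop line starts with the hop number; field 2 is the responding router.
    if awk -v hop="$expected_hop" \
        '$1 ~ /^[0-9]+$/ && $2 == hop { found = 1 } END { exit !found }' "$tmpfile"
    then
        echo "OK! Currently routing via $expected_hop"
        rc=0
    else
        echo "CRITICAL! Routing not matching!!!"
        rc=2
    fi
    rm -f "$tmpfile"    # normal-path cleanup: nothing is left behind in /tmp
    exit "$rc"
)

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_TRACE" | route_via 192.0.2.1
```

Because every run gets its own file name, checks against several hosts running at the same time no longer overwrite each other's results.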
Re: Command line check and GUI not matching
Posted: Fri Nov 14, 2014 12:24 pm
by notverynick
Yep that was that, removed the result file and then ran the script first time as nagios and that error is gone.
Thanks so much!
The one I now have left:
The specified type of tracerouting is allowed for superuser only
The script runs
traceroute -n -I (I'm having words with my VPLS provider as to why I need to use TCP traceroute to one of my sites in parallel!)
So this link here:
http://ubuntuforums.org/showthread.php?t=1009657 led me to add the bold line into my /etc/sudoers file, using visudo. I added it in the logical spot (alphabetical order as per the existing file)
# Include files in /etc/sudoers.d
#includedir /etc/sudoers.d
User_Alias NAGIOSXI=nagios
User_Alias NAGIOSXIWEB=apache
NAGIOSXI ALL = NOPASSWD:/bin/traceroute -n -I
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios start
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios stop
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios restart
But to no avail. Same error: The specified type of tracerouting is allowed for superuser only
Is there a process I need to kick over to reflect the sudoers change? Have I made the change correctly??
Thanks again!
Nick
Oh and for reference, check_hop is actually
http://exchange.nagios.org/directory/Pl ... te/details
Re: Command line check and GUI not matching
Posted: Fri Nov 14, 2014 1:15 pm
by sreinhardt
That sudoers line will only allow you to run the command with sudo. In this case, I would suggest looking at the script and prepending sudo to the traceroute command line. Try running it again as the nagios user after doing that and see what your results are. I should note, you do not want to call the entire script as sudo, just within the script, that single traceroute command needs to be executed as root.
I should also note, if that is the /etc/sudoers.d/nagios.conf file or another placed by us there, it will very likely get overwritten on any update, and should be placed in a separate sudoers config instead.
Re: Command line check and GUI not matching
Posted: Fri Nov 14, 2014 4:01 pm
by notverynick
Ok...
So now I get a:
sudo: parse error in /etc/sudoers near line 110
So I guess that's not great news :/
I did actually get that when I edited the file but as I added a line and cloned the one above I assumed it was ignorable. Having removed the line I added it's not fixed the Sudoers file!
Won't be rebooting this box anytime soon I guess.
Now, before I started I did a 'cp sudoers sudoers.old' as root. Is my best bet now to reverse that copy or to troubleshoot the sudoers file?
This post
http://support.nagios.com/forum/viewtop ... 16&t=11113 shows my issue. However Mr No's answer isn't clear to me. Should I remove the Alias line from /etc/sudoers with visudo or from /etc/sudoers.d/nagiosxi with vi?
Sorry to be needy...
Re: Command line check and GUI not matching
Posted: Mon Nov 17, 2014 10:15 am
by notverynick
Further to this I commented the Alias from /etc/sudoers and now sudo works again. I'd still like your guidance on doing this correctly.
However I'm now still getting prompted for a password for the nagios user when the check command executes: sudo /bin/traceroute -n -I blah blah.
But I'm assuming this line:
NAGIOSXI ALL = NOPASSWD:/bin/traceroute -n -I
has had an effect otherwise I'd be still getting the error re super users and tracerouting.
So at this point I'm at a dead end, I've seemingly allowed the traceroute but even though the sudoers line states NOPASSWD I'm still getting a prompt?