Discussion:
Icinga2: permission denied executing /usr/lib64/nagios/plugins/check_fping
Diana Scannicchio
11 years ago
Permalink
Hi all,
with Icinga2 I am getting permission denied when executing the command

/usr/lib64/nagios/plugins/check_fping

The command is installed via the rpm nagios-plugins-fping-1.4.16-10.el6.x86_64
and as usual has the following permissions:

-rwsr-x--- 1 root nagios 54840 Oct 17 2013 /usr/lib64/nagios/plugins/check_fping

The user icinga has been added to the nagios group:

id icinga
uid=498(icinga) gid=499(icinga) groups=498(icingacmd),497(nagios),499(icinga)

I did not changed the configuration in "/etc/sysconfig/icinga2” so Icinga2 runs with the icinga group.
ICINGA2_USER=icinga
ICINGA2_GROUP=icinga
ICINGA2_COMMAND_USER=icinga
ICINGA2_COMMAND_GROUP=icingacmd

This was quite unexpected aa with Icinga the user Icinga, once added to the nagios group, was able to execute the command
/usr/lib64/nagios/plugins/check_fping

So I am wondering what changed in Icinga2 with respect to Icinga.
Could you please let me know if this is expected or if there is an issue?
Thank you in advance for any help or suggestion you could provide.
Best regards,

Diana

P.S. I installed the last version Version: r2.0.0-3 via rpm.


-
Diana Scannicchio
University of California, Irvine
ATLAS TDAQ SysAdmin group
Office: +41 22 76 75240
OnCall: 164851
Michael Friedrich
11 years ago
Permalink
...
Manually executing the check as icinga user says what?

# sudo -u icinga ....
Post by Diana Scannicchio
Best regards,
Diana
P.S. I installed the last version Version: r2.0.0-3 via rpm.
-
Diana Scannicchio
University of California, Irvine
ATLAS TDAQ SysAdmin group
Office: +41 22 76 75240
OnCall: 164851
_______________________________________________
icinga-users mailing list
https://lists.icinga.org/mailman/listinfo/icinga-users
-- 
Michael Friedrich, DI (FH)
Application Developer

NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nuernberg
Tel: +49 911 92885-0 | Fax: +49 911 92885-77
GF: Julian Hein, Bernd Erk | AG Nuernberg HRB18461
http://www.netways.de | ***@netways.de

** Open Source Backup Conference 2014 - September - osbconf.org **
** Puppet Camp Duesseldorf 2014 - Oktober - netways.de/puppetcamp **
** OSMC 2014 - November - netways.de/osmc **
** OpenNebula Conf 2014 - Dezember - opennebulaconf.com **
Diana Scannicchio
11 years ago
Permalink
Hi Michael,
executing manually it works:

sudo -u icinga /usr/lib64/nagios/plugins/check_fping hostname
FPING OK - hostname (loss=0%, rta=0.520000 ms)|loss=0%;;;0;100 rta=0.000520s;;;0.000000

while on the web interface (classic igui) I get

execvpe(/usr/lib64/nagios/plugins/check_fping) failed.: Permission denied

And in the command definition I added the following

object CheckCommand "ipmi_ping" {
import "plugin-check-command"
command = [ PluginDir + "/check_fping", "$host.name$-mgmt", "-w $arg1$", "-c $arg2$", "-n 5", "-i 500" ]
}

Thank you,

Diana
...
-
Diana Scannicchio
University of California, Irvine
ATLAS TDAQ SysAdmin group
Office: +41 22 76 75240
OnCall: 164851
Michael Friedrich
11 years ago
Permalink
Hi Diana,
...
That's not correct argument pairing, rather entirely pass all arguments
and values as single array items (for proper shell escaping).

The even better approach is to use command arguments afterall. And one
with using templates similar to the ping command we already provide with
Icinga 2.

I've taken the liberty to implement that for the next version.

template CheckCommand "fping-common" {
import "plugin-check-command"

command = [ PluginDir + "/check_fping" ]

arguments = {
"host" = {
value = "$fping_address$"
skip_key = true
order = 0
}
"-w" = "$fping_wrta$,$fping_wpl$%"
"-c" = "$fping_crta$,$fping_cpl$%"
"-n" = "$fping_number$"
"-i" = "$fping_interval$"
"-b" = "$fping_bytes$"
"-T" = "$fping_target_timeout$"
"-S" = "$fping_source_ip$"
"-I" = "$fping_source_interface$"
}

vars.fping_wrta = 100
vars.fping_wpl = 5
vars.fping_crta = 200
vars.fping_cpl = 15
vars.fping_number = 5
vars.fping_interval = 500
}

object CheckCommand "fping4" {
import "fping-common"

command += [ "-4" ]

vars.fping_address = "$address$"
}

object CheckCommand "fping6" {
import "fping-common"

command += [ "-6" ]

vars.fping_address = "$address6$"
}


For you it's important to understand how command arguments work.

1) set vars.fping_<attr> in your service definition. don't use that non
telling $argx$ foo. that's old style and doesn't help you understand the
plugin arguments!

2) $fping_address$ is automatically set to $address$ on command
execution. If you require a different value, like "$host.name$-mgmt",
set it like so in your service definition.

vars.fping_address = "$host.name$-mgmt"

3) one command object (or template) to rule them all. keep that in mind
when creating future commands. that'll save you a lot of writing. and if
you think your command definition should be included upstream, open a
feature request at dev.icinga.org and attach your patch. every
contribution is much appreciated!

Please let me know if that works for you, I've only tested the
configuration against validation but not runtime ;)

kind regards,
Michael

https://git.icinga.org/?p=icinga2.git;a=commit;h=a277e2dc3f9f7482317fbe25e706b83393835cb4

Options:
-h, --help
Print detailed help screen
-V, --version
Print version information
--extra-opts=[section][@file]
Read options from an ini file. See http://nagiosplugins.org/extra-opts
for usage and examples.
-4, --use-ipv4
Use IPv4 connection
-6, --use-ipv6
Use IPv6 connection
-H, --hostname=HOST
name or IP Address of host to ping (IP Address bypasses name
lookup, reducing system load)
-w, --warning=THRESHOLD
warning threshold pair
-c, --critical=THRESHOLD
critical threshold pair
-b, --bytes=INTEGER
size of ICMP packet (default: 56)
-n, --number=INTEGER
number of ICMP packets to send (default: 1)
-T, --target-timeout=INTEGER
Target timeout (ms) (default: fping's default for -t)
-i, --interval=INTEGER
Interval (ms) between sending packets (default: fping's default for -p)
-S, --sourceip=HOST
name or IP Address of sourceip
-I, --sourceif=IF
source interface name
-v, --verbose
Show details for command-line debugging (Nagios may truncate output)
...
--
DI (FH) Michael Friedrich

***@gmail.com || icinga open source monitoring
https://twitter.com/dnsmichi || lead core developer
***@jabber.ccc.de || https://www.icinga.org/team
irc.freenode.net/icinga || dnsmichi

-- 
Michael Friedrich, DI (FH)
Application Developer

NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nuernberg
Tel: +49 911 92885-0 | Fax: +49 911 92885-77
GF: Julian Hein, Bernd Erk | AG Nuernberg HRB18461
http://www.netways.de | ***@netways.de

** Open Source Backup Conference 2014 - September - osbconf.org **
** Puppet Camp Duesseldorf 2014 - Oktober - netways.de/puppetcamp **
** OSMC 2014 - November - netways.de/osmc **
** OpenNebula Conf 2014 - Dezember - opennebulaconf.com **

Loading...