On 21.07.17 17:16, Garrett Pye wrote:
Thank you for the information. Made a couple config changes to run via
nrpe and results below. Although still unclear based on the
documentation where the variables needed to invoke nrpe command to run
on remote server.
Inline image 1
*baschisp02.conf*
object Service "Check_PS" {
  host_name = "baschisp02"
  check_command = "nrpe"
  vars.nrpe_command = "check_hp_ps"
  vars.nrpe_port = "5666"
}
*/etc/sudoers*
Sorry, but this is getting more and more confusing. What sudoers is
that? Is this on the icinga server or on the remote server? You seem to
confuse the checks running on the icinga server with the checks which
are running on the remote (monitored) server through nrpe.
Editing sudoers on the icinga server won't do anything for the checks
running on the remote end. Your nrpe service on the remote end must be
able to call the remote checks and if there is sudo involved on that end
it must be defined in sudoers.
The icinga server has nothing to do with that.
I also warned to be extremely careful with sudoers changes.
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
icinga ALL=(ALL) ALL
This allows the user icinga to execute anything as anyone including
root, i.e. if anyone knows password of the icinga user that person has
full root access to the server.
Never ever do that! Always only define the exact programs to be called
as root in sudoers so that the account can only run exactly what it
needs as root and nothing else.
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
%icinga ALL=(ALL) NOPASSWD:ALL
This is even worse: anyone with group icinga can access anything as any
account including root without even needing to enter (and thus knowing)
a password! Don't do this ever!
#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#
Defaults !requiretty
I would also recommend setting this option only for the account which
actually needs it and not for all...
I suggest you first find out whether you can access the remote checks
through nrpe: on your icinga server try this as icinga user:
$ /usr/lib64/nagios/plugins/check_nrpe -H 1.1.1.1 -p 5666 -c check_hp_ps
replace the 1.1.1.1 with the IPv4 address defined in the host object of
baschisp02.
This is the call your icinga server makes internally to check the
service. If this doesn't work find out why. It's most likely a problem
on the remote end and not on your icinga server.
And again: for this to work it's absolutely not necessary to tweak the
sudoers on the icinga server. sudoers on the icinga server has nothing
to do with this. Remove the changes above from your icinga server!
-Gerald
On Thu, Jul 20, 2017 at 10:51 PM, Gerald Vogt wrote:
On 20.07.17 20:50, Garrett Pye wrote:
Existing Linux server environment already has custom PERL
plugins established reporting to Nagios via NRPE. In setting up
Icinga environment to invoke the same utilities do these have to
migrate to the /usr/lib64/nagios/plugins directory or can they
be run on the server itself? (I assume that would be satellite
configuration).
These are two completely different things:
Checks running on the icinga server itself can be anywhere.
Following the general directory layout, however, is as always
recommended.
You should never install anything into the distribution /usr
directories. I would always keep all those directories for
installation from packages only. Mixing in your own local
installations there makes it hard to find them and at worst may be
overwritten at any time by a package which happens to use the same
file name.
Install your own scripts into /usr/local (or /opt), i.e.
/usr/local/lib64/nagios/plugins. If you use RHEL7/CentOS7 with
SELinux I highly recommend /usr/local as it automatically applies
the same security contexts to /usr/local.
If you need to run checks on a remote server you can either install
icinga on the remote server and use a satellite there or you can run
checks through a ssh connection or nrpe. As you seem to have nrpe
already running on the remote end you can use that, i.e. icinga
connects through nrpe to the remote server and executes the checks
there.
I did move one plugin to the directory to test it but received
output as displayed and not all the information this plug in
displays.
Inline image 2
The script you call needs root privileges and does sudo to get
those. If you need this then you should allow this in sudoers with
NOPASSWD and !requiretty. Of course, be extremely careful that you
only allow the command required and that the command called cannot
be easily exploited for other purposes as it's running as root.
The other question looking through the documentation is a number
of the plugins require to run with root privileges.
*COMMANDS.CONF*
object CheckCommand "check_hp_ps" {
command = [ PluginDir + "/check_hp_ps" ]
}
That depends on the check script. Some checks from nagios-plugins
use setuid root programs. Otherwise you may need a wrapper script
which uses sudo. But that really depends on the script and what you
need.
-Gerald
*SERVICES.CONF*
apply Service "Check_PS" {
check_command = "check_hp_ps"
assign where host.name == NodeName
}
//Garrett
_______________________________________________
icinga-users mailing list
[email protected]
https://lists.icinga.org/mailman/listinfo/icinga-users
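The sudoers points raised in the thread (blanket `ALL` grants, `NOPASSWD:ALL`, and a global `!requiretty`) can be checked mechanically. The following is an added example, not code from the thread or from the Icinga project: a small audit over sudoers-style text, run on a constructed copy of the quoted entries and on a scoped alternative for the remote NRPE host. The account name `nrpe`, the plugin path, and treating `root`/`%wheel` as trusted admins are assumptions; the parsing is simplified and ignores aliases and `#include` lines.

```python
import re

# Constructed samples. WEAK mirrors the entries quoted in the thread; SCOPED is
# an assumed least-privilege version for the remote NRPE host (user "nrpe" and
# the plugin path are assumptions, adjust to the real account and location).
WEAK = """\
root ALL=(ALL) ALL
icinga ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
%icinga ALL=(ALL) NOPASSWD:ALL
Defaults !requiretty
"""
SCOPED = """\
Defaults:nrpe !requiretty
nrpe ALL=(root) NOPASSWD: /usr/local/lib64/nagios/plugins/check_hp_ps
"""

# who  hosts = [(runas)] [TAG:]... command-list
RULE = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<rest>.+)$")
TAGS = re.compile(r"\b(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:\s*")

def audit(text, trusted=("root", "%wheel")):
    """Return (line_no, principal, finding) for risky sudoers entries."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments (simplified)
        if not line:
            continue
        if line.startswith("Defaults"):
            # "Defaults !requiretty" without a :user scope applies to every account
            if re.match(r"^Defaults\s+.*!requiretty", line):
                findings.append((no, "*", "global !requiretty"))
            continue
        m = RULE.match(line)
        if not m or m["who"] in trusted:
            continue
        nopasswd = "NOPASSWD" in m["rest"]
        cmds = [c.strip() for c in TAGS.sub("", m["rest"]).split(",")]
        if "ALL" in cmds:
            kind = "ALL commands without password" if nopasswd else "ALL commands"
            findings.append((no, m["who"], kind))
        elif any(not c.startswith("/") for c in cmds):
            findings.append((no, m["who"], "command not an absolute path"))
    return findings

if __name__ == "__main__":
    for label, sample in (("WEAK", WEAK), ("SCOPED", SCOPED)):
        print(label, audit(sample))
```

Real sudoers files should still be syntax-checked with `visudo -c` before they are put in place.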