[dev.icinga.com #10693] Add running_kernel_use_sudo option for the running_kernel check

[icinga-migration]

This issue has been migrated from Redmine: https://dev.icinga.com/issues/10693

Created by hostedpower on 2015-11-20 15:32:11 +00:00

Assignee: gbeutner
Status: Resolved (closed on 2015-11-23 12:35:04 +00:00)
Target Version: 2.4.1
Last Update: 2015-11-26 07:18:38 +00:00 (in Redmine)

Backport?: Already backported
Include in Changelog: 1

---

Hi,

This is the latest version of the script: https://raw.githubusercontent.com/oftc/dsa-nagios/master/dsa-nagios-checks/checks/dsa-check-running-kernel

I don't see any reason why we would call it with sudo. I tried on a few OS's and did not need sudo at all...

Was this put in by mistake?

I propose for removal if we can avoid sudo requirements :)

Jo

Attachments

• 0001-Remove-sudo-from-check_running_kernel-since-not-requ.patch hostedpower - 2015-11-20 15:33:47 +00:00

Changesets

2015-11-22 11:36:50 +00:00 by (unknown) 1d1f15c

Implement Platform* global variables

refs #10693

2015-11-23 06:51:36 +00:00 by (unknown) 0adf001

Implement Platform* global variables

refs #10693

2015-11-23 07:04:57 +00:00 by (unknown) e571e22

Implement Platform* global variables

refs #10693

2015-11-23 12:10:25 +00:00 by (unknown) 2320f7a

Implement Platform* global variables

refs #10693

2015-11-23 12:29:45 +00:00 by (unknown) 5f22076

Add running_kernel_use_sudo option for the running_kernel check

fixes #10693

2015-11-26 10:18:05 +00:00 by (unknown) 3916ef0

Build fix for Windows

refs #10693

2015-11-26 10:19:32 +00:00 by (unknown) b14a48d

Implement Platform* global variables

refs #10693

2015-11-26 10:19:33 +00:00 by (unknown) 330e8db

Add running_kernel_use_sudo option for the running_kernel check

fixes #10693

2015-11-26 10:19:33 +00:00 by (unknown) 141f255

Build fix for Windows

refs #10693

[icinga-migration]

Updated by hostedpower on 2015-11-20 15:34:02 +00:00

• File added 0001-Remove-sudo-from-check_running_kernel-since-not-requ.patch

Please find a patch attached

[icinga-migration]

Updated by gbeutner on 2015-11-21 03:33:22 +00:00

• Status changed from New to Feedback

• Assigned to set to hostedpower

  gunnar@atlantis:~$ wget https://raw.githubusercontent.com/oftc/dsa-nagios/master/dsa-nagios-checks/checks/dsa-check-running-kernel
  --2015-11-21 04:32:45-- https://raw.githubusercontent.com/oftc/dsa-nagios/master/dsa-nagios-checks/checks/dsa-check-running-kernel
  Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.31.17.133
  Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.31.17.133|:443... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 7694 (7.5K) [text/plain]
  Saving to: ‘dsa-check-running-kernel’

  100%[==========================================================================================>] 7,694 --.-K/s in 0s

  2015-11-21 04:32:46 (529 MB/s) - ‘dsa-check-running-kernel’ saved [7694/7694]

  gunnar@atlantis:$ chmod +x dsa-check-running-kernel
  gunnar@atlantis:$ ./dsa-check-running-kernel
  ./dsa-check-running-kernel: line 41: /boot/vmlinuz-3.2.0-77-virtual: Permission denied
  ./dsa-check-running-kernel: line 41: /boot/vmlinuz-3.2.0-77-virtual: Permission denied
  ./dsa-check-running-kernel: line 41: /boot/vmlinuz-3.2.0-77-virtual: Permission denied
  ./dsa-check-running-kernel: line 41: /boot/vmlinuz-3.2.0-77-virtual: Permission denied
  ./dsa-check-running-kernel: line 41: /boot/vmlinuz-3.2.0-77-virtual: Permission denied
  cat: /boot/vmlinuz-3.2.0-77-virtual: Permission denied
  UNKNOWN: Failed to get a version string from image /boot/vmlinuz-3.2.0-77-virtual
  gunnar@atlantis:$ lsb_release -a
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description: Ubuntu 14.04.3 LTS
  Release: 14.04
  Codename: trusty
  gunnar@atlantis:$

[icinga-migration]

Updated by gbeutner on 2015-11-21 03:34:31 +00:00

Arguably there's no reason why the kernel image wouldn't be world-readable (considering that you could just download the .deb file from the mirror and unpack it somewhere else) - but that's apparently the way things work on Ubuntu right now.

[icinga-migration]

Updated by hostedpower on 2015-11-21 07:55:30 +00:00

Thanks gunnarbeutner, that was one of the few I did not test.

However does it require sudo in the check? Or is it enough to remove the sudo from the check explicitly and just put icinga user into the sudo'ers on Ubuntu? I have no idea if there is a more intelligent way of using sudo for this so it's not required on all OS'es.

Another idea would be to split the check with and without sudo and set the option as a config variable. Something like: running_kernel_use_sudo = true/false.

It's a pity that for 1 OS we now have to give sudo on all other OS'es as well.

[icinga-migration]

Updated by gbeutner on 2015-11-21 10:49:34 +00:00

The kernel belongs to root:root and is not group/world readable. Adding the Icinga user to the sudo group would make no difference:

$ ls -l /boot
total 58696
-rw-r--r-- 1 root root  1165261 Aug 11 18:15 abi-3.13.0-62-generic
-rw-r--r-- 1 root root  1165260 Nov  6 20:57 abi-3.13.0-68-generic
-rw-r--r-- 1 root root   165763 Aug 11 18:15 config-3.13.0-62-generic
-rw-r--r-- 1 root root   165763 Nov  6 20:57 config-3.13.0-68-generic
drwxr-xr-x 5 root root    12288 Nov 21 11:48 grub
-rw-r--r-- 1 root root 19219032 Sep 29 06:48 initrd.img-3.13.0-62-generic
-rw-r--r-- 1 root root 19216900 Nov 10 08:37 initrd.img-3.13.0-68-generic
-rw-r--r-- 1 root root   176500 Mar 12  2014 memtest86+.bin
-rw-r--r-- 1 root root   178176 Mar 12  2014 memtest86+.elf
-rw-r--r-- 1 root root   178680 Mar 12  2014 memtest86+_multiboot.bin
-rw------- 1 root root  3392306 Aug 11 18:15 System.map-3.13.0-62-generic
-rw------- 1 root root  3392383 Nov  6 20:57 System.map-3.13.0-68-generic
-rw------- 1 root root  5820896 Aug 11 18:15 vmlinuz-3.13.0-62-generic
-rw------- 1 root root  5822400 Nov  6 20:57 vmlinuz-3.13.0-68-generic

[icinga-migration]

Updated by hostedpower on 2015-11-21 11:08:55 +00:00

What about something like this?

object CheckCommand "running_kernel" {
    import "plugin-check-command"

    vars.running_kernel_use_sudo = false
    if(vars.running_kernel_use_sudo){
        command = [ "sudo", PluginContribDir + "/check_running_kernel" ]
    }else{
        command = [ PluginContribDir + "/check_running_kernel" ]
    }
}

I wonder if it would not be a better idea to create a method which could be used generally in icinga. Because some other plugins like check_yum and check_apt normally run without sudo, but for some actions they require it.If we could specify it with some parameter what we want when running a check, I think it would be better.

PS: I tested older Ubuntu here, even there it seems not required. I don't have a 14.04 to test unfortunately.

[icinga-migration]

Updated by gbeutner on 2015-11-23 12:12:50 +00:00

• Category set to ITL

• Status changed from Feedback to Assigned

• Assigned to changed from hostedpower to gbeutner

    vars.running_kernel_use_sudo = false
    if(vars.running_kernel_use_sudo){
  

This would obviously always be false. However I'm going to add a few global variables which can be used to detect the operating system Icinga 2 is running on.

[icinga-migration]

Updated by hostedpower on 2015-11-23 12:27:28 +00:00

Haha you are right! But you get the idea!

I think some built-in parameter/mechanism which specifies sudo would be even better. It could be used for all plugins then!

Jo

[icinga-migration]

Updated by gbeutner on 2015-11-23 12:30:20 +00:00

• Target Version set to 2.5.0

[icinga-migration]

Updated by gbeutner on 2015-11-23 12:30:44 +00:00

• Tracker changed from Bug to Feature
• Subject changed from check_running_kernel does not require sudo to Add running_kernel_use_sudo option for the running_kernel check

[icinga-migration]

Updated by Anonymous on 2015-11-23 12:35:04 +00:00

• Status changed from Assigned to Resolved
• Done % changed from 0 to 100

Applied in changeset 5f22076.

[icinga-migration]

Updated by gbeutner on 2015-11-26 07:18:38 +00:00

• Target Version changed from 2.5.0 to 2.4.1
• Backport? changed from TBD to Yes