[dev.icinga.com #13213] Configure commands for sudo in director

[icinga-migration]

This issue has been migrated from Redmine: https://dev.icinga.com/issues/13213

Created by bcogel on 2016-11-16 13:11:42 +00:00

Assignee: (none)
Status: New
Target Version: (none)
Last Update: 2016-11-17 10:25:11 +00:00 (in Redmine)

---

I'm trying to set up a command to be used through sudo with director.

What does work:

• Define the check command "eDir Time" with command "/usr/bin/sudo /usr/lib/nagios/plugins/check_edir_time" (or "/usr/bin/sudo /usr/lib64/nagios/plugins/check_edir_time").
• Service is defined with name "eDir Time" and check command "eDir Time"
• Check command preview is now

object CheckCommand "eDIR Time" {
import "plugin-check-command"
command = [ "/usr/bin/sudo", "/usr/lib/nagios/plugins/check_edir_time" ]
}

• Check result is now

OK: All reachable servers have time in sync. OK: All servers were contacted.

• system log for sudo shows

sudo: icinga : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib/nagios/plugins/check_edir_time

What doesn't work is to somehow replace "/usr/lib/nagios/plugins" with PluginDir. Depending on what I'm doing, I get the plugin result in Icinga:

sudo: Kein TTY vorhanden und kein »askpass«-Programm angegeben

and in the system log things like

sudo: icinga : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=check_edir_time

or

sudo: icinga : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=PluginDir+"/check_edir_time"

So the problem is not to get sudo working as expected, but to get the director and/or icinga2 to setup the paths correct and to expand the defined constant. At the moment I'm getting code like

command = [ PluginDir + "/sudo", "PluginDir+check_edir_time" ]

command = [ PluginDir + "/sudo", "check_edir_time" ]

....

Things would be easier if I could simply select a commandtype ' sudo Plugin Check Command' or select a checkbox 'Run as (sudo)' with perhaps a field for a sudo username in the 'new command' dialog.

In both cases director could use PluginDir as constant in the commands without side effects to generate the expected code:

command = [ "sudo", PluginDir + "/check_edir_time" ]

Regards
Berthold Cogel

[icinga-migration]

Updated by bcogel on 2016-11-17 10:25:11 +00:00

Another option is to set 'sudo mode' in the service definition. So you don't have to define a command twice in case it should be executed with sudo on one system and without sudo on another....

[cflinspach]

In director it only adds "PluginDir" if you just use a relative path. If you use the full path it doesn't prefix it with PluginDir. An example is we have a plugin that uses icmp from Net::Ping which required root access. so for our "Command" we have /usr/bin/sudo /usr/lib/nagios/plugins/check_ap_status.pl and the "preview" tab shows

object CheckCommand "ap_status" {
    import "plugin-check-command"
    command = [
        "/usr/bin/sudo",
        "/usr/lib/nagios/plugins/check_ap_status.pl"
    ]

And we used visudo and added:

# Nagios
nagios ALL=(root) NOPASSWD: /usr/lib/nagios/plugins/check_ap_status.pl

The command works fine and runs with sudo.

[Thomas-Gelf]

Thanks for the detailed explanation, @cflinspach - I'll close this issue.