Custom host check_command through ssh proxy host

ChrisW · August 25, 2020, 10:21pm

I have thousands of hosts to monitor. Many are other networks that I have to ssh through to a single machine and then run checks from there.

I can’t install agents, and there is no VPN between them, the networks are isolated except for this single point of entry through SSH.

We made a custom hostalive in nagios previously to go through this. I am having trouble replicating this in icinga2.

I made a host with check_command = "proxy-hostalive"

then made this:

object CheckCommand "proxy-hostalive" {
    command = [ "ssh " + bySSHParams + " " + sshUser + "@$parent$ " + pluginsDir + "/check_ping" ]
    arguments= {
        "-H" = "$address$"
        "--critical" = "5,5%"
        "--warning" = "3,5%"
    }

}

The result showing in icingaweb2 is:

execvpe(ssh -i {user_dir}/.ssh/id_rsa {user}@{server-to-ssh-to} /{pluginsDir}/check_ping) failed: No such file or directory

I can copy and paste this command form the result page and run it from the icinga2 server and it finds the check_ping just fine.
Can someone help point in the right direction. This seems like a common enough issue, but I couldn’t find what I wanted to do in my search.

Thanks.

fluxX · August 26, 2020, 5:52am

Hi and welcome!

You need to wrap your ping command into the CheckCommand by_ssh.
This howto tackles also the option for presist connections and gives you an insight how you can configure your check:

Greetz

rsx · August 26, 2020, 7:10am

You need to turn this into an array e.g. something like this:

command = [ "ssh ", bySSHParams, sshUser + “@” + parent + pluginsDir + “/check_ping” ]

ChrisW · August 26, 2020, 2:40pm

@Alex
Your suggestion looks like making a service, the example you linked also uses object Service.
I have already done this to create services that work in this method, but I need the basic host check replicated.
I need to make an “object checkCommand” such that I can link it to the “check_command” in the host definition.

@Roland Sommer

I tried yours and I got a different error this time though. The web interface gave an error of:
Warning: Identity file {user_dir}/.ssh/id_rsa not accessible: No such file or directory.

This file does exist as the services I had defined (and mentioned above) use the same identity file. I use the same global variable (bySSHParams) in both the service and my checkCommand definition. The user that iciniga uses to run has access to this file (if I pretend to be the user from the command line I can cat that file)
Am I missing something here?

Thanks

ChrisW · August 26, 2020, 6:22pm

Solved.

Thank you Roland for the direction.

It turns out every space had to separated out with the comma as part of the array. The bySSHParams included several options so I have to separate them out with:
"-i", "{id_file}", “-o”, “{option}”, “-o”, “{other_option}”
After that it worked. There may be a more elegant solution, but I will work with it.

Thanks.

*Edit with a slightly better solution (In case other people need it)
Made a new constant as bySSHParamsArray with the options all set out in an array for:
bySSHParamsArray=[ "-i", "{id_file}", “-o”, “{option}”, “-o”, “{other_option}”]

Then changed the command to:

command = [ "ssh " ] + bySSHParamsArray + [ sshUser + "@$parent$ ", pluginsDir + “/check_ping” ]