Icinga on openshift

I am attempting to run the full Icinga stack (Icinga2, IcingaWeb, IcingaDb) in an OpenShift cluster. The issue I am facing is that all containers on OpenShift are started with an arbitrary user ID and a group ID of 0 (root). When I try to start the Icinga daemon I receive the following error:

```
critical/cli: setgroups() failed with error code 1, "Operation not permitted"
critical/cli: Please re-run this command as a privileged user or using the "icinga" account.
```

I already tried a workaround using nss-wrapper described here: https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines

With the workaround I am the icinga user but still in the root group.

```
$ getent passwd icinga
icinga:1007440000:0::/var/lib/icinga:/usr/sbin/nologin
```

I have tried the suggestion here: Icinga2 satellite in openshift of changing the file permissions. I changed all the file permissions for /data (for the Icinga Docker image, /etc/ and /var are links to directories in /data) to 777 and verified they are under the root group. I have also tried changing the permissions for /etc/init.d/icinga2 and /usr/sbin/icinga2.

I have tried the following settings in /etc/sysconfig/icinga2:

```
ICINGA2_GROUP=root
```

In the container, I have tried directly changing the icinga entry in /etc/passwd to directly reflect the UID/GID that will be used.

Thus far I haven’t been able to get around the issue and am not sure what else to try. Any help is welcome.

As an FYI. I am running into similar permission issues with the IcingaWeb and IcingaDB containers as well, but haven’t given them enough attention yet.

Never fails, you ask a question then find the answer. The solution for me was to use the nss_wrapper workaround described on the OpenShift link in my initial post. However, with that workaround I needed to modify my start command from:

```
icinga2 daemon
```

to

```
icinga2 daemon -D RunAsGroup=root
```

Hi @krisrave, glad you found the solution. Find my solution below for the icinga2 satellite on OpenShift.

Dockerfile:

```dockerfile
FROM ubuntu:20.04

ENV DEBIAN_FRONTEND="noninteractive"
# libnss-wrapper lets the arbitrary OpenShift UID resolve to a named user at
# runtime; gettext provides envsubst, used by run.sh to render passwd.template.
RUN apt update && apt install -y tzdata  wget gnupg gettext \
    libnss-wrapper apt-transport-https

RUN echo "Europe/Berlin" > /etc/timezone
RUN ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
RUN dpkg-reconfigure -f noninteractive tzdata

# Icinga package repository for Ubuntu 20.04 (focal)
RUN wget -O - https://packages.icinga.com/icinga.key | apt-key add -
RUN echo "deb https://packages.icinga.com/ubuntu icinga-focal main" > \
    /etc/apt/sources.list.d/focal-icinga.list
RUN echo "deb-src https://packages.icinga.com/ubuntu icinga-focal main" >> \
    /etc/apt/sources.list.d/focal-icinga.list
RUN apt update && apt upgrade -y && apt install -y icinga2 perl

# passwd.template is rendered with the real UID/GID by run.sh at start-up
COPY ./passwd.template /var/lib/nagios/
COPY ./run.sh /var/lib/nagios/run.sh
RUN chmod 0755 /var/lib/nagios/run.sh

RUN mkdir -p /usr/share/perl/
RUN mkdir -p /usr/local/share/perl/
RUN ln -s /usr/share/perl/5.30.0 /usr/local/share/perl/5.30.0
RUN mkdir -p /run/icinga2/cmd

# The container runs as an arbitrary UID but always with GID 0, so every path
# Icinga writes to must be group-owned by 0 and group-writable.
RUN chgrp -R 0 /var/lib/nagios && \
    chmod -R g+rwX /var/lib/nagios
RUN chgrp -R 0 /etc/icinga2 && \
    chmod -R g+rwX /etc/icinga2
RUN chgrp -R 0 /var/log/icinga2 && \
    chmod -R g+rwX /var/log/icinga2
RUN chgrp -R 0 /var/cache/icinga2 && \
    chmod -R g+rwX /var/cache/icinga2
RUN chgrp -R 0 /var/lib/icinga2 && \
    chmod -R g+rwX /var/lib/icinga2
RUN chgrp -R 0 /var/spool/icinga2 && \
    chmod -R g+rwX /var/spool/icinga2
RUN chgrp -R 0 /run/icinga2 && \
    chmod -R g+rwX /run/icinga2

EXPOSE 5665
WORKDIR /var/lib/nagios
ENTRYPOINT ["/var/lib/nagios/run.sh"]
```

run.sh:

```sh
#!/bin/sh

# Render an nss_wrapper passwd file that maps the arbitrary runtime UID/GID to
# the icinga user, then preload libnss_wrapper so getpwnam()/getpwuid() see it.
export USER_ID=$(id -u)
export GROUP_ID=$(id -g)
envsubst < /var/lib/nagios/passwd.template > /tmp/passwd
export LD_PRELOAD=/usr/lib/libnss_wrapper.so
export NSS_WRAPPER_PASSWD=/tmp/passwd
export NSS_WRAPPER_GROUP=/etc/group

# CA certificate of the master, passed in through the environment
mkdir -p /var/lib/icinga2/certs
echo "${MASTER_CERT}" > /var/lib/icinga2/certs/ca.crt

# Register this node as a satellite of the two masters. RunAsUser/RunAsGroup are
# overridden on every icinga2 invocation so it never tries to setgroups() to a
# group the arbitrary UID does not belong to.
/usr/sbin/icinga2 node setup --cn "${icinga2_satellite_fqdn}" \
--endpoint "${icinga_master_a},${icinga_master_a_ip},${icinga_master_port}" \
--endpoint "${icinga_master_b},${icinga_master_b_ip},${icinga_master_port}" \
--zone "${icinga2_satellite_fqdn}" \
--parent_zone master \
--trustedcert /var/lib/icinga2/certs/ca.crt \
--accept-commands \
--accept-config \
--disable-confd \
-DRunAsGroup=$(id -ng) -DRunAsUser=$(id -un)

# Node key, CSR and certificate, also supplied through the environment
echo "${NODE_CERT_KEY}" > "/var/lib/icinga2/certs/${icinga2_satellite_fqdn}.key"
echo "${NODE_CERT_CSR}" > "/var/lib/icinga2/certs/${icinga2_satellite_fqdn}.csr"
echo "${NODE_CERT_CRT}" > "/var/lib/icinga2/certs/${icinga2_satellite_fqdn}.crt"

/usr/sbin/icinga2 feature enable api -DRunAsGroup=$(id -ng) -DRunAsUser=$(id -un)

/usr/sbin/icinga2 api setup --cn "${icinga2_satellite_fqdn}" -DRunAsGroup=$(id -ng) -DRunAsUser=$(id -un)

# Drop the example objects from conf.d; only the API user definition is kept
find /etc/icinga2/conf.d/ -type f -not -name 'api-users.conf' -print0 | xargs -0 rm

/usr/sbin/icinga2 daemon -x debug -c /etc/icinga2/icinga2.conf \
-DRunAsGroup=$(id -ng) -DRunAsUser=$(id -un) -e /var/log/icinga2/icinga2.err
```
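Both solutions in this thread rest on the same two conditions: the arbitrary UID must resolve to a named user whose primary group is GID 0, and every path the daemon writes to must be group-owned by 0 and group-writable. The script below is an added example, not code from either poster, that builds the nss_wrapper passwd file without depending on envsubst and checks those directory permissions before the daemon is started, so a missing chgrp/chmod shows up as a readable message instead of a setgroups() or EACCES failure later. The helper names (render_passwd_line, build_nss_passwd, check_group_writable, preflight) are mine; it assumes GNU stat (the Ubuntu base image has it) and paths without whitespace.

```shell
#!/bin/sh
# Added example: preflight for an image that runs under OpenShift's arbitrary UID
# with GID 0. Not the forum posters' code; function names are hypothetical.

# Print one passwd(5) line: name, uid, gid, home, shell (no GECOS field).
render_passwd_line() {
    printf '%s:x:%s:%s::%s:%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Write an nss_wrapper passwd file: the image's passwd file minus any stale entry
# for USER, plus an entry mapping the runtime UID/GID to USER.
# Arguments: user uid gid home shell source_passwd output_file
build_nss_passwd() {
    user=$1; uid=$2; gid=$3; home=$4; shell=$5; src=$6; out=$7
    grep -v "^${user}:" "$src" > "$out" 2>/dev/null || :
    render_passwd_line "$user" "$uid" "$gid" "$home" "$shell" >> "$out"
}

# Return 0 if every entry under DIR is group-owned by GID and has the group
# write bit (the state chgrp -R GID / chmod -R g+rwX produces), else return 1
# and list the offending paths on stderr. Whitespace-free paths assumed.
check_group_writable() {
    dir=$1; gid=$2; bad=0
    for p in $(find "$dir"); do
        g=$(stat -c %g "$p")
        m=$(stat -c %A "$p")          # e.g. drwxrwxr-x; group write is char 6
        case "$m" in
            ?????w*) ;;
            *) echo "not group-writable: $p ($m)" >&2; bad=1 ;;
        esac
        [ "$g" = "$gid" ] || { echo "wrong group $g (want $gid): $p" >&2; bad=1; }
    done
    return $bad
}

# Render the passwd file for the current process, enable nss_wrapper, and verify
# each directory given as an argument. Returns non-zero on the first bad tree.
# Usage inside an entrypoint:
#   preflight /etc/icinga2 /var/lib/icinga2 /var/log/icinga2 /run/icinga2 || exit 1
preflight() {
    uid=$(id -u); gid=$(id -g)
    build_nss_passwd icinga "$uid" "$gid" /var/lib/icinga /usr/sbin/nologin \
        /etc/passwd /tmp/passwd
    export LD_PRELOAD=/usr/lib/libnss_wrapper.so   # path from the poster's image
    export NSS_WRAPPER_PASSWD=/tmp/passwd
    export NSS_WRAPPER_GROUP=/etc/group
    for d in "$@"; do
        check_group_writable "$d" "$gid" || return 1
    done
    return 0
}
```

Run preflight at the top of the entrypoint, before any icinga2 invocation; with the Dockerfile above every listed tree should pass, and a volume mounted over one of them (a common source of the original error) will be reported by path.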