Icinga2 satellite in openshift

Hi,

I am trying to run an icinga2 satellite in a hosted OpenShift Cluster. The issue is that the container gets started on the OpenShift Container Platform with an arbitrarily assigned user ID. This is due to security and we can’t change that. If I try to start the icinga2 service in the container I am getting the following error:

$ /usr/sbin/icinga2 daemon -x debug -c /etc/icinga2/icinga2.conf -e /var/log/icinga2/icinga2.err
critical/cli: setgroups() failed with error code 1, "Operation not permitted"
critical/cli: Please re-run this command as a privileged user or using the "nagios" account.

I already tried a workaround using nss-wrapper described here https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines.

As you can see below, I am user nagios, but not in the right group.

$ getent passwd nagios
nagios:x:1000170000:0::/var/lib/nagios:/bin/bash

However I am getting the same issue.

Is this just a matter of permissioning? What can I change within the Container to be able to start icinga2 with any user? Any help is welcome. Thanks in advance. Regards.

Hey :slight_smile:

Are you able to run Icinga - or anything else for that matter - in your container as root?

Hi Henrik, I’ve got it working following the guide https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines and changing the ownership (uid & gid) of the following directories to the uid & gid which are used by OpenShift:

/etc/icinga2
/var/log/icinga2
/var/cache/icinga2
/var/lib/icinga2
/var/spool/icinga2
/run/icinga2

If anybody needs help with this, please let me know.

Regards

Anthony

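The directory preparation described in the post above, as an added example that is not part of the original thread. It uses the group-based variant from the linked OpenShift guideline (group 0 plus `chmod g=u`) instead of a fixed UID, because the arbitrary UID runs with GID 0, as the `getent` output earlier in the thread shows. The function names and the `ROOT` prefix parameter are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Icinga project.
# Directory list taken from the post above.
ICINGA_DIRS="/etc/icinga2 /var/log/icinga2 /var/cache/icinga2 \
/var/lib/icinga2 /var/spool/icinga2 /run/icinga2"

# prepare_dirs ROOT [GROUP]
# Image build step, run as root. ROOT is a path prefix ("" for the real
# filesystem, a scratch directory for a dry run). GROUP defaults to 0,
# the group OpenShift gives to the arbitrarily assigned UID.
prepare_dirs() {
    root=$1; group=${2:-0}
    for d in $ICINGA_DIRS; do
        mkdir -p "$root$d" || return 1
        chgrp -R "$group" "$root$d" || return 1
        # g=u copies the owner's permission bits to the group only;
        # the "other" bits are left as they were.
        chmod -R g=u "$root$d" || return 1
    done
}

# check_dirs ROOT
# Container start-up check: report every directory the current UID/GID
# cannot write to. Returns the number of failures (0 means all usable).
check_dirs() {
    root=$1; bad=0
    for d in $ICINGA_DIRS; do
        if [ ! -d "$root$d" ] || [ ! -w "$root$d" ]; then
            echo "not writable for uid=$(id -u) gid=$(id -g): $root$d" >&2
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Typical use (assumed layout):
#   image build, as root:  prepare_dirs ""
#   entrypoint, any UID:   check_dirs "" || exit 1
```

Running `check_dirs` in the entrypoint before starting the daemon turns a missing or unwritable directory into an explicit message naming the path.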

Glad you’ve got that problem solved :smiley:

I am trying to deploy my Icinga master on OpenShift and am encountering the same issue, but am not having any luck. I am pulling the latest Icinga Docker image and modifying it. I’ve tried the link provided above to spoof the icinga user and I have changed the gid permissions on /data. (In the official Icinga Docker image /etc/icinga2 and /var are linked to /data). Any suggestions?