Hello.
I need to execute the ITL command file_age with sudo, because nagios does not have permission to read the file I want to check. Our idea is to add this command to sudoers in order to give permission to execute the plugin check_file_age with sudo.
But I don’t know if it is possible to use the ITL command file_age and somehow set it to use sudo, because if not, I need to create a new custom command to run check_file_age with sudo, and I prefer not to create a new command.
So the question: is it possible to add sudo to an ITL check_command?
ritzgu
January 14, 2021, 1:18pm
2
Hi @ander.lopetegui
You could change the command to command = [ "sudo", PluginDir + "/check_file_age" ], but:
The ITL content is updated with new releases. Please do not modify templates and/or objects as changes will be overridden without further notice. (source)
So maybe you should create a new command definition for this somewhere in /etc/icinga2.
Kind regards,
ritzgu
dgoetz
(Dirk Götz)
January 14, 2021, 2:37pm
3
For security reasons I would prefer ACLs over sudo to give access to files.
But if you need it, I would wrap the original command and overwrite the command line.
object CheckCommand "my_file_age" {
	import "file_age"
	command = [ "/usr/bin/sudo", PluginDir + "/check_file_age" ]
}
This would be update-safe, get changes from updates and can also be done in Director.
Hi @ritzgu
As you said, I prefer not to change the ITL command; if I need to add sudo, I would create a new command.
But I was asking if there is some variable to change the ITL command and run it with sudo, something like in this command
Thanks
ritzgu
January 14, 2021, 3:46pm
5
Just had a look at the command definition of running_kernel. Here the variable running_kernel_use_sudo is evaluated:
if (use_sudo) {
	args = [ "sudo" ]
} else {
	args = []
}
args += [ PluginContribDir + "/check_running_kernel" ]
I may be wrong but I have not seen this in other commands yet.
That way is nice to implement.
It would be interesting if all commands had this feature by default.
I think, finally I will create a custom command with this use_sudo variable.
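The custom command discussed above, as an added example that is not part of the original posts or the ITL: it imports file_age as dgoetz suggests and adds a switch modelled on running_kernel_use_sudo. The names file_age_sudo, file_age_use_sudo and backup_age_file, the service name, the sudoers file name and the Debian-style plugin path are assumptions.

```icinga2
// Added example, not ITL code. "file_age_sudo" and file_age_use_sudo
// are assumed names chosen for this illustration.
object CheckCommand "file_age_sudo" {
  // Keep the ITL arguments (file_age_file, thresholds, ...) update-safe.
  import "file_age"

  command = {{
    // Per-service switch, same idea as running_kernel_use_sudo.
    var use_sudo = macro("$file_age_use_sudo$")

    var args = []
    if (use_sudo) {
      // Absolute path to sudo; -n makes sudo fail immediately instead of
      // waiting for a password prompt when the sudoers rule is missing.
      args = [ "/usr/bin/sudo", "-n" ]
    }

    args += [ PluginDir + "/check_file_age" ]
    return args
  }}
}

// Only services that set the switch run the plugin through sudo.
apply Service "backup-age" {
  check_command = "file_age_sudo"
  vars.file_age_file = host.vars.backup_age_file   // assumed host custom var
  vars.file_age_use_sudo = true

  assign where host.vars.backup_age_file
}

/* Matching sudoers rule (assumed file /etc/sudoers.d/icinga-file-age and
 * assumed Debian-style PluginDir; validate with `visudo -cf <file>`):
 *
 *   nagios ALL=(root) NOPASSWD: /usr/lib/nagios/plugins/check_file_age
 *
 * The rule names exactly one binary, so nagios gains no other root command.
 * With no argument list it still accepts any arguments to that plugin.
 * The plugin and every directory above it must be root-owned and not
 * writable by nagios, otherwise the rule amounts to full root access.
 */
```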
Al2Klimov
(Grandmaster)
January 14, 2021, 6:03pm
7
Pro tip:
➜ icinga2 git:(master) cat sudocmd.conf
object CheckCommand "nosudo" {
	command = [ "nosudo" ]
	arguments = {
		"-n" = {
			value = "m"
		}
	}
}

template CheckCommand "withsudo" {
	command = [ "sudo" ] + command
}

object CheckCommand "nosudo-withsudo" {
	import "nosudo"
	import "withsudo"
}
➜ icinga2 git:(master) prefix/sbin/icinga2 daemon -c sudocmd.conf -C
[2021-01-14 19:01:45 +0100] information/cli: Icinga application loader (version: v2.12.0-426-g5f548c8f8)
[2021-01-14 19:01:45 +0100] information/cli: Loading configuration file(s).
[2021-01-14 19:01:45 +0100] warning/config: Ignoring directory '/Users/aklimov/NET/WS/icinga2/prefix/etc/icinga2/zones.d/master' for unknown zone 'master'.
[2021-01-14 19:01:45 +0100] warning/config: Ignoring directory '/Users/aklimov/NET/WS/icinga2/prefix/var/lib/icinga2/api/zones/master' for unknown zone 'master'.
[2021-01-14 19:01:45 +0100] information/ConfigItem: Committing config item(s).
[2021-01-14 19:01:45 +0100] information/ConfigItem: Instantiated 2 CheckCommands.
[2021-01-14 19:01:45 +0100] information/ConfigItem: Instantiated 1 IcingaApplication.
[2021-01-14 19:01:45 +0100] information/ScriptGlobal: Dumping variables to file '/Users/aklimov/NET/WS/icinga2/prefix/var/cache/icinga2/icinga2.vars'
[2021-01-14 19:01:45 +0100] information/cli: Finished validating the configuration file(s).
➜ icinga2 git:(master) prefix/sbin/icinga2 object list -t CheckCommand --name nosudo-withsudo
Object 'nosudo-withsudo' of type 'CheckCommand':
% declared in 'sudocmd.conf', lines 14:1-14:37
* __name = "nosudo-withsudo"
* arguments
% = modified in 'sudocmd.conf', lines 3:2-7:2
* -n
* value = "m"
* command = [ "sudo", "nosudo" ]
% = modified in 'sudocmd.conf', lines 2:2-2:23
% = modified in 'sudocmd.conf', lines 11:2-11:31
* env = null
* execute
% = modified in 'methods-itl.conf', lines 19:3-19:23
% = modified in 'methods-itl.conf', lines 19:3-19:23
* arguments = [ "checkable", "cr", "resolvedMacros", "useResolvedMacros" ]
* deprecated = false
* name = "Internal#PluginCheck"
* side_effect_free = false
* type = "Function"
* name = "nosudo-withsudo"
* package = "_etc"
* source_location
* first_column = 1
* first_line = 14
* last_column = 37
* last_line = 14
* path = "sudocmd.conf"
* templates = [ "nosudo-withsudo", "plugin-check-command", "nosudo", "plugin-check-command", "withsudo" ]
% = modified in 'sudocmd.conf', lines 14:1-14:37
% = modified in 'methods-itl.conf', lines 18:2-18:94
% = modified in 'sudocmd.conf', lines 1:0-1:27
% = modified in 'methods-itl.conf', lines 18:2-18:94
% = modified in 'sudocmd.conf', lines 10:1-10:32
* timeout = 60
* type = "CheckCommand"
* vars = null
* zone = ""
➜ icinga2 git:(master)