Scripts to run on remote hosts

OK, when I do
su - icinga
/usr/lib/nagios/plugins/check_by_ssh -C /usr/lib/nagios/plugins/check_script.sh -i /home/icinga/.ssh/id_rsa -H hostip -l root -E -t 30 -------> works

Without -E it does not give me output. It throws an error:
Remote command execution failed: Unauthorized access to this machine is prohibited

But my question is: on the Icinga web GUI it always throws me an error. Not sure what the problem is. But on the command line it works.
Please suggest.
Remote command execution failed: Warning: Identity file /home/icinga/.ssh/id_rsa not accessible: Permission denied.

Strange, -E isn’t supposed to make it work, only to suppress error messages in the output.
Do you get a valid output from /usr/lib/nagios/plugins/check_script.sh with -E?

Maybe it’s a motd or a SSH banner you need to deactivate on the remote server?

But it's OK, I got the output I need. Please let me know how to pass -E and -t in the Icinga Director.

Also, is there a reason Icinga Director is not able to identify the id_rsa file while the command line does?

I think the other thread has the explanation on how to pass stuff to the command via Director, but with imported commands it’s sometimes easier to just redefine them in the Director and use your own version.

The Icinga Director doesn’t care about your id_rsa file, as it never touches the file system at all.
In the Director you build objects in a database that get compiled into Icinga DSL config directives, and this code gets deployed via the Icinga API.

zones.d/director-global/commands.conf
object CheckCommand "116-cmd-by-ssh" {
    import "plugin-check-command"
    command = [ PluginDir + "/check_by_ssh" ]
    timeout = 1m
    arguments += {
        "--command" = {
            description = "command to execute on the remote machine"
            required = true
            value = "$by_ssh_command$"
        }
        "-4" = {
            description = "Use IPv4 only"
            set_if = "$by_ssh_ipv4$"
        }
        "-6" = {
            description = "Use IPv6 only"
            set_if = "$by_ssh_ipv6$"
        }
        "-E" = {
            description = "Ignore all or (if specified) first n lines on STDERR [optional]"
            value = "$by_ssh_skip_stderr$"
        }
        "-H" = {
            description = "Host name, IP Address, or unix socket (must be an absolute path)"
            value = "$by_ssh_address$"
        }
        "-c" = {
            description = "Response time to result in critical status (seconds)"
            value = "$by_ssh_crit$"
        }
        "-i" = {
            description = "identity of an authorized key [optional]"
            value = "$by_ssh_identity$"
        }
        "-l" = {
            description = "SSH user name on remote host [optional]"
            value = "$by_ssh_logname$"
        }
        "-o" = {
            description = "Provide ssh options (may be repeated)"
            value = "$by_ssh_options$"
        }
        "-p" = {
            description = "Port number (default: none)"
            value = "$by_ssh_port$"
        }
        "-q" = {
            description = "Tell ssh to suppress warning and diagnostic messages [optional]"
            set_if = "$by_ssh_quiet$"
        }
        "-t" = {
            description = "Seconds before connection times out (default: 10)"
            value = "$by_ssh_timeout$"
        }
        "-w" = {
            description = "Response time to result in warning status (seconds)"
            value = "$by_ssh_warn$"
        }
    }
    vars.by_ssh_address = "$check_address$"
    vars.by_ssh_quiet = false
    vars.check_address = {
        arguments = [  ]
        deprecated = false
        name = "<anonymous>"
        side_effect_free = false
        type = "Function"
    }
    vars.check_ipv4 = "$by_ssh_ipv4$"
    vars.check_ipv6 = "$by_ssh_ipv6$"
}
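
As an added illustration (not posted by anyone in this thread): with the CheckCommand above, `-E` and `-t` are driven by the custom variables `by_ssh_skip_stderr` and `by_ssh_timeout`. In Director these are set as custom variables on the service; the equivalent Icinga DSL is sketched below. The host name and address are constructed placeholders, and the other values are taken from the command line quoted in this thread.

```icinga2
// Added example, not from the thread. Host name and address are placeholders.
object Host "remote-host.example" {
    check_command = "hostalive"
    address = "192.0.2.10"    // by_ssh_address resolves to this through $check_address$
}

object Service "check_script" {
    host_name = "remote-host.example"
    check_command = "116-cmd-by-ssh"

    // "--command": the plugin to run on the remote machine
    vars.by_ssh_command = "/usr/lib/nagios/plugins/check_script.sh"

    // "-i" and "-l": the key must be readable by the account the Icinga
    // daemon runs as on the check source, not just by an interactive shell
    vars.by_ssh_identity = "/home/icinga/.ssh/id_rsa"
    vars.by_ssh_logname = "root"

    // "-E 1": ignore the first line on STDERR (for example an SSH banner)
    vars.by_ssh_skip_stderr = 1

    // "-t 30": seconds before the connection times out
    vars.by_ssh_timeout = 30
}
```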

Well, I get this. But on the command line it just works; on the web GUI I get this:
UNKNOWN - check_by_ssh: Remote command returned status 255

The same command you get from inspect in icingaweb2 and run as the icinga user?

This is very strange; as I read it, the problem is only manifesting on the remote host.
What is the Check Source in icingaweb2 for this service?

When I do inspect in icingaweb2, I can see the
/usr/lib/nagios/plugins/check_by_ssh -C /usr/lib/nagios/plugins/check_script.sh -i /home/icinga/.ssh/id_rsa -H hostip -l root -E 1 -t 30

The same command, if I run it as
root@icingaserver or icinga@icingaserver -------> works

You mean the service of Icinga?

Yes, where is icinga trying to run the check?

I’m out of ideas. Maybe if you activate the debug log, restart icinga, force the check, deactivate the debug log and restart icinga, we find another lead.

It seems we cannot use -l root; Icinga always tries to check with the icinga user though we specify root. That could be one of the reasons. But what is strange is that when I create an icinga user on the remote and try to copy the pubkey to the remote host, it asked me for a password. But the password which I issued for the icinga user on the remote, the same one I have given, does not work.

Sorry, the two restarts are just to make the activation and deactivation of the debug log take effect.
The important part for the next steps is to see what gets written in the debug log.

How so? Icinga only runs the command and in inspect and the debug log we should see the exact command that gets executed.

It's only a guess, not sure though. On the command line it just executes the script and I can print the output very well. With the debug log, it does not show anything, maybe because we are configuring services and commands in Director.

The debug log shows what is executed by icinga. It has nothing to do with Director, as the Director lives inside icingaweb2, not icinga.

OK, the log just displays a warning, terminated with exit code 255:
warning/PluginCheckTask: Check command for object UNKNOWN - check_by_ssh: Remote command '/usr/lib/nagios/plugins/check_script.sh ’ returned status 255
At least on one of the websites they say to use a different user, which is not working in my case.

Are you sure there isn’t the exact command icinga executed in the debug log?
What is the auth log on the remote showing?

I have only this
4.072021,latency=0.001131,max_check_attempts=3i,reachable=true,state=0i,state_type=1i 1663328179’.
[2022-09-16 11:36:50 +0000] information/ExternalCommandListener: Executing external command: [1663328210] SCHEDULE_FORCED_SVC_CHECK;host;check_script1663328210
