On 02.10.17 09:51, Gijs Rijnders wrote:
> On 9/17/17 12:08 PM, Gerald Vogt wrote:
>> On 17.09.17 11:27, Gijs Rijnders wrote:
>>> I have an Icinga2 master node, and I want to monitor other Linux hosts
>>> for apt package availability. I read that I have to install Icinga2
>>> locally as Satellite on every host, and connect it to the master node. I
>> You don't have to do that. An option to install icinga2 on every host
>> is to run the checks via ssh. We use ssh key authentication on the
>> master to log into an account on the hosts. Via sudoers the account on
>> the host can run the necessary checks if root privileges are required.
>> The authorized_keys on the host runs a special shell script which
>> makes sure only the checks we need can be executed.
> I have tried some configuration for running check_apt "by_ssh", but it
> doesn't work out for me. Could you give me an example about how you
> managed to do this?

Well, it's not so simple to easily get it condensed into a short example.
On the icinga2 server, assuming you already have a CheckCommand running
the check locally on the icinga2 server you can wrap it for by_ssh like
this:
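object CheckCommand "by_ssh_swap" {
  // take the command line and arguments of the local "swap" check ...
  import "swap"
  vars.by_ssh_command = command
  vars.by_ssh_arguments = arguments
  // ... and hand them to check_by_ssh, which runs them on the remote host
  import "by_ssh"
  vars.by_ssh_logname = "icingatest"
  vars.by_ssh_quiet = true
}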
icingatest is the user account for executing icinga checks on the remote
host. The icinga user on the icinga2 server has a SSH RSA key to log
into the remote host without password as user icingatest (i.e.
~icingatest/.ssh/authorized_keys contains the rsa public key of the
icinga2 icinga user...)
For security reasons the rsa key on the remote host is limited to
executing a dispatch script:
---
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/home/icingatest/bin/dispatch.sh" ssh-rsa AAAA...
---
The dispatch script makes sure that only icinga checks can be executed,
basically allowing to run checks only in directories
/usr/lib64/nagios/plugins and /home/icingatest/bin/icinga.
Checks which can run as icingatest user, e.g. load, swap, etc. are
covered. If a check requires root (or any other specific user/system
account) privileges I put a wrapper script into
/home/icingatest/bin/icinga to call the check with sudo, e.g.
---
# cat /home/icingatest/bin/icinga/check_updates
#! /bin/bash
# "$@" passes each argument through unchanged; unquoted $* would re-split them
sudo /usr/lib64/nagios/plugins/check_updates "$@"
---
Allow this to run without tty and password in sudoers:
---
Defaults:icingatest !requiretty
icingatest ALL=(root) NOPASSWD: /usr/lib64/nagios/plugins/check_updates
---
To check the ssh setup you can "simulate" the by_ssh call from the
icinga2 server:
---
# sudo -u icinga /usr/lib64/nagios/plugins/check_by_ssh -H remote.example.com -l icingatest -C 'check_updates'
---
That should work...
-Gerald
_______________________________________________
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users
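
The dispatch script named in the authorized_keys entry is described in the message above but not shown. The following is an added example, not Gerald's script: a minimal forced-command dispatcher for that setup. It assumes checks are requested as a bare name or as a path directly inside the two directories named in the message, with plain unquoted arguments; the function names, the search order and the character whitelist are illustrative choices.

```shell
#!/bin/sh
# Forced-command dispatcher sketch (added example, not the poster's script).
# sshd puts the command requested by the client in SSH_ORIGINAL_COMMAND.
LC_ALL=C; export LC_ALL

# Directories named in the post; the wrapper directory comes first so the
# sudo wrappers take precedence (assumption).
ALLOWED_DIRS=/home/icingatest/bin/icinga:/usr/lib64/nagios/plugins

# Print the absolute path of an allowed check, or return 1.
resolve_check() {
    name=$1
    base=${name##*/}
    [ -n "$base" ] || return 1
    old_ifs=$IFS; IFS=:
    set -f; set -- $ALLOWED_DIRS; set +f
    IFS=$old_ifs
    for dir in "$@"; do
        # Accept a bare name or exactly "<allowed dir>/<name>"; a path with
        # "..", extra components or another directory never matches.
        if [ "$name" = "$base" ] || [ "$name" = "$dir/$base" ]; then
            if [ -f "$dir/$base" ] && [ -x "$dir/$base" ]; then
                printf '%s\n' "$dir/$base"
                return 0
            fi
        fi
    done
    return 1
}

# Validate and run one requested command. Exit code 3 is UNKNOWN for plugins.
dispatch() {
    set -f; set -- $1; set +f    # split on whitespace only, never eval
    for w in "$@"; do
        case $w in
            *[!A-Za-z0-9_./:%,=@-]*)
                echo "UNKNOWN - argument rejected"; return 3 ;;
        esac
    done
    plugin=$(resolve_check "${1:-}") || {
        echo "UNKNOWN - check not allowed"; return 3; }
    shift
    "$plugin" "$@"
}

# Run only when sshd supplied a command; a login without one falls through
# and the session ends without a shell.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    dispatch "$SSH_ORIGINAL_COMMAND"
    exit $?
fi
```

Arguments containing quotes or shell metacharacters are refused rather than interpreted, so a check that needs such arguments has to be wrapped in a script under /home/icingatest/bin/icinga.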