adoptium / infrastructure

This repo contains all information about machine maintenance.
Apache License 2.0

Access request for non-root users to configure nagios #1862

Closed sxa closed 3 years ago

sxa commented 3 years ago

As discussed with @Willsparker we should try and get to a stage where the advice to remove systems by running as root is unnecessary. The current filesystem has things owned by root but that is not ideal as we don't want to give out that level of access unless strictly necessary.

Willsparker commented 3 years ago

I'm going to confirm this can't be done by the Nagios user, once #1861 has been merged. If not, this could be part of #1670 . Looking at the playbook task that starts the Nagios_Ansible_Config_Tool (https://github.com/AdoptOpenJDK/openjdk-infrastructure/blob/a07a50d0646e81671faddb2ff61278592c6cb22d/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/Nagios_Master_Config/tasks/main.yml#L25), it does start the script as root ... we may be able to just add a su - nagios before starting the tool.

sxa commented 3 years ago

ssh -o StrictHostKeyChecking=no root@{{ Nagios_Master_IP }}

😱

Willsparker commented 3 years ago

Yep, okay, I tried to delete test-osuosl-centos74-ppc64le-4.cfg from /usr/local/nagios/etc/servers/, and as suspected, permission denied error when logged in as the Nagios User. Even running chown nagios /path/to/cfg/file didn't let the nagios user delete the file. I'll start looking into how to make the Nagios_Ansible_Config_Tool run as the Nagios user

sxa commented 3 years ago

I'm guessing the servers directory is not writable by the nagios user then

Willsparker commented 3 years ago

Correct - touch foo didn't work. I made the /usr/local/nagios/etc/servers directory writable by everyone using chmod 777 and that allowed touch foo :-) Only other thing that Nagios needs access to, to remove servers, is /usr/local/nagios/etc/objects/hostgroups.cfg, so I'll make that file writable by everyone, too.

@sxa, do you have any machines you're currently setting up that could be added to Nagios, as a test of making the above Ansible task run as the Nagios User?

sxa commented 3 years ago

DON'T MAKE IT 777. Chown it to nagios instead

sxa commented 3 years ago

I haven't got anything that's quite ready yet, but you can always take one of existing ones out and put it back in 😁 Could probably give you one of the linaro ones if you wanted to play

Willsparker commented 3 years ago

> DON'T MAKE IT 777. Chown it to nagios instead

Fixed! 😳 It's 755, and Nagios owns it, now

> I haven't got anything that's quite ready yet, but you can always take one of existing ones out and put it back in 😁 Could probably give you one of the linaro ones if you wanted to play

Ah, it's okay, I'll take one out :-) I'll make a backup of the cfg file in case there are any issues

EDIT: Ah, I'll do my tests with build-digitialocean-centos69-x64-2, considering it's disconnected in Jenkins, and I have access to it

Willsparker commented 3 years ago

Okay, the Nagios User can now delete machine definitions from /usr/local/nagios/etc/servers, and edit the /usr/local/nagios/etc/objects/hostgroups.cfg file. The nagios user can also restart the service by running sudo /etc/init.d/nagios restart. I was able to do this by adding the following line into /etc/sudoers:

nagios ALL = NOPASSWD: /etc/init.d/nagios

This allows Nagios to password-less sudo when running /etc/init.d/nagios, but not when running anything else. So, with that, I think we can update the wiki. I'll still look into running the Nagios_Ansible_Config_Tool as the Nagios user, as it just seems... better? But that can be in a separate issue to stop this one from getting too big :-)
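The two outcomes of this thread (the config directory is writable by nagios because nagios owns it, not because it is 777; and the sudoers rule grants NOPASSWD for exactly one command path, not ALL) can be checked mechanically. The script below is an added example written for this page, not code from the adoptium/infrastructure repo or its playbooks. It assumes only POSIX sh, `ls -n` and `id`; the paths and user name it mentions (/usr/local/nagios/etc/servers, /etc/init.d/nagios, nagios) are the ones from the discussion above.

```shell
#!/bin/sh
# Added example, not part of the adoptium/infrastructure repository.
# Two checks that encode the conclusions of the issue above:
#   1. a Nagios config directory must be writable by the nagios user through
#      ownership (chown nagios + 755), never through world-writable bits (777)
#   2. a sudoers NOPASSWD rule must name explicit absolute command paths
#      (e.g. /etc/init.d/nagios), not ALL and not a wildcard
# Assumed names from the thread: user "nagios", /usr/local/nagios/etc/servers,
# /etc/init.d/nagios.

# check_dir_perms DIR USER
#   returns 0 when DIR is owned by USER and is not world-writable (the 755 case)
#   returns 1 when DIR is world-writable (the 777 case), whoever owns it
#   returns 2 when DIR is not owned by USER (or USER does not exist)
check_dir_perms() {
  dir=$1
  want_uid=$(id -u "$2" 2>/dev/null) || return 2
  # `ls -ldn` prints: mode links uid gid size date... name (numeric ids,
  # so the comparison does not depend on /etc/passwd rendering)
  set -- $(ls -ldn "$dir")
  mode=$1
  uid=$3
  # the 9th character of the mode string is the "other" write bit
  case "$mode" in
    ????????w*) return 1 ;;
  esac
  [ "$uid" = "$want_uid" ] || return 2
  return 0
}

# check_sudoers_rule LINE
#   returns 0 when LINE grants NOPASSWD for one or more explicit absolute
#   command paths, e.g. "nagios ALL = NOPASSWD: /etc/init.d/nagios"
#   returns 1 when there is no NOPASSWD command list, or any entry in it is
#   ALL, empty, relative, or contains a wildcard
check_sudoers_rule() {
  line=$1
  case "$line" in
    *NOPASSWD:*) ;;
    *) return 1 ;;
  esac
  cmds=${line##*NOPASSWD:}
  # split the comma-separated command list into positional parameters
  oldifs=$IFS
  IFS=,
  set -- $cmds
  IFS=$oldifs
  [ $# -gt 0 ] || return 1
  for c in "$@"; do
    # trim surrounding whitespace around each command entry
    c=$(printf '%s' "$c" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case "$c" in
      ALL|''|*\**|*\?*) return 1 ;;
      /*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Run against the real locations from the thread when invoked with
# --check-host (only meaningful on the Nagios master itself).
if [ "${1:-}" = "--check-host" ]; then
  check_dir_perms /usr/local/nagios/etc/servers nagios
  echo "servers directory check: $?"
  check_sudoers_rule 'nagios ALL = NOPASSWD: /etc/init.d/nagios'
  echo "sudoers rule check: $?"
fi
```

The sudoers check only looks at the shape of one rule; before installing any change to /etc/sudoers, run `visudo -c -f <file>` so a syntax error cannot lock everyone out of sudo.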

Willsparker commented 3 years ago

The wiki has been updated. Closing issue