poise / poise-monit

A Chef cookbook to manage Monit.
Apache License 2.0

Unable to specify uid and gid in check #14

Closed precurse closed 8 years ago

precurse commented 8 years ago

Hello,

I'm trying to specify a user to run a specific script as since it's better practice to run things with the least necessary privileges. However, when I try to specify it in the check, the cookbook fails to run.

Example that works:

monit_check 'nginx' do
  check "if does not exist then restart
      if does not exist then exec /etc/monit/slack.rb"
  start_program '/etc/init.d/nginx start'
  stop_program '/etc/init.d/nginx stop'
end

Example that does not work:

monit_check 'nginx' do
  check "if does not exist then restart
      if does not exist then exec /etc/monit/slack.rb as uid nobody and gid nobody"
  start_program '/etc/init.d/nginx start'
  stop_program '/etc/init.d/nginx stop'
end

However, according to the Monit documentation, this is a valid check: https://mmonit.com/monit/documentation/monit.html#ACTION

EXEC can be used to execute an arbitrary program and send an alert. If you choose this action you must state the program to be executed and if the program requires arguments you must enclose the program and its arguments in a quoted string. You may optionally specify the uid and gid the executed program should switch to upon start. The program is by default executed only once, on the state change. You can enable program repetition when the error persists for given number of cycles. For instance:

if failed then exec "/usr/local/bin/sms.sh" as uid nobody and gid nobody repeat every 5 cycles

Thanks!

coderanger commented 8 years ago

I think you need:

check "if does not exist then restart
      if does not exist then exec /etc/monit/slack.rb as uid \"nobody\" and gid \"nobody\""

or alternately (same effect, maybe a little easier to read):

  check [
    'if does not exist then restart',
    'if does not exist then exec /etc/monit/slack.rb as uid "nobody" and gid "nobody"',
  ]

coderanger commented 8 years ago

But the key point in either case is the names are in double quotes. Also make sure your Monit is new enough to support the feature.

precurse commented 8 years ago

That one particular example showed them with quotes, but others don't. So I think it's optional (just not consistent in the examples).

I just tried with escaped quotes but it failed too.

Should the version of monit really matter if it's the cookbook that is failing to run? Stackoverflow looks like it has examples from 2010 using "as uid and guid": http://serverfault.com/questions/50628/how-i-configure-monit-to-start-a-process-with-a-specific-user

Thanks

coderanger commented 8 years ago

What's the error from the cookbook? The only thing I would expect from that is a validation failure which means that monit -t is rejecting the config as invalid.

precurse commented 8 years ago

Ah good point. Error is:

    Error executing action `create` on resource 'monit_check[nginx]'
    ================================================================================

    Chef::Exceptions::ValidationFailed
    ----------------------------------
    file[/etc/monit/conf.d/nginx.conf] (/var/chef/cache/cookbooks/poise-monit/files/halite_gem/poise_monit/resources/monit_config.rb line 90) had an error: Chef::Exceptions::ValidationFailed: Proposed content for /etc/monit/conf.d/nginx.conf failed verification #<Chef::Resource::File::Verification:0x00000003dc3ae0>

    Cookbook Trace:
    ---------------
    /var/chef/cache/cookbooks/poise/files/halite_gem/poise/helpers/notifying_block.rb:69:in `notifying_block'
    /var/chef/cache/cookbooks/poise-monit/files/halite_gem/poise_monit/resources/monit_config.rb:72:in `action_create'

I'll try manually validating it with monit -t

coderanger commented 8 years ago

Yep, Monit itself says it isn't a valid config, the cookbook is just the messenger :)

precurse commented 8 years ago

hah, good call.

    # /opt/monit-5.16/bin/monit -t -c /etc/monit/monitrc
    /etc/monit/conf.d/nginx.conf:5: Requested group not found on the system 'nobody'

User nobody exists on Ubuntu, but the group doesn't.

Thanks!

coderanger commented 8 years ago

Glad I could help. We should probably improve the validation feature in Chef to expose that message out to the user :)