I'm configuring an Icinga2 server and want it to run local scripts on external machines using the check_by_ssh plugin, and I encountered a strange issue. I've searched for an answer for a few hours, but no luck.

My command object looks as follows:

object CheckCommand "check_procs" {
        import "by_ssh"
        vars.by_ssh_logname = "root"
        vars.by_ssh_port = "22"
        vars.by_ssh_command = "/tmp/test.sh"
        vars.by_ssh_identity = "/etc/icinga2/conf.d/services/id_rsa.pub"
        vars.by_ssh_ipv4 = "true"
        vars.by_ssh_quiet = "true"
}

The content of test.sh is simply exit 0. I have a trust between my Icinga box and the remote machine I'm running the command at.

When I execute the command through the shell, it works:

[root@icinga ~]# ssh root@10.10.10.1 -C "/tmp/test.sh"
[root@icinga ~]# echo $?
0

But when it is executed by the server, I see on my Icingaweb2 this output:

UNKNOWN - check_by_ssh: Remote command '/tmp/test.sh' returned status 255

Now I have added a touch success to test.sh script, in order to see if it is executed at all - but it seems it doesn't. That means when Icinga executes my script, it fails before even executing it.

Any clues what it can be? There are not many examples online either of check_by_ssh with Icinga2.

NOTE: Icinga uses root user to identify with the remote server. I know this is not best practice, but this is development env.

UPDATE: I think I have found the issue. The problem is that I'm trying to use the root user to log in to the remote machine. This IS NOT supported, even with public key authentication. The script has to be executed with the user icinga.

2nd Update: I got it working. The issue was key authentication, the fact that icinga uses the user icinga to execute the command (even when using the by_ssh_logname attribute) and the addition of vars.by_ssh_options = "StrictHostKeyChecking no"

2 Answers

1

My problem was that the RSA key files being used were not owned by the "nagios" user:

-rw------- 1 nagios nagios 3.2K Nov 30 14:43 id_rsa
-rw-r--r-- 1 nagios nagios  766 Nov 30 14:42 id_rsa.pub
answered 2017-11-30T16:39:55.117

1

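I found the problem; in my case there were a few.

  1. Icinga uses the icinga user to log in over SSH, even when I use -l root. So, to install the SSH key, I had to run ssh-copy-id icinga@HOST as the root user (the Icinga shell is set to /sbin/nologin)
  2. Then I copied the private key (again, the root user's) to the icinga folder so that the application could access it, and changed the ownership of the file
  3. Next, I tried to log in to the remote machine as the icinga user: sudo -u icinga ssh icinga@HOST -i id_rsa
  4. If step 3 fails, you need to figure that out before continuing. The next thing I did was add StrictHostKeyChecking no to the module options.

Voila, this now works.

answered 2017-08-15T08:32:22.877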
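
A pre-flight check for the key problems described in both answers, as an added example that is not part of the original posts: check_identity verifies that the identity file is a private key (not the .pub file), owned by the service user, with owner-only permissions, and try_login repeats step 3 without any prompt. The function names and the paths shown in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or the answers.

# check_identity KEYFILE SERVICE_USER
# Prints one finding per line; returns 0 if the key is usable, 1 otherwise.
# e.g. check_identity /var/lib/icinga2/.ssh/id_rsa icinga   (hypothetical path)
check_identity() {
    key=$1; svc_user=$2; rc=0
    if [ ! -f "$key" ]; then
        echo "FAIL: $key does not exist"
        return 1
    fi
    # An identity (-i) file must be the private key; id_rsa.pub will not work.
    case $(head -n 1 "$key") in
        "-----BEGIN "*"PRIVATE KEY-----") ;;
        *) echo "FAIL: $key is not a private key"; rc=1 ;;
    esac
    # Owner and permission string taken from the same listing the first answer shows.
    owner=$(ls -ld "$key" | awk '{print $3}')
    perms=$(ls -ld "$key" | awk '{print $1}')
    [ "$owner" = "$svc_user" ] || {
        echo "FAIL: $key is owned by $owner, expected $svc_user"; rc=1
    }
    # ssh ignores a private key that group or others can read.
    case $perms in
        -rw-------*|-r--------*) ;;
        *) echo "FAIL: $key has permissions $perms, expected -rw-------"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "OK: $key is usable by $svc_user"
    fi
    return "$rc"
}

# try_login KEYFILE SERVICE_USER REMOTE_USER HOST
# Step 3 of the second answer, made non-interactive: with BatchMode=yes ssh
# fails instead of asking for a password or a host-key confirmation, which is
# the situation the monitoring daemon is in when it runs check_by_ssh.
try_login() {
    sudo -u "$2" ssh -o BatchMode=yes -i "$1" "$3@$4" true
}
```

Run it as root so the key file can be read whoever owns it.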