I have 1 host that needs to run a custom check that has to be run as root, even granting sudo permission doesn't help in this case. So I am wondering if there is a way to do this without making the entire agent have to run as root using the AllowRoot directive?
-
-
sudo works fine with Zabbix. What are trying to do? -
not in this case, running puppet cert list --all doesn't work that way at all.Comment
-
May be it requires special options in sudoers? Does it work from command line? Like
Code:$ sudo -u root /usr/bin/puppet cert list --all
Comment
-
See this:
Summary:
Set in /etc/zabbix/zabbix-agent.conf:
AllowRoot=0
UserParameter=puppet.key,sudo puppet cert list --all
After that create a new file in /etc/sudoers.d
$ sudo cat > /etc/sudoers.d/zabbix <<EOL
Defaults:zabbix !requiretty
Cmnd_Alias ZABBIX_CMD = /usr/bin/puppet
zabbix ALL = (root) NOPASSWD: ZABBIX_CMD
EOL
$ sudo chmod 400 /etc/sudoers.d/zabbix
$ sudo service zabbix-agent restartLast edited by hpeti2; 04-03-2016, 16:19.Comment
-
Well, I have to set the zabbix user to use /bin/bash in order to test this. With sudo set like this:
zabbix ALL=(ALL) NOPASSWD: ALL
I get:
$ sudo -u zabbix /usr/bin/puppet cert list
/usr/share/rubygems/rubygems/path_support.rb:68:in `path=': undefined method `+' for nil:NilClass (NoMethodError)
from /usr/share/rubygems/rubygems/path_support.rb:30:in `initialize'
from /usr/share/rubygems/rubygems.rb:357:in `new'
from /usr/share/rubygems/rubygems.rb:357:in `paths'
from /usr/share/rubygems/rubygems.rb:379:in `path'
from /usr/share/rubygems/rubygems/specification.rb:794:in `dirs'
from /usr/share/rubygems/rubygems/specification.rb:658:in `each_normal'
from /usr/share/rubygems/rubygems/specification.rb:669:in `_all'
from /usr/share/rubygems/rubygems/specification.rb:822:in `each'
from /usr/share/rubygems/rubygems/specification.rb:864:in `find'
from /usr/share/rubygems/rubygems/specification.rb:864:in `find_inactive_by_path'
from /usr/share/rubygems/rubygems.rb:175:in `try_activate'
from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:132:in `rescue in require'
from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:144:in `require'
from <internal:abrt_prelude>:2:in `<compiled>'
So as you can see there are rubygem errors, and zabbix's $HOME being /var/lib/zabbix doesn't help.
Even running this as another ordinary user doesn't output anything, you have to be root.Comment
-
$ sudo -u root /usr/bin/puppet cert listComment
-
the only way I could get it to work was to set AllowRoot = 1. Otherwise its almost like zabbix agent isn't calling sudo, isn't there a command_prefix or similar like nagios had?
Using the lastb command as a simpler example:
UserParameter=puppet.dmi,lastb
$ sudo -u root lastb
btmp begins Tue Mar 1 03:36:03 2016
$ zabbix_get -s puppet -k puppet.dmi
lastb: /var/log/btmp: Permission denied
Defaults:zabbix !requiretty
Cmnd_Alias ZABBIX_CMD = /usr/bin/puppet, /usr/bin/lastb, /usr/sbin/dmidecode
zabbix ALL = (root) NOPASSWD: ZABBIX_CMD
$ visudo -sc
/etc/sudoers: parsed OK
/etc/sudoers.d/nrpe_sudo: parsed OK
/etc/sudoers.d/zabbix_sudo: parsed OKLast edited by solarflow99; 05-03-2016, 00:30.Comment
-
ah-ha, that did it.
Thanks everyone for your help, it works, and provides a good example how this can be done.Comment
Comment