Change file owner so that check_ceph_osd nrpe service can work on CIS hardened environments
check_ceph_osd_services.py reads a file in /var/lib/nagios to report ceph status back to nagios. This service runs as the nagios user and the file is owned by root. On CIS hardened servers the default umask is set to 027, making the permissions of the file 640 instead of 644. As a result the service cannot read the file, and the status reported to nagios is UNKNOWN even though ceph status is OK. Closes-Bug: #1879667 Change-Id: Ib67b9a2b86a1c22658aeaf41f8e464072ab1828f
parent
e350ff6144
commit
25b97b332f
|
@ -6,6 +6,7 @@
|
|||
|
||||
import os
|
||||
import subprocess
|
||||
from pwd import getpwnam
|
||||
|
||||
# fasteners only exists in Bionic, so this will fail on xenial and trusty
|
||||
try:
|
||||
|
@ -71,6 +72,16 @@ def do_status():
|
|||
with open(_tmp_file, 'wt') as f:
|
||||
f.writelines(lines)
|
||||
|
||||
# In cis hardened environments check_ceph_osd_services cannot
|
||||
# read _tmp_file due to restrained permissions (#LP1879667).
|
||||
# Changing the owner of the file to nagios solves this problem.
|
||||
# check_ceph_osd_services.py removes this file, so make
|
||||
# sure that we change permissions on a file that exists.
|
||||
nagios_uid = getpwnam('nagios').pw_uid
|
||||
nagios_gid = getpwnam('nagios').pw_gid
|
||||
if os.path.isfile(_tmp_file):
|
||||
os.chown(_tmp_file, nagios_uid, nagios_gid)
|
||||
|
||||
|
||||
def run_main():
|
||||
# on bionic we can interprocess lock; we don't do it for older platforms
|
||||
|
|
|
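Review bot: The `os.chown(_tmp_file, nagios_uid, nagios_gid)` call after the `with` block acts on a path, not on the file that was just written, and it follows symlinks while presumably running as root. If the nagios user can write to the directory holding `_tmp_file` (the comment says the check script removes the file), the path can change between `os.path.isfile` and `os.chown`, and a concurrent removal at least raises FileNotFoundError. Changing ownership on the open descriptor avoids both the race and the existence check: look the account up once with `nagios = getpwnam('nagios')` and call `os.fchown(f.fileno(), nagios.pw_uid, nagios.pw_gid)` inside the `with open(_tmp_file, 'wt') as f:` block. `getpwnam` raises KeyError when no nagios account exists, so handle that lookup or skip the ownership change; note too that ownership gives nagios write access where the reader only needs read, so a group change or an explicit 0644 mode would be narrower. do_status starts outside the hunk, so how `_tmp_file` and its directory are set up is not visible here.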
@ -7,6 +7,7 @@
|
|||
# requirements. They are intertwined. Also, Zaza itself should specify
|
||||
# all of its own requirements and if it doesn't, fix it there.
|
||||
#
|
||||
setuptools<50.0.0 # https://github.com/pypa/setuptools/commit/04e3df22df840c6bb244e9b27bc56750c44b7c85
|
||||
charm-tools>=2.4.4
|
||||
requests>=2.18.4
|
||||
mock>=1.2
|
||||
|
|