Change file owner so that the check_ceph_osd nrpe service can work on CIS-hardened environments

check_ceph_osd_services.py reads a file in /var/lib/nagios to report Ceph
status back to Nagios. This service runs as the nagios user and the file
is owned by root. On CIS-hardened servers the default umask is set to
027, making the permissions of the file 640 instead of 644.
This results in the service not being able to read the file, and the
status reported to Nagios is UNKNOWN even though the Ceph status is OK.

Closes-Bug: #1879667

Change-Id: Ib67b9a2b86a1c22658aeaf41f8e464072ab1828f
Ioanna Alifieraki 2020-08-24 11:23:25 +01:00
parent e350ff6144
commit 25b97b332f
2 changed files with 12 additions and 0 deletions
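The commit message describes the mechanism behind the bug: a file created while a umask of 027 is active gets 0666 & ~027 = 0640, so a reader that is neither the owner nor in the group gets EACCES. The following is an added example written for this page, not code from the ceph-osd charm or from this commit. It reproduces the effect in a scratch directory and then shows one way to write a status file that is readable no matter what umask the caller inherited: forcing the mode with fchmod() on the still-open descriptor, and handing over ownership with fchown() only when running as root and the target user actually exists. That differs from the patch, which changes the owner after the file is closed; the scratch paths, the `HEALTH_OK` content and the `nagios` user name are assumptions for the demo.

```python
import os
import pwd
import stat
import tempfile


def write_under_umask(path, text, umask):
    """Create `path` with the given umask active and return its permission bits.

    Mirrors how a root job writing into /var/lib/nagios ends up with 0640 under
    a CIS umask of 027: open() creates the file as 0666 & ~umask.
    """
    old = os.umask(umask)
    try:
        with open(path, "wt") as f:
            f.write(text)
    finally:
        os.umask(old)  # always restore the caller's umask
    return stat.S_IMODE(os.stat(path).st_mode)


def write_readable_by(path, text, user, mode=0o644):
    """Write `text` to `path` and make it readable regardless of the umask.

    The mode is forced with fchmod() on the open descriptor, so there is no
    window in which the file exists with umask-derived permissions and no
    stat()/chown() race with a consumer that deletes the file. If we are root
    and `user` exists, ownership is handed over with fchown() as well; the
    lookup is guarded because pwd.getpwnam() raises KeyError for unknown users.
    Returns (mode_bits, chowned).
    """
    chowned = False
    with open(path, "wt") as f:
        f.write(text)
        os.fchmod(f.fileno(), mode)
        if os.geteuid() == 0:
            try:
                pw = pwd.getpwnam(user)
            except KeyError:
                pw = None
            if pw is not None:
                os.fchown(f.fileno(), pw.pw_uid, pw.pw_gid)
                chowned = True
    return stat.S_IMODE(os.stat(path).st_mode), chowned


def demo(user="nagios"):
    """Constructed scenario: the same content written three ways in a scratch dir."""
    d = tempfile.mkdtemp()
    hardened = write_under_umask(os.path.join(d, "hardened"), "HEALTH_OK\n", 0o027)
    default = write_under_umask(os.path.join(d, "default"), "HEALTH_OK\n", 0o022)
    fixed, _ = write_readable_by(os.path.join(d, "fixed"), "HEALTH_OK\n", user)
    return hardened, default, fixed


if __name__ == "__main__":
    h, d, f = demo()
    print("umask 027 -> %o, umask 022 -> %o, fchmod -> %o" % (h, d, f))
```

Run as an unprivileged user the fchown branch is skipped and the file is still 0644, which is enough for a reader in another account; run as root on a host with a nagios user it also changes the owner, the same end state the patch reaches but without the existence check.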


@ -6,6 +6,7 @@
import os
import subprocess
from pwd import getpwnam
# fasteners only exists in Bionic, so this will fail on xenial and trusty
try:
@ -71,6 +72,16 @@ def do_status():
with open(_tmp_file, 'wt') as f:
f.writelines(lines)
# In cis hardened environments check_ceph_osd_services cannot
# read _tmp_file due to restrained permissions (#LP1879667).
# Changing the owner of the file to nagios solves this problem.
# check_ceph_osd_services.py removes this file, so make
# sure that we change permissions on a file that exists.
nagios_uid = getpwnam('nagios').pw_uid
nagios_gid = getpwnam('nagios').pw_gid
if os.path.isfile(_tmp_file):
os.chown(_tmp_file, nagios_uid, nagios_gid)
def run_main():
# on bionic we can interprocess lock; we don't do it for older platforms
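Review bot: the `if os.path.isfile(_tmp_file):` / `os.chown(...)` pair at the end of this hunk races with check_ceph_osd_services.py, which the comment itself says removes the file; if the removal lands between the two calls, os.chown raises FileNotFoundError and do_status fails, which is the outcome the patch is trying to prevent. Changing ownership on the open descriptor inside the `with open(_tmp_file, 'wt') as f:` block, for example `os.fchown(f.fileno(), nagios_uid, nagios_gid)` right after `f.writelines(lines)`, needs no existence check and cannot hit a path that has gone away. Two smaller points: `getpwnam('nagios')` raises KeyError on a host where the nagios user is absent, so the lookup should be guarded rather than take down the status write; and because the file is now owned by nagios while root keeps recreating it with `open(_tmp_file, 'wt')`, a compromised nagios account that can replace the file in that directory gets root to write wherever it points, so consider writing to a temporary name and renaming, or opening with O_NOFOLLOW. The comment on the last line also says "change permissions" where the code changes the owner.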

@ -7,6 +7,7 @@
# requirements. They are intertwined. Also, Zaza itself should specify
# all of its own requirements and if it doesn't, fix it there.
#
setuptools<50.0.0 # https://github.com/pypa/setuptools/commit/04e3df22df840c6bb244e9b27bc56750c44b7c85
charm-tools>=2.4.4
requests>=2.18.4
mock>=1.2
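Review bot: the `setuptools<50.0.0` pin in this hunk is unrelated to the file-ownership fix and is not mentioned anywhere in the commit message; either split it into its own change or add a line to the message saying which setuptools 50 breakage it works around, since the bare commit URL in the trailing comment does not tell a reader of the requirements file why the upper bound is there.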