NRPE Charm

Merge ~guoqiao/charm-nrpe:LP1906991-chown-nagios-dirs into charm-nrpe:master

  1. Git
  2. lp:~guoqiao/charm-nrpe
  3. LP1906991-chown-nagios-dirs
  4. Merge into master
Proposed by Joe Guo
Status: Merged
Approved by: Xav Paice
Approved revision: 5db37c59e2fa6b11385f8418a164c285d5735fab
Merge reported by: Joe Guo
Merged at revision: 5db37c59e2fa6b11385f8418a164c285d5735fab
Proposed branch: ~guoqiao/charm-nrpe:LP1906991-chown-nagios-dirs
Merge into: charm-nrpe:master
Diff against target: 25 lines (+14/-0)
1 file modified
hooks/nrpe_utils.py (+14/-0)
Reviewer Review Type Date Requested Status
Xav Paice (community) Approve
Andrea Ieri Approve
Review via email: mp+397462@code.launchpad.net

Commit message

nrpe_utils.py: ensure permission for /var/lib/nagios

This nrpe charm will install nagios-nrpe-server deb package.
In its preinst script[0], it will add nagios user and create `/var/lib/nagios` as home dir.

When other charm like hw-health relates to this charm, they will:

1) setup cronjob to run script
2) generate output file into /var/lib/nagios
3) read output file from /var/lib/nagios

Before, these are all done via root user, so no permission issue.
But recently, the cronjob user is switched from root to nagios, which caused following issues:

1) original output file was created by root, cronjob script by nagios user can not write to it.
2) In some situation, owner of `/var/lib/nagios/` is changed to root, cronjob script can not write file into this dir.

related bugs:

LP: #1906991
LP: #1904045
LP: #1866382

In this patch, we:

1) ensure `/var/lib/nagios` is owned by nagios user
2) setgid on dir group, to ensure any new created file in `/var/lib/nagios` has group `nagios`.

NOTE: this patch avoids to chown recursively, which implies, if there is a legacy output file
owned by root, we have to fix it manually, or fix it from the related charm side.

[0]: https://git.launchpad.net/ubuntu/+source/nagios-nrpe/tree/debian/nagios-nrpe-server.preinst#n28

To post a comment you must log in.
Revision history for this message
David O Neill (dmzoneill) wrote :

Looks fine, added the pythonic alternative. Not sure of our preference to use sub process.

get the additonal +1

Revision history for this message
Joe Guo (guoqiao) wrote :

Hi David, see my inline reply.

Revision history for this message
Andrea Ieri (aieri) wrote :

+1 to use the more pythonic os.chown
-1 to chown recursively: if permissions on files written by other charms are wrong, it's up to them to fix them

Also note Xav's comment[0]. I think using setgid is a good idea.

[0] https://bugs.launchpad.net/charm-hw-health/+bug/1906991/comments/2

review: Needs Fixing
~guoqiao/charm-nrpe:LP1906991-chown-nagios-dirs updated
5db37c5... by Joe Guo

nrpe_utils.py: ensure permission for /var/lib/nagios

This nrpe charm will install nagios-nrpe-server deb package.
In its preinst script[0], it will add nagios user and create `/var/lib/nagios` as home dir.

When other charm like hw-health relates to this charm, they will:

1) setup cronjob to run script
2) generate output file into /var/lib/nagios
3) read output file from /var/lib/nagios

Before, these are all done via root user, so no permission issue.
But recently, the cronjob user is switched from root to nagios, which caused following issues:

1) original output file was created by root, cronjob script by nagios user can not write to it.
2) In some situation, owner of `/var/lib/nagios/` is changed to root, cronjob script can not write file into this dir.

related bugs:

LP: #1906991
LP: #1904045
LP: #1866382

In this patch, we:

1) ensure `/var/lib/nagios` is owned by nagios user
2) setgid on dir group, to ensure any new created file in `/var/lib/nagios` has group `nagios`.

NOTE: this patch avoids to chown recursively, which implies, if there is a legacy output file
owned by root, we have to fix it manually, or fix it from the related charm side.

[0]: https://git.launchpad.net/ubuntu/+source/nagios-nrpe/tree/debian/nagios-nrpe-server.preinst#n28

Signed-off-by: Joe Guo <email address hidden>

Revision history for this message
Andrea Ieri (aieri) wrote :

lgtm

review: Approve
Revision history for this message
Xav Paice (xavpaice) wrote :

LGTM

review: Approve
Revision history for this message
Joe Guo (guoqiao) wrote :

Merged into master as 4379294097433aef3a190b7a15376ba7e04ce60b.
Thanks!

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/hooks/nrpe_utils.py b/hooks/nrpe_utils.py
2index d59276e..d6b46eb 100644
3--- a/hooks/nrpe_utils.py
4+++ b/hooks/nrpe_utils.py
5@@ -64,6 +64,20 @@ def remove_host_export_fragments(service_name):
6
7 def install_charm_files(service_name):
8 """Install files shipped with charm."""
9+ # The preinst script of nagios-nrpe-server deb package will add nagios user
10+ # and create this dir as home
11+ # ref: https://git.launchpad.net/ubuntu/+source/nagios-nrpe/tree/debian/nagios-nrpe-server.preinst#n28 # NOQA: E501
12+ nagios_home = "/var/lib/nagios"
13+
14+ # it's possible dir owner be changed to root by other process, e.g.: LP1866382
15+ # here we ensure owner is nagios, but didn't apply it resursively intentionally.
16+ shutil.chown(nagios_home, user="nagios", group="nagios")
17+
18+ # the `2` in mode will setgid for group, set dir permission to `drwxr-sr-x`.
19+ # the `s` (setgid) will ensure any file created in this dir inherits parent dir
20+ # group `nagios`, regardless of the effective user, such as root.
21+ os.chmod(nagios_home, 0o2755) # 2 will set the s flag for group
22+
23 nag_dirs = [
24 "/etc/nagios/nrpe.d/",
25 "/usr/local/lib/nagios/plugins",

Subscribers

People subscribed via source and target branches

to all changes: