I want to power off my NAS and ESXi when there is a power failure. Both systems run on an Eaton UPS. I only run Linux systems and therefore I cannot use the Eaton Manager, which is Windows only.
Since I use Nagios for other tasks, I would like to create a plugin that, using an SSH public key, can connect to the above systems and power them off.
The public key of the Nagios user is already installed for the root user on the ESXi (the NAS will come later). When I change user to nagios (on the Nagios server) and manually run the script, it connects to the ESXi and (for the moment) writes a "testfile" in /tmp. It works.
When the script is run by Nagios itself, it doesn't. This script runs as an event handler:
define host {
name home-monitoring
use generic-host
check_period 24x7
check_interval 5
contact_groups admins
event_handler poweroff_host
register 0
}
cat /usr/lib64/nagios/plugins/poweroff_host.sh
#!/bin/bash
/usr/bin/ssh root@esxi -i /var/spool/nagios/.ssh/id_rsa "touch /tmp/testfile"
cat /etc/nagios/objects/commands.cfg
define command{
command_name poweroff_host
command_line sudo /usr/lib64/nagios/plugins/poweroff_host.sh
}
visudo
(at the bottom of the file)
nagios ALL = (root) NOPASSWD:/usr/lib64/nagios/plugins/poweroff_host.sh
I have also added the nagios user to the wheel group (using usermod):
# grep wheel /etc/group
wheel:x:10:nagios
And lastly, I've been banging my head against this for the last 4 days and keep getting errors in the log. The latest error is:
journalctl -xef
stderr line 01: /usr/lib64/nagios/plugins/poweroff_host.sh: line 2: /usr/bin/ssh: Permission denied
Before visudo, the error was no ssh in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin), so at least now I've managed to change the kind of error.
Can I please have some help fixing the issue?
UPDATE 1:
[root@nagios ~]# audit2allow -i /var/log/audit/audit.log
#============= nagios_t ==============
allow nagios_t ldconfig_exec_t:file { execute getattr };
allow nagios_t nagios_spool_t:dir create;
allow nagios_t pam_var_run_t:dir write;
allow nagios_t ssh_exec_t:file { execute getattr };
allow nagios_t tmpfs_t:dir write;
Fast forward to the semodule command, but stderr line 01: /usr/lib64/nagios/plugins/poweroff_host.sh: line 2: /usr/bin/ssh: Permission denied
is still there :/
I will try disabling SELinux altogether :/
So the problem here is that SELinux is not allowing Nagios to do a variety of things which, presumably, you actually want it to do (such as running ssh). It's impossible for the distribution to guess at all the things you might need Nagios to do, so while the SELinux policy allows most things related to monitoring, it isn't allowing these things.
You can work around the issue for the time being by setting Nagios to permissive mode (you don't have to set all of SELinux to permissive, you can do it for individual types):
After doing this, the audit log will over time accumulate all of the AVCs you need to create a custom SELinux policy module, if you wish, and after installing that custom policy module you can return SELinux to enforcing for Nagios.
(Note that it doesn't work to try to create a custom policy module unless the domain is permissive, because not all of the necessary permissions would be triggered and logged in enforcing mode.)
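As an added example, not part of the question or of the answer above: the script below shows the workflow the answer describes (make only the nagios_t domain permissive, collect the AVC denials, build a local module, return the domain to enforcing), and first summarises AVC lines so you can see which domain, target type and permission are being denied before you allow anything. The AVC lines embedded in it are constructed to look like the asker's denials (ssh_exec_t execute/getattr, tmpfs_t write), not captured from a real system; the module name nagios_local is an assumption. The real SELinux steps only run when semanage and audit2allow are installed and you call the functions as root.

```shell
#!/bin/bash
# Added example (not the original poster's or the answerer's code).
set -u

# Constructed sample AVC records in audit.log format, modelled on the denials
# in the question; not real captured data.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { execute } for  pid=1234 comm="poweroff_host.s" name="ssh" dev="sda1" ino=1001 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { getattr } for  pid=1234 comm="poweroff_host.s" path="/usr/bin/ssh" dev="sda1" ino=1001 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.200:458): avc:  denied  { write } for  pid=1234 comm="ssh" name="tmp" dev="tmpfs" ino=2 scontext=system_u:system_r:nagios_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0'

# Reduce AVC records on stdin to "source_type target_type class permission",
# one per line, deduplicated. This is what you review before granting anything.
avc_summary() {
    awk '/avc: +denied/ {
        perm = ""; s = ""; t = ""; c = ""
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        print s, t, c, perm
    }' | sort -u
}

# Source domains seen in the denials: these are the candidates for
# "semanage permissive -a", one domain at a time, never the whole system.
avc_domains() {
    avc_summary | awk '{ print $1 }' | sort -u
}

# Step 1 (as root): confirm the failure is SELinux, not DAC, then make only the
# Nagios domain permissive. Everything else stays enforcing.
selinux_collect_start() {
    domain=${1:-nagios_t}
    command -v semanage >/dev/null 2>&1 || { echo "semanage not installed" >&2; return 2; }
    ls -lZ /usr/bin/ssh          # mode is world-executable; label is ssh_exec_t
    getenforce                   # Enforcing: the "Permission denied" is an AVC
    semanage permissive -a "$domain"
    echo "Now trigger the event handler from Nagios; then run selinux_collect_finish"
}

# Step 2 (as root, after the handler has run in permissive mode so every needed
# permission has been logged): build a module from this domain's denials only,
# review the .te file, install it, and put the domain back into enforcing.
selinux_collect_finish() {
    domain=${1:-nagios_t}
    module=${2:-nagios_local}    # assumed module name
    command -v audit2allow >/dev/null 2>&1 || { echo "audit2allow not installed" >&2; return 2; }
    ausearch -m AVC --raw 2>/dev/null \
        | grep "scontext=[^ ]*:${domain}:" \
        | audit2allow -M "$module"
    cat "$module.te"             # each rule permanently widens nagios_t: read it
    semodule -i "$module.pp"
    semanage permissive -d "$domain"
    getenforce
}

# Offline demonstration on the constructed records.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

Run the two selinux_collect_* functions from an interactive root shell (source the file, then call them); the rest of the script runs anywhere. Granting nagios_t execute on ssh_exec_t is what the asker's own audit2allow output asked for, so the module will contain that rule; the tmpfs_t and pam_var_run_t rules are worth a second look, since they come from ssh's own behaviour inside the nagios_t domain rather than from anything the handler needs to monitor.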