nagios ceph-osd-checks fail with CIS

Bug #1879667 reported by Gábor Mészáros
Affects: Ceph OSD Charm
Status: Fix Released
Importance: Undecided
Assigned to: Ioanna Alifieraki
Milestone: 21.01

Bug Description

On a CIS-hardened ceph OSD storage node, the nagios checks fail with:
[Errno 13] Permission denied: '/var/lib/nagios/ceph-osd-checks'

The files and folders under /var/lib/nagios/* are owned by root:root. They should be nagios:nagios, so that the checks can run and store their results.

/etc/cron.d/check-osd-services runs as root. It needs to run as nagios.
That job writes to /var/lock/check-osds.lock, which also has to be owned by nagios.
It accesses /var/lib/ceph/osd/ceph-*/whoami, owned by ceph:ceph but readable by others. /var/lib/ceph is rwxr-x---. Adding nagios to the ceph group grants the nagios user read access to those files.

Workaround:
chown -R nagios:nagios /var/lib/nagios /var/lock/check-osds.lock
usermod -aG ceph nagios
vim /etc/cron.d/check-osd-services and replace root with nagios
systemctl restart nagios-nrpe-server.service

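The two mechanisms behind the report and the later commit message, as an added example in POSIX shell. This is not code from charm-ceph-osd or from the bug reporter: it reproduces the umask arithmetic that turns a freshly created root-owned file into mode 640 under the CIS 027 umask (644 under the stock 022), an owner/group/other read check that shows why adding nagios to the ceph group restores access to a ceph:ceph 640 file, and a small /etc/cron.d parser that finds entries running as root and rewrites the user field to nagios. The cron file contents and the plugin path in it are constructed for the demo and written to a temporary directory; nothing under /etc or /var is touched.

```shell
#!/bin/sh
# Added example for bug #1879667 (not charm-ceph-osd code). The cron
# file below is constructed; real nodes use /etc/cron.d/check-osd-services.

# Mode a newly created regular file receives under a given umask:
# 0666 with the umask bits cleared. 022 -> 644, CIS's 027 -> 640.
file_mode_for_umask() {
    umask_oct=$1
    printf '%o\n' $(( 0666 & ~0$umask_oct ))
}

# Read-bit test for one class of a 3- or 4-digit octal mode.
# $1 = mode (e.g. 640), $2 = owner|group|other. Exit 0 if readable.
class_can_read() {
    mode=$1; class=$2
    case $class in
        owner) digit=$(printf '%s' "$mode" | tail -c 3 | cut -c1) ;;
        group) digit=$(printf '%s' "$mode" | tail -c 3 | cut -c2) ;;
        other) digit=$(printf '%s' "$mode" | tail -c 3 | cut -c3) ;;
        *) return 2 ;;
    esac
    [ $(( digit & 4 )) -ne 0 ]
}

# Can $user read a file of $mode owned by $owner:$group? $ugroups is the
# space-separated group list of the user (as printed by `id -Gn`). Like
# the kernel, only the first matching class is consulted: owner, then
# group, then other; there is no fall-through.
user_can_read() {
    mode=$1; owner=$2; group=$3; user=$4; ugroups=$5
    if [ "$user" = "$owner" ]; then
        class_can_read "$mode" owner; return
    fi
    for g in $ugroups; do
        [ "$g" = "$group" ] && { class_can_read "$mode" group; return; }
    done
    class_can_read "$mode" other
}

# Print the user field of each active entry in an /etc/cron.d file
# (fields: minute hour dom month dow user command). Blank lines,
# comments and environment assignments such as PATH=... are skipped.
cron_users() {
    awk '!/^[ \t]*#/ && !/^[ \t]*$/ && !/^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { print $6 }' "$1"
}

# Exit 0 if every entry in cron file $1 runs as user $2 (default nagios).
cron_runs_only_as() {
    want=${2:-nagios}
    cron_users "$1" | grep -qvx -- "$want" && return 1
    return 0
}

# Rewrite the user field of every entry running as $2 to $3 (the report's
# "replace root with nagios"). Other lines pass through untouched.
cron_set_user() {
    file=$1; from=$2; to=$3
    tmp="$file.tmp"
    awk -v from="$from" -v to="$to" '
        !/^[ \t]*#/ && !/^[ \t]*$/ && !/^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ && $6 == from { $6 = to }
        { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed stand-in for /etc/cron.d/check-osd-services (plugin path is
# a placeholder, not the charm's). Prints the path of the temp file.
write_sample_cron() {
    dir=$(mktemp -d)
    cat > "$dir/check-osd-services" <<'EOF'
# m h dom mon dow user command
PATH=/usr/local/bin:/usr/bin:/bin
*/5 * * * * root /usr/lib/nagios/plugins/check_osd_services --lock /var/lock/check-osds.lock
EOF
    printf '%s\n' "$dir/check-osd-services"
}

echo "umask 022 -> $(file_mode_for_umask 022), umask 027 -> $(file_mode_for_umask 027)"
# root:root 640 file read by nagios, who is in no relevant group: denied (the bug)
user_can_read 640 root root nagios "nagios" && echo "readable" || echo "denied: root:root 640 unreadable to nagios"
# ceph:ceph 640 file read by nagios after `usermod -aG ceph nagios`: allowed
user_can_read 640 ceph ceph nagios "nagios ceph" && echo "readable via ceph group" || echo "denied"
cron=$(write_sample_cron)
cron_runs_only_as "$cron" nagios && echo "cron ok" || echo "cron entry runs as: $(cron_users "$cron")"
cron_set_user "$cron" root nagios
cron_runs_only_as "$cron" nagios && echo "cron ok after rewrite" || echo "cron still wrong"
rm -rf "$(dirname "$cron")"
```

Run it with `sh` to see the four outcomes. On a real node, `cron_runs_only_as /etc/cron.d/check-osd-services` and `user_can_read "$(stat -c %a FILE)" "$(stat -c %U FILE)" "$(stat -c %G FILE)" nagios "$(id -Gn nagios)"` reproduce the checks the reporter did by hand; note that `user_can_read` models only the file's own mode bits, so a directory without the search (x) bit for nagios, such as the rwxr-x--- /var/lib/ceph mentioned above, still blocks access even when the file itself is readable.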
Revision history for this message
Gábor Mészáros (gabor.meszaros) wrote:

An update that got uncovered when the nodes were rebooted:
the /var/lib/ceph/osd/ceph-*/whoami file gets ceph:ceph -rw------- permissions, so nagios cannot access that file, because of the umask 022 setting.

Revision history for this message
Gábor Mészáros (gabor.meszaros) wrote:

Not sure if this is about the umask setting; it could be due to the systemd tmpfs mount that gets created for the OSD devices.

Changed in charm-ceph-osd:
assignee: nobody → Ioanna Alifieraki (joalif)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote: Fix proposed to charm-ceph-osd (master)

Fix proposed to branch: master
Review: https://review.opendev.org/747683

Changed in charm-ceph-osd:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote: Fix merged to charm-ceph-osd (master)

Reviewed: https://review.opendev.org/747683
Committed: https://git.openstack.org/cgit/openstack/charm-ceph-osd/commit/?id=25b97b332f0243e5fc4a964b55ffdb3710f1cfc2
Submitter: Zuul
Branch: master

commit 25b97b332f0243e5fc4a964b55ffdb3710f1cfc2
Author: Ioanna Alifieraki <email address hidden>
Date: Mon Aug 24 11:23:25 2020 +0100

    Change file owner so that check_ceph_osd nrpe service can work on CIS hardened environments

    check_ceph_osd_services.py reads a file under /var/lib/nagios to report ceph
    status back to nagios. This service runs as the nagios user and the file
    is owned by root. On CIS hardened servers the default umask is set to
    027, making the permissions of the file 640 instead of 644.
    This results in the service not being able to read the file, and the
    status reported to nagios is UNKNOWN even though ceph status is OK.

    Closes-Bug: #1879667

    Change-Id: Ib67b9a2b86a1c22658aeaf41f8e464072ab1828f

Changed in charm-ceph-osd:
status: In Progress → Fix Committed
Changed in charm-ceph-osd:
milestone: none → 21.01
David Ames (thedac)
Changed in charm-ceph-osd:
status: Fix Committed → Fix Released