On a CIS-hardened Ceph OSD storage node, Nagios checks fail with:
[Errno 13] Permission denied: '/var/lib/nagios/ceph-osd-checks'
The files and folders under /var/lib/nagios/* are owned by root:root. They should be owned by nagios:nagios, so that the checks can run and store the results.
/etc/cron.d/check-osd-services runs as root. It needs to run as nagios.
That job writes to /var/lock/check-osds.lock, which also has to be owned by nagios.
It accesses /var/lib/ceph/osd/ceph-*/whoami, which is owned by ceph:ceph but readable by others. /var/lib/ceph is rwxr-x---. Adding nagios to the ceph group grants the nagios user read access to those files.
Workaround: chown -R nagios:nagios /var/lib/nagios /var/lock/check-osds.lock; usermod -aG ceph nagios; vim /etc/cron.d/check-osd-services and replace root with nagios; systemctl restart nagios-nrpe-server.service
An update that got uncovered when the nodes were rebooted: the /var/lib/ceph/osd/ceph-*/whoami file will get ceph:ceph -rw------- permission set, so nagios cannot access that file, because of the umask 022 setting.
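A read-only audit of the conditions described in this report, as an added example that is not part of the original report or of the project's own code. The function names and the optional root prefix (used to point the checks at a constructed test tree) are assumptions of this sketch, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example: read-only audit of the conditions the workaround sets up.
# Function names and the optional root prefix are assumptions of this sketch.

# Paths under the given files/dirs NOT owned by user:group.
not_owned_by() {
    owner=$1; shift
    find "$@" ! \( -user "${owner%%:*}" -group "${owner##*:}" \) -print 2>/dev/null
}

# User field (6th column) of each job line in a cron.d file.
# Comment, blank and VAR=value lines are skipped; @reboot-style lines are not handled.
cron_job_users() {
    awk '$1 !~ /^#/ && $1 !~ /=/ && NF >= 7 { print $6 }' "$1" | sort -u
}

# whoami files whose mode lacks the group-read bit (e.g. 600 after a reboot),
# which membership in the ceph group cannot make readable. Needs GNU stat.
group_unreadable_whoami() {
    for f in "$1"/var/lib/ceph/osd/ceph-*/whoami; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        [ $(( 0$mode & 040 )) -ne 0 ] || printf '%s %s\n' "$f" "$mode"
    done
}

# Run all checks; prints one line per finding, nothing when everything matches.
audit() {
    root=${1:-}
    not_owned_by nagios:nagios "$root/var/lib/nagios" "$root/var/lock/check-osds.lock" |
        sed 's/^/wrong owner: /'
    cron_job_users "$root/etc/cron.d/check-osd-services" | grep -vx nagios |
        sed 's/^/cron job runs as: /'
    id -nG nagios 2>/dev/null | tr ' ' '\n' | grep -qx ceph ||
        echo "nagios is not a member of group ceph"
    group_unreadable_whoami "$root" | sed 's/^/not group-readable: /'
}

# Usage: sh audit.sh --run [root-prefix]
if [ "${1:-}" = "--run" ]; then audit "${2:-}"; fi
```

Run it as root so that /var/lib/ceph can be traversed; rerunning it after a reboot shows whether the whoami files have reverted to a mode the ceph group cannot read.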