nrpe check_rabbitmq_queues fails when CIS hardened

Bug #1940495 reported by Billy Olsen
Affects: OpenStack RabbitMQ Server Charm
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

The NRPE check check_rabbitmq_queues assumes it has read access to the crontab entry, but in a CIS hardened system the nagios user does not have read access to /etc/cron.d, which causes the nrpe check to fail.

Manual checks will cause the following output:

root@juju-4278df-77-lxd-6:/etc# /usr/lib/nagios/plugins/check_nrpe -H 127.0.0.1 -c check_rabbitmq_queue -t 50
NRPE: Unable to read output

Failures look similar to the following when running the python script as the nagios user:

root@juju-4278df-77-lxd-6:~# sudo -u nagios /usr/local/lib/nagios/plugins/check_rabbitmq_queues.py -c \* \* 100 200 /var/lib/rabbitmq/data/juju-4278df-77-lxd-6_queue_stats.dat
Traceback (most recent call last):
  File "/usr/local/lib/nagios/plugins/check_rabbitmq_queues.py", line 183, in <module>
    for f in args.stats_file]
  File "/usr/local/lib/nagios/plugins/check_rabbitmq_queues.py", line 183, in <listcomp>
    for f in args.stats_file]
  File "/usr/local/lib/nagios/plugins/check_rabbitmq_queues.py", line 123, in check_stats_file_freshness
    cronspec = get_stats_cron_schedule()
  File "/usr/local/lib/nagios/plugins/check_rabbitmq_queues.py", line 106, in get_stats_cron_schedule
    with open(CRONJOB) as f:
PermissionError: [Errno 13] Permission denied: '/etc/cron.d/rabbitmq-stats'

Changed in charm-rabbitmq-server:
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-rabbitmq-server (master)
Changed in charm-rabbitmq-server:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-rabbitmq-server (master)

Reviewed: https://review.opendev.org/c/openstack/charm-rabbitmq-server/+/805109
Committed: https://opendev.org/openstack/charm-rabbitmq-server/commit/fd8d018babb16de3ea54f9c99bdd4a9c572695ea
Submitter: "Zuul (22348)"
Branch: master

commit fd8d018babb16de3ea54f9c99bdd4a9c572695ea
Author: Billy Olsen <email address hidden>
Date: Wed Aug 18 20:48:46 2021 -0700

    Move cron max file age calculation to rabbit_utils

    The check_rabbitmq_queues nrpe check accesses the cron file created
    for running collect stats job. This is done in order to determine if
    the stats are too old and an alert should be raised. The nagios user
    does not have access to read the cron job when running in a hardened
    environment where /etc/cron.d is not readable.

    This change refactors this logic to move the calculation of maximum
    age for a stats file from the check_rabbitmq_queues script and into
    the rabbit_utils code where it is generating the nrpe configuration.
    A new (optional) parameter is added to the check_rabbitmq_queues
    script to accept the maximum age in seconds a file can last be
    modified.

    This change also removes the trusty support in hooks/install and
    hooks/upgrade-charm as the rabbit_utils.py file needs to import a
    dependency which is installed by the scripts. It is cleaned up to make
    sure the croniter package is always installed on install or upgrade.

    Change-Id: If948fc921ee0b63682946c7cc879ac50e971e588
    Closes-Bug: #1940495
    Co-authored-by: Aurelien Lourot <email address hidden>
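
The shape of the fix described in the commit message, as an added example (this is not the charm's check_rabbitmq_queues.py or rabbit_utils code): the maximum permitted age of the stats file is passed to the check as a number of seconds, so the unprivileged nagios user only ever stats the stats file and never opens anything under /etc/cron.d. The max_age_from_interval helper and its two-interval grace factor are assumptions standing in for the charm's croniter-based calculation, and the error paths return a Nagios state rather than raising, since an uncaught exception is what NRPE reports as "Unable to read output".

```python
"""Added example, not the charm's check_rabbitmq_queues.py or rabbit_utils.py.

The check takes the maximum permitted age in seconds as a parameter, as the
fix does, so the nagios user never has to read /etc/cron.d/rabbitmq-stats.
"""
import os
import tempfile
import time

# Standard Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def max_age_from_interval(interval_minutes, grace_factor=2):
    """Hypothetical helper for the privileged side (the charm hook that writes
    both the cron job and the nrpe check definition, and can read the cron
    spec). The charm derives the value from the real cron spec with croniter;
    allowing two collection intervals before the file counts as stale is an
    assumption made here for illustration."""
    return interval_minutes * 60 * grace_factor


def check_stats_file_freshness(stats_file, max_age_seconds, now=None):
    """Return (nagios_state, message) for one stats file.

    Only the stats file itself is touched; nothing under /etc/cron.d is read.
    """
    now = time.time() if now is None else now
    try:
        mtime = os.stat(stats_file).st_mtime
    except FileNotFoundError:
        return CRITICAL, "stats file %s does not exist" % stats_file
    except PermissionError as exc:
        # A traceback here is what NRPE shows as "Unable to read output";
        # report UNKNOWN with a readable message instead.
        return UNKNOWN, "cannot stat %s: %s" % (stats_file, exc)
    age = now - mtime
    message = "stats file %s is %.0fs old (max %ds)" % (
        stats_file, age, max_age_seconds)
    if age > max_age_seconds:
        return CRITICAL, message
    return OK, message


def demo():
    """Constructed stats files with controlled mtimes: one fresh, one stale."""
    now = time.time()
    max_age = max_age_from_interval(5)  # 5-minute cron interval -> 600 s
    states = []
    with tempfile.TemporaryDirectory() as tmpdir:
        for age in (100, 1000):
            path = os.path.join(tmpdir, "queue_stats_%d.dat" % age)
            with open(path, "w") as handle:
                handle.write("constructed sample stats file\n")
            # Backdate the mtime so the check sees a file of known age.
            os.utime(path, (now - age, now - age))
            state, _ = check_stats_file_freshness(path, max_age, now=now)
            states.append(state)
    return states


if __name__ == "__main__":
    print("demo states (OK=0, CRITICAL=2):", demo())
```

Run stand-alone, the demo returns [0, 2]: the file modified 100 s ago passes a 600 s limit and the one modified 1000 s ago does not, with no cron file consulted at any point.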

Changed in charm-rabbitmq-server:
status: In Progress → Fix Committed
Changed in charm-rabbitmq-server:
milestone: none → 21.10
Changed in charm-rabbitmq-server:
status: Fix Committed → Fix Released