Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

How do you use 'package' plugin provider with sensu::plugin define? #384

Closed
poolski opened this issue Jul 16, 2015 · 7 comments
Closed

How do you use 'package' plugin provider with sensu::plugin define? #384

poolski opened this issue Jul 16, 2015 · 7 comments
Labels

Comments

@poolski
Copy link
Contributor

poolski commented Jul 16, 2015

The new package provider is wonderful, but I'm experiencing a couple of issues:

  • When plugins (gems) are installed with Puppet, they're owned by root:root with insufficient access for the 'sensu' user. That makes the whole sensu process not work. Here's the stack trace:
Error: Could not start Service[sensu-client]: Execution of '/etc/init.d/sensu-client start' returned 1: Starting sensu-client:/opt/sensu/embedded/lib/ruby/2.0.0/rubygems/specification.rb:959:in `read': Permission denied - /opt/sensu/embedded/lib/ruby/gems/2.0.0/specifications/sys-proctable-0.9.8-universal-linux.gemspec (Errno::EACCES)
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/specification.rb:959:in `load'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/specification.rb:644:in `block (2 levels) in each_spec'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/specification.rb:643:in `each'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/specification.rb:643:in `block in each_spec'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/specification.rb:642:in `each'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/specification.rb:642:in `each_spec'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/specification.rb:658:in `each_normal'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/specification.rb:669:in `_all'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/specification.rb:822:in `each'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/dependency.rb:253:in `find_all'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/dependency.rb:253:in `matching_specs'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/dependency.rb:277:in `to_specs'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/dependency.rb:307:in `to_spec'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/core_ext/kernel_gem.rb:47:in `gem'
    from /opt/sensu/bin/sensu-client:22:in `<main>'
 failed!
  • How do you go from installing the packages to actually making use of them as sensu::check defines? Are there any further steps that need to be taken or should I just be able to reference them as I do right now?

I'm using the master branch of the sensu-puppet module and sensu's embedded ruby, as I've not been able to work out how to make it play nice with system ruby.

@poolski
Copy link
Contributor Author

poolski commented Jul 17, 2015

I think I've figured it out. It's simpler than I realised, with one massive caveat.

Using the following pattern with the sensu module installs whatever is in the (in my case) sensu::packages array into the sensu embedded gems directory.

$pkg_list = hiera_array('sensu::packages')
package {$pkg_list:
  ensure   => 'latest',
  provider => 'sensu_gem',
}
"sensu::packages": [
  "sensu-plugins-memory-checks",
  "sensu-plugins-disk-checks",
  "sensu-plugins-cpu-checks",
  "sensu-plugins-process-checks",
  "sensu-plugins-load-checks"
]

However, in the current implementation of the module, the permissions don't get set right on any of the embedded gems directories for Sensu to be able to access and run the scripts when the check runs. This seems to be a known issue as this functionality in master isn't fully-fledged yet and.

To get around this, I added the following to the manifest that handles sensu installs across all my nodes and modified the package block to call it.

$pkg_list = hiera_array('sensu::packages')
package {$pkg_list:
  ensure   => 'latest',
  provider => 'sensu_gem',
  notify   => Exec['change-sensu-ownerships']
}

exec {'change-sensu-ownerships':
  command => 'chmod 755 -R /opt/sensu/embedded',
  path    => '/usr/bin:/usr/sbin:/bin',
}

It's not perfect, but it works.

@poolski
Copy link
Contributor Author

poolski commented Jul 17, 2015

Don't know if it's worth adding this stuff to the documentation for the module or something until 2.0.0 gets released or whenever this functionality is complete. @garethr @jamtur01 @jlambert121 thoughts?

@jlambert121
Copy link
Contributor

@poolski sorry for the slow response on this, I'm not sure I'm following this issue completely (and it could just be because I don't use the gem provided plugins). If you install a plugin with provider => sensu_gem (as root) and the sensu user doesn't have access to the installed gems wouldn't that be more of an issue with either the provider or the underlying gem command? The exec seems like a really bad hack that hides the real issue rather than fixing it.

@poolski
Copy link
Contributor Author

poolski commented Aug 10, 2015

Totally,

I can't, however, think of a sensible way of dealing with this as sensu runs as the sensu user, whereas Puppet will run as root, consequently installing all gems, regardless of provider with root:root ownerships.

Not quite sure how to get around this :)

@brettswift
Copy link

@poolski running into a similar issue. Your solution helps, however I'm wondering if you've found a better solution to this?

@poolski
Copy link
Contributor Author

poolski commented Nov 16, 2015

@brettswift So far... no.
Although the latest version of the module (master) seems to have resolved that problem - I've run up a totally fresh environment and I'm not seeing the issue popping up anymore.

@ghoneycutt
Copy link
Collaborator

Seems that this is no longer an issue. Please re-open if this is not the case. Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

5 participants