How do you use 'package' plugin provider with sensu::plugin define?

[poolski]

The new package provider is wonderful, but I'm experiencing a couple of issues:

• When plugins (gems) are installed with Puppet, they're owned by root:root with insufficient access for the 'sensu' user. That makes the whole sensu process not work. Here's the stack trace:

Error: Could not start Service[sensu-client]: Execution of '/etc/init.d/sensu-client start' returned 1: Starting sensu-client:/opt/sensu/embedded/lib/ruby/2.0.0/rubygems/specification.rb:959:in `read': Permission denied - /opt/sensu/embedded/lib/ruby/gems/2.0.0/specifications/sys-proctable-0.9.8-universal-linux.gemspec (Errno::EACCES)
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/specification.rb:959:in `load'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/specification.rb:644:in `block (2 levels) in each_spec'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/specification.rb:643:in `each'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/specification.rb:643:in `block in each_spec'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/specification.rb:642:in `each'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/specification.rb:642:in `each_spec'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/specification.rb:658:in `each_normal'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/specification.rb:669:in `_all'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/specification.rb:822:in `each'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/dependency.rb:253:in `find_all'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/dependency.rb:253:in `matching_specs'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/dependency.rb:277:in `to_specs'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/dependency.rb:307:in `to_spec'
    from /opt/sensu/embedded/lib/ruby/2.0.0/rubygems/core_ext/kernel_gem.rb:47:in `gem'
    from /opt/sensu/bin/sensu-client:22:in `<main>'
 failed!

• How do you go from installing the packages to actually making use of them as sensu::check defines? Are there any further steps that need to be taken or should I just be able to reference them as I do right now?

I'm using the master branch of the sensu-puppet module and sensu's embedded ruby, as I've not been able to work out how to make it play nice with system ruby.

[poolski]

I think I've figured it out. It's simpler than I realised, with one massive caveat.

Using the following pattern with the sensu module installs whatever is in the (in my case) sensu::packages array into the sensu embedded gems directory.

$pkg_list = hiera_array('sensu::packages')
package {$pkg_list:
  ensure   => 'latest',
  provider => 'sensu_gem',
}

"sensu::packages": [
  "sensu-plugins-memory-checks",
  "sensu-plugins-disk-checks",
  "sensu-plugins-cpu-checks",
  "sensu-plugins-process-checks",
  "sensu-plugins-load-checks"
]

However, in the current implementation of the module, the permissions don't get set right on any of the embedded gems directories for Sensu to be able to access and run the scripts when the check runs. This seems to be a known issue as this functionality in master isn't fully-fledged yet and.

To get around this, I added the following to the manifest that handles sensu installs across all my nodes and modified the package block to call it.

$pkg_list = hiera_array('sensu::packages')
package {$pkg_list:
  ensure   => 'latest',
  provider => 'sensu_gem',
  notify   => Exec['change-sensu-ownerships']
}

exec {'change-sensu-ownerships':
  command => 'chmod 755 -R /opt/sensu/embedded',
  path    => '/usr/bin:/usr/sbin:/bin',
}

It's not perfect, but it works.

[poolski]

Don't know if it's worth adding this stuff to the documentation for the module or something until 2.0.0 gets released or whenever this functionality is complete. @garethr @jamtur01 @jlambert121 thoughts?

[jlambert121]

@poolski sorry for the slow response on this, I'm not sure I'm following this issue completely (and it could just be because I don't use the gem provided plugins). If you install a plugin with provider => sensu_gem (as root) and the sensu user doesn't have access to the installed gems wouldn't that be more of an issue with either the provider or the underlying gem command? The exec seems like a really bad hack that hides the real issue rather than fixing it.

[poolski]

Totally,

I can't, however, think of a sensible way of dealing with this as sensu runs as the sensu user, whereas Puppet will run as root, consequently installing all gems, regardless of provider with root:root ownerships.

Not quite sure how to get around this :)

[brettswift]

@poolski running into a similar issue. Your solution helps, however I'm wondering if you've found a better solution to this?

[poolski]

@brettswift So far... no.
Although the latest version of the module (master) seems to have resolved that problem - I've run up a totally fresh environment and I'm not seeing the issue popping up anymore.

[ghoneycutt]

Seems that this is no longer an issue. Please re-open if this is not the case. Thank you!