Do not launch a shell for each check

Thomas Guyot-Sionnest dermoth at aei.ca
Mon Oct 4 06:33:22 CEST 2010



On 10-10-03 10:53 PM, Ethan Galstad wrote:
> Ton Voon wrote:
>> On 29 Sep 2010, at 12:36, Matthieu Kermagoret wrote:
>>
>>> On Tue, Jun 1, 2010 at 3:49 PM, Matthieu Kermagoret
>>> <mkermagoret at merethis.com> wrote:
>>>> The patch I propose handles simple commands with shell quoting (simple
>>>> and double quote). Every command containing any of these characters
>>>> (escaped or not) will be handled by the shell --> !$^&*()~[]|{};<>?`
>>>> <--
>>>>
>>>> So any feedback on this new proposal ?
>>>>
>>> Could it somehow make it into HEAD ? It would resolve issue #86.
>>
>> Is it possible to get some libtap tests running against these?
>>
>> If so, I'd be happy to review what you have done in the tests.
>>
>> However, this is quite an intrusive change, so would have to go into  
>> the next feature branch.
>>
>> Ton
> 
> Agreed - Nice idea, but it should probably wait for a 3.3.x release.
> 
> Once I release 3.2.3, I'll create a 3.2.x branch and this can get
> committed to HEAD.

FWIW I've suggested something like that for a long time but never got
around to coding it. I think we should use a different command type (i.e.
two possible command line options, either one of them and never both
would be required). Just like for command arguments, they could be
separated with "!".

For example take my (slightly complex) SNMP load average command:
> command_line $USER1$/check_snmp -H $HOSTADDRESS$ -o .1.3.6.1.4.1.2021.10.1.3.1,.1.3.6.1.4.1.2021.10.1.3.2,.1.3.6.1.4.1.2021.10.1.3.3 -w $ARG1$ -c $ARG2$ -C $USER5$ -l 1min: -l 5min: -l 15min: -l Load -D ", " -m UCD-SNMP-MIB

It could be rewritten as:
> command_exec $USER1$/check_snmp!-H!$HOSTADDRESS$!-o!.1.3.6.1.4.1.2021.10.1.3.1,.1.3.6.1.4.1.2021.10.1.3.2,.1.3.6.1.4.1.2021.10.1.3.3!-w!$ARG1$!-c!$ARG2$!-C!$USER5$!-l!1min:!-l!5min:!-l!15min:!-l!Load!-D!, !-m!UCD-SNMP-MIB

This also allows passing empty arguments and doesn't require nagios to do
any single/double quote parsing, which could break some complex command
definitions (that would likely be much easier to write in the _exec form
anyway...)

And I think the same would be beneficial for NRPE as well, allowing at
the same time to safely pass arguments using the exec form...

--
Thomas
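
The "!"-separated exec form proposed in the message above, as an added example (not code from Nagios or from any poster in this thread). The names split_exec and run_exec are hypothetical, and the sketch assumes a literal "!" never needs to appear inside an argument. Each field becomes one argv element, empty fields included, and the program is started with execvp so no shell ever parses the arguments.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ARGS 64

/* Split a "!"-separated definition into argv (needs MAX_ARGS + 1 slots).
 * Empty fields are kept as empty strings. Modifies buf; returns argc or -1. */
int split_exec(char *buf, char **argv)
{
    int argc = 0;
    char *p = buf;
    for (;;) {
        if (argc >= MAX_ARGS) return -1;   /* too many arguments */
        argv[argc++] = p;
        p = strchr(p, '!');
        if (p == NULL) break;
        *p++ = '\0';                       /* end this field, start the next */
    }
    argv[argc] = NULL;
    return argc;
}

/* Run argv directly via fork/execvp, no /bin/sh. Returns exit status or -1. */
int run_exec(char **argv)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                        /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed sample: the last field is empty, so test(1) gets: -z "" */
    char def[] = "test!-z!";
    char *argv[MAX_ARGS + 1];
    int argc = split_exec(def, argv);
    printf("argc=%d exit=%d\n", argc, run_exec(argv));
    return 0;
}
```
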
