check_by_ssh vs. ssh (when executed, have different environments)

John P. Rouillard rouilj at cs.umb.edu
Thu Oct 12 02:30:40 CEST 2006


Top posting. Reformatted:

In message <1160608259.963.32.camel at localhost>, Craig Worthington writes:
>On Thu, 2006-10-12 at 08:43, John P. Rouillard wrote:
>> In message <A7B0A9F02975A74A845FE85D0B95B8FA05371A07 at misex01.ena.com>,
>> "Marc Powell" writes:
>> >> On Behalf Of Bret Goodfellow
>> >> The user (nagios) is the id that is executing both ssh and check_by_ssh.
>> >> When these commands are run, the "environments" established for ssh and
>> >> check_by_ssh are different (why)?
>> >> 
>> >check_by_ssh does not initiate a full login shell when executing
>> >commands. In fact, it is a simple but intelligent wrapper for 'ssh
>> >user@host somecommand' so as such, the ssh command on the remote host is
>> >going to see only the environment variables available for a non-login
>> >process and those that ssh specifically sets. 'man ssh' and search for
>> >'ENVIRONMENT'. That section of the man page will detail the limited
>> >number of environment variables that ssh will set on its own and how to
>> >add others via $HOME/.ssh/environment. check_by_ssh doesn't modify or
>> >limit the remote environment in any way. 
>> 
>> Also the environment passed to ssh when run under check_by_ssh is
>> sanitized as well to a limited set of variables. You need to look at the
>> code to see how it sanitizes the environment to prevent security
>> issues. One of the things that this prevents is use of the ssh agent
>> to authenticate for check_by_ssh.
>> 
>> So what you need to do is write a shell wrapper that sets the variables
>> you need for check_oracle and invoke the wrapper instead of
>> check_oracle directly.

>On the same sort of ssh track...
>
>Is it possible to configure ssh or check_by_ssh to use a ssh tunnel ?
>I have a number of heavy loaded computers (executing climate models)
>where re-establishing ssh connections every 30 seconds is causing a load
>problem. 
>
>I guess the goal would be to have a check-plugin where it looks for a
>tunnel and then leaves the tunnel open after the check has finished. Is
>there an existing check which does something like this ??

I would replace the ssh command with a wrapper (if check_by_ssh
provided a command arg for the ssh command it should use, it would be
easier, say: "-P /path/to/ssh/wrapper"). Then have the wrapper
implement the master mode (-M argument to recent ssh commands) for the
host if run by nagios. Alternatively you could use fsh in place of ssh
if the user is nagios (at the cost of having to install the daemon etc
ugh.)

Also supposedly check_by_ssh can run checks for multiple services at
the same time. See the -C, -O and -s arguments. I have never been able
to get it to work. With this feature you could run a single ssh to
execute say 5 check_disk commands. As I said I haven't gotten it to
work, but it could cut down on the number of ssh connections that are
needed.

				-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
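
The ssh wrapper idea from the reply above, sketched as an added example (not code from the thread or from the Nagios plugins). `SSH_BIN`, `CTL_DIR`, `prepare_ctl_dir`, `mux_ssh` and both default paths are assumptions made for illustration; how the wrapper gets called in place of ssh is left open, as in the reply.

```shell
#!/bin/sh
# Added example: ssh wrapper that reuses one master connection per host.
# All names and paths below are assumptions, not taken from the thread.

# Set paths explicitly: the environment the wrapper inherits is sanitized,
# so do not rely on $HOME or $PATH. An absolute ssh path also keeps a
# wrapper that is itself named "ssh" from calling itself.
SSH_BIN="${SSH_BIN:-/usr/bin/ssh}"
CTL_DIR="${CTL_DIR:-/var/run/nagios/ssh-mux}"

# Any local user who can open the control socket can start sessions over
# the authenticated master connection, so the socket directory must be a
# real directory (not a symlink), owned by the caller, with mode 0700.
prepare_ctl_dir() {
    if [ -L "$CTL_DIR" ]; then
        return 1
    fi
    ( umask 077; mkdir -p "$CTL_DIR" ) || return 1
    # chmod fails for an unprivileged caller if another user owns the directory
    chmod 700 "$CTL_DIR" 2>/dev/null
}

# Run ssh with connection sharing. ControlMaster=auto is the option form of
# the -M master mode: the first call opens the master, later calls reuse it.
# ControlPersist (OpenSSH 5.6 and later) keeps the master open for 300 s
# after the last check, longer than the 30 s interval from the question.
mux_ssh() {
    if ! prepare_ctl_dir; then
        echo "UNKNOWN: unsafe ssh control directory $CTL_DIR" >&2
        return 3    # Nagios plugin exit code for UNKNOWN
    fi
    "$SSH_BIN" -o ControlMaster=auto \
        -o "ControlPath=$CTL_DIR/%r@%h:%p" \
        -o ControlPersist=300 "$@"
}

# Act as the wrapper only when called with arguments.
if [ "$#" -gt 0 ]; then
    mux_ssh "$@"
    exit $?
fi
```

A persistent master keeps an authenticated channel open between checks, so the mode of the socket directory is what limits who on the monitoring host can use it.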

