Friday, May 24th 2013, 8:14pm UTC+2

You are not logged in.

  • Login
  • Register

[Nconf] Modify $USERx$ macros? Creating a symlink in /usr/local/nconf/static_cfg/ causes "Error: Unexpected token or statement in file"

mbrownnyc

Beginner

Posts: 23

Location: brooklyn

Occupation: Infrastructure engineer

Number of monitoring servers: 1

Nagios Version: -

Icinga Version: 1.6.1 + icinga-web 1.8.1 + ingraph 1.0.1 + lconf

Distributed monitoring: Nein

Redundant monitoring: Nein

Number of hosts: 50

Number of services: a bunch

OS: el6

Plugin Version: 1.4.15

IDO-Version: 1.6.1

1

Friday, July 27th 2012, 6:32pm

[Nconf] Modify $USERx$ macros? Creating a symlink in /usr/local/nconf/static_cfg/ causes "Error: Unexpected token or statement in file"

Hello,

I have created a symlink to resource.cfg in the static_cfg directory of nconf, and edited the resource.cfg file to include an additional $USERx$ macro.

When I attempt to use the Deploy option within Nconf, I receive the error:

Source code

 
1

Error: Unexpected token or statement in file '/usr/local/nconf/static_cfg/resource.cfg' on line 24.


When I run the following from command line, I receive no errors:

Source code

 
1

/usr/bin/icinga -v /etc/icinga/icinga.cfg


When I remove the symlink from the static_cfg directory, I do not get the error when trying to deploy through Nconf.

I located a mail thread that describes the fact that resource.cfg is not to be included as a cfg_file with cfg_dir or directly with cfg_file; but as the resource_file.

It's quite clear that this is not the case, but for prominence, I ran the following without anything return:

Source code

 
1

grep -r static_cfg /etc/icinga


Noting the fact that I can run the test with root without an issue and the following, I do not know what could be causing the problem:

Source code

 
1
2
3
4
5
6
7

# grep -r cfg_ . | grep -v "\#cfg_"
./icinga.cfg:# extension) in a particular directory by using the cfg_dir
./icinga.cfg:cfg_dir=/etc/icinga/modules
./icinga.cfg:# object configuration files (see the cfg_file and cfg_dir options above).
./icinga.cfg:cfg_dir=/etc/icinga/nconf
# find /etc/icinga/modules -type s #returns nothing
# find /etc/icinga/nconf -type s #returns nothing


This issue can be avoided if Nconf provides an easy way to modify resource.cfg/the $USERn$ macros. It is not in an obvious place

Any assistance is appreciated.

Thanks,

Matt

[edit]
According to nconf.config as follows:

Source code

 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

#
# Static configuration files
#
# List of folders containing additional files that you would like to make editable within NConf (basic text editing).
# We call these files 'static files', because they are not generated by NConf.
# All folders listed here will be included in the output file, together with the generated config.
# We recommend you to copy your static files into the 'nconf/static_cfg' folder.
#
$STATIC_CONFIG = array("static_cfg");

# If security permits it, you could make your active Nagios configuration editable in NConf directly.
# We discourage users from doing this though, because there is a risk that they could accidentally damage their Nagios configuration.
#$STATIC_CONFIG = array("static_cfg", "/etc/nagios");

#
# Syntax checking for static config folders
# Static config will be treated as "global" config. Syntax checking will be run for each Collector / Monitor server.
# In a distributed monitoring setup, you might have to disable syntax checking, if you are getting errors that items don't exist on certain servers.
#
define('CHECK_STATIC_SYNTAX', 1);


Changing CHECK_STATIC_SYNTAX to 0 solves the problem for the Nconf config check, as resource.cfg is not an "object" configuration file.

I implemented the additional access as follows:

Source code

 
1
2
3

ln -s /etc/icinga/resource.cfg /usr/local/nconf/static_cfg
setfacl -m user:apache:rw /etc/icinga/resource.cfg 
sed s/"'CHECK_STATIC_SYNTAX', 1"/"'CHECK_STATIC_SYNTAX', 0"/ -i /usr/local/nconf/config/nconf.php


However, I can not push to prod with the deploy script (in my case shell_exec('sudo /etc/init.d/icinga reload') fails.

Running /usr/bin/icinga -v /etc/icinga/icinga.cfg also fails, citing the file /etc/icinga/nconf/static_cfg/resource.cfg; which I've already proven is not to be included as a cfg_file.

What am I supposed to do to allow editing of resources.cfg from within Nconf (more specifically editing of the $USERn$ macros)?
Reliability Monitoring... featuring icinga, icinga-web, icinga-reporting, lconf, ingraph, and eventdb.

This post has been edited 5 times, last edit by "mbrownnyc" (Jul 27th 2012, 7:02pm)

dnsmichi

Super Moderator

Posts: 5,990

Birthday: May 30th 1983 (29)

Gender: male

Location: Nürnberg

Occupation: Consultant / Developer beim besten Arbeitgeber der Welt @netways

Number of monitoring servers: Icinga: 4x dev, 10++ prod, Icinga2: 2x dev

Nagios Version: s/nagios/icinga/

Icinga Version: 1.9.1 / GIT

Distributed monitoring: Ja

Redundant monitoring: Ja

Number of hosts: 1000+

Number of services: 15000+

OS: RHEL, Debian, SUSE

Plugin Version: 1.4.16

IDO-Version: 1.9.1 / GIT MySQL/Postgresql/Oracle

Other Addons: Icinga Web, PNP, check_multi, inGraph, EventDB, LConf

2

Friday, July 27th 2012, 7:26pm

and the content of resource.cfg is?
+++ Icinga / LConf Developer +++ Senior Consultant at []NETWAYS> +++
+++ Icinga 1.9 || Icinga 2 +++ Icinga Support || IRC +++

mbrownnyc

Beginner

Posts: 23

Location: brooklyn

Occupation: Infrastructure engineer

Number of monitoring servers: 1

Nagios Version: -

Icinga Version: 1.6.1 + icinga-web 1.8.1 + ingraph 1.0.1 + lconf

Distributed monitoring: Nein

Redundant monitoring: Nein

Number of hosts: 50

Number of services: a bunch

OS: el6

Plugin Version: 1.4.15

IDO-Version: 1.6.1

3

Friday, July 27th 2012, 7:32pm

Thanks for getting back to me so quickly.

It's "normal," as I only modified the $USER1$ macro (plugin path).

Source code

 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

# cat /etc/icinga/resource.cfg
###########################################################################
#
# RESOURCE.CFG - Sample Resource File for Icinga
#
# You can define $USERx$ macros in this file, which can in turn be used
# in command definitions in your host config file(s).  $USERx$ macros are
# useful for storing sensitive information such as usernames, passwords,
# etc.  They are also handy for specifying the path to plugins and
# event handlers - if you decide to move the plugins or event handlers to
# a different directory in the future, you can just update one or two
# $USERx$ macros, instead of modifying a lot of command definitions.
#
# The CGIs will not attempt to read the contents of resource files, so
# you can set restrictive permissions (600 or 660) on them.
#
# Icinga supports up to 32 $USERx$ macros ($USER1$ through $USER32$)
#
# Resource files may also be used to store configuration directives for
# external data sources like MySQL...
#
###########################################################################

# Sets $USER1$ to be the path to the plugins
$USER1$=/usr/local/nagios/libexec/

# Sets $USER2$ to be the path to event handlers
#$USER2$=/usr/local/nagios/libexec//eventhandlers

# Store some usernames and passwords (hidden from the CGIs)
#$USER3$=someuser
#$USER4$=somepassword


Again, just because I was so verbose in my original post I want to reiterate, my goal is to set $USERn$ macros within the Nconf interface.


Thanks for your time,

MAtt
Reliability Monitoring... featuring icinga, icinga-web, icinga-reporting, lconf, ingraph, and eventdb.

Wolfgang

Sage

Posts: 7,238

Gender: male

Number of monitoring servers: 2

Nagios Version: 3.2.1

Icinga Version: Icinga 1.7.x

Distributed monitoring: Nein

Redundant monitoring: Nein

Number of hosts: >70

Number of services: >200

OS: SLES11

Plugin Version: 1.4.15

Other Addons: NRPE 2.6, NSCA 2.7, PNP 0.4.14 / 0.6.18

4

Saturday, July 28th 2012, 11:26am

Well, one reason for not being allowed to edit $USER$ variables via NConf might be - apart from the obvious path to the plugins - that they are used to contain sensitive information like passwords. Having different people being able to edit the configuration this still might be considered "secret".
Du brauchst Hilfe? / You need help?

Nagios-Doc (3.x, de)

Icinga-Doc: (de) (en)

PNP-Troubleshooting (de) (en)

mbrownnyc

Beginner

Posts: 23

Location: brooklyn

Occupation: Infrastructure engineer

Number of monitoring servers: 1

Nagios Version: -

Icinga Version: 1.6.1 + icinga-web 1.8.1 + ingraph 1.0.1 + lconf

Distributed monitoring: Nein

Redundant monitoring: Nein

Number of hosts: 50

Number of services: a bunch

OS: el6

Plugin Version: 1.4.15

IDO-Version: 1.6.1

5

Monday, July 30th 2012, 7:08pm

Quoted from "Wolfgang"

Well, one reason for not being allowed to edit $USER$ variables via NConf might be - apart from the obvious path to the plugins - that they are used to contain sensitive information like passwords. Having different people being able to edit the configuration this still might be considered "secret".


Since it's common in other web-based nagios/icinga "configurators" to allow $USERn$ macros to be edited (see centreon), I assumed that the feature was also presented within Nconf.


Allow me to rephrase my question without focus on setting the $USERn$ macros through the web UI:


Why does icinga treat any file which I have created a symbol link in /usr/local/nconf/static_cfg as a cfg_file?

I can not locate why this would be, and have investigated with the following:

Knowing that the cfg_dirs in my icinga.ini are /etc/icinga/modules and /etc/icinga/nconf only...

Source code

 
1
2
3
4
5
6
7

# grep -r cfg_ . | grep -v "\#cfg_"
./icinga.cfg:# extension) in a particular directory by using the cfg_dir
./icinga.cfg:cfg_dir=/etc/icinga/modules
./icinga.cfg:# object configuration files (see the cfg_file and cfg_dir options above).
./icinga.cfg:cfg_dir=/etc/icinga/nconf
# find /etc/icinga/modules -type s #returns nothing
# find /etc/icinga/nconf -type s #returns nothing


...what is in my ./config/nconf.php that is telling nconf to push /usr/local/nconf/static_cfg/* to be cfg_file?
Please see the contents of my ./config/nconf.php.


I am making the following assumption:
  • Any file(s) located within the configured $STATIC_CONFIG path is assumed to be a nagios object configuration file.
  • Upon "Generate Nagios config" (generate_config.php), Nconf inserts these files into its database.
  • Upon "Deploy" (HTTP POST: call_file.php?module_file=deployment/main.php value="Deploy") Nconf then generates cfg files and follows the method assigned within deployment.ini.


It seems flawed to assume that all "files" located in static_cfg are to be treated as icinga/nagios object cfg_files.

I am looking for confirmation that this is what Nconf is doing, then I can assume that the purpose of the configured target directories within the $STATIC_CONFIG array are actually:
"# List of folders containing additional files that you would like to make editable within NConf (basic text editing).
# We call these files 'static files', because they are not generated by NConf.
# All folders listed here will be included in the output file, together with the generated config.
# We recommend you to copy your static files into the 'nconf/static_cfg' folder."

Oh. I see now.

I thought that the purpose of the feature was to simply offer the ability for users to edit any given file through the web UI; but, it's clear that any files included within $STATIC_CONFIG will be deployed as any other cfg_file. I apologize for misunderstanding the feature!


Have you guys dealt with a feature request for editing the resource.cfg file... specifically the $USERn$ macros within the UI? It seems like it would be a good thing for administrative users; or is this to feature bloaty?


Thanks,

Matt
Reliability Monitoring... featuring icinga, icinga-web, icinga-reporting, lconf, ingraph, and eventdb.

This post has been edited 1 times, last edit by "mbrownnyc" (Jul 30th 2012, 7:16pm)

dnsmichi

Super Moderator

Posts: 5,990

Birthday: May 30th 1983 (29)

Gender: male

Location: Nürnberg

Occupation: Consultant / Developer beim besten Arbeitgeber der Welt @netways

Number of monitoring servers: Icinga: 4x dev, 10++ prod, Icinga2: 2x dev

Nagios Version: s/nagios/icinga/

Icinga Version: 1.9.1 / GIT

Distributed monitoring: Ja

Redundant monitoring: Ja

Number of hosts: 1000+

Number of services: 15000+

OS: RHEL, Debian, SUSE

Plugin Version: 1.4.16

IDO-Version: 1.9.1 / GIT MySQL/Postgresql/Oracle

Other Addons: Icinga Web, PNP, check_multi, inGraph, EventDB, LConf

6

Monday, July 30th 2012, 7:36pm

you are mixing 2 things here.

- icinga provides the core and a readonly / command sending capable ui (namely 2, classic ui and icinga web)
- nconf is an addon to icinga, using its own backend and frontend, generating config files which are to be included in icinga.cfg then for the core to read

so once you tell icinga.cfg to read everything from a special dir via cfg_dir, icinga core will read that recursively. that is only valid for object configuration. resource.cfg is a different config, classified as "main configuration", providing user macros which may contain sensitive information such as snmp communities, database passwords, or in the most common use case, the plugins path too.
for security reasons, the apache user normally cannot read that file, only the core reads it once at startup (when having root privilegues, before dropping those). some people do not care about that security level and expose resource.cfg to web uis (as the icinga classic ui feature for full command line resolution implies too), but that highly depends on the developer of the ui plus the user installing the ui.

if you want to reach the nconf developers, you should target them directly. i am not sure if they read over here.
http://forum.nconf.org

ps: i won't be able to help further, i've never installed config uis for icinga.
+++ Icinga / LConf Developer +++ Senior Consultant at []NETWAYS> +++
+++ Icinga 1.9 || Icinga 2 +++ Icinga Support || IRC +++

mbrownnyc

Beginner

Posts: 23

Location: brooklyn

Occupation: Infrastructure engineer

Number of monitoring servers: 1

Nagios Version: -

Icinga Version: 1.6.1 + icinga-web 1.8.1 + ingraph 1.0.1 + lconf

Distributed monitoring: Nein

Redundant monitoring: Nein

Number of hosts: 50

Number of services: a bunch

OS: el6

Plugin Version: 1.4.15

IDO-Version: 1.6.1

7

Monday, July 30th 2012, 10:18pm

Thanks again for your reply.

I understand all of this fully. I didn't expect that this forum was really an icinga support forum, but I did "cross-post" in the nconf forum already, so that nconf developers may reply.

I really simply misunderstood the feature.

Icinga, Icinga-web(new) and icinga-reporting are a great set of tools, and I've finished writing up my implementation so that others can (hopefully) most easily implement them very quickly.


Thanks for your great work!

Matt
Reliability Monitoring... featuring icinga, icinga-web, icinga-reporting, lconf, ingraph, and eventdb.

This post has been edited 1 times, last edit by "mbrownnyc" (Jul 30th 2012, 10:25pm)

dnsmichi

Super Moderator

Posts: 5,990

Birthday: May 30th 1983 (29)

Gender: male

Location: Nürnberg

Occupation: Consultant / Developer beim besten Arbeitgeber der Welt @netways

Number of monitoring servers: Icinga: 4x dev, 10++ prod, Icinga2: 2x dev

Nagios Version: s/nagios/icinga/

Icinga Version: 1.9.1 / GIT

Distributed monitoring: Ja

Redundant monitoring: Ja

Number of hosts: 1000+

Number of services: 15000+

OS: RHEL, Debian, SUSE

Plugin Version: 1.4.16

IDO-Version: 1.9.1 / GIT MySQL/Postgresql/Oracle

Other Addons: Icinga Web, PNP, check_multi, inGraph, EventDB, LConf

8

Monday, July 30th 2012, 11:19pm

this forum is just a great place for the monitoring community, so on team icinga we decided not to reinvent the wheel (it wouldn't make sense imho), but point users to an active monitoring community. as you might figure, this forum is more than just "icinga", and from my experience you will gain a lot of know how from reading and keeping up with the community. language barriers are sometimes difficult, but english should be the logical fallback when german is not understood/spoken.

you will also find plenty of icinga devs as well as addon/plugin devs over here, even if not directly marked (possibly everyone should update their signatures ;-D ). most icinga members are reading the mailinglists, and some are also online on irc (see my signature).

thanks for sharing your howto, this helps a bit more on understanding the selinux problem - which is currently the showstopper to bring my packages to EPEL upstream (https://dev.icinga.org/issues/2921). i've added it as a source for the install guides collection urls here. https://wiki.icinga.org/display/howtos/I…ides+Collection

btw - would you be interested in working together on the selinux issue, bringing this into packages (repoforge and even EPEL)? if so, drop me a line to michael.friedrich(at)univie.ac.at :-)
+++ Icinga / LConf Developer +++ Senior Consultant at []NETWAYS> +++
+++ Icinga 1.9 || Icinga 2 +++ Icinga Support || IRC +++

Similar threads