Mk_docker.py plugin on 1.6.0p7 doesn't seem to work

dansou901 · February 5, 2020, 3:36pm

Hi!
I’ve got a problem setting up mk_docker.py. On our check_mk host, 1.6.0p7 is installed. On the docker node I’m trying to monitor, the newest agent software is installed (1.6.0p7). The docker node is using latest Ubuntu LTS (18.04 bionic). The mk_docker.py plugin is installed under /usr/lib/check_mk_agent/plugins and marked as executable. I even added the checkmk user to the docker group so that it is able to execute docker commands. The docker python library is installed correctly:
Python 2.7.17 (default, Nov 7 2019, 10:07:09)
[GCC 7.4.0] on linux2
Type “help”, “copyright”, “credits” or “license” for more information.
>>> import docker
>>> docker.version
‘4.1.0’
>>>
When I run mk_docker.py as checkmk user from the command line, it displays docker_node_info correctly:
<<<docker_node_info:sep(0)>>>
@docker_version_info{“PluginVersion”: “0.1”, “DockerPyVersion”: “4.1.0”, “ApiVersion”: “1.40”}
However, when I run it from the Web GUI, it gives me errors:
<<<docker_node_info:sep(0)>>>
@docker_version_info {“PluginVersion”: “0.1”, “DockerPyVersion”: “4.1.0”}
{“Unknown”: “Plugin exception in MKDockerClient.init: Error while fetching server API version: (‘Connection aborted.’, error(13, ‘Permission denied’))”}
I performed a reboot of the docker node prior to running the check via Web GUI.
What am I missing here? Thanks for helping and sorry for the long post!
Regards
Daniel

dansou901 · February 6, 2020, 2:02pm

Some new findings. I’m running check_mk_agent via xinetd, but as unprivileged user checkmk. This way, the docker plugin won’t get a connection to the docker api, even when the checkmk user is a member of the docker group. If I run the check_mk_agent via xinetd as root user, everything works just fine. I just don’t want to run it as root. What permission is missing to the checkmk user to be able to access the docker api?
Regards,
Daniel

dansou901 · February 7, 2020, 3:06pm

As I couldn’t get it to work just with the checkmk user, I implemented a workaround using sudo:
In /usr/lib/check_mk_agent/plugins, I created a new folder named docker and moved the script mk_docker.py there. Then I created a new file mk_docker.py in the plugins directory containing just

#!/bin/bash
sudo ./docker/mk_docker.py

and made it executable. As last step I added the following to /etc/sudoers:

checkmk ALL = NOPASSWD: /usr/lib/check_mk_agent/plugins/docker/mk_docker.py

That way, it’s still possible to let check_mk_agent be run as checkmk user with the additional mk_docker.py plugin which is the only one allowed to be run as root.
If anyone finds a better alternative to this workaround, feel free to contribute your findings!
Regards,
Daniel