Running the Checkmk agent without root privileges

Editor’s Note: This is an article from a community member who wish to remain anonymous. Nevertheless, the discussion here is open! The author and the tribe29 team would gladly follow-up with more details. We wanted to post this to start a discussion, so we count on you to share your thoughts :blush:

The tribe29 team always recommends using the Checkmk agent as root. Because the Shell script is completely transparent, you should be able to convince others to follow this best practice. There may be really special conditions however, in which you absolutely have no chance to get permission to run Checkmk as root, for instance with managed servers where the provider will not give up the root rights − even after you have tried to convince them.

Our fellow community member had such a case, and would like to share his solution in a quick summary here. The following solution has been used in a productive environment, but you really do need to know what you are doing. Even if you are experienced with Linux and Checkmk, the post below might not be sufficient to reproduce all the things that need to be done to make this work.

Disclaimer: Be aware, that this procedure is not supported by tribe29.

Environment

This How-To requires you to set the paths via environment variables, an option that is available since v1.6. of Checkmk.

The Checkmk agent is equal in any edition, so this applies to the Enterprise Edition and Raw Edition.

Resolution

1. Setup

Create user ‘monitoring’ with /home/monitoring as home directory and /bin/bash as shell.
Then create a separate folder in the home directory named ‘checkmk’ (for MK_LIBDIR).

Create a couple of folders now within /home/monitoring/checkmk

bin/ − checkmark agent
conf/ − (MK_CONFDIR)
var/ − (MK_VARDIR)
local/ − for local checks
plugins/ − for plug-ins
checks/ − for external checks, e.g., as mrpe

Download the agent from http://MONITORING-SERVER/SITENAME/check_mk/agents/check_mk_agent.linux to /home/monitoring/checkmk/bin (in the current version of your site)

Download the plug-ins you need from the monitoring server and put them in /home/monitoring/checkmk/plugins

In some distributions a bin folder is created directly in the home directory − this is very useful for this project. Create it yourself if it is not already available. Here you can store, for example waitmax, so that you do not have to install it on all systems. The binary can also be downloaded via URL http://MONITORING-SERVER/SITENAME/check_mk/agents/waitmax . This works well especially for automation tools like Ansible,Puppet or Salt

2. Environment Variables

In order to use the Checkmk agent you now have to set environment variables for the user monitoring , in this case in the ~/.bashrc

MK_LIBDIR=

MK_CONFDIR=

MK_VARDIR=

PATH=/home/monitoring/bin:/sbin/:/usr/sbin/:$PATH

The PATH variable is extended for two reasons:

  • If not provided by the distribution, the local bin path in the home directory must be added here
  • Some distributions do not extend the PATH variable with the ‘sbin’ paths, but this is very useful for ethtool

3. Access via SSH

For the access via SSH a small wrapper script is needed, since with an SSH login no interactive shell is opened and therefore no .bashrc, etc. is evaluated. But to use the new set variable and the customized PATH variable, an interactive bash must be forced in the script. This can be achieved with the following example scripts: (It wasn’t tested if a wrapper script is needed for systemd / xinetd)

#!/bin/bash -i

/home/monitoring/checkmk/bin/check_mk_agent.linux

And with that you are done. This procedure requires a bit of work, but the agent will run without root rights, no package installation is necessary, and everything is possible with the user rights (when monitoring via SSH).

Further Considerations

  • Not recommended for anyone without good Linux expertise
  • Create sudo rules for checks requiring root access, e.g. hardware checks or cluster checks.
  • Add the user monitoring to the group docker , if you want to monitor Docker
  • Add the user monitoring to the group adm , if you want to monitor syslog

A basic monitoring of a system is possible without root rights under Linux or another unix-like OS such as FreeBSD. Many plug-ins also can run under normal user rights, e.g., mk_apt, logwatch, Docker.

We are happy to hear your feedback, and it would be great if we can work together to complete this how-to for solutions for edge-cases.

5 Likes

Thanks for sharing this!

2 Likes