Access is denied while running metrics-per-process.rb check as agent is running with sensu user

My sensu agent is running as the sensu user, and I am running the metrics-per-process.rb check to check tomcat. I have installed psutil, which is required for metrics-per-process.rb. Now the problem is that when the check is run by the sensu agent, it gets Access denied, as shown below. I gave ownership of “/usr/lib64/python2.7/site-packages/psutil” to the sensu user, but to no avail. Please help me with this issue.

Traceback (most recent call last):
  File "/opt/sensu-plugins-ruby/embedded/lib/ruby/gems/2.4.0/gems/sensu-plugins-process-checks-3.2.0/bin/metrics-per-process.py", line 330, in <module>
    main()
  File "/opt/sensu-plugins-ruby/embedded/lib/ruby/gems/2.4.0/gems/sensu-plugins-process-checks-3.2.0/bin/metrics-per-process.py", line 323, in main
    graphite_printer(multi_pid_process_stats(pids, options.metrics_regexes), options.graphite_scheme)
  File "/opt/sensu-plugins-ruby/embedded/lib/ruby/gems/2.4.0/gems/sensu-plugins-process-checks-3.2.0/bin/metrics-per-process.py", line 244, in multi_pid_process_stats
    stats = Counter(stats) + Counter(stats_per_pid(pid, metrics_regexes))
  File "/opt/sensu-plugins-ruby/embedded/lib/ruby/gems/2.4.0/gems/sensu-plugins-process-checks-3.2.0/bin/metrics-per-process.py", line 236, in stats_per_pid
    stats.update(connection_stats(process_handler, metrics_regexp))
  File "/opt/sensu-plugins-ruby/embedded/lib/ruby/gems/2.4.0/gems/sensu-plugins-process-checks-3.2.0/bin/metrics-per-process.py", line 199, in connection_stats
    tcp_conns = process_handler.connections(kind='tcp')
  File "/usr/lib64/python2.7/site-packages/psutil/__init__.py", line 1278, in connections
    return self._proc.connections(kind)
  File "/usr/lib64/python2.7/site-packages/psutil/_pslinux.py", line 1516, in wrapper
    raise AccessDenied(self.pid, self._name)
psutil.AccessDenied: psutil.AccessDenied (pid=1910)

hey!

So real quick response while I have a minute.

What is most likely going on is your system is treating the information you want to access as privileged.

You’ll need to make a decision on how you want to give the sensu-agent service the necessary privileged access. The sensu-agent packages come pre-configured to run as the unprivileged ‘sensu’ user on Linux systems as a good default security practice. But the trade-off for that is that operators like yourself have to do a little more work to grant the sensu user enhanced privileges if your monitoring needs require access to privileged system information.

I personally would suggest looking into configuring sudo for the specific command so that the sensu user can run the command with the least privileged access possible. If you need help with that, I can probably come up with an example sudo configuration and check command if you are unfamiliar with tuning sudo.

-jef

Thanks for your reply. If I add sensu to the sudo group (or wheel in CentOS) or run sensu-agent with root privileges, are both not the same thing? If we can tune the sudo group or wheel group, please guide me accordingly or share some helpful material.

I would definitely recommend that you configure sudo as narrowly as possible to give the sensu user access to only the commands it needs instead of running the sensu agent with enhanced privileges.

Or make use of the Linux kernel capabilities, if available, to provide fine-grained controls…to ensure the sensu-agent process and child processes only have read access to privileged information. I think it’s possible to use kernel capabilities defined in the systemd startup script for the agent. I’ll need to test this for myself though to make sure it works as I expect.

I’ll try to write up an article that covers the options this week here in the forums and provide more details on multiple approaches.

-jef
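The narrow sudo approach suggested in the replies, as an added example that is not part of the original thread or of Sensu's own documentation: it audits ownership first, because once the check runs as root through sudo, any file it loads that the sensu user can write (such as a psutil directory chowned to sensu) becomes a path to root. The function names are hypothetical, and it is an assumption that the script is executable with a shebang and that running it as root clears the AccessDenied error.

```shell
#!/bin/sh
# Added example, not code from the thread or from Sensu.
# Both paths are copied from the traceback in the question.
CHECK=/opt/sensu-plugins-ruby/embedded/lib/ruby/gems/2.4.0/gems/sensu-plugins-process-checks-3.2.0/bin/metrics-per-process.py
PSUTIL_DIR=/usr/lib64/python2.7/site-packages/psutil

# Print every path under the given files/directories that is NOT owned by
# uid $1 or is writable by group or other. Anything listed could be edited
# by an unprivileged account and would then execute as root through sudo.
# Symlinks are skipped; their targets are not followed.
unsafe_paths() {
    want_uid=$1; shift
    for p in "$@"; do
        [ -e "$p" ] || { echo "missing: $p"; continue; }
        find "$p" ! -type l \
            \( ! -user "$want_uid" -o -perm -020 -o -perm -002 \) -print
    done
}

# One-command sudoers rule: user $1 may run exactly $2 as root, no password.
# No argument list is pinned, so any arguments to that one script are allowed.
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# Emit the rule only when the script and the psutil package it imports are
# root-owned and locked down (assumption: the check has a shebang and is
# executable, so sudo can run it directly).
emit_rule() {
    bad=$(unsafe_paths 0 "$CHECK" "$PSUTIL_DIR")
    if [ -n "$bad" ]; then
        echo "refusing to emit rule; chown root and chmod go-w first:" >&2
        echo "$bad" >&2
        return 1
    fi
    sudoers_rule sensu "$CHECK"
}

if [ "${1:-}" = "emit" ]; then emit_rule; fi
```

Run it as root with the `emit` argument, validate the output with `visudo -cf` before placing it under /etc/sudoers.d/, and prefix the Sensu check command with `sudo`. Unlike adding sensu to the wheel or sudo group, this grants root for one script only.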