Execute handler command in raspberry pi

Sensu Go
1

Hi,

I set sensu-agent in raspberry pi 4B. It works well to run checks. but has issue to run handler command.

Look like the handler command is run with root user. however, it is different to sudo su root user.
I tried to run id root in pi cli and run id root as handler command and got follow:
pi cli: uid=0(root) gid=0(root) groups=0(root)
output of handler : uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)\n

No sure why the root user is different. Does anyone run handler in PI?

2

Hey,

There might be a bit of a language barrier here, I’m having trouble understanding what you are talking about.

In the context of Sensu terminology, handler commands are exetubles usually run by the sensu-backend, not the sensu-agent. And since you didn’t refer to sensu-backend it’s really clear to me what your are trying to describe.

But since you mention both sudo and su, I can definitely confirm those two commands can have some very striking operational differences. sudo command, depending on its version and how its configured, can manipulate/sanitize the environment variables in a way that su cannot.

I’ll also add that running Sensu executables as root is probably not a good idea. In the official Sensu packages, we make it a point to provide init service definition that runs Sensu executables as user sensu out of the box. There are security implications with running sensu-agent and sensu-backend as root for bare metal systems. I’m not saying you can’t do that, I’m just saying I wouldn’t do that.

-jef

3

Thanks Jef, for the reply.

Maybe I can reword my issue:
I have two raspberry PI. 4B. One PI run sensu-backend and sensuctl, another one run sensu-agent.

I created a very simple check with following config

{
  "type": "CheckConfig",
  "api_version": "core/v2",
  "metadata": {
    "name": "y_system_info_checker"
  },
  "spec": {
    "command": "python /home/pi/checkers/bin/y_system_info.py",
    "subscriptions": [
      "system"
    ],
    "handlers": [
      "y_system_info"
    ],
    "interval": 60,
    "publish": true
  }
}

y_system_info.py only has two line of code: import platform;print(platform.machine())

And here is handler

{
  "type": "Handler",
  "api_version": "core/v2",
  "metadata": {
    "name": "y_system_info",
    "namespace": "default"
  },
  "spec": {
    "command": "sh /home/pi/handlers/bin/y_system_info.sh",
    "type": "pipe"
  }
}

y_system_info.py only has two line of code: import platform;print(platform.machine())

Then I got following issue from sensu-backend log

{"check_name":"y_system_info_checker","check_namespace":"default","component":"pipeline/legacy","entity_name":"192.168.199.247","entity_namespace":"default","event_id":"bea8f6f6-e037-4564-b9c0-50bcf3da5291","handler":"y_system_info","level":"info","msg":"event pipe handler executed","**output":"sh: can't open '/home/pi/handlers/bin/y_system_info.sh': No such file or directory\n"**,"pipeline":"legacy-pipeline","pipeline_workflow":"legacy-pipeline-workflow-y_system_info","status":2,"time":"2022-07-06T23:23:16Z"}

I am 100% y_system_info.py exist in /home/pi/handlers/bin

Then I updated handler’s command just run a simple command whoami

{"check_name":"y_system_info_checker","check_namespace":"default","component":"pipeline/legacy","entity_name":"192.168.199.247","entity_namespace":"default","event_id":"33a9f148-a295-430e-b24a-0b84993acd75","handler":"y_system_info","level":"info","msg":"event pipe handler executed","**output":"root\n",**"pipeline":"legacy-pipeline","pipeline_workflow":"legacy-pipeline-workflow-y_system_info","status":0,"time":"2022-07-06T23:25:16Z"}

so I know sensu-agent host run handler command as root.

Next step I run mkdir test_create_folder && ls in handler’s command

{"check_name":"y_system_info_checker","check_namespace":"default","component":"pipeline/legacy","entity_name":"192.168.199.247","entity_namespace":"default","event_id":"04a3f0cb-7f95-4df7-927f-09e54b8092af","handler":"y_system_info","level":"info","msg":"event pipe handler executed","output":"bin\ndev\netc\nhome\nlib\nmedia\nmnt\nopt\nproc\nroot\nrun\nsbin\nsrv\nsys\ntest.sh\n**test_create_folder**\ntest_folder\ntmp\ntmp.txt\nusr\nvar\ny_system_info\n","pipeline":"legacy-pipeline","pipeline_workflow":"legacy-pipeline-workflow-y_system_info","status":0,"time":"2022-07-06T23:31:46Z"}

clearly test_create_folder has been create. however when I tried to run command in sensu-agent host
sudo su
cd /
ls
bin boot dev etc home lib lost+found media mnt opt proc root run sbin srv sys tmp usr
var

there is no test_create_folder

So I don’t know why handler command execute as root user, but it has different folder accessibility when I directly run command in sensu-agent host.

4

The sensu-agent doesn’t run handlers.
The sensu-backend runs handlers.

sensu-agents run checks and hooks to generate sensu-events.
sensu-backends process events (some events produced by the sensu-agents)
So the backends run filters,mutators and handlers.

5

Thanks @jspaleta .

Very interesting. If I understand correctly when you said “the backends run filters, mutator and handlers”, does that means handlers run executable command in back-end’s host, not on agent host?

If that is right, if I want to check agent host wifi connectivity if wifi is disconnect, I want to restart agent’s host. How should I do it?

6

yes handlers are running by the backend host.

If you need a host to try to reboot itself with no external supervision, you’re going to end up writing something like a polling cron job or systemd timer.

7

Right, that make sense now. Thank @jspaleta