{"id":2762,"date":"2018-11-10T20:15:23","date_gmt":"2018-11-11T01:15:23","guid":{"rendered":"http:\/\/osric.com\/chris\/accidental-developer\/?p=2762"},"modified":"2018-11-10T20:15:23","modified_gmt":"2018-11-11T01:15:23","slug":"icinga2-and-pagerduty-integration","status":"publish","type":"post","link":"https:\/\/osric.com\/chris\/accidental-developer\/2018\/11\/icinga2-and-pagerduty-integration\/","title":{"rendered":"Icinga2 and PagerDuty integration"},"content":{"rendered":"<p>E-mail is not a good way to get my attention in a timely fashion. E-mail is inherently asynchronous, and healthy minds may ignore it for hours or even days at a time. So how do I handle monitoring alerts? One way is by using <a href=\"https:\/\/www.pagerduty.com\/\">PagerDuty<\/a>, a service that can call, text, or send push notifications to you (among other features).<\/p>\n<p>I followed the steps at PagerDuty&#8217;s <a href=\"https:\/\/www.pagerduty.com\/docs\/guides\/icinga2-integration-guide\/\">Icinga2 Integration Guide<\/a>, but no alerts were coming through. What went wrong?<br \/>\n<!--more--><\/p>\n<p>I checked the Icinga2 log file for messages containing <em>pagerduty<\/em>. On most systems:<\/p>\n<pre><code>grep -i pagerduty \/var\/log\/icinga2\/icinga2.log<\/code><\/pre>\n<p>It looked like a permissions issue:<\/p>\n<pre><code>[2018-09-07 16:50:20 -0500] warning\/PluginNotificationTask: Notification command for object 'stephano' (PID: 11482, arguments: '\/usr\/local\/bin\/pagerduty_icinga.pl' 'enqueue' '-f' 'pd_nagios_object=host') terminated with exit code 128, output: execvpe(\/usr\/local\/bin\/pagerduty_icinga.pl flush) failed: Permission denied<\/code><\/pre>\n<p>What was going on?<\/p>\n<p>I should note that I did not follow the instructions in the integration guide exactly. For example, I did not add the crontab entry to the icinga user&#8217;s crontab. I instead added the following to <code>\/etc\/cron.d\/pagerduty<\/code>:<\/p>\n<pre><code>* * * * * icinga \/usr\/local\/bin\/pagerduty_icinga.pl flush<\/code><\/pre>\n<p>That should accomplish the thing, though.<\/p>\n<p>Also, I made the permissions on <code>\/usr\/local\/bin\/pagerduty_icinga.pl<\/code> fairly restrictive, but the icinga user still had permission to read and execute the script:<\/p>\n<pre><code>$ ls -l \/usr\/local\/bin\/pagerduty_icinga.pl\r\n-rwxr-x---. 1 root icinga 9144 Sep  7 16:18 \/usr\/local\/bin\/pagerduty_icinga.pl<\/code><\/pre>\n<p>Then I remembered to check SELinux:<\/p>\n<pre><code>$ sudo ausearch -f pagerduty_icinga.pl\r\ntype=AVC msg=audit(1541712215.916:326539): avc:  denied  { ioctl } for  pid=20609 comm=\"perl\" path=\"\/usr\/local\/bin\/pagerduty_icinga.pl\" dev=\"dm-2\" ino=5529476 scontext=system_u:system_r:icinga2_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file<\/code><\/pre>\n<p>Sure enough, all of the other files in that directory had the context <code>bin_t<\/code>, but <code>pagerduty_icinga.pl<\/code> still had the SELinux type context from my home directory:<\/p>\n<pre><code>$ ls -lZ \/usr\/local\/bin\/pagerduty_icinga.pl\r\n-rwxr-x---. root icinga unconfined_u:object_r:user_home_t:s0   \/usr\/local\/bin\/pagerduty_icinga.pl<\/code><\/pre>\n<p>I set the appropriate type context and ran <code>restorecon<\/code>:<\/p>\n<pre><code>$ sudo semanage fcontext -a -t bin_t \/usr\/local\/bin\/pagerduty_icinga.pl\r\n$ sudo restorecon -v \/usr\/local\/bin\/pagerduty_icinga.pl\r\n$ ls -lZ \/usr\/local\/bin\/pagerduty_icinga.pl\r\n-rwxr-x---. root icinga unconfined_u:object_r:bin_t:s0   \/usr\/local\/bin\/pagerduty_icinga.pl<\/code><\/pre>\n<p>After that change, the PagerDuty integration worked!<\/p>\n<p>The entire issue stemmed from the difference between <em>copying<\/em> [<code>cp<\/code>] the file (as specified in the integration guide) and <em>moving<\/em> [<code>mv<\/code>] the file. I figured there was no point in leaving a stray copy of the script in my home directory, so I simply moved the file:<\/p>\n<pre><code>$ sudo mv pagerduty_icinga.pl \/usr\/local\/bin\/<\/code><\/pre>\n<p>A copy of the file would have inherited the SELinux context of the parent directory (<code>bin_t<\/code>), but moving the file preserved the SELinux context.<\/p>\n<p>As it turns out, <code>mv<\/code> includes an option to update the SELinux file context, which would have solved my problem:<\/p>\n<pre><code>-Z, --context\r\n              set SELinux security context of destination file to default type<\/code><\/pre>\n<p>I have some additional thoughts about the differences between moving and copying files, but those will have to wait for another day.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>After following the steps in PagerDuty&#8217;s Icinga2 integration guide, I still wasn&#8217;t getting my expected PagerDuty alerts. This stemmed from a permissions issue relating to SELinux. I was able to update the SELinux type context for the PagerDuty script and then it worked as expected. This post describes the details of those steps.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[484],"tags":[495,516,458],"class_list":["post-2762","post","type-post","status-publish","format-standard","hentry","category-monitoring","tag-icinga2","tag-pagerduty","tag-selinux"],"_links":{"self":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/2762","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/comments?post=2762"}],"version-history":[{"count":13,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/2762\/revisions"}],"predecessor-version":[{"id":2877,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/2762\/revisions\/2877"}],"wp:attachment":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/media?parent=2762"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/categories?post=2762"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/tags?post=2762"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}