Mailinglist Archive: opensuse-packaging (132 mails)

< Previous Next >
[opensuse-packaging] RFC: moving from separate users to user monitoring for everything
  • From: Lars Vogdt <lrupp@xxxxxxx>
  • Date: Wed, 11 Jan 2017 13:17:40 +0100
  • Message-id: <20170111131740.578e44da@lenovo>
Hi

I'm maintaining some packages in the server:monitoring repository and
want to make my live a bit easier in the future (and I hope that also
our users will benefit from it)...

At the moment, we follow upstream very close regarding the names of the
users and groups used for monitoring related packages (and especially
daemons):

Package | User(s) | Group(s)
------------------------------------------------
icinga | icinga | icinga, icingacmd
naemon | naemon | naemon
nagios | nagios | nagios, nagcmd
shinken | shinken | shinken
zabbix | zabbix, zabbixs | zabbix, zabbixs

Please note that at least icinga, naemon, nagios and shinken are very
similar and even their configuration is more or less compatible. So you
can easily migrate between the different daemons without too much
administration overhead.

While - from a security stand point - the current approach to use the
upstream users/groups is very smart, as it allows you to run multiple
daemons on a single host that can not influence each other, it becomes
more and more a nightmare from a packaging (and customer) view:

A lot of 3rd party applications want to get access to sockets,
directories or other parts, that belong to the corresponding daemon
(check_mk*, pnp4nagios, BPView, {nagios-,icinga-www} - as both can run
also on the other core, nagiosgrapher, nagiosgraph, nagserv, nsca, ...
just to name a few). As result, there have to be either "permission"
files to change the ownerships after installation of sucha 3rd party
application - or even separate $pkg-$daemon sub-packages that come with
the correct owner:group setup for the $daemon part.

The problem with "permissions":
* there is a small, but important time frame between installing a
package update and executing "chkstat --system --set" on the host to
correct the ownerships again
* it needs additional openSUSE specific READMEs and support for users
that are not aware of the fact that they might need to edit a file,
that is not mentioned upstream, before the application works
* our security team does not seem to like the approach ;-)

The problem with a separate sub-package:
* Some (older?) openSUSE distribution checks had problems with files and
directories that were packaged in multiple sub-packages (even if the
sub-packages conflicted with each other). Which made it impossible to
get the package in Factory at all.
* Even with "supplements" and "suggests", people might have to choose
their sub-package manually, if there is just a small mistake.
* it becomes a packagers nightmare to adapt all the available plugins
and 3rd party apps for all the possible monitoring daemons...

So instead of maintaining a growing list of packages that require more
and more time for packaging and maintenance (to support users by
providing help to install 3rd party app X together with daemon Y), I
like to get your feedback about the following approach:

* use only the following users - at least for the packages icinga,
nagios, naemon and shinken: monitoring
* use only the following main group: monitoring
* use only the following sub-group: monitorcmd

That would allow the 3rd party applications/packages to use the same
user/group without any modifications.

From a security stand point, this might be a nightmare, correct. But
please think how often a user is running more than one monitoring
solution in parallel on the same machine?

Instead: how often might it be that a user wants to migrate from one
monitoring solution to another and has to go through a lot of config
files and filesystem permissions before he can start with the
real migration?

We need to document the new "generic/default monitoring user/group on
openSUSE", of course. But we also would need more and more
documentation if we follow the current approach - so I do not see this
as negative impact.

An alternative might be to reduce the available monitoring packages for
openSUSE to get more time for packaging and documentation if we stay on
the current system. But I like freedome, so I do not like this point ;-)

As far as I found out (but I did only a small research), other
distributions like Debian are using also just one set of monitoring
users/groups for the compatible monitoring applications. If someone
knows more, I would be very happy to hear.

So my question is: what is your opinion?

CU,
Lars


--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-packaging+owner@xxxxxxxxxxxx

< Previous Next >