[hobbit] Hobbit client executing a script to be proactive if a problem occurs?

Haertig, David F (Dave) haertig at avaya.com
Fri Apr 11 22:40:00 CEST 2008


Yes, all of my Hobbit clients have ssh authorized_keys setup to allow
the Hobbit server in without password.  In the case where I need to run
a script on the Hobbit client under a different userid than 'hobbit',
that other userid also has the Hobbit servers pubkey in its
authorized_keys file.  Alternately, you gould use setuid scripts on the
client (very unsecure), or use "expect" in your Hobbit server scripts
and "sudo" on the client end to gain access to the userid you need.
This second expect/sudo route is doable, but messy and requires you to
have the 'hobbit' password from the client end stored on your server
(not the most secure thing).

When coworkers ask me to use Hobbit to "fix" something on their client
end I council them that Hobbit really is an alerting system and not a
repairing system.  But if they really want me to attempt an automated
"repair", then they have to put my pubkey into their authorized_keys
files, therefore giving me full access to their userid on the client
machine.  I also mandate that if they want me to restart a process, that
I will only kill it.  The restart must be their responsibility (using a
local cronjob or whatever).  This further insulates me from any
political fallback regarding a failed automated repair attempt on an
errant process.  Further insolation for me is provided by me informing
everyone (management too) that they can shut off my automated Hobbit
repairs at any time, instantaneously, by simply removing my pubkey from
their authorized_keys file(s).  It's called "CYA" for when I am
pressured to make Hobbit do something that it rally wasn't designed for.

-----Original Message-----
From: Chris Wopat [mailto:chrisw at supranet.net] 
Sent: Friday, April 11, 2008 12:51 PM
To: hobbit at hswn.dk
Subject: Re: [hobbit] Hobbit client executing a script to be proactive
if a problem occurs?

Haertig, David F (Dave) wrote:
> Here is how I execute a remote "pkill" on a client.  Replace 
> "client_server" with your client hostname, and replace "client_userid"
> with the userid (on the client) that you want to run the script 
> (pkill) under.  Also, set up ssh pubkey authentication between the 
> Hobbit server and client so that ssh does not prompt you for a
password.
> 
> 
> hobbit_alerts.cfg:

<snip>

Thanks, this is exactly what I needed to get started. I can un-wrap the
lines no problem, only a few were anyway.

I'm assuming you're using ssh keys? My current hobbit server
installation (from FreeBSD ports) has no home dir set, so it looks like
I'll have to set one to store its side of the keys.

--Chris

To unsubscribe from the hobbit list, send an e-mail to
hobbit-unsubscribe at hswn.dk





More information about the Xymon mailing list