1. Set up sudoers using visudo on the system hosting the sensu-go backend
sudo visudo
2. Add sudo directives to allow the sensu group to run a command without a password
Ex: control the nginx service
### Allow sensu group to control nginx service without requiring a password
%sensu ALL=NOPASSWD:/usr/bin/systemctl stop nginx.service
%sensu ALL=NOPASSWD:/usr/bin/systemctl stop nginx
%sensu ALL=NOPASSWD:/usr/bin/systemctl start nginx.service
%sensu ALL=NOPASSWD:/usr/bin/systemctl start nginx
%sensu ALL=NOPASSWD:/usr/bin/systemctl restart nginx.service
%sensu ALL=NOPASSWD:/usr/bin/systemctl restart nginx
Note: the rules spell out both nginx.service and nginx explicitly, so either calling syntax will work under sudo
3. Test sudo as the sensu user with sudo su
Run these invocations as your normal user to test the sensu user's ability to use sudo to control nginx.
This assumes your normal user has sudo access to run the su command.
sudo su -s /usr/bin/bash - sensu -c 'sudo -S systemctl restart nginx'
sudo su -s /usr/bin/bash - sensu -c 'sudo -S systemctl restart nginx.service'
sudo su -s /usr/bin/bash - sensu -c 'sudo -S systemctl stop nginx'
sudo su -s /usr/bin/bash - sensu -c 'sudo -S systemctl start nginx.service'
sudo su -s /usr/bin/bash - sensu -c 'sudo -S systemctl start nginx'
sudo su -s /usr/bin/bash - sensu -c 'sudo -S systemctl stop nginx.service'
Note: use systemctl status nginx between invocations to examine the state of the nginx service
Note: the su -s option to set the shell is required for the sensu user, as the sensu user is defined without a login shell in /etc/passwd
Note: the sudo -S option is required to instruct sudo to use stdin, as this calling sequence runs sudo disconnected from a valid tty
4. Configure handler to use sudo
Ex: handler to stop nginx service
type: Handler
api_version: core/v2
metadata:
  name: nginx-stop
  namespace: default
spec:
  command: sudo -S systemctl stop nginx
  env_vars: []
  filters: []
  handlers: []
  runtime_assets: []
  timeout: 30
  type: pipe
Note: the sudo -S option is required to instruct sudo to use stdin as this calling sequence is disconnected from a tty
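An added check for the rules from step 2 (example code, not part of the original write-up): it flags %sensu NOPASSWD rules that are broader than the fully spelled-out commands shown above, since a sudoers command listed without arguments may be run with any arguments. The function and sample names are hypothetical and the sample rules are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Audits NOPASSWD rules for %sensu.
# Assumption: one command per rule line, as in the rules shown in step 2.
# Reads sudoers text on stdin, prints one "RISK: ..." line per broad rule,
# and returns non-zero if any rule was flagged.
audit_sensu_sudoers() {
    awk '
    function flag(why) { printf "RISK: %s: %s\n", why, $0; bad++ }
    /^[ \t]*#/ { next }                       # skip sudoers comments
    $1 == "%sensu" && /NOPASSWD:/ {
        cmd = $0
        sub(/^.*NOPASSWD:[ \t]*/, "", cmd)    # keep only the command spec
        sub(/[ \t]+$/, "", cmd)               # drop trailing whitespace
        n = split(cmd, part, /[ \t]+/)
        if (part[1] == "ALL")          flag("grants every command")
        else if (part[1] !~ /^\//)     flag("command path is not absolute")
        else if (cmd ~ /[*?]/)         flag("wildcard in command or arguments")
        else if (n == 1)               flag("no arguments listed, any argument allowed")
    }
    END { exit (bad > 0) }
    '
}

# Constructed sample: rules in the style of step 2, which should pass.
sample_good() { cat <<'EOF'
### Allow sensu group to control nginx service without requiring a password
%sensu ALL=NOPASSWD:/usr/bin/systemctl stop nginx.service
%sensu ALL=NOPASSWD:/usr/bin/systemctl restart nginx
EOF
}

# Constructed sample: broader rules that should each be flagged.
sample_broad() { cat <<'EOF'
%sensu ALL=NOPASSWD:/usr/bin/systemctl
%sensu ALL=NOPASSWD:/usr/bin/systemctl restart *
%sensu ALL=NOPASSWD:ALL
EOF
}

sample_good  | audit_sensu_sudoers && echo "pinned rules: nothing flagged"
sample_broad | audit_sensu_sudoers || echo "broad rules: flagged above"
```

Against a live system, pipe the real file in with `sudo cat /etc/sudoers | audit_sensu_sudoers`; `visudo -c` separately checks the file's syntax.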