icingaweb2 Permission denied

Question

Please help me to solve this issue with icingaweb

icinga2: Can't send external Icinga command to the local command file "/var/run/icinga2/cmd/icinga2.cmd": Permission denied.

#0 /usr/share/icingaweb2/modules/monitoring/application/forms/Command/Object/ScheduleServiceDowntimeCommandForm.php(191): Icinga\Module\Monitoring\Command\Transport\CommandTransport->send(Object(Icinga\Module\Monitoring\Command\Object\ScheduleHostDowntimeCommand))
#1 /usr/share/icingaweb2/modules/monitoring/application/forms/Command/Object/ScheduleHostDowntimeCommandForm.php(108): Icinga\Module\Monitoring\Forms\Command\Object\ScheduleServiceDowntimeCommandForm->scheduleDowntime(Object(Icinga\Module\Monitoring\Command\Object\ScheduleHostDowntimeCommand), Object(Icinga\Web\Request))
#2 /usr/share/php/Icinga/Web/Form.php(1152): Icinga\Module\Monitoring\Forms\Command\Object\ScheduleHostDowntimeCommandForm->onSuccess()
#3 /usr/share/icingaweb2/modules/monitoring/library/Monitoring/Web/Controller/MonitoredObjectController.php(128): Icinga\Web\Form->handleRequest()
#4 /usr/share/icingaweb2/modules/monitoring/application/controllers/HostController.php(155): Icinga\Module\Monitoring\Web\Controller\MonitoredObjectController->handleCommandForm(Object(Icinga\Module\Monitoring\Forms\Command\Object\ScheduleHostDowntimeCommandForm))
#5 /usr/share/php/Zend/Controller/Action.php(516): Icinga\Module\Monitoring\Controllers\HostController->scheduleDowntimeAction()
#6 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(76): Zend_Controller_Action->dispatch('scheduleDowntim...')
#7 /usr/share/php/Zend/Controller/Front.php(954): Icinga\Web\Controller\Dispatcher->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#8 /usr/share/php/Icinga/Application/Web.php(384): Zend_Controller_Front->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#9 /usr/share/php/Icinga/Application/webrouter.php(109): Icinga\Application\Web->dispatch()
#10 /usr/share/icingaweb2/public/index.php(4): require_once('/usr/share/php/...')
#11 {main}

Answer 1

In my case (CentOS 7) all I had to do was to ensure the icinga2 feature 'command' was enabled, and restart the service.

icinga2 feature enable command
systemctl restart icinga2.service

Answer 2

The error message is probably correct. You'll need to setup the correct unix permissions for that file. The CentOS7 packages do the right thing there, but for me the problem was related to selinux. Check SELinux denials to see if your commands are being denied:

ausearch -m avc --start recent

Check the context of the command file:

# ls -lZ /var/run/icinga2/cmd/icinga2.cmd
prw-rw----. icinga icingacmd system_u:object_r:var_run_t:s0 /var/run/icinga2/cmd/icinga2.cmd

I fixed this by installing the icinga2-selinux package after all the other configuration. In particular, you need to (re)install it after enabling the local (named pipe) command transport. After re-installing icinga2-selinux, the correct context should be:

# ls -lZ /var/run/icinga2/cmd/icinga2.cmd
prw-rw----. icinga icingacmd system_u:object_r:icinga2_command_t:s0 /var/run/icinga2/cmd/icinga2.cmd

Restart icinga2 and Apache.

Answer 3

Disabling selinux will help. Temp disable selinux and try again.

setenforce 0 

If it works, try a permanent one. Edit /etc/selinux/config and make sure

SELINUX=disabled

Answer 4

For me, the command feature were enabled. Everything were well installed. I'm using Debian.

I checked when ls /var/run/icinga -lh (lh options means detailed), and I found that (cleaned output):

drwx------ www-data cmd
drwx------ www-data icinga2.pid

As the file were ran with root, it didn't have any options on the file. After running chmod 777 /var/run/icinga2/cmd or simply change the owner with chown command, it will fix it.