[naemon-users] thruk failed to connect - Permission denied. (/var/cache/naemon/live)

Burke, Andrew Andrew.Burke at fisglobal.com
Thu Jan 26 10:21:19 CET 2017


Hi all.
I upgraded my CentOS box, thruk and naemon to the latest version a couple of days ago. Below is my version info.
[root@myhost ~]# cat /etc/redhat-release
    CentOS Linux release 7.3.1611 (Core)
[root@myhost ~]# rpm -qa | grep 'thruk\|naemon'
    thruk-plugin-reporting-2.12-3.x86_64
    naemon-devel-1.0.6-1.el7.centos.x86_64
    libnaemon-1.0.6-1.el7.centos.x86_64
    naemon-tools-1.0.6-1.el7.centos.x86_64
    libthruk-2.10-1.el7.centos.x86_64
    naemon-thruk-1.0.6-1.el7.centos.x86_64
    naemon-core-1.0.6-1.el7.centos.x86_64
    thruk-base-2.12-3.x86_64
    naemon-1.0.6-1.el7.centos.x86_64
    naemon-debuginfo-1.0.3-1.el7.centos.x86_64
    naemon-core-dbg-1.0.6-1.el7.centos.x86_64
    naemon-livestatus-1.0.6-1.el7.centos.x86_64
    thruk-2.12-3.x86_64
I thought everything had gone well but noticed an issue after a restart yesterday. The thruk ui tells me there is no backend available and the thruk log has entries confirming this.
[root@myhost ~]# tail /var/log/thruk/thruk.log
    [2017/01/25 12:18:22][myhost][ERROR][Thruk] No Backend available
    [2017/01/25 12:18:22][myhost][ERROR][Thruk] on page: http://myhost.example.com/thruk/cgi-bin/status.cgi?host=all&_=1485346700788
    [2017/01/25 12:18:22][myhost][ERROR][Thruk] Naemon: ERROR: failed to connect - Permission denied. (/var/cache/naemon/live)
There is a naemon user and group and they own the Naemon process and files; thruk runs with the apache user and this user was added to the naemon group.
[root@myhost ~]# ps aux | grep '[t]hruk\|[h]ttpd\|[n]aemon'
    naemon    1134  0.0  0.0 303956   868 ?        S    10:11   0:00 /usr/local/pnp4nagios/bin/npcd -d -f /usr/local/pnp4nagios/etc/npcd.cfg
    naemon    8601  0.3  0.4 157116  8316 ?        Ss   12:07   0:06 /usr/bin/naemon --daemon /etc/naemon/naemon.cfg
    naemon    8602  0.0  0.0  17628  1280 ?        S    12:07   0:00 /usr/bin/naemon --worker /var/lib/naemon/naemon.qh
    naemon    8603  0.0  0.0  17628  1288 ?        S    12:07   0:00 /usr/bin/naemon --worker /var/lib/naemon/naemon.qh
    naemon    8604  0.0  0.0  17628  1280 ?        S    12:07   0:00 /usr/bin/naemon --worker /var/lib/naemon/naemon.qh
    naemon    8605  0.0  0.0  17628  1280 ?        S    12:07   0:00 /usr/bin/naemon --worker /var/lib/naemon/naemon.qh
    naemon    8606  0.0  0.2  91512  5400 ?        S    12:07   0:00 /usr/bin/naemon --daemon /etc/naemon/naemon.cfg
    root      8808  0.0  0.8 349364 16100 ?        Ss   12:07   0:00 /usr/sbin/httpd -DFOREGROUND
    root      8818  0.0  1.3 126612 24824 ?        S    12:07   0:00 perl -x /usr/share/thruk/thruk_auth
    apache    8820  0.0  0.2 299556  4292 ?        S    12:07   0:00 /usr/sbin/httpd -DFOREGROUND
    apache    8821  0.0  0.4 349676  7972 ?        S    12:07   0:00 /usr/sbin/httpd -DFOREGROUND
    apache    8822  0.0  0.4 349704  7864 ?        S    12:07   0:00 /usr/sbin/httpd -DFOREGROUND
    apache    8823  0.0  0.4 349696  7844 ?        S    12:07   0:00 /usr/sbin/httpd -DFOREGROUND
    apache    8824  0.0  0.4 350064  8104 ?        S    12:07   0:00 /usr/sbin/httpd -DFOREGROUND
    apache    8825  0.0  0.4 350064  8236 ?        S    12:07   0:00 /usr/sbin/httpd -DFOREGROUND
    apache    8853  0.0  2.2 119444 41708 ?        S    12:08   0:01 /usr/bin/perl /usr/share/thruk/script/thruk_fastcgi.pl
    apache   11149  0.0  0.4 349696  7844 ?        S    12:10   0:00 /usr/sbin/httpd -DFOREGROUND
[root@myhost ~]# id naemon
    uid=995(naemon) gid=994(naemon) groups=994(naemon)
[root@myhost ~]# id apache
    uid=48(apache) gid=48(apache) groups=994(naemon),48(apache)
The permissions of the socket file and folders that contain it seem ok.
[root@myhost ~]# ls -lad /var/
    drwxr-xr-x. 21 root root 4096 Jan 25 10:10 /var/
[root@myhost ~]# ls -lad /var/cache/
    drwxr-xr-x. 10 root root 112 Jan 25 08:56 /var/cache/
[root@myhost ~]# ls -lad /var/cache/naemon/
    drwxrwsr-x. 3 naemon naemon 29 Jan 25 12:07 /var/cache/naemon/
[root@myhost ~]# ls -la /var/cache/naemon/live
    srw-rw---- 1 naemon naemon 0 Jan 25 12:07 /var/cache/naemon/live
Accessing the livestatus seems ok for root and naemon users but not for apache user.
[root@myhost ~]# echo -e 'GET hosts\nColumns: name\nFilter: host_name = localhost' | unixcat /var/cache/naemon/live
    localhost
[root@myhost ~]# su -c "echo -e 'GET hosts\nColumns: name\nFilter: host_name = localhost' | unixcat /var/cache/naemon/live" naemon
    localhost
[root@myhost ~]# su -c "echo -e 'GET hosts\nColumns: name\nFilter: host_name = localhost' | unixcat /var/cache/naemon/live" apache
    Couldn't connect to UNIX-socket at /var/cache/naemon/live: Permission denied.
If I change the group ownership to apache it then works.
[root@myhost ~]# chown naemon:apache /var/cache/naemon/live
[root@myhost ~]# ls -la /var/cache/naemon/live
    srw-rw---- 1 naemon apache 0 Jan 25 12:07 /var/cache/naemon/live
[root@myhost ~]# su -c "echo -e 'GET hosts\nColumns: name\nFilter: host_name = localhost' | unixcat /var/cache/naemon/live" apache
    localhost
I have other servers running exactly the same setup and they seem ok, must say I am stumped...
Any suggestions?
Thanks
Andrew