[Nagiosplug-devel] Re: check_by_ssh patch

[Stanley Hopcroft]

Dear Folks,

I am writing to thank you for your letters and say,

On Wed, Mar 31, 2004 at 07:07:49PM +0200, Andreas Ericsson wrote:
 .. snip ...

> 
> I know that, but how does it work under the hood?
>

Perl is built into Nagios using the techniques described in Perlembed
(in partic the persistent interpeter) providing full access to the Perl
API and the Perl parse tree (doesn't quite know what he's talking
about here) for each Perl plugin that has been run.

A driver <path_to_Nag>/bin/p1.pl is called in checks.c when a Perl 
plugin is detected.

The driver maintains a global and persistent hash of compiled plugins.

Nag calls the driver twice

1 in 

/* call our perl interpreter to compile and optionally cache the command
*/

perl_call_argv("Embed::Persistent::eval_file", G_DISCARD | G_EVAL,
args);


to check if the plugin needs compiling (by checking if the plugin is 
found in the hash)

If it hasn't been compiled or the source has changed, it is string
eval'd to get it compiled, and  the hash updated.


2 in 

 /* execute our previously compiled script - from 
perl_call_argv("Embed::Persistent::eval_file",..) */

perl_call_pv("Embed::Persistent::run_package", G_EVAL | G_ARRAY);

/* note this is my source tree so it is slightly different to yours */

At this point the plugin is known to be compiled, so it is run by the 
driver in such a way that it is not recompiled ( eval { }; ).

The plugin parse tree stays in core because Perl does. There is _no_ new 
Perl each time a plugin is run (unlike the non-epn case).

Because of this persistence, global values hang around and can cause
side effects.


> If perl (the program) 
> is invoked every time a precompiled image needs to execute I seriously 
> doubt the effectiveness of the epn.

It isn't. Perl is loaded only once by Nagios when Nagios initialises
(this will change to be periodic I think in 2.0 to deal with Perl memory
leaks).


I think it is effective; the tradeoff is 

. leaks

. more memory usage

(ie well worth it).


> If it doesn't, then how can it the 
> elevated privileges of the script be retained?
> That's why the epn was mentioned in the follow-up question.
> 

Since each plugin is compiled only once, I think ePN is unsuitable for 
setuid.

I use a C wrapper to execve the Perl plugin (and take the perf hit) in 
this case.

Lastly, 

Yours sincerely.

-- 
------------------------------------------------------------------------
Stanley Hopcroft
------------------------------------------------------------------------

'...No man is an island, entire of itself; every man is a piece of the
continent, a part of the main. If a clod be washed away by the sea,
Europe is the less, as well as if a promontory were, as well as if a
manor of thy friend's or of thine own were. Any man's death diminishes
me, because I am involved in mankind; and therefore never send to know
for whom the bell tolls; it tolls for thee...'

from Meditation 17, J Donne.