[Nagiosplug-devel] check_ping and check_icmp confusion

Andreas Ericsson ae at op5.se
Wed Feb 22 11:47:01 CET 2006


Jason Crawford wrote:
> On 2/22/06, Andreas Ericsson <ae at op5.se> wrote:
> 
>>Andreas Ericsson wrote:
>>
>>>
>>Oh, and the most compelling reasons not to use check_ping:
>>* It runs /bin/ping and parses the output. This works nicely so long as
>>the developers have access to a ping that produces output in a certain
>>format, but that's not as predictable as some like to think.
>>* It is *much* slower than check_icmp.
>>* It consumes more resources.
>>* The code is ugly enough to make a man's eyes pop.
>>
> 
> True, trying to use /bin/ping on a system no developer has seen yet
> would be a bit difficult, as well as running a separate binary does
> take up more resources. And when I was trying to track down that
> check_ping segfault issue, going over that code wasn't the easiest.
> Having check_icmp chroot(2) itself would definitely improve security
> quite a bit, but I also wonder how much more resources it would
> consume (never did chroot(2) benchmarks before).
> 

Virtually none. chroot(2) is a very simple system call that comes at the 
expense of setting a couple of variables in the kernel. The relevant 
parts are in fs/open.c (sys_chroot), fs/namespace.c (set_fs_root()) and 
fs/namei.c (set_fs_altroot()).

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231
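
The confinement discussed in this thread, as an added example that is not part of the original message and is not code from check_icmp or the Nagios plugins: a program opens its raw ICMP socket while still root, then chroots and drops privileges. The jail path `/var/empty`, the uid/gid 65534 and the helper names `confine` and `confine_in_child` are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes chroot(2) and setgroups(2) in glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* chroot into `jail`, then give up root for good.
 * Returns 0 on success or the errno of the first step that failed. */
int confine(const char *jail, uid_t uid, gid_t gid)
{
    if (chdir(jail) != 0) return errno;           /* cwd must end up inside the jail */
    if (chroot(".") != 0) return errno;           /* needs root (CAP_SYS_CHROOT) */
    if (chdir("/") != 0) return errno;
    if (setgroups(0, NULL) != 0) return errno;    /* drop supplementary groups */
    if (setgid(gid) != 0) return errno;           /* gid before uid, or setgid fails */
    if (setuid(uid) != 0) return errno;
    if (uid != 0 && setuid(0) == 0) return EPERM; /* root must not be recoverable */
    return 0;
}

/* Run confine() in a forked child so the caller stays unconfined.
 * Returns the child's result, or -1 if fork/wait failed. */
int confine_in_child(const char *jail, uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(confine(jail, uid, gid));
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Privileged setup first: the open socket stays usable after confinement. */
    int sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (sock < 0) perror("raw socket (needs root)");
    int rc = confine("/var/empty", 65534, 65534); /* assumed jail and ids */
    if (rc != 0) {
        fprintf(stderr, "confine failed: %s\n", strerror(rc));
        return 1;                                 /* fail closed, do not run unconfined */
    }
    /* ... send and receive ICMP on sock here, without root or a filesystem ... */
    return 0;
}
```

The order matters: a chroot that is not followed by a privilege drop can be undone by a process that is still root.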
