Debian Stretch (Debian 9) was released a couple of days ago, on June 17th 2017. In March 2016 I wrote about Debian Jessie (Debian 8) and the problem that the NRPE package was compiled without command arguments allowed. I won't go into details why the command arguments were disabled (read the mentioned article to get these details). This article is somewhat of a follow-up.
In Stretch this is still the same "default"; command arguments are still disabled. But additionally Stretch features the new NRPE version 3.x (3.0.1 to be exact). This can be seen as a breakthrough because NRPE came with version 2.1x for the last many years. It's definitely a big and necessary change, because NRPE became outdated yet it is still widely used in combination with Nagios and Icinga. The NRPE project is now also publicly developed (see Nagios NRPE Github repository).
This means that not only one has to recompile the nagios-nrpe Debian source package to enable command arguments, but one also needs to be made aware how to solve backward compatibility issues. Let's tackle the first challenge.
Note: If you want to take a shortcut without the technical details, just go to https://www.claudiokuenzler.com/downloads/nrpe/, download the deb package, and install it.
NRPE 3.x is built on much newer SSL/TLS protocols than NRPE 2.x. Therefore SSL communication between the two NRPE versions doesn't work.
Here I tried to connect from check_nrpe (2.15) to a nagios-nrpe-server (3.0.1):
$ ./check_nrpe -H 10.10.45.10
CHECK_NRPE: Error - Could not complete SSL handshake.
On the server side, the following log entries appeared (NRPE debug logging enabled):
Jun 22 09:04:51 stretch nrpe: Connection from 10.10.45.50 port 33773
Jun 22 09:04:51 stretch nrpe: Host address is in allowed_hosts
Jun 22 09:04:51 stretch nrpe: Error: Request packet version was invalid!
Jun 22 09:04:51 stretch nrpe: Could not read request from client 10.10.45.50, bailing out...
Jun 22 09:04:51 stretch nrpe: Connection from 10.10.45.50 closed.
The logs clearly show a problem between the packet versions. But if check_nrpe is launched without SSL encryption (using the -n parameter), the connection works:
$ ./check_nrpe -H 10.10.45.10 -n
Server side logging now shows:
Jun 22 09:06:18 stretch nrpe: Connection from 10.10.45.50 port 5528
Jun 22 09:06:18 stretch nrpe: Host address is in allowed_hosts
Jun 22 09:06:18 stretch nrpe: Host 10.10.45.50 is asking for command '_NRPE_CHECK' to be run...
Jun 22 09:06:18 stretch nrpe: Response to 10.10.45.50: NRPE v3.0.1
Jun 22 09:06:18 stretch nrpe: Return Code: 0, Output: NRPE v3.0.1
Jun 22 09:06:18 stretch nrpe: Connection from 10.10.45.50 closed.
Disabling SSL encryption is not a good idea, I agree. But until all hosts (monitoring server and clients) are updated to a newer NRPE 3.x version it is at least a workaround to ensure compatibility between NRPE 2.x and 3.x. As long as the NRPE connection is happening only in the internal networks, there's not too much to worry about either (but be careful if you happen to check servers through the Internet!).
Update July 19th 2017: As you can see in the comment from David Goodwin, that SSL compatibility problem was fixed in NRPE 3.2.0 (see this commit). NRPE 3.2.x can be installed in Debian through the stretch-backports repositories.
Update July 23rd 2017: This is now also fixed in the "original" Stretch-Package (see http://metadata.ftp-master.
Up to the second challenge:
1) Add the deb-src line into your /etc/apt/sources.list file, if it doesn't exist yet. Use your preferred mirror:
deb-src http://mirror.switch.ch/ftp/mirror/debian/ stretch main
Update the repository list afterwards:
2) Install the build tools and dependencies needed to compile the package:
apt-get build-dep nagios-nrpe
apt-get install devscripts build-essential
3) Download the nagios-nrpe source package:
apt-get source nagios-nrpe
The files will be downloaded into the current directory.
4) Change into the package directory and adapt the debian/rules file:
cd nagios-nrpe-3.0.1/; vi debian/rules
At the end of the "override_dh_auto_configure" the "--enable-command-args" need to be added:
dh_auto_configure -- \
5) Edit the changelog:
This command will ask you to enter information what exactly you have done to this package. In my case I entered the following information:
nagios-nrpe (3.0.1-1) stable; urgency=medium
* Non-maintainer upload.
* Compiled with command arguments enabled
-- Claudio Kuenzler
6) Create the new deb package:
debuild -us -uc -sa
7) Move one directory up and you will see the newly created files:
cd ..; ls -la | grep 3.0.1-1
-rw-r--r-- 1 ckadm ckadm 53352 Jun 22 09:24 nagios-nrpe-plugin-dbgsym_3.0.1-1_amd64.deb
-rw-r--r-- 1 ckadm ckadm 30118 Jun 22 09:24 nagios-nrpe-plugin_3.0.1-1_amd64.deb
-rw-r--r-- 1 ckadm ckadm 73252 Jun 22 09:24 nagios-nrpe-server-dbgsym_3.0.1-1_amd64.deb
-rw-r--r-- 1 ckadm ckadm 347278 Jun 22 09:24 nagios-nrpe-server_3.0.1-1_amd64.deb
-rw-r--r-- 1 ckadm ckadm 347278 Jun 22 09:24 nagios-nrpe-server_3.0.1-1_amd64.stretch.deb
-rw-r--r-- 1 ckadm ckadm 13792 Jun 22 09:24 nagios-nrpe_3.0.1-1.debian.tar.xz
-rw-r--r-- 1 ckadm ckadm 1225 Jun 22 09:24 nagios-nrpe_3.0.1-1.dsc
-rw-r--r-- 1 ckadm ckadm 50600 Jun 22 09:24 nagios-nrpe_3.0.1-1_amd64.build
-rw-r--r-- 1 ckadm ckadm 5787 Jun 22 09:24 nagios-nrpe_3.0.1-1_amd64.buildinfo
-rw-r--r-- 1 ckadm ckadm 2880 Jun 22 09:24 nagios-nrpe_3.0.1-1_amd64.changes
8) The deb package can now be installed:
root@stretch:/ # dpkg -i /home/ckadm/nagios-nrpe-server_3.0.1-1_amd64.deb
dpkg: warning: downgrading nagios-nrpe-server from 3.0.1-3 to 3.0.1-1
(Reading database ... 36589 files and directories currently installed.)
Preparing to unpack .../nagios-nrpe-server_188.8.131.52_amd64.deb ...
Unpacking nagios-nrpe-server (3.0.1-1) over (3.0.1-3) ...
Setting up nagios-nrpe-server (3.0.1-1) ...
Processing triggers for systemd (232-25) ...
Processing triggers for man-db (184.108.40.206-2) ...
To make sure the new binary is used, restarted the daemon:
root@stretch:/etc/nagios# systemctl restart nagios-nrpe-server
NRPE checks using arguments are now working:
$ ./check_nrpe -H 10.10.45.10 -n -c check_load -a "1,2,3" "4,5,6"
OK - load average: 0.22, 0.09, 0.04|load1=0.220;1.000;4.000;0; load5=0.090;2.000;5.000;0; load15=0.040;3.000;6.000;0;
NRPE server side logging shows:
Jun 22 09:18:03 stretch nrpe: Connection from 10.10.45.50 port 26246
Jun 22 09:18:03 stretch nrpe: Host address is in allowed_hosts
Jun 22 09:18:03 stretch nrpe: Host 10.10.45.50 is asking for command 'check_load' to be run...
Jun 22 09:18:03 stretch nrpe: Running command: /usr/lib/nagios/plugins/check_load -w 1,2,3 -c 4,5,6
Jun 22 09:18:03 stretch nrpe: Command completed with return code 0 and output: OK - load average: 0.28, 0.14, 0.05|load1=0.280;1.000;4.000;0; load5=0.140;2.000;5.000;0; load15=0.050;3.000;6.000;0;
Jun 22 09:18:03 stretch nrpe: Return Code: 0, Output: OK - load average: 0.28, 0.14, 0.05|load1=0.280;1.000;4.000;0; load5=0.140;2.000;5.000;0; load15=0.050;3.000;6.000;0;
Jun 22 09:18:03 stretch nrpe: Connection from 10.10.45.50 closed.
Update July 28th 2017: The deb package, containing the enabled command arguments, was updated to contain the SSL fixes. New file name: nagios-nrpe-server_3.0.1-3+deb9u1.1_amd64.stretch.deb. You can find the nagios-nrpe-server packages with command arguments enabled here: https://www.claudiokuenzler.com/downloads/nrpe/.
Update May 15th 2019: Added deb package for Debian 10 Buster: https://www.claudiokuenzler.com/downloads/nrpe/. Command arguments are still disabled in the default package.
Reno from France wrote on Oct 18th, 2017:
Very useful informations, thank you boss! :)
David Goodwin from United Kingdom wrote on Jul 15th, 2017:
The SSL issue appears to be fixed (it is for me anyway, where my nagios server is still on Jessie, but I upgraded one monitored server to Stretch and found that my checks failed)
apt-get install -t stretch-backports nagios-nrpe-server
AWS Android Ansible Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Consul Container Containers CouchDB DB DNS Database Databases Docker ELK ElasticSearch Elasticsearch Filebeat FreeBSD GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Icingaweb2 InfluxDB Internet Java Kibana Kubernetes LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Rancher SSL Security Shell SmartOS Solaris Surveillance SystemD TLS Tomcat Ubuntu Unix VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder