Debian 9 Stretch and Nagios NRPE (command args and SSL compatibility)
Thursday - Jun 22nd 2017 - (1 comment)

Debian Stretch (Debian 9) was released a couple of days ago, on June 17th 2017. In March 2016 I wrote about Debian Jessie (Debian 8) and the problem that the NRPE package was compiled without command arguments allowed. I won't go into details why the command arguments were disabled (read the mentioned article to get these details). This article is somewhat of a follow-up.

In Stretch this is still the same "default"; command arguments are still disabled. But additionally Stretch features the new NRPE version 3.x (3.0.1 to be exact). This can be seen as a breakthrough because NRPE stayed at version 2.1x for many years. It's definitely a big and necessary change, because NRPE had become outdated yet is still widely used in combination with Nagios and Icinga. The NRPE project is now also publicly developed (see the Nagios NRPE GitHub repository).

This means that one not only has to recompile the nagios-nrpe Debian source package to enable command arguments, but also needs to know how to solve backward compatibility issues.

Let's tackle the first challenge: [ Compatibility between NRPE 2.x and 3.x ] -> (meanwhile fixed)

NRPE 3.x is built on much newer SSL/TLS protocols than NRPE 2.x. Therefore SSL communication between the two NRPE versions doesn't work.
Here I tried to connect from check_nrpe (2.15) to a nagios-nrpe-server (3.0.1):

$ ./check_nrpe -H 10.10.45.10
CHECK_NRPE: Error - Could not complete SSL handshake.

On the server side, the following log entries appeared (NRPE debug logging enabled):

Jun 22 09:04:51 stretch nrpe[1267]: Connection from 10.10.45.50 port 33773
Jun 22 09:04:51 stretch nrpe[1267]: Host address is in allowed_hosts
Jun 22 09:04:51 stretch nrpe[1267]: Error: Request packet version was invalid!
Jun 22 09:04:51 stretch nrpe[1267]: Could not read request from client 10.10.45.50, bailing out...
Jun 22 09:04:51 stretch nrpe[1267]: Connection from 10.10.45.50 closed.

The logs clearly show a problem between the packet versions. But if check_nrpe is launched without SSL encryption (using the -n parameter), the connection works:

$ ./check_nrpe -H 10.10.45.10 -n
NRPE v3.0.1

Server side logging now shows:

Jun 22 09:06:18 stretch nrpe[1301]: Connection from 10.10.45.50 port 5528
Jun 22 09:06:18 stretch nrpe[1301]: Host address is in allowed_hosts
Jun 22 09:06:18 stretch nrpe[1301]: Host 10.10.45.50 is asking for command '_NRPE_CHECK' to be run...
Jun 22 09:06:18 stretch nrpe[1301]: Response to 10.10.45.50: NRPE v3.0.1
Jun 22 09:06:18 stretch nrpe[1301]: Return Code: 0, Output: NRPE v3.0.1
Jun 22 09:06:18 stretch nrpe[1301]: Connection from 10.10.45.50 closed.

Disabling SSL encryption is not a good idea, I agree. But until all hosts (monitoring server and clients) are updated to a newer NRPE 3.x version it is at least a workaround to ensure compatibility between NRPE 2.x and 3.x. As long as the NRPE connection is happening only in the internal networks, there's not too much to worry about either (but be careful if you happen to check servers through the Internet!).

Update July 19th 2017: As you can see in the comment from David Goodwin, that SSL compatibility problem was fixed in NRPE 3.2.0 (see this commit). NRPE 3.2.x can be installed in Debian through the stretch-backports repositories.

Update July 23rd 2017: This is now also fixed in the "original" Stretch-Package (see http://metadata.ftp-master.debian.org/changelogs/main/n/nagios-nrpe/nagios-nrpe_3.0.1-3+deb9u1_changelog). No need anymore to use the backports repos.

And now to the second challenge: [ Enable command arguments ]

Heads-up: A ready-to-install package for Debian Stretch (and other Debian and Ubuntu versions) can be found here: https://www.claudiokuenzler.com/downloads/nrpe/

1) Add the deb-src line into your /etc/apt/sources.list file, if it doesn't exist yet. Use your preferred mirror:

deb-src http://mirror.switch.ch/ftp/mirror/debian/ stretch main

Update the repository list afterwards:

apt-get update

2) Install the build tools and dependencies needed to compile the package:

apt-get build-dep nagios-nrpe
apt-get install devscripts build-essential

3) Download the nagios-nrpe source package:

apt-get source nagios-nrpe

The files will be downloaded into the current directory.

4) Change into the package directory and adapt the debian/rules file:

cd nagios-nrpe-3.0.1/; vi debian/rules

At the end of the "override_dh_auto_configure" target, the "--enable-command-args" option needs to be added:

    dh_auto_configure -- \
        --prefix=/usr \
        --sysconfdir=/etc \
        --libdir=/usr/lib/nagios \
        --libexecdir=/usr/lib/nagios/plugins \
        --localstatedir=/var \
        --enable-ssl \
        --with-ssl-lib=/usr/lib/$(DEB_HOST_MULTIARCH) \
        --with-piddir=/var/run/nagios \
        --enable-command-args

5) Edit the changelog:

dch -i

This command will ask you to describe what exactly you have done to this package. In my case I entered the following information:

 nagios-nrpe (3.0.1-1) stable; urgency=medium

  * Non-maintainer upload.
  * Compiled with command arguments enabled

 -- Claudio Kuenzler   Thu, 22 Jun 2017 09:15:13 +0200

6) Create the new deb package:

debuild -us -uc -sa

7) Move one directory up and you will see the newly created files:

cd ..; ls -la | grep 3.0.1-1
-rw-r--r--  1 ckadm ckadm  53352 Jun 22 09:24 nagios-nrpe-plugin-dbgsym_3.0.1-1_amd64.deb
-rw-r--r--  1 ckadm ckadm  30118 Jun 22 09:24 nagios-nrpe-plugin_3.0.1-1_amd64.deb
-rw-r--r--  1 ckadm ckadm  73252 Jun 22 09:24 nagios-nrpe-server-dbgsym_3.0.1-1_amd64.deb
-rw-r--r--  1 ckadm ckadm 347278 Jun 22 09:24 nagios-nrpe-server_3.0.1-1_amd64.deb
-rw-r--r--  1 ckadm ckadm 347278 Jun 22 09:24 nagios-nrpe-server_3.0.1-1_amd64.stretch.deb
-rw-r--r--  1 ckadm ckadm  13792 Jun 22 09:24 nagios-nrpe_3.0.1-1.debian.tar.xz
-rw-r--r--  1 ckadm ckadm   1225 Jun 22 09:24 nagios-nrpe_3.0.1-1.dsc
-rw-r--r--  1 ckadm ckadm  50600 Jun 22 09:24 nagios-nrpe_3.0.1-1_amd64.build
-rw-r--r--  1 ckadm ckadm   5787 Jun 22 09:24 nagios-nrpe_3.0.1-1_amd64.buildinfo
-rw-r--r--  1 ckadm ckadm   2880 Jun 22 09:24 nagios-nrpe_3.0.1-1_amd64.changes

8) The deb package can now be installed:

root@stretch:/ # dpkg -i /home/ckadm/nagios-nrpe-server_3.0.1-1_amd64.deb
dpkg: warning: downgrading nagios-nrpe-server from 3.0.1-3 to 3.0.1-1
(Reading database ... 36589 files and directories currently installed.)
Preparing to unpack .../nagios-nrpe-server_3.0.1.1_amd64.deb ...
Unpacking nagios-nrpe-server (3.0.1-1) over (3.0.1-3) ...
Setting up nagios-nrpe-server (3.0.1-1) ...
Processing triggers for systemd (232-25) ...
Processing triggers for man-db (2.7.6.1-2) ...

To make sure the new binary is used, restart the daemon:

root@stretch:/etc/nagios# systemctl restart nagios-nrpe-server

NRPE checks using arguments are now working:

$ ./check_nrpe -H 10.10.45.10 -n -c check_load -a "1,2,3" "4,5,6"
OK - load average: 0.22, 0.09, 0.04|load1=0.220;1.000;4.000;0; load5=0.090;2.000;5.000;0; load15=0.040;3.000;6.000;0;

NRPE server side logging shows:

Jun 22 09:18:03 stretch nrpe[17194]: Connection from 10.10.45.50 port 26246
Jun 22 09:18:03 stretch nrpe[17194]: Host address is in allowed_hosts
Jun 22 09:18:03 stretch nrpe[17194]: Host 10.10.45.50 is asking for command 'check_load' to be run...
Jun 22 09:18:03 stretch nrpe[17194]: Running command: /usr/lib/nagios/plugins/check_load -w 1,2,3 -c 4,5,6
Jun 22 09:18:03 stretch nrpe[17194]: Command completed with return code 0 and output: OK - load average: 0.28, 0.14, 0.05|load1=0.280;1.000;4.000;0; load5=0.140;2.000;5.000;0; load15=0.050;3.000;6.000;0;
Jun 22 09:18:03 stretch nrpe[17194]: Return Code: 0, Output: OK - load average: 0.28, 0.14, 0.05|load1=0.280;1.000;4.000;0; load5=0.140;2.000;5.000;0; load15=0.050;3.000;6.000;0;
Jun 22 09:18:03 stretch nrpe[17194]: Connection from 10.10.45.50 closed.
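
The two kinds of server-side log excerpts in this article (the failed SSL handshake from a 2.15 client and the check_load request carrying arguments) can be correlated per connection to see which clients still fail on the packet version and which command lines were actually executed with client-supplied arguments. This is an added example, not part of the original article; it assumes each connection is logged under its own nrpe[PID], as in the excerpts, and the sample lines are constructed from that format.

```shell
#!/bin/sh
# Added example (not from the article): one record per NRPE connection.
# Assumption: every connection is logged under its own PID in "nrpe[PID]",
# as in the log excerpts shown in this article.

# Constructed sample input, modelled on the debug-log format shown above.
sample_log() {
cat <<'EOF'
Jun 22 09:04:51 stretch nrpe[1267]: Connection from 10.10.45.50 port 33773
Jun 22 09:04:51 stretch nrpe[1267]: Host address is in allowed_hosts
Jun 22 09:04:51 stretch nrpe[1267]: Error: Request packet version was invalid!
Jun 22 09:04:51 stretch nrpe[1267]: Could not read request from client 10.10.45.50, bailing out...
Jun 22 09:04:51 stretch nrpe[1267]: Connection from 10.10.45.50 closed.
Jun 22 09:18:03 stretch nrpe[17194]: Connection from 10.10.45.50 port 26246
Jun 22 09:18:03 stretch nrpe[17194]: Host address is in allowed_hosts
Jun 22 09:18:03 stretch nrpe[17194]: Host 10.10.45.50 is asking for command 'check_load' to be run...
Jun 22 09:18:03 stretch nrpe[17194]: Running command: /usr/lib/nagios/plugins/check_load -w 1,2,3 -c 4,5,6
Jun 22 09:18:03 stretch nrpe[17194]: Connection from 10.10.45.50 closed.
EOF
}

# Print "client|status|executed command line" for every closed connection.
nrpe_sessions() {
  awk '
    !/ nrpe\[[0-9]+\]: / { next }              # skip non-NRPE syslog lines
    {
      pid = $0; sub(/^.* nrpe\[/, "", pid); sub(/\]: .*$/, "", pid)
      msg = $0; sub(/^.* nrpe\[[0-9]+\]: /, "", msg)
    }
    msg ~ /^Connection from [^ ]+ port / {
      split(msg, f, " "); client[pid] = f[3]; status[pid] = "ok"; cmd[pid] = "-"
    }
    msg ~ /Request packet version was invalid/ { status[pid] = "version_mismatch" }
    msg ~ /^Running command: / { cmd[pid] = substr(msg, 18) }
    msg ~ /^Connection from [^ ]+ closed\.$/ && (pid in client) {
      print client[pid] "|" status[pid] "|" cmd[pid]
      delete client[pid]; delete status[pid]; delete cmd[pid]
    }
  ' "$@"
}

# Clients that failed on the packet version (NRPE 2.x using SSL), with counts.
nrpe_mismatch_clients() {
  nrpe_sessions "$@" | awk -F'|' '$2 == "version_mismatch" { n[$1]++ }
    END { for (c in n) print c, n[c] }'
}

sample_log | nrpe_sessions
```

Both functions read the log files given as arguments, or standard input when none are given.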

Update July 28th 2017: The deb package, containing the enabled command arguments, was updated to contain the SSL fixes. New file name: nagios-nrpe-server_3.0.1-3+deb9u1.1_amd64.stretch.deb. You can find the nagios-nrpe-server packages with command arguments enabled here: https://www.claudiokuenzler.com/downloads/nrpe/.
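
Compiling with --enable-command-args only makes arguments possible; NRPE honours them at runtime when nrpe.cfg also sets dont_blame_nrpe=1 and a command definition contains $ARGn$ macros. The following added example (not from the original article; the configuration is constructed and the output labels are made up for this example) lists which commands take client-supplied arguments and flags macros that sit in the program path.

```shell
#!/bin/sh
# Added example (not from the article): report what an argument-enabled NRPE
# build will accept. dont_blame_nrpe and command[...] are nrpe.cfg directives.

# Constructed sample configuration, for illustration only.
sample_cfg() {
cat <<'EOF'
# constructed nrpe.cfg excerpt
allowed_hosts=127.0.0.1,10.10.45.50
dont_blame_nrpe=1
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_load]=/usr/lib/nagios/plugins/check_load -w $ARG1$ -c $ARG2$
command[check_any]=/usr/lib/nagios/plugins/$ARG1$ $ARG2$
EOF
}

# Output labels (ARGS_ENABLED, ARG_IN_PATH, ...) are names chosen for this example.
nrpe_cfg_audit() {
  awk '
    /^[ \t]*#/ || !/=/ { next }                 # comments and non-directives
    {
      key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key)
      val = $0; sub(/^[^=]*=/, "", val); sub(/^[ \t]+/, "", val)
    }
    key == "dont_blame_nrpe" { args = (val + 0 == 1) }
    key == "allowed_hosts"   { hosts = val }
    key ~ /^command\[/ && val ~ /\$ARG[0-9]+\$/ {
      name = key; sub(/^command\[/, "", name); sub(/\]$/, "", name)
      split(val, w, /[ \t]+/)
      # A macro inside the program path lets the client pick the binary.
      kind = (w[1] ~ /\$ARG[0-9]+\$/) ? "ARG_IN_PATH" : "ARG_IN_OPTIONS"
      found[++n] = kind " " name
    }
    END {
      print "ARGS_ENABLED " (args ? "yes" : "no")
      print "ALLOWED_HOSTS " (hosts == "" ? "(unset)" : hosts)
      for (i = 1; i <= n; i++) print found[i]
    }
  ' "$@"
}

sample_cfg | nrpe_cfg_audit
```

Pass the real configuration files as arguments, for example `nrpe_cfg_audit /etc/nagios/nrpe.cfg`; every ARG_IN_PATH line is a command definition to rewrite with a fixed plugin path.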


Comments (newest first):

David Goodwin from United Kingdom wrote on Jul 15th, 2017:
The SSL issue appears to be fixed (it is for me anyway, where my nagios server is still on Jessie, but I upgraded one monitored server to Stretch and found that my checks failed)

Try :

apt-get install -t stretch-backports nagios-nrpe-server


See http://metadata.ftp-master.debian.org/changelogs/main/n/nagios-nrpe/nagios-nrpe_3.2.0-3~bpo9+1_changelog

