Debian Stretch (Debian 9) was released a couple of days ago, on June 17th 2017. In March 2016 I wrote about Debian Jessie (Debian 8) and the problem that the NRPE package was compiled without command arguments allowed. I won't go into details why the command arguments were disabled (read the mentioned article to get these details). This article is somewhat of a follow-up.
In Stretch the "default" is unchanged: command arguments are still disabled. In addition, Stretch ships the new NRPE version 3.x (3.0.1 to be exact). This can be seen as a breakthrough, because NRPE had been at version 2.1x for many years. It's definitely a big and necessary change: NRPE had become outdated, yet it is still widely used in combination with Nagios and Icinga. The NRPE project is now also developed publicly (see the Nagios NRPE GitHub repository).
This means that one not only has to recompile the nagios-nrpe Debian source package to enable command arguments, but also needs to know how to solve backward compatibility issues.
Let's tackle the first challenge: [ Compatibility between NRPE 2.x and 3.x ] -> (meanwhile fixed)
NRPE 3.x is built on much newer SSL/TLS protocols than NRPE 2.x. Therefore SSL communication between the two NRPE versions doesn't work.
Here I tried to connect from check_nrpe (2.15) to a nagios-nrpe-server (3.0.1):
$ ./check_nrpe -H 10.10.45.10
CHECK_NRPE: Error - Could not complete SSL handshake.
On the server side, the following log entries appeared (NRPE debug logging enabled):
Jun 22 09:04:51 stretch nrpe: Connection from 10.10.45.50 port 33773
Jun 22 09:04:51 stretch nrpe: Host address is in allowed_hosts
Jun 22 09:04:51 stretch nrpe: Error: Request packet version was invalid!
Jun 22 09:04:51 stretch nrpe: Could not read request from client 10.10.45.50, bailing out...
Jun 22 09:04:51 stretch nrpe: Connection from 10.10.45.50 closed.
The logs clearly show a problem between the packet versions. But if check_nrpe is launched without SSL encryption (using the -n parameter), the connection works:
$ ./check_nrpe -H 10.10.45.10 -n
Server side logging now shows:
Jun 22 09:06:18 stretch nrpe: Connection from 10.10.45.50 port 5528
Jun 22 09:06:18 stretch nrpe: Host address is in allowed_hosts
Jun 22 09:06:18 stretch nrpe: Host 10.10.45.50 is asking for command '_NRPE_CHECK' to be run...
Jun 22 09:06:18 stretch nrpe: Response to 10.10.45.50: NRPE v3.0.1
Jun 22 09:06:18 stretch nrpe: Return Code: 0, Output: NRPE v3.0.1
Jun 22 09:06:18 stretch nrpe: Connection from 10.10.45.50 closed.
Disabling SSL encryption is not a good idea, I agree. But until all hosts (monitoring server and clients) are updated to a newer NRPE 3.x version, it is at least a workaround to ensure compatibility between NRPE 2.x and 3.x. As long as the NRPE connection happens only within internal networks, there's not too much to worry about either (but be careful if you happen to check servers through the Internet!).
Update July 19th 2017: As you can see in the comment from David Goodwin, that SSL compatibility problem was fixed in NRPE 3.2.0 (see this commit). NRPE 3.2.x can be installed in Debian through the stretch-backports repositories.
Update July 23rd 2017: This is now also fixed in the "original" Stretch-Package (see http://metadata.ftp-master.
And now to the second challenge: [ Enable command arguments ]
Heads-up: A ready to use and install package for Debian Stretch (and other Debian and Ubuntu versions) can be found here: https://www.claudiokuenzler.com/downloads/nrpe/
1) Add the deb-src line into your /etc/apt/sources.list file, if it doesn't exist yet. Use your preferred mirror:
deb-src http://mirror.switch.ch/ftp/mirror/debian/ stretch main
Update the repository list afterwards:
2) Install the build tools and dependencies needed to compile the package:
apt-get build-dep nagios-nrpe
apt-get install devscripts build-essential
3) Download the nagios-nrpe source package:
apt-get source nagios-nrpe
The files will be downloaded into the current directory.
4) Change into the package directory and adapt the debian/rules file:
cd nagios-nrpe-3.0.1/; vi debian/rules
At the end of the "override_dh_auto_configure" target, the "--enable-command-args" option needs to be added:
dh_auto_configure -- \
5) Edit the changelog:
This command will ask you to enter information about what exactly you have done to this package. In my case I entered the following information:
nagios-nrpe (3.0.1-1) stable; urgency=medium
* Non-maintainer upload.
* Compiled with command arguments enabled
-- Claudio Kuenzler
6) Create the new deb package:
debuild -us -uc -sa
7) Move one directory up and you will see the newly created files:
cd ..; ls -la | grep 3.0.1-1
-rw-r--r-- 1 ckadm ckadm 53352 Jun 22 09:24 nagios-nrpe-plugin-dbgsym_3.0.1-1_amd64.deb
-rw-r--r-- 1 ckadm ckadm 30118 Jun 22 09:24 nagios-nrpe-plugin_3.0.1-1_amd64.deb
-rw-r--r-- 1 ckadm ckadm 73252 Jun 22 09:24 nagios-nrpe-server-dbgsym_3.0.1-1_amd64.deb
-rw-r--r-- 1 ckadm ckadm 347278 Jun 22 09:24 nagios-nrpe-server_3.0.1-1_amd64.deb
-rw-r--r-- 1 ckadm ckadm 347278 Jun 22 09:24 nagios-nrpe-server_3.0.1-1_amd64.stretch.deb
-rw-r--r-- 1 ckadm ckadm 13792 Jun 22 09:24 nagios-nrpe_3.0.1-1.debian.tar.xz
-rw-r--r-- 1 ckadm ckadm 1225 Jun 22 09:24 nagios-nrpe_3.0.1-1.dsc
-rw-r--r-- 1 ckadm ckadm 50600 Jun 22 09:24 nagios-nrpe_3.0.1-1_amd64.build
-rw-r--r-- 1 ckadm ckadm 5787 Jun 22 09:24 nagios-nrpe_3.0.1-1_amd64.buildinfo
-rw-r--r-- 1 ckadm ckadm 2880 Jun 22 09:24 nagios-nrpe_3.0.1-1_amd64.changes
8) The deb package can now be installed:
root@stretch:/ # dpkg -i /home/ckadm/nagios-nrpe-server_3.0.1-1_amd64.deb
dpkg: warning: downgrading nagios-nrpe-server from 3.0.1-3 to 3.0.1-1
(Reading database ... 36589 files and directories currently installed.)
Preparing to unpack .../nagios-nrpe-server_3.0.1-1_amd64.deb ...
Unpacking nagios-nrpe-server (3.0.1-1) over (3.0.1-3) ...
Setting up nagios-nrpe-server (3.0.1-1) ...
Processing triggers for systemd (232-25) ...
Processing triggers for man-db (22.214.171.124-2) ...
To make sure the new binary is used, restart the daemon:
root@stretch:/etc/nagios# systemctl restart nagios-nrpe-server
NRPE checks using arguments are now working:
$ ./check_nrpe -H 10.10.45.10 -n -c check_load -a "1,2,3" "4,5,6"
OK - load average: 0.22, 0.09, 0.04|load1=0.220;1.000;4.000;0; load5=0.090;2.000;5.000;0; load15=0.040;3.000;6.000;0;
NRPE server side logging shows:
Jun 22 09:18:03 stretch nrpe: Connection from 10.10.45.50 port 26246
Jun 22 09:18:03 stretch nrpe: Host address is in allowed_hosts
Jun 22 09:18:03 stretch nrpe: Host 10.10.45.50 is asking for command 'check_load' to be run...
Jun 22 09:18:03 stretch nrpe: Running command: /usr/lib/nagios/plugins/check_load -w 1,2,3 -c 4,5,6
Jun 22 09:18:03 stretch nrpe: Command completed with return code 0 and output: OK - load average: 0.28, 0.14, 0.05|load1=0.280;1.000;4.000;0; load5=0.140;2.000;5.000;0; load15=0.050;3.000;6.000;0;
Jun 22 09:18:03 stretch nrpe: Return Code: 0, Output: OK - load average: 0.28, 0.14, 0.05|load1=0.280;1.000;4.000;0; load5=0.140;2.000;5.000;0; load15=0.050;3.000;6.000;0;
Jun 22 09:18:03 stretch nrpe: Connection from 10.10.45.50 closed.
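Building with --enable-command-args only makes arguments possible; what a client can actually pass is decided in nrpe.cfg. The following audit script is an added example, not part of the original article or the NRPE project. It assumes the standard nrpe.cfg directives dont_blame_nrpe, allow_bash_command_substitution and allowed_hosts (none of which are shown in the article), and the sample config, including the check_load definition inferred from the "Running command" log line above, is constructed:

```sh
#!/bin/sh
# Added example: audit nrpe.cfg for the run-time settings that matter once
# nrpe is built with --enable-command-args. Prints one finding per line.
audit_nrpe_cfg() {
    awk '
        /^[ \t]*#/ || !/=/ { next }    # skip comments and blank lines
        {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
        }
        key == "dont_blame_nrpe"                 { blame = (val + 0 == 1) }
        key == "allow_bash_command_substitution" { subst = (val + 0 == 1) }
        key == "allowed_hosts"                   { hosts = val }
        # command definitions that splice client input into the command line
        key ~ /^command\[/ && val ~ /\$ARG[0-9]+\$/ {
            name = key; sub(/^command\[/, "", name); sub(/\]$/, "", name)
            argcmds = argcmds " " name
        }
        END {
            if (blame && subst)
                print "HIGH allow_bash_command_substitution=1 while arguments are accepted"
            if (blame && hosts == "")
                print "HIGH arguments accepted but allowed_hosts is not set"
            if (blame && argcmds != "")
                print "INFO client-supplied arguments reach:" argcmds
            if (!blame && argcmds != "")
                print "WARN dont_blame_nrpe is 0, arguments are refused for:" argcmds
        }
    ' "$1"
}

# Constructed sample config (not from the article): one fixed command, one
# command taking arguments, and one deliberately weak setting.
sample_cfg() {
    cat <<'EOF'
# constructed nrpe.cfg fragment
allowed_hosts=127.0.0.1,10.10.45.50
dont_blame_nrpe=1
allow_bash_command_substitution=1
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_load]=/usr/lib/nagios/plugins/check_load -w $ARG1$ -c $ARG2$
EOF
}

tmp=$(mktemp) && sample_cfg > "$tmp" && audit_nrpe_cfg "$tmp"; rm -f "$tmp"
```

Run it against /etc/nagios/nrpe.cfg after installing the rebuilt package; every command listed in the INFO line receives text chosen by the monitoring client.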
Update July 28th 2017: The deb package, containing the enabled command arguments, was updated to contain the SSL fixes. New file name: nagios-nrpe-server_3.0.1-3+deb9u1.1_amd64.stretch.deb. You can find the nagios-nrpe-server packages with command arguments enabled here: https://www.claudiokuenzler.com/downloads/nrpe/.
Reno from France wrote on Oct 18th, 2017:
Very useful information, thank you boss! :)
David Goodwin from United Kingdom wrote on Jul 15th, 2017:
The SSL issue appears to be fixed (it is for me anyway, where my nagios server is still on Jessie, but I upgraded one monitored server to Stretch and found that my checks failed)
apt-get install -t stretch-backports nagios-nrpe-server