check_nrpe problems: Unable to read output and seteuid(0)
Posted: Mon Jun 17, 2019 9:59 am
I have recently setup a new XI system using the off-line tarball install. The installation ran without errors, and adding hosts and services to monitor is mostly going OK, except for check_nrpe.
Host being monitored:
cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.6 (Maipo)
rpm -qa |egrep -i "nagios|nrpe"
nagios-plugins-ssh-2.2.1-16.20180725git3429dad.el7.x86_64
nrpe-3.2.1-8.el7.x86_64
nagios-plugins-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-swap-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-perl-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-load-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-http-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-ntp-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-nagios-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-common-4.4.3-1.el7.x86_64
nagios-plugins-nrpe-3.2.1-8.el7.x86_64
nagios-plugins-disk-2.2.1-16.20180725git3429dad.el7.x86_64
Nagios system:
cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.6 (Maipo)
rpm -qa |egrep -i "nagios|nrpe"
nagiosxi-pnp-5.6.3-1.el7.x86_64
nagiosxi-nagiosplugins-5.6.3-1.el7.x86_64
nagiosxi-nrpe-5.6.3-1.el7.x86_64
nagiosxi-nsca-5.6.3-1.el7.x86_64
perl-Nagios-Monitoring-Plugin-0.51-1.el7.noarch
nagiosxi-nxti-5.6.3-1.el7.x86_64
nagiosxi-ndoutils-5.6.3-1.el7.x86_64
nagiosxi-wkhtmltox-5.6.3-1.el7.x86_64
nagios-repo-7-3.el7.noarch
nagiosxi-nagvis-5.6.3-1.el7.x86_64
nagiosxi-shellinabox-5.6.3-1.el7.x86_64
nagiosxi-nrds-5.6.3-1.el7.x86_64
nagiosxi-wmic-5.6.3-1.el7.x86_64
nagiosxi-5.6.3-1.el7.x86_64
nagiosxi-mrtg-5.6.3-1.el7.x86_64
nagiosxi-nagioscore-5.6.3-1.el7.x86_64
nagiosxi-nagiosmobile-5.6.3-1.el7.x86_64
There is no proxy between the nagios system and the hosts being monitored;
Both the nagios system and the monitored hosts are VMware virtual Linux systems.
tail -f /var/log/messages
Jun 17 10:12:29 cliplsat01 nrpe[20535]: CONN_CHECK_PEER: checking if host is allowed: 172.20.132.62 port 57483
Jun 17 10:12:29 cliplsat01 nrpe[20535]: is_an_allowed_host (AF_INET): is host >172.20.132.62< an allowed host >172.20.132.62<
Jun 17 10:12:29 cliplsat01 nrpe[20535]: is_an_allowed_host (AF_INET): is host >172.20.132.62< an allowed host >172.20.132.62<
Jun 17 10:12:29 cliplsat01 nrpe[20535]: is_an_allowed_host (AF_INET): host
is in allowed host list!
Jun 17 10:12:29 cliplsat01 nrpe[20536]: WARNING: my_system() seteuid(0): Operation not permitted
I can run the plugin on the system at the command line just fine:
$ ./check_mem.py -w10 -c5
OK: Free memory percentage is 57% (18378 MB)
And as the "nrpe" userID:
$ sudo -u nrpe /usr/lib64/nagios/plugins/check_mem.py -w 10 -c 5
OK: Free memory percentage is 57% (18377 MB)
Nrpe runs as user "nrpe";
ps -ef |grep nrpe
nrpe 17549 1 0 09:57 ? 00:00:00 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -f -n
The host IP address has been added to "allowed_hosts" in /etc/nagios/nrpe.cfg;
"dont_blame_nrpe" has been set to 1; and the command has been added to the config file like this:
command[check_mem.py]=/usr/lib64/nagios/plugins/check_mem.py -c $ARG1$ -w $ARG2$
The custom plugin check_mem.py reads /proc/meminfo, which has this ownership and permissions:
ls -l /proc/meminfo
-r--r--r-- 1 root root 0 Jun 17 10:17 /proc/meminfo
So no setuid should be required to read that.
Running the check remotely from the Nagios system, I get this:
$ /usr/local/nagios/libexec/check_nrpe -n -E -g /root/nrpe_check.log -H cliplsat01 -c check_mem.py -a -w10 -c5
NRPE: Unable to read output
(I had to use "-n" and set "-n" in /etc/sysconfig/nrpe to get rid of the "Could not complete SSL handshake" failure error)
And in the log file /usr/local/nagios/var/nagios.log I get this:
[1560777848] SERVICE NOTIFICATION: nagiosadmin;cliplsat01.pcc.int;RAM;UNKNOWN;xi_service_notification_handler;
NRPE: Unable to read output
What config am I missing, and is there a way to turn on debug logging on the Nagois system so I can get more informative error messages?
Thanks,
mark gree ne
Host being monitored:
cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.6 (Maipo)
rpm -qa |egrep -i "nagios|nrpe"
nagios-plugins-ssh-2.2.1-16.20180725git3429dad.el7.x86_64
nrpe-3.2.1-8.el7.x86_64
nagios-plugins-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-swap-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-perl-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-load-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-http-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-ntp-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-plugins-nagios-2.2.1-16.20180725git3429dad.el7.x86_64
nagios-common-4.4.3-1.el7.x86_64
nagios-plugins-nrpe-3.2.1-8.el7.x86_64
nagios-plugins-disk-2.2.1-16.20180725git3429dad.el7.x86_64
Nagios system:
cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.6 (Maipo)
rpm -qa |egrep -i "nagios|nrpe"
nagiosxi-pnp-5.6.3-1.el7.x86_64
nagiosxi-nagiosplugins-5.6.3-1.el7.x86_64
nagiosxi-nrpe-5.6.3-1.el7.x86_64
nagiosxi-nsca-5.6.3-1.el7.x86_64
perl-Nagios-Monitoring-Plugin-0.51-1.el7.noarch
nagiosxi-nxti-5.6.3-1.el7.x86_64
nagiosxi-ndoutils-5.6.3-1.el7.x86_64
nagiosxi-wkhtmltox-5.6.3-1.el7.x86_64
nagios-repo-7-3.el7.noarch
nagiosxi-nagvis-5.6.3-1.el7.x86_64
nagiosxi-shellinabox-5.6.3-1.el7.x86_64
nagiosxi-nrds-5.6.3-1.el7.x86_64
nagiosxi-wmic-5.6.3-1.el7.x86_64
nagiosxi-5.6.3-1.el7.x86_64
nagiosxi-mrtg-5.6.3-1.el7.x86_64
nagiosxi-nagioscore-5.6.3-1.el7.x86_64
nagiosxi-nagiosmobile-5.6.3-1.el7.x86_64
There is no proxy between the nagios system and the hosts being monitored;
Both the nagios system and the monitored hosts are VMware virtual Linux systems.
tail -f /var/log/messages
Jun 17 10:12:29 cliplsat01 nrpe[20535]: CONN_CHECK_PEER: checking if host is allowed: 172.20.132.62 port 57483
Jun 17 10:12:29 cliplsat01 nrpe[20535]: is_an_allowed_host (AF_INET): is host >172.20.132.62< an allowed host >172.20.132.62<
Jun 17 10:12:29 cliplsat01 nrpe[20535]: is_an_allowed_host (AF_INET): is host >172.20.132.62< an allowed host >172.20.132.62<
Jun 17 10:12:29 cliplsat01 nrpe[20535]: is_an_allowed_host (AF_INET): host
is in allowed host list!
Jun 17 10:12:29 cliplsat01 nrpe[20536]: WARNING: my_system() seteuid(0): Operation not permitted
I can run the plugin on the system at the command line just fine:
$ ./check_mem.py -w10 -c5
OK: Free memory percentage is 57% (18378 MB)
And as the "nrpe" userID:
$ sudo -u nrpe /usr/lib64/nagios/plugins/check_mem.py -w 10 -c 5
OK: Free memory percentage is 57% (18377 MB)
Nrpe runs as user "nrpe";
ps -ef |grep nrpe
nrpe 17549 1 0 09:57 ? 00:00:00 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -f -n
The host IP address has been added to "allowed_hosts" in /etc/nagios/nrpe.cfg;
"dont_blame_nrpe" has been set to 1; and the command has been added to the config file like this:
command[check_mem.py]=/usr/lib64/nagios/plugins/check_mem.py -c $ARG1$ -w $ARG2$
The custom plugin check_mem.py reads /proc/meminfo, which has this ownership and permissions:
ls -l /proc/meminfo
-r--r--r-- 1 root root 0 Jun 17 10:17 /proc/meminfo
So no setuid should be required to read that.
Running the check remotely from the Nagios system, I get this:
$ /usr/local/nagios/libexec/check_nrpe -n -E -g /root/nrpe_check.log -H cliplsat01 -c check_mem.py -a -w10 -c5
NRPE: Unable to read output
(I had to use "-n" and set "-n" in /etc/sysconfig/nrpe to get rid of the "Could not complete SSL handshake" failure error)
And in the log file /usr/local/nagios/var/nagios.log I get this:
[1560777848] SERVICE NOTIFICATION: nagiosadmin;cliplsat01.pcc.int;RAM;UNKNOWN;xi_service_notification_handler;
NRPE: Unable to read output
What config am I missing, and is there a way to turn on debug logging on the Nagois system so I can get more informative error messages?
Thanks,
mark gree ne