NRPE allowed_hosts woes with IPv6 on RHEL/CentOS 6

Tilman
Posts: 7
Joined: Sun Feb 17, 2013 8:38 am

NRPE allowed_hosts woes with IPv6 on RHEL/CentOS 6

Post by Tilman »

A fully IPv6 dual stack enabled network is monitored by Nagios 3.5.1 installed from EPEL on a CentOS 6.7 server. Monitored hosts run NRPE agents, all of which are configured to run as daemons (not via xinetd) with the configuration line

Code:

allowed_hosts=bombur.example.com

where bombur.example.com is the Nagios server's FQDN which resolves in DNS to both the IPv4 and IPv6 addresses:

Code:

% host bombur
bombur.example.com has address 192.0.2.28
bombur.example.com has IPv6 address 2001:db8:f00:ba8::28

This works fine for hosts running NRPE releases before 2.15 which lack IPv6 support and only accept IPv4 connections.
But EPEL recently updated NRPE to release 2.15 which adds IPv6 support.
On all the hosts that got updated to NRPE 2.15, connections from the Nagios server are now rejected with the log message:

Code:

nrpe[21665]: Host 2001:db8:f00:ba8::28 is not allowed to talk to us!

IOW the allowed_hosts=<hostname> directive allows only the IPv4 address of the given host, not its IPv6 address.

Mother Google found a report on NRPE supporting only one IP address per hostname.
I tried to work around this problem by creating two separate hostnames bombur-v4 and bombur-v6 each resolving to only one address, and changing the allowed_hosts directive to:

Code:

allowed_hosts=bombur-v4.example.com,bombur-v6.example.com

Regrettably that does not work either. NRPE now logs:

Code:

Allowing connections from: bombur-v4.example.com,bombur-v6.example.com
2001:db8:f00:ba8::28 is not allowed to talk to us!

even though bombur-v6.example.com is verified to resolve to 2001:db8:f00:ba8::28.

Bug? Known problem? By design? Feature?
jdalrymple
Skynet Drone
Posts: 2620
Joined: Wed Feb 11, 2015 1:56 pm

Re: NRPE allowed_hosts woes with IPv6 on RHEL/CentOS 6

Post by jdalrymple »

Tilman wrote: Bug? Known problem? By design? Feature?

I'll go with Bug for right now.

What happens if you explicitly place the IP into the allowed_hosts directive? Just wondering if we're chasing a resolution issue or if IPv6 is just broken altogether.
Tilman
Posts: 7
Joined: Sun Feb 17, 2013 8:38 am

Re: NRPE allowed_hosts woes with IPv6 on RHEL/CentOS 6

Post by Tilman »

Ah, sorry, I forgot to mention that. Specifying the numeric addresses, i.e.

Code:

allowed_hosts=192.0.2.28,2001:db8:f00:ba8::28

works fine.
jdalrymple
Skynet Drone
Posts: 2620
Joined: Wed Feb 11, 2015 1:56 pm

Re: NRPE allowed_hosts woes with IPv6 on RHEL/CentOS 6

Post by jdalrymple »

For sure a bug then. Honestly - probably the quicker way to get it looked at is via NRPE's github. Go here and submit a descriptive issue, feel free to link the forum post:

https://github.com/NagiosEnterprises/nrpe

If you don't have an account I'll be happy to do it for you, but if you can you'll know when it's fixed.

I'll do some internal testing and mentioning to devs, but I doubt I'll be able to make a solution and furthermore I can't imagine I'm going to have any sort of different findings than you are.

Just FYI, the behavior of NRPE in daemonized mode is as follows:

Every time a check_nrpe request comes in, a forward lookup is done. If the IP matches, it works; if the record doesn't match, check_nrpe fails with "CHECK_NRPE: Error - Could not complete SSL handshake."

It certainly seems fair that we adjust it so it looks up AAAA records in addition to As. Seems to me all AAAA records aren't working for you.
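
Added example, not part of the thread and not NRPE's code: a Python model of the allow-list check discussed above, showing why a lookup restricted to A records rejects the server's IPv6 address while a lookup of both address families accepts it. The function names, `SAMPLE_DNS` and `sample_resolver` are hypothetical; the stand-in resolver is constructed from the names and addresses in the first post so the example runs offline.

```python
import ipaddress
import socket

BOTH = (socket.AF_INET, socket.AF_INET6)
V4_ONLY = (socket.AF_INET,)  # models a lookup that asks for A records only

# Constructed stand-in for DNS, using the names and addresses from the thread.
SAMPLE_DNS = {
    ("bombur.example.com", socket.AF_INET): ["192.0.2.28"],
    ("bombur.example.com", socket.AF_INET6): ["2001:db8:f00:ba8::28"],
}

def sample_resolver(host, port, family, socktype):
    """Same return shape as socket.getaddrinfo, answered from SAMPLE_DNS."""
    addrs = SAMPLE_DNS.get((host, family))
    if not addrs:
        raise socket.gaierror(socket.EAI_NONAME, "no record")
    return [(family, socktype, 0, "", (a, 0)) for a in addrs]

def expand_allowed_hosts(value, families=BOTH, resolver=socket.getaddrinfo):
    """Return the set of addresses an allowed_hosts value permits."""
    allowed = set()
    for entry in filter(None, (e.strip() for e in value.split(","))):
        try:
            allowed.add(ipaddress.ip_address(entry))  # numeric entry, no lookup
            continue
        except ValueError:
            pass  # not a literal address: treat it as a hostname
        for family in families:
            try:
                infos = resolver(entry, None, family, socket.SOCK_STREAM)
            except socket.gaierror:
                continue  # no record of this family for the name
            for info in infos:
                # drop any %scope suffix before parsing
                allowed.add(ipaddress.ip_address(info[4][0].split("%")[0]))
    return allowed

def is_allowed(peer, allowed):
    """Compare a peer address by value, not by string."""
    addr = ipaddress.ip_address(peer)
    # A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr in allowed

if __name__ == "__main__":
    peer = "2001:db8:f00:ba8::28"
    for label, fams in (("A only", V4_ONLY), ("A + AAAA", BOTH)):
        permitted = expand_allowed_hosts("bombur.example.com", fams, sample_resolver)
        print(label, sorted(map(str, permitted)), "->", is_allowed(peer, permitted))
```

Called without the `resolver` argument, `expand_allowed_hosts` uses the system resolver, so it can be run on a monitored host to see which addresses a hostname entry would actually permit there. Numeric entries never reach the resolver, which matches the workaround reported in the thread.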
Tilman
Posts: 7
Joined: Sun Feb 17, 2013 8:38 am

Re: NRPE allowed_hosts woes with IPv6 on RHEL/CentOS 6

Post by Tilman »

I already did:

https://github.com/NagiosEnterprises/nrpe/issues/31

It didn't stir much interest so far:
tilmanschmidt opened this Issue 5 days ago · 0 comments
But thanks for reminding me I should update it with my latest findings and a link to the discussion here.
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: NRPE allowed_hosts woes with IPv6 on RHEL/CentOS 6

Post by tmcdonald »

It can take some time to get traction on an issue since we have quite a few projects and products to work on. I've commented on the issue myself just to add some weight to it and get it properly labeled.

Since we have a feature request open for this, I'd like to close this thread if it's alright with you.
Former Nagios employee
Tilman
Posts: 7
Joined: Sun Feb 17, 2013 8:38 am

Re: NRPE allowed_hosts woes with IPv6 on RHEL/CentOS 6

Post by Tilman »

Sure, go ahead and close it if you see no interest in further discussion here. From my perspective everything has been said.