Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
Hi.
We use nrpe-server with own simple bash plugin for testing age of file. After upgrade from Debian 8 ( nrpe-server v. 2.15 ) to Debian 9 ( nrpe-server v. 3.0.1 ), the plugin cannot access the testing file. Here is the code of plugin:
#!/bin/bash
TEST_FILE=/tmp/test_cron
TIME=1800
if ! [ -f $TEST_FILE ]; then
echo "ERROR: Test file not exist"
exit 2
fi
FILE_TIME="$(stat -c %Z $TEST_FILE)"
NOW_TIME="$( date +%s )"
DIFF="$( expr $NOW_TIME - $FILE_TIME )"
if [[ $DIFF -gt $TIME ]]; then
echo "ERROR: Cron not working"
exit 2
fi
echo ok
The script end on first IF condition, it look like that script cannot access the testing file "/tmp/test_cron". The plugin wokrs good, if i run it manulally from console under user nagios over sudo.
I have no idea why it don't work over nrpe server. The is no SELinux on the server, I checked permmions of the file, ..... and before the upgrade the server script worked well.
It doesn't work for any file in arbitrary location. I seted variable TEST_FILE on TEST_FILE=/var/tmp/test, but result was same - The plugin worked good from console, but not over NRPE server. Our others BASH plugins, which doesn't aceess on files work well.
The package is from official Debian repo. We don't use any unofficial repos on this server. I have installed clean Debian 9 server and on it the plugin has same behavior.
So - I was attempting to replicate this in Debian 9. I used the "official" packages (which are maintained by community members, more on this in a bit) and was not able to reproduce your issue.
I manually created the /tmp/test_cron file and at one point it had become deleted - I assume by the systemd temp file handler. But other than that I was able to execute the command through NRPE successfully.
Maybe try moving the file to a non-temporary (/var/tmp may very well be managed by your tmpfiles.d) location, like /home/user1/test_file.
About the packages:
The packages that are available in official Debian, Ubuntu, CentOS, etc. are not maintained by us here at Nagios - those are maintained by community members who chose to help out in open source! So I can't particularly help with those, especially since before they build the packages, they specify a lot of very specific directories which are tuned to their OS of choice (which is why they're doing it to begin with - that's quite a lot of info!!)
Also, the version of NRPE you're using is a tad bit old. I'd really like to know if this same thing is occurring with NRPE 3.2.1 on your server.
Before we go down that route, can you try and set the file location to somewhere that isn't a temporary directory managed by tmpfiles.d/systemd? Also, I'd like to take a look at your nrpe.cfg file and any additional cfgs that you include. Thanks!
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
You are right. After moving the test file outside of temp directories the plugin began work.
I found the following setting in systemd for unit nagios-nrpe service:
PrivateTmp=true
The man page for systemd says:
PrivateTmp=
Takes a boolean argument. If true, sets up a new file system namespace for the executed processes and mounts private /tmp and /var/tmp directories inside it that is not shared by processes outside of the namespace. This is useful to secure access to temporary files of the process, but makes sharing between processes via /tmp or /var/tmp impossible. If this is enabled, all temporary files created by a service in these directories will be removed after the service is stopped. Defaults to false. It is possible to run two or more units within the same private /tmp and /var/tmp namespace by using the JoinsNamespaceOf= directive, see systemd.unit(5) for details. This setting is implied if DynamicUser= is set. For this setting the same restrictions regarding mount propagation and privileges apply as for ReadOnlyPaths= and related calls, see above. Enabling this setting has the side effect of adding Requires= and After= dependencies on all mount units necessary to access /tmp and /var/tmp. Moreover an implicitly After= ordering on systemd-tmpfiles-setup.service(8) is added. Note that the implementation of this setting might be impossible (for example if mount namespaces are not available), and the unit should be written in a way that does not solely rely on this setting for security.
After I have turned this setting off, the check over NRPE works well.
Big thank you for your support!
