Page 2 of 4

Re: NRPE: UNKNOWN Can't connect to the JVM

Posted: Tue Nov 14, 2017 12:53 pm
by pmoradiya
npolovenko wrote:@pmoradiya, Can you manually switch to tomcat8 user and attempt to run the plugin?

Code: Select all

 su - tomcat8
And then:

Code: Select all

/usr/bin/sudo -u tomcat8 /usr/local/nagios/libexec/check_jvm -n org.apache.catalina.startup.Bootstrap -p threads -w 195 -c 225
Does that work?
I'd also modify permissions for JvmInspector.jar to allow for tomcat8 user.

Code: Select all

chown tomcat8 JvmInspector.jar

Cannot switch to the user using "su - tomcat8" as it doesn't have shell.

I have tried changing ownership of JvmInspector.jar to tomcat8 but no luck yet.

Re: NRPE: UNKNOWN Can't connect to the JVM

Posted: Wed Nov 15, 2017 12:17 pm
by npolovenko
@pmoradiya, That might be the cause of this problem. When you're running the command with -u tomcat8 the system is trying to run it in a shell. Please enable the shell access for this user:
1. Open /etc/passwd file and look for tomcat8 username.
2. Change the ending from /sbin/nologin to /bin/bash

*After that please make sure that you can logion with su - tomcat8.

Re: NRPE: UNKNOWN Can't connect to the JVM

Posted: Wed Nov 15, 2017 6:35 pm
by pmoradiya
npolovenko wrote:@pmoradiya, That might be the cause of this problem. When you're running the command with -u tomcat8 the system is trying to run it in a shell. Please enable the shell access for this user:
1. Open /etc/passwd file and look for tomcat8 username.
2. Change the ending from /sbin/nologin to /bin/bash

*After that please make sure that you can logion with su - tomcat8.
The nagios user is able to switch to tomcat8 and can run the nrpe command as below:

Code: Select all

as nagios user
$ /usr/bin/sudo -u tomcat8 /usr/local/nagios/libexec/check_jvm -n org.apache.catalina.startup.Bootstrap -p threads -w 195 -c 225
OK 39 |threads=39;;;
That means nagios user is able to switch to tomcat8 user and run above command.

Re: NRPE: UNKNOWN Can't connect to the JVM

Posted: Thu Nov 16, 2017 12:49 pm
by npolovenko
@pmoradiya, When you run the command locally you're using a shell. But NRPE doesn't run with a shell. And then I believe when NRPE sees -u tomcat8 it tries to actually run the following command using a shell. But tomcat8 does not have a shell. Does that make sense?

Let's try to change the command in nrpe.cfg file(for sake of the experiment):

Code: Select all

/usr/bin/sudo -u tomcat8 /usr/local/nagios/libexec/check_jvm -n org.apache.catalina.startup.Bootstrap -p threads -w 195 -c 225
To:

Code: Select all

/usr/local/nagios/libexec/check_jvm -n org.apache.catalina.startup.Bootstrap -p threads -w 195 -c 225
After that please restart nrpe:

Code: Select all

service nrpe restart
or

Code: Select all

service xinted restart
Depending on your configuration.

Re: NRPE: UNKNOWN Can't connect to the JVM

Posted: Thu Nov 16, 2017 2:30 pm
by mcapra
npolovenko wrote:But NRPE doesn't run with a shell.
I believe NRPE uses popen for the actual command execution:
https://github.com/NagiosEnterprises/nr ... 2245-L2280

Which I believe piggy-backs off the shell of the parent process's user (but I am so totally not a glibc expert).

Surprisingly I can't find much information on how popen handles this particular situation, but I can't imagine popen is going to have a concept of what shell should be used for a given execution beyond the user under which the parent process is running (for security reasons among others). In a nutshell, it's entirely possible Bash (your nagios user's shell) is taking some liberties in this particular situation that popen cannot. Liberties like passing the current shell off to the targeted user.

For this reason, you might also try specifying a shell in your command definition:

Code: Select all

/usr/bin/sudo -u tomcat8 bash /usr/local/nagios/libexec/check_jvm -n org.apache.catalina.startup.Bootstrap -p threads -w 195 -c 225
# or
/usr/bin/sudo -u tomcat8 sh /usr/local/nagios/libexec/check_jvm -n org.apache.catalina.startup.Bootstrap -p threads -w 195 -c 225

Re: NRPE: UNKNOWN Can't connect to the JVM

Posted: Thu Nov 16, 2017 4:43 pm
by npolovenko
That makes sense, @mcapra. Thanks for the help! @pmoradiya, Please keep us updated on this issue.

Re: NRPE: UNKNOWN Can't connect to the JVM

Posted: Fri Nov 17, 2017 10:57 am
by pmoradiya
mcapra wrote:
For this reason, you might also try specifying a shell in your command definition:

Code: Select all

/usr/bin/sudo -u tomcat8 bash /usr/local/nagios/libexec/check_jvm -n org.apache.catalina.startup.Bootstrap -p threads -w 195 -c 225
# or
/usr/bin/sudo -u tomcat8 sh /usr/local/nagios/libexec/check_jvm -n org.apache.catalina.startup.Bootstrap -p threads -w 195 -c 225
Thanks @mcapra and @npolovenko for your detailed attention to this. I tried adding bash or sh to the command definition that returned "Unable to read output"

Code: Select all

root@server1:/usr/local/nagios/libexec# ./check_nrpe -H localhost -c check_tomcat_threads
NRPE: Unable to read output

root@server1:/usr/local/nagios/libexec# ./check_nrpe -H localhost -c check_tomcat_threads
NRPE: Unable to read output

Re: NRPE: UNKNOWN Can't connect to the JVM

Posted: Fri Nov 17, 2017 4:12 pm
by npolovenko
@pmoradiya, In your first post you mentioned that this exact plugin works just fine on another client servers. Let's assume for now that it is the NRPE compatibility issue. Can you check what version of NRPE do the other servers have? nrpe -V
You could remove the new nrpe client from the servers using this tutorial:https://support.nagios.com/kb/article/n ... -nrpe.html
Before you do that I'd make a copy of /usr/local/nagios/nrpe.cfg file and save it somewhere safe.
Then you can install the older version instead. If you tell us which version you need I can provide you with a download link.
https://sourceforge.net/projects/nagios/files/nrpe-2.x/

Re: NRPE: UNKNOWN Can't connect to the JVM

Posted: Fri Nov 17, 2017 5:13 pm
by pmoradiya
npolovenko wrote:@pmoradiya, In your first post you mentioned that this exact plugin works just fine on another client servers. Let's assume for now that it is the NRPE compatibility issue. Can you check what version of NRPE do the other servers have? nrpe -V
You could remove the new nrpe client from the servers using this tutorial:https://support.nagios.com/kb/article/n ... -nrpe.html
Before you do that I'd make a copy of /usr/local/nagios/nrpe.cfg file and save it somewhere safe.
Then you can install the older version instead. If you tell us which version you need I can provide you with a download link.
https://sourceforge.net/projects/nagios/files/nrpe-2.x/
All my client servers are running the same version (v3.2.1), installed and configured exactly the same way.

Code: Select all

root@server-1:/usr/local/nagios/libexec# ./check_nrpe -H localhost
NRPE v3.2.1
I will follow above steps to backup cfg, uninstall current version and install older version. I will keep you posted.

Re: NRPE: UNKNOWN Can't connect to the JVM

Posted: Mon Nov 20, 2017 1:07 pm
by npolovenko
@pmoradiya, Sounds good, keep us updated!