NRPE install failing on firewall [CentOS 7]

[eloyd]

Customer is trying to put the NRPE client onto CentOS 7 boxes and getting this:

Code: Select all

Running './4-firewall'...
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.
FirewallD is not running
RESULT=252
 
===================
INSTALLATION ERROR!
===================
Installation step failed - exiting.
Check for error messages in the install log (install.log).
 
If you require assistance in resolving the issue, please include install.log
in your communications with Nagios XI technical support.
 
The script that failed was: './4-firewall'

Install steps were:

Code: Select all

yum -y install wget openssl-devel
cd /tmp 
wget http://assets.nagios.com/downloads/nagiosxi/agents/linux-nrpe-agent.tar.gz 
tar xzf linux-nrpe-agent.tar.gz 
cd linux-nrpe-agent 
./fullinstall 

There is no firewall running on this server.

[rkennedy]

If no firewall is on the server, then that could be the reasoning. Try modifying the fullinstall script and removing this line -

Code: Select all

run_sub ./4-firewall

Re-run it, and let us know the results.

[eloyd]

I can confirm that it is due to no iptables installed. Iptables is deprecated on CentOS 7 so the install script should be updated to detect the absence of iptables rather than failing.

[hsmith]

If you turn on firewalld, does it complete? I think this may have happened when I was installing on one of my VPS.

[eloyd]

It works if one installs iptables. I consider this a failure of the install script that it fails to detect a system that does not have firewall software installed and then aborts the install. In this particular case, our customer is running embedded Linux on hardware controllers for things like commercial freezers and conveyor belt systems. VERY limited memory space and firewalls are simply not required. I would rather see the install script probe for firewalld and/or iptables and just continue if they're not installed. That would make more sense.

[hsmith]

I'll do some testing versus this, and then get a bug report over to John if I can reproduce it. You're saying the script doesn't behave if there is no iptables, even if firewalld is present?

[eloyd]

My testing indicated that iptables needed to be installed, but I am out of the office today. I can check on Monday.

[hsmith]

I just did yum remove iptables on my new machine. I believe that removes firewalld as well, since it's just a frontend for iptables. I just want to make sure I get all the relevant information before I submit anything.

[hsmith]

Reproduced, internal bug report submitted. The workaround is just touch installed.firewall, but there should be no need for a workaround

[eloyd]

Thanks. As soon as our test box finishes getting upgraded VMware management, I'll double check that that's do-able for our customer.