RHEL7 OEL7 event handler - NRPE: Unable to read output

[junkertf]

Hello,

I try to create an event handler script regarding the document found there

https://assets.nagios.com/downloads/nag ... h-NRPE.pdf

On OEl5-6/RHEL5-6 systems i am reach the point until i can test the handler working from the server side.

On OEL7/RHEL7 systems i become

NRPE: Unable to read output

message.

The weird thing, that if i try to run the configured script from nrpe.cfg, then it is working well.

nagios@ ..../libexec]$ cat ../etc/nrpe.cfg | grep service_restart
command[service_restart]=/bin/sudo /bin/systemctl restart $ARG1$

running with nagios user:

/bin/sudo /bin/systemctl restart ntpd; date; /bin/sudo /bin/systemctl status ntpd
Mon Feb 19 09:48:33 CET 2018
● ntpd.service - Network Time Service
Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2018-02-19 09:48:33 CET; 27ms ago
...

Is there any solution for that problem?

Best regards,

Ferenc

[Francesco]

SELINUX is active?

Code: Select all

# egrep -v '^[[:space:]]*(#|$)'  /etc/selinux/config

# getenforce

If yes, and you can not disable it, please write an HOWTO because I also have to configure NRPE+sudo+SELINUX too


https://bugzilla.redhat.com/show_bug.cgi?id=1201054

[tgriep]

Thanks@ Francesco for the tip. That is one possible cause of the issue.

Another thing to look at is the dont_blame_nrpe settings in the nrpe.cfg file.
Make sure it is set to 1 so the NRPE agent will receive the argument and process it.
Also, the Agent has to be compiled with that enabled as well.

You may need to add an entry in the /etc/sudoers file like the following example so the nagios user can run the command through the NREP Agent.

Code: Select all

nagios ALL=NOPASSWD: /bin/systemctl

[junkertf]

Hello,

sadly all answer is negative....

Code: Select all

[root@oel7t ~]# getenforce
Disabled
[root@oel7t ~]# egrep -v '^[[:space:]]*(#|$)'  /etc/selinux/config
SELINUX=disabled
SELINUXTYPE=targeted

and

Code: Select all

[root@rhel7 nagios]# egrep -v '^[[:space:]]*(#|$)'  /etc/selinux/config
SELINUX=disabled
SELINUXTYPE=targeted
[root@rhel7 nagios]# getenforce
Disabled

also

Code: Select all

[root@oel7t ~]#  grep ^nagios /etc/sudoers
nagios ALL=NOPASSWD: ALL
[root@oel7t ~]# grep ^dont_blame /usr/local/nagios/etc/nrpe.cfg
dont_blame_nrpe=1

[root@rhel7 nagios]# grep ^nagios /etc/sudoers
nagios ALL=(ALL)        NOPASSWD: ALL
[root@rhel7 nagios]# grep ^dont_blame /usr/local/nagios/etc/nrpe.cfg
dont_blame_nrpe=1

BTW, i had other check as well with command line argument passing, working all well on these hosts!


Best regards,

Ferenc

[tgriep]

I was able to simulate the message on a Centos7 system running NRPE version 3.2.1.
When I enabled debugging, I found this error when running the command.

nrpe[57400]: WARNING: my_system() seteuid(0): Operation not permitted

The NRPE agent runs as the Nagios user account and when trying to run the systemctl command which needs root privileges, it generated that error but the command did run and restart the service.
It may be a bug and more research has to be done but can you verify that the service is restarted when the command it run?

[junkertf]

for sure i can confirm...

Code: Select all

[nagios@rhel7 ~]$ date; sleep 5; sudo service ntpd restart; date; sudo service ntpd status
Wed Feb 21 06:03:03 CET 2018
Redirecting to /bin/systemctl restart ntpd.service
Wed Feb 21 06:03:08 CET 2018
Redirecting to /bin/systemctl status ntpd.service
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-02-21 06:03:08 CET; 49ms ago
  Process: 3660 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 3661 (ntpd)
   CGroup: /system.slice/ntpd.service
           └─3661 /usr/sbin/ntpd -u ntp:ntp -u ntp:ntp -p /var/run/ntpd.pid -g

Feb 21 06:03:08 myhuslhqbprhel7.hu.money.ge.com ntpd[3661]: proto: precision = 0.045 usec

same on oel7 platform:

Code: Select all

[nagios@oel7t ~]$ date; sleep 5; sudo service ntpd restart; date; sudo service ntpd status
Wed Feb 21 06:05:37 CET 2018
Redirecting to /bin/systemctl restart ntpd.service
Wed Feb 21 06:05:42 CET 2018
Redirecting to /bin/systemctl status ntpd.service
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-02-21 06:05:42 CET; 50ms ago
  Process: 20292 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 20293 (ntpd)
   CGroup: /system.slice/ntpd.service
           └─20293 /usr/sbin/ntpd -u ntp:ntp -u ntp:ntp -p /var/run/ntpd.pid

Feb 21 06:05:42 myhuslhqbpoel7t.hu.money.ge.com ntpd[20293]: proto: precision = 0.049 usec

thanks!

Ferenc

[tgriep]

Ok, that is good to know that the nagios user can restart the services.

What we figured out is that the when the systemctl command restarts a service, it does not output anything at all and the NRPE agent thinks that it is bad output and generates that message.

To fix that, add the following to the end of the command

Code: Select all

&& echo "Restarting" $ARG1$

so it looks like this

Code: Select all

command[service_restart]=/bin/sudo /bin/systemctl restart $ARG1$ && echo "Restarting" $ARG1$

Save and restart NRPE.

Then when the command runs successfully, it will output Restarting and the name of the service.

If it fails, it will output "NRPE: Unable to read output"
Let us know if this works for you.

[junkertf]

Hello,

Thanks for the solution tgriep, again...!

I must work on the install script to will be fine grained to the OS version and use only systemctl from sudo, BUT it's work like a charm...


Best regards,

Ferenc

[tgriep]

Your very welcome. If you don't have any related questions, shall we close and lock up the post for you?

[junkertf]

No more question in that thread, can be closed as solved!

Best regards,

Ferenc