NCPA upgrade without internet access?

[MonitorGuy]

Checking to see if there is a solution yet for deploying NCPA updates in an offline environment? (i.e. https://support.nagios.com/forum/viewto ... A+internet)

Working out the process for upgrading NCPA from 2.2.2 to 2.4.0

Can you please provide the reason for requiring internet access (and URL domain required to pull NCPA down at least) hopefully we can get approval to add to our proxy to allow access.

I couldn't find if the the NCPA agent can be pushed from the Nagios XI server, or if the monitored server only pulls down updates from the internet location?

Just trying to understand the process after reading through the KB, so I can better explain the needs to the account I'm supporting.
https://support.nagios.com/kb/article/a ... t-869.html

Thanks,

Craig

[ssax]

I'm looking into this and will post an update shortly.

[ssax]

If you look at this file:

Code: Select all

/usr/local/nagiosxi/html/config/deployment/roles/ncpa_install_linux/tasks/main.yml

You'll see the tasks in there download the latest version of NCPA from here on each deployment to make sure you're deploying the latest version:

Code: Select all

https://assets.nagios.com/downloads/

Which would be TCP 443.

Or are you talking about just upgrading the NCPA agent on the end systems through the package manager of the system?

[MonitorGuy]

Due to our monitored servers not having internet access, I'm checking to see if the Nagios XI server can push a stored NCPA agent version to Windows and Linux servers for deployment?

I looked at the main.yml file, but I'm not familiar with Ansible, my Linux SA doesn't believe the ROI is there to setup since we have about 100 servers, mostly Windows.

It would be nice to update NCPA agents at the push of a button, but unless there's a security reason to update, if it ain't broke, leave it.

Let me know if that's what you were referring to, or if there's another alternative to upgrading?

Thanks,

Craig

[ssax]

You could do it through SCCM/group policy/psexec/remote powershell/or some other config management solution but we don't currently have any guidance for those methods.

If your Windows systems are at least running Windows 10 (build 1809 and later), Windows Server 2019, or Windows 2022 it's pretty simple to install SSH on Windows now:

https://docs.microsoft.com/en-us/window ... l_firstuse

Given that you don't currently have a config management solution to manage your Windows systems for installing or upgrading software/etc and that Ansible is included with Nagios XI already for its own use, you may want to give a try if your security team will allow it so that you can handle operations for other tasks that you may want to do.

If you decide to give it a try on a system, see here:

https://www.nagios.com/solutions/ansible/

These videos will walk you through using Ansible on the XI system for NCPA:

https://support.nagios.com/kb/article/n ... l-819.html

[MonitorGuy]

Trying to get management to take a closer look at using Ansible, since it's Opensource, the only cost appears to be time unless we decide we need support.

Will take a little more work, but I think it will be worth it.

Thanks,

Craig

[ssax]

I think it would be too, only because you don't currently have anything, it's included, and is free.

Windows allowing SSH now from a MS package opens up a lot of opportunities for flexibility.

While we don't support developing Ansible playbooks, if you run these commands it should give you an example to play with that should transfer the file that has already been downloaded to the XI server to the remote system before running:
- NOTE: Do these outside of the XI codebase, don't put them under where the rest are as they will be reverted on an upgrade

Code: Select all

mkdir ncpa_install_win_offline
cd ncpa_install_win_offline
cat << EOF >> ansible.cfg
[defaults]
stdout_callback = json
host_key_checking = False

[paramiko_connection]
record_host_keys = False

[ssh_connection]
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null
EOF
cat << EOF > main.yml
--
- name: Create directory structure
  ansible.windows.win_file:
    path: C:\Temp2\
    state: directory

- name: Copy file in place
  ansible.windows.win_copy:
    src: ncpa-latest.exe
    dest: C:\Temp2\ncpa-latest.exe

- name: Install Latest NCPA Version
  win_package:
    path: C:\Temp2\ncpa-latest.exe
    product_id: '{732ae10d-f3f1-4946-85c3-0a2aee05e716}'
    arguments:
    - /S
    - /token='{{ ncpa_token }}'
EOF
cat << EOF > install_agent_win_offline.yml
---
- name: Install Agent (Windows)
  hosts: all
  remote_user: YOUR_WINDOWS_ADMIN_USERNAME

  vars:
    ncpa_token: 'YOUR_NCPA_TOKEN'
    ansible_ssh_pass: 'YOUR_WINDOWS_ADMIN_PASSWORD'
    ansible_connection: ssh
    ansible_shell_type: cmd

  roles:
    - role: main.yml
EOF

Then put your host's IP addresses in a file called "hosts" in that same directory.

Then download this and put it in that same directory:

https://assets.nagios.com/downloads/ncp ... latest.exe

Then change these in your install_agent_win_offline.yml file:

Code: Select all

YOUR_WINDOWS_ADMIN_USERNAME
YOUR_NCPA_TOKEN
YOUR_WINDOWS_ADMIN_PASSWORD

Then run the task:

Code: Select all

ansible-playbook install_agent_win_offline.yml -i hosts