Nagios Support Forum

Hello. We are researching whether Nagios can support our infrastructure. The topology is... unique.

Imagine we have servers in 4 networks, A,B,C,D. Consider all of these networks to be private and no traffic routes between them, except for a few multi-homed servers. One server on network A has two network adapters, one in network A and the other in network B. One server in network B has an adapter in B and another in C, and so on. The only way from network A to reach a server on network D is by SSHing into a server on each network.

Now I know that Nagios supports the idea of 'parents', but this appears to be only to support the concept of reachability. It doesn't seem that Nagios agents will "pass the bucket" from one server to the next. It appears that the Nagios server still needs to be able to resolve an IP address itself. It doesn't make the request from the parent host.

A simple test bed consisting of 3 VMs in virtualbox will prove this:

VM1 - Nagios server
192.168.1.120 - Bridged to LAN

VM2 - Linux server
192.168.1.121 - Bridged to LAN
10.10.1.1 - Internal network "A"

VM3 - Linux server
10.10.1.2 - Internal network "A"
10.20.1.1 - Internal network "B"
...


In my hosts.cfg

define host {
use linux-server
host_name networkA_host
alias cent-1
address 192.168.1.121,10.10.1.1
}

define host {
use linux-server
host_name networkB_host
parents networkA_host
alias cent-2
address 10.10.1.2
}

Nagios reports that networkB_host is CRITICAL - network unreachable

One important fact here is that the Nagios server would *never* be able to resolve 10.10.1.2 directly. It would only be able to do that if it were on 10.10.1.1 already and making the request from there. I can talk from the Nagios server down to networkA_host, down to network_host using ssh hops. I can ping from each hop. It's not a firewall issue.

As goofy as it is, does Nagios support this?

Well, this could potentially be done in a roundabout way using SSH or one of our agents like NRPE but it would be a pain to manage.

Essentially, you would have to "encapsulate" the checks you want to run by having each server in the chain pass it along as yet another command. In your example it would be like saying:

VM1, tell VM2 to tell VM3 to run this command: check_ping -H 10.20.1.1

Basically a big game of telephone, except that computers are generally much better at relaying information than children in a classroom.

Honestly though, if there is some network-level solution that could handle this routing transparently that would be much easier to maintain and configure.

Thank you, tmcdonald! I think we will need to proceed with nested check_nrpe calls, as cumbersome as that will be. Hopefully nagios XI can ease our configuration pains, but this seems such an edge case it would not surprise me if XI cannot.

XI still relies on Core in the backend to handle all the checking, so yes it will need to rely on some sort of Core-compliant method. XI will definitely help with configuration though, since you can set something up once and get it working how you like, then just copy it to other hosts or servers as needed.

It would be interesting if Nagios Core could support a hosts.cfg declaration of something like 'proxy_parents'. This would behave like 'parents' but use them as a proxy. I suppose each plugin would need to know how to interpret this, as check_by_ssh would probably just use ProxyCommand with netcat, and nrpe would hook up intermediate check_nrpe calls to transport the request.

You can certainly put in a feature request for this, but adding that functionality into Core would be quite a major addition and not something I can imagine would be done any time soon.