NagiosXI NCPA deployment failing - FIXED
Posted: Wed Apr 12, 2023 9:55 am
Did some digging today. I'm not sure how this isn't being reported as a widespread problem.
When I would attempt to deploy the NCPA agent (first time, first use of the agent in our enterprise) from NagiosXI UI:
Configure -> Deploy Agent -> Auto Deployment -> Deploy Agent
It would fail, every time. An inspection of the RAW log for past auto deployments showed:
So this shows that YUM failed to install the local rpm package from /tmp/ncpa.rpm because it did not pass GPG checks. (This checking is defined in /etc/yum.conf on the remote system with:
It appears that even as far back as NCPA 2.2.2 (el7 x86_64) the RPMs themselves were not GPG signed.
We are running NagioXI 5.9.1
So here's the funny thing. NagiosXI uses Ansible to deploy the agent.
The ansible role and task is found here on the NagiosXI server:
/usr/local/nagiosxi/html/config/deployment/roles/ncpa_install_linux/tasks/main.yml
If we inspect the defined tasks for the install process we find:
By installing the local RPM packge this way, if GPG checking is enabled in /etc/yum.conf, the installation will always fail since Nagios didn't GPG sign their package.
I will note that it is not a good idea, even remotely, to disable GPG checking for yum/rpm.
To get around this issue without having to generally disable GPG checking in my yum.conf, I re-wrote the installation task:
This is the preferred syntax for Ansible. In the NCPA deployment raw log we find this message:
After making this change, NCPA deployments using SSH user/pass auth type were successful.
I hope this helps and the root issues are addressed in later NagiosXI releases.
Thank you.
answer: Thanks for posting this workaround!
When I would attempt to deploy the NCPA agent (first time, first use of the agent in our enterprise) from NagiosXI UI:
Configure -> Deploy Agent -> Auto Deployment -> Deploy Agent
It would fail, every time. An inspection of the RAW log for past auto deployments showed:
Code: Select all
"hosts": {
"<snip>": {
"_ansible_no_log": false,
"action": "command",
"changed": true,
"cmd": "yum localinstall ncpa.rpm -y",
"delta": "0:00:01.286438",
"end": "2023-03-07 12:25:30.279795",
"failed": true,
"invocation": {
"module_args": {
"_raw_params": "yum localinstall ncpa.rpm -y",
"_uses_shell": true,
"argv": null,
"chdir": "/tmp",
"creates": null,
"executable": null,
"removes": null,
"stdin": null,
"stdin_add_newline": true,
"strip_empty_ends": true,
"warn": true
}
},
"msg": "non-zero return code",
"rc": 1,
"start": "2023-03-07 12:25:28.993357",
"stderr": "\n\nPackage ncpa.rpm is not signed",
"stderr_lines": [
"",
"",
"Package ncpa.rpm is not signed"
Code: Select all
gpgcheck=1
localpkg_gpgcheck=1
Code: Select all
Name : ncpa
Version : 2.2.2
Release : 1.el7
Architecture: x86_64
Install Date: (not installed)
Group : Network/Monitoring
Size : 30669459
License : Nagios Open Software License Version 1.3
Signature : (none) <------ This shows the RPM wasn't GPG signed
Source RPM : ncpa-2.2.2-1.el7.src.rpm
Build Date : Fri 19 Jun 2020 12:25:19 PM EDT
Build Host : centos7x64
Relocations : /usr/local
Vendor : Nagios Enterprises, LLC
URL : https://www.nagios.org/ncpa/help.php
Summary : A cross-platform active and passive monitoring agent
Description :
The Nagios Cross-Platform Agent is used with Nagios XI and Nagios Core to run active
and/or passive checks on any operating system. Installs with zero requirements using a
bundled version of Python.
So here's the funny thing. NagiosXI uses Ansible to deploy the agent.
The ansible role and task is found here on the NagiosXI server:
/usr/local/nagiosxi/html/config/deployment/roles/ncpa_install_linux/tasks/main.yml
If we inspect the defined tasks for the install process we find:
Code: Select all
- name: Install NCPA (RedHat & CentOS)
shell: yum localinstall ncpa.rpm -y
args:
chdir: /tmp
when: ansible_os_family == "RedHat"
I will note that it is not a good idea, even remotely, to disable GPG checking for yum/rpm.
To get around this issue without having to generally disable GPG checking in my yum.conf, I re-wrote the installation task:
Code: Select all
- name: Install NCPA (RedHat & CentOS)
yum:
conf_file: /etc/yum.conf
name: /tmp/ncpa.rpm
state: present
disable_gpg_check: true
when: ansible_os_family == "RedHat"
Code: Select all
"warnings": ["Consider using the yum module rather than running 'yum'. If you need to use command because yum is insufficient you can add 'warn: false' to this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message."]
I hope this helps and the root issues are addressed in later NagiosXI releases.
Thank you.
answer: Thanks for posting this workaround!