NagiosXI NCPA deployment failing - FIXED

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
Post Reply
deby23456
Posts: 21
Joined: Tue Apr 11, 2023 1:44 pm

NagiosXI NCPA deployment failing - FIXED

Post by deby23456 »

Did some digging today. I'm not sure how this isn't being reported as a widespread problem.

When I would attempt to deploy the NCPA agent (first time, first use of the agent in our enterprise) from NagiosXI UI:

Configure -> Deploy Agent -> Auto Deployment -> Deploy Agent

It would fail, every time. An inspection of the RAW log for past auto deployments showed:

Code: Select all

    "hosts": {
                            "<snip>": {
                                "_ansible_no_log": false,
                                "action": "command",
                                "changed": true,
                                "cmd": "yum localinstall ncpa.rpm -y",
                                "delta": "0:00:01.286438",
                                "end": "2023-03-07 12:25:30.279795",
                                "failed": true,
                                "invocation": {
                                    "module_args": {
                                        "_raw_params": "yum localinstall ncpa.rpm -y",
                                        "_uses_shell": true,
                                        "argv": null,
                                        "chdir": "/tmp",
                                        "creates": null,
                                        "executable": null,
                                        "removes": null,
                                        "stdin": null,
                                        "stdin_add_newline": true,
                                        "strip_empty_ends": true,
                                        "warn": true
                                    }
                                },
                                "msg": "non-zero return code",
                                "rc": 1,
                                "start": "2023-03-07 12:25:28.993357",
                                "stderr": "\n\nPackage ncpa.rpm is not signed",
                                "stderr_lines": [
                                    "",
                                    "",
                                    "Package ncpa.rpm is not signed" 
So this shows that YUM failed to install the local rpm package from /tmp/ncpa.rpm because it did not pass GPG checks. (This checking is defined in /etc/yum.conf on the remote system with:

Code: Select all

    gpgcheck=1
    localpkg_gpgcheck=1
It appears that even as far back as NCPA 2.2.2 (el7 x86_64) the RPMs themselves were not GPG signed.

Code: Select all

    Name        : ncpa
    Version     : 2.2.2
    Release     : 1.el7
    Architecture: x86_64
    Install Date: (not installed)
    Group       : Network/Monitoring
    Size        : 30669459
    License     : Nagios Open Software License Version 1.3
    Signature   : (none)                  <------ This shows the RPM wasn't GPG signed
    Source RPM  : ncpa-2.2.2-1.el7.src.rpm
    Build Date  : Fri 19 Jun 2020 12:25:19 PM EDT
    Build Host  : centos7x64
    Relocations : /usr/local
    Vendor      : Nagios Enterprises, LLC
    URL         : https://www.nagios.org/ncpa/help.php
    Summary     : A cross-platform active and passive monitoring agent
    Description :
    The Nagios Cross-Platform Agent is used with Nagios XI and Nagios Core to run active
    and/or passive checks on any operating system. Installs with zero requirements using a
    bundled version of Python.
We are running NagioXI 5.9.1

So here's the funny thing. NagiosXI uses Ansible to deploy the agent.

The ansible role and task is found here on the NagiosXI server:
/usr/local/nagiosxi/html/config/deployment/roles/ncpa_install_linux/tasks/main.yml

If we inspect the defined tasks for the install process we find:

Code: Select all

    - name: Install NCPA (RedHat & CentOS)  
      shell: yum localinstall ncpa.rpm -y  
      args:    
         chdir: /tmp  
      when: ansible_os_family == "RedHat"
By installing the local RPM packge this way, if GPG checking is enabled in /etc/yum.conf, the installation will always fail since Nagios didn't GPG sign their package.

I will note that it is not a good idea, even remotely, to disable GPG checking for yum/rpm.

To get around this issue without having to generally disable GPG checking in my yum.conf, I re-wrote the installation task:

Code: Select all

    - name: Install NCPA (RedHat & CentOS)
      yum:
        conf_file: /etc/yum.conf
        name: /tmp/ncpa.rpm
        state: present
        disable_gpg_check: true
      when: ansible_os_family == "RedHat"
This is the preferred syntax for Ansible. In the NCPA deployment raw log we find this message:

Code: Select all

    "warnings": ["Consider using the yum module rather than running 'yum'.  If you need to use command because yum is insufficient you can add 'warn: false' to this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message."]
After making this change, NCPA deployments using SSH user/pass auth type were successful.

I hope this helps and the root issues are addressed in later NagiosXI releases.

Thank you.

answer: Thanks for posting this workaround!
Post Reply