include_dir function does not work RHEL7 #214

Open
nigemar opened this issue Sep 3, 2019 · 9 comments

nigemar commented Sep 3, 2019

Hi,
I am trying to configure nrpe to use the configuration files that we drop under include_dir configuration in the nrpe.cfg file.

I have found that on our RHEL7 boxes when we set this configuration as follows:

include_dir=/etc/nagios/nrpe.d

and add the following file:

nrpe_nifi_cluster.cfg

# puppet managed
command[check_nifi_cluster_query]=/usr/local/bin/nifi-cluster-query.sh

When Nagios runs the check, we get an error saying the command 'check_nifi_cluster_query' is not defined:

Running the code from nagios

/usr/lib64/nagios/plugins/check_nrpe -H nifi-03.local -p 5666 -t 30 -c check_nifi_cluster_query
NRPE: Command 'check_nifi_cluster_query' not defined

The nrpe versions information is as follows:

Name        : nrpe
Version     : 3.2.1
Release     : 8.el7
Architecture: x86_64
Install Date: Thu 08 Nov 2018 11:03:36 AEST
Group       : Applications/System
Size        : 364786
License     : GPLv2
Signature   : RSA/SHA256, Wed 17 Oct 2018 02:05:05 AEST, Key ID 6a2faea2352c64e5
Source RPM  : nrpe-3.2.1-8.el7.src.rpm
Build Date  : Wed 17 Oct 2018 01:52:50 AEST
Build Host  : buildvm-06.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://www.nagios.org
Bug URL     : https://bugz.fedoraproject.org/nrpe
Summary     : Host/service/network monitoring agent for Nagios
Description :
Nrpe is a system daemon that will execute various Nagios plugins
locally on behalf of a remote (monitoring) host that uses the
check_nrpe plugin.  Various plugins that can be executed by the
daemon are available at:
http://sourceforge.net/projects/nagiosplug

While we have the same configuration on RHEL 6 server:

/etc/nagios/nrpe.cfg

# Process the include last of all (this will override any check defined above)
include_dir=/etc/nagios/nrpe.d

File listing on RHEL 6

-rw-r--r--. 1 root root  493 May 15 18:15 vmware.cfg
-rw-r--r--. 1 root root  151 Jun  2 12:25 atm.cfg

atm.cfg

command[check_atm_logs]=/etc/nagios/plugins/check_atm_conns.py -l $ARG1$ -s $ARG2$ -n $ARG3$ -w $ARG4$ -c $ARG5$

Result:

OK: (lines: 2000) last connection from IP [xxx.xxx.xxx.xxxx] in subnet [public] at [2019-09-03 10:18:27]

Client server nrpe

Name        : nrpe                         Relocations: (not relocatable)
Version     : 3.2.1                             Vendor: Fedora Project
Release     : 6.el6                         Build Date: Wed 25 Jul 2018 08:59:08 AEST
Install Date: Wed 22 May 2019 16:05:29 AEST      Build Host: buildvm-32.phx2.fedoraproject.org
Group       : Applications/System           Source RPM: nrpe-3.2.1-6.el6.src.rpm
Size        : 366234                           License: GPLv2
Signature   : RSA/8, Wed 25 Jul 2018 09:01:50 AEST, Key ID 3b49df2a0608b895
Packager    : Fedora Project
URL         : http://www.nagios.org
Summary     : Host/service/network monitoring agent for Nagios
Description :
Nrpe is a system daemon that will execute various Nagios plugins
locally on behalf of a remote (monitoring) host that uses the
check_nrpe plugin.  Various plugins that can be executed by the
daemon are available at:
http://sourceforge.net/projects/nagiosplug

sawolf commented Sep 3, 2019

Can you show file permissions for the directory? ls -l -d /etc/nagios/nrpe.d

Are you able to find any messages in your log_file (defaults to /usr/local/nagios/var/nrpe.log)?


nigemar commented Sep 3, 2019

Sure,

Here is the permission set for the host that is failing to find the checks:

total 4
drwxr-xr-x. 2 root root 35 Sep  2 12:45 ./
drwxrwxr-x. 5 root root 68 Sep  2 15:04 ../
-rw-r--r--. 1 root root 89 Sep  2 12:19 nrpe_nifi_cluster.cfg

/etc/nagios/nrpe.d# ls -ld .
drwxr-xr-x. 2 root root 35 Sep  2 12:45 ./

Here is the SELinux contexts applied to the nrpe.cfg and the nrpe_nifi_cluster.cfg

/etc/nagios# ls -lZ /etc/nagios/nrpe.cfg  /etc/nagios/nrpe.d/nrpe_nifi_cluster.cfg
-rw-r--r--. root root system_u:object_r:nrpe_etc_t:s0  /etc/nagios/nrpe.cfg
-rw-r--r--. root root system_u:object_r:nrpe_etc_t:s0  /etc/nagios/nrpe.d/nrpe_nifi_cluster.cfg

Here is the boolean for nagios sudo

/etc/nagios# getsebool -a |grep -i nagios_run_sudo
nagios_run_sudo --> on

Looking at /var/log/messages, this is an SELinux issue:

2019-09-04T07:49:29.142982+10:00 enk-nifi-03 nrpe[12711]: Could not open config directory '/etc/nagios/nrpe.d' for reading.
2019-09-04T07:49:29.143497+10:00 enk-nifi-03 nrpe[12711]: Continuing with errors...
2019-09-04T07:49:29.147873+10:00 enk-nifi-03 nrpe[12711]: Starting up daemon
2019-09-04T07:49:29.150269+10:00 enk-nifi-03 nrpe[12711]: Server listening on 0.0.0.0 port 5666.
2019-09-04T07:49:29.150983+10:00 enk-nifi-03 nrpe[12711]: Warning: Daemon is configured to accept command arguments from clients!
2019-09-04T07:49:29.151522+10:00 enk-nifi-03 nrpe[12711]: Listening for connections on port 5666
2019-09-04T07:49:29.152076+10:00 enk-nifi-03 nrpe[12711]: Allowing connections from: xxx.xsx.xsx.xxx, xxx.xsx.xsx.xxx, xxx.xsx.xsx.xxx

Do you know what context needs to be set for this directory and contents?
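
Added example, not part of the original thread: the nrpe message above only says the directory could not be opened, while the SELinux audit log names the denied permission and the two types involved. The `summarize_avc` function and the audit lines below are constructed for illustration, including the `nrpe_t` source domain; they are not taken from the reporter's host.

```shell
#!/bin/sh
# Summarise SELinux AVC denials for one process name.
# Input: audit.log-style text on stdin (on a real host, e.g. the output
# of `ausearch -m AVC -ts recent`).
# Output: one line per distinct denial:
#   <perms> <source_type> <target_type> <tclass> <name>

summarize_avc() {
    # $1 = process name as logged in comm="..." (for example: nrpe)
    awk -v want="$1" '
    # Return the value of key=value on the current line, quotes stripped.
    function field(k,   i, v) {
        i = index(" " $0, " " k "=")
        if (i == 0) return "-"
        v = substr($0, i + length(k) + 1)
        sub(/ .*/, "", v)
        gsub(/"/, "", v)
        return v
    }
    # Extract the type from a user:role:type:level security context.
    function setype(ctx,   p) {
        split(ctx, p, ":")
        return p[3]
    }
    /avc: +denied/ {
        if (field("comm") != want) next
        # Permissions sit between the braces: denied  { read open }
        perms = $0
        sub(/.*denied +[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        gsub(/ /, ",", perms)
        key = perms " " setype(field("scontext")) " " \
              setype(field("tcontext")) " " field("tclass") " " field("name")
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Constructed sample: two identical nrpe denials and one unrelated process.
sample_audit_lines() {
    cat <<'EOF'
type=AVC msg=audit(1567547369.142:901): avc:  denied  { read } for  pid=12711 comm="nrpe" name="nrpe.d" dev="dm-0" ino=67150 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:nrpe_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1567547401.003:914): avc:  denied  { read } for  pid=12790 comm="nrpe" name="nrpe.d" dev="dm-0" ino=67150 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:nrpe_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1567547402.551:915): avc:  denied  { getattr } for  pid=2210 comm="sshd" name="motd" dev="dm-0" ino=9912 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

sample_audit_lines | summarize_avc nrpe
```

Comparing the target type in the summary with what `matchpathcon /etc/nagios/nrpe.d` reports shows whether the directory is mislabelled or the policy itself lacks the rule.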


nigemar commented Sep 3, 2019

I have tried setting the context to use both nrpe_etc_t and nagios_etc_t and both still give the same warning about not being able to read
Could not open config directory '/etc/nagios/nrpe.d' for reading.

Do you know what the correct context should be?


nigemar commented Sep 3, 2019

Turns out setting the module context to be: etc_t allows the SELinux to read this correctly.

I am guessing the nrpe_etc_t or nagios_etc_t is broken in terms of system access. Do I need to submit this to Red Hat or is this a policy you have developed?


sawolf commented Sep 4, 2019

Okay, that makes more sense. We don't maintain anything with regard to SELinux. If I remember correctly, this is part of a package distributed by Fedora/EPEL, so I'm not sure if you'd submit to Red Hat or somewhere else.


nigemar commented Sep 5, 2019

Then, I will raise a ticket with EPEL and then link it back to here and vice versa.

Thanks.


nigemar commented Sep 5, 2019


mhjacks commented Mar 9, 2020

We're working on updating the SELinux policy relative to nagios and NRPE in epel7; this issue should be fixed soon.

@jbeaujour

Hello,
It seems there is the same behaviour on RH8 and 4.0.2-2 and SELinux enabled
On RH7 4.0.3-6, it works fine but without SELinux
