Solaris 10: Running nrpe in a non-global zone

Justin Amburn Justin at marketlive.com
Thu Jul 9 22:58:52 CEST 2009


Found the problem. It was rather misleading, but the chown and chmod
values for nrpe.cfg were all wonky, with numeric uid/gids instead of
names/groups. I had to reset them to nagios:nagios and chmod 775 to get
it working.



The indication was logged in /var/adm/messages:

 

Jul  9 13:49:09 nrpe[15135]: [ID 301881 daemon.error] Unable to open config file '/usr/local/nagios/etc/nrpe.cfg' for reading
Jul  9 13:49:09 nrpe[15135]: [ID 576867 daemon.error] Config file '/usr/local/nagios/etc/nrpe.cfg' contained errors, aborting...

Thanks for the replies, much appreciated,

Justin

________________________________

From: Justin Amburn [mailto:Justin at marketlive.com] 
Sent: Thursday, July 09, 2009 11:03 AM
To: Nagios Developers List
Subject: Re: [Nagios-devel] Solaris 10: Running nrpe in a non-global
zone

 

Ok, I took out the tcpd wrapper and set tcp_wrappers to false, but same
issue! Here's my inetadm manifest in plaintext:

 

bash-3.00# inetadm -l svc:/network/nrpe/tcp:default
SCOPE    NAME=VALUE
         name="nrpe"
         endpoint_type="stream"
         proto="tcp"
         isrpc=FALSE
         wait=FALSE
         exec="/usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -i"
         arg0="/usr/local/nagios/bin/nrpe"
         user="nagios"
default  bind_addr=""
default  bind_fail_max=-1
default  bind_fail_interval=-1
default  max_con_rate=-1
default  max_copies=-1
default  con_rate_offline=-1
default  failrate_cnt=40
default  failrate_interval=60
default  inherit_env=TRUE
default  tcp_trace=FALSE
         tcp_wrappers=FALSE
default  connection_backlog=10

 

 

And here in xml format:

 

<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
    Service manifest for the nrpe service.

    Generated by inetconv(1M) from inetd.conf(4).
-->

<service_bundle type='manifest' name='inetconv:nrpe'>

<service
        name='network/nrpe/tcp'
        type='service'
        version='1'>

        <create_default_instance enabled='true'/>

        <restarter>
                <service_fmri value='svc:/network/inetd:default' />
        </restarter>

        <!--
            Set a timeout of 0 to signify to inetd that we don't want to
            timeout this service, since the forked process is the one that
            does the service's work. This is the case for most/all legacy
            inetd services; for services written to take advantage of SMF
            capabilities, the start method should fork off a process to
            handle the request and return a success code.
        -->
        <exec_method
                type='method'
                name='inetd_start'
                exec='/usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -i'
                timeout_seconds='0'>
                <method_context>
                        <method_credential user='nagios' group='other' />
                </method_context>
                <propval name='arg0' type='astring'
                    value='/usr/local/nagios/bin/nrpe' />
        </exec_method>

        <!--
            Use inetd's built-in kill support to disable services.
        -->
        <exec_method
                type='method'
                name='inetd_disable'
                exec=':kill'
                timeout_seconds='0'>
        </exec_method>

        <!--
            This property group is used to record information about
            how this manifest was created.  It is an implementation
            detail which should not be modified or deleted.
        -->
        <property_group name='inetconv' type='framework'>
                <propval name='converted' type='boolean' value='true' />
                <propval name='version' type='integer' value='1' />
                <propval name='source_line' type='astring' value=
'nrpe stream tcp nowait nagios /usr/local/nagios/bin/nrpe /usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -i'
                />
        </property_group>

        <property_group name='inetd' type='framework'>
                <propval name='name' type='astring' value='nrpe' />
                <propval name='endpoint_type' type='astring' value='stream' />
                <propval name='proto' type='astring' value='tcp' />
                <propval name='wait' type='boolean' value='false' />
                <propval name='isrpc' type='boolean' value='false' />
        </property_group>

        <stability value='External' />

        <template>
                <common_name>
                        <loctext xml:lang='C'>
nrpe
                        </loctext>
                </common_name>
        </template>
</service>

</service_bundle>

 

 

 

Is there something special that needs to go in the SMF def to explicitly
allow SSL?

Thanks!

Justin 

________________________________

From: Grant Byers [mailto:grant.byers at gmail.com] 
Sent: Wednesday, July 08, 2009 8:01 PM
To: Nagios Developers List
Subject: Re: [Nagios-devel] Solaris 10: Running nrpe in a non-global
zone

 

Your exec line is wrong. It should read:

         exec="/usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -i"
         arg0="/usr/local/nagios/bin/nrpe"

 

 

2009/7/9 Justin Amburn <Justin at marketlive.com>

Thanks for replies, guys!

 

 I can run nrpe in global zones under SMF. I can even get nrpe in the
non-global zones to run with the command:

/usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -i

root at vz3haadp01# /usr/local/nagios/libexec/check_nrpe -H localhost

NRPE v2.12

 

*BUT*, when I run it under SMF in the non-global zones I get the SSL
handshake error. In the global zone this works just fine. It's just the
non-global that is causing me a headache.

 

I've verified that the results from:

   inetadm -l svc:/network/nrpe/tcp:default
   the evil /etc/nsswitch.conf
   /etc/services
   crle
   ldd
   /var/svc/manifest/network/nrpe-tcp.xml

are the same between the global and the non-global.

 

See, my ldd shows no errors:

 

bash-3.00# ldd /usr/local/nagios/bin/nrpe
        libssl.so.0.9.7 =>       /usr/sfw/lib/libssl.so.0.9.7
        libcrypto.so.0.9.7 =>    /usr/sfw/lib/libcrypto.so.0.9.7
        libnsl.so.1 =>   /lib/libnsl.so.1
        libsocket.so.1 =>        /lib/libsocket.so.1
        libc.so.1 =>     /lib/libc.so.1
        libmp.so.2 =>    /lib/libmp.so.2
        libmd.so.1 =>    /lib/libmd.so.1
        libscf.so.1 =>   /lib/libscf.so.1
        libdoor.so.1 =>  /lib/libdoor.so.1
        libuutil.so.1 =>         /lib/libuutil.so.1
        libgen.so.1 =>   /lib/libgen.so.1
        libssl_extra.so.0.9.7 =>         /usr/sfw/lib/libssl_extra.so.0.9.7
        libcrypto_extra.so.0.9.7 =>      /usr/sfw/lib/libcrypto_extra.so.0.9.7
        libm.so.2 =>     /lib/libm.so.2

 

I've kept adding and adding to the crle file:

 

bash-3.00# crle

Configuration file [version 4]: /var/ld/ld.config
  Default Library Path (ELF):   /lib:/usr/lib:/usr/sfw/lib:/usr/local/lib
  Trusted Directories (ELF):    /lib/secure:/usr/lib/secure  (system default)

Command line:
  crle -c /var/ld/ld.config -l /lib:/usr/lib:/usr/sfw/lib:/usr/local/lib

 

BUT, since nrpe works in the non-global when not running under SMF, this
seems to be strictly an SMF issue.

 

Here's my manifest values for both the good and bad zones:

 

bash-3.00# inetadm -l svc:/network/nrpe/tcp:default
SCOPE    NAME=VALUE
         name="nrpe"
         endpoint_type="stream"
         proto="tcp"
         isrpc=FALSE
         wait=FALSE
         exec="/usr/sfw/sbin/tcpd -c /usr/local/nagios/etc/nrpe.cfg -i"
         arg0="/usr/local/nagios/bin/nrpe"
         user="nagios"
default  bind_addr=""
default  bind_fail_max=-1
default  bind_fail_interval=-1
default  max_con_rate=-1
default  max_copies=-1
default  con_rate_offline=-1
default  failrate_cnt=40
default  failrate_interval=60
default  inherit_env=TRUE
default  tcp_trace=FALSE
         tcp_wrappers=TRUE
default  connection_backlog=10

 

Also, in my /etc/nsswitch.conf all of the LDAP references have been
removed. Every attribute is 'files'.

 

I'm out of ideas here! Does anyone see anything that I may be missing in
the setup?

 

 

Thanks!

 

Justin Amburn

 

________________________________

From: Grant Byers [mailto:grant.byers at gmail.com] 
Sent: Monday, July 06, 2009 8:05 PM
To: Nagios Developers List
Subject: Re: [Nagios-devel] Solaris 10: Running nrpe in a non-global
zone

 

I'm running NRPE in non-global Solaris 10 zones. Either configure &
build with LDFLAGS="-R/usr/sfw/lib", or add /usr/sfw/lib to the runtime
linker search path. See crle(1).

 

Regards,

Grant

 

2009/7/7 Justin Amburn <Justin at marketlive.com>

Hi all,

Does anyone know what custom tweaks need to happen to get nrpe running
in non-global zones on a Solaris 10 box? It's working well in the global
zone, but I get the darned SSL handshake error inside the non-globals.
I'm guessing this is an environment var or LD link issue. Any ideas?

Thanks,

Justin Amburn


------------------------------------------------------------------------
------

_______________________________________________
Nagios-devel mailing list
Nagios-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-devel
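
Added example (not from the thread or the NRPE project): the fix reported in the top message was an nrpe.cfg whose owner and group showed as bare numbers and which the inetd-started nrpe could not open. The shell functions below go a step beyond that one file by also walking its parent directories: they flag an unmapped owner in an `ls -l` line and name the first path component whose mode bits deny a given uid/gid. The function names and the sample `ls -l` line are constructed; ACLs and supplementary groups are not considered.

```shell
#!/bin/sh
# Added example: diagnose "Unable to open config file" for a service account
# using only ls/cut/dirname (no GNU stat). Written for bash or a POSIX sh.

# unmapped_owner "LS_L_LINE" -> "yes" if the owner or group column of an
# `ls -l` line is a bare number, i.e. the id has no name in this zone.
unmapped_owner() {
    set -- $1
    case $3 in *[!0-9]*) ;; *) echo yes; return ;; esac
    case $4 in *[!0-9]*) echo no ;; *) echo yes ;; esac
}

# mode_char PATH UID GID POS -> the mode character that governs UID/GID.
# POS: 1 = read, 3 = execute/search. The owner class wins over group,
# and group wins over other, exactly as the kernel applies them.
mode_char() {
    p=$1; u=$2; g=$3; pos=$4
    set -- $(ls -ldn "$p")
    if   [ "$3" = "$u" ]; then off=1
    elif [ "$4" = "$g" ]; then off=4
    else off=7
    fi
    printf '%s\n' "$1" | cut -c$((off + pos))
}

# first_blocker FILE UID GID -> "none", or the topmost path that denies access.
# Checks read on the file, then search permission on every parent directory.
first_blocker() {
    f=$1; uid=$2; gid=$3; hit=
    [ "$uid" = 0 ] && { echo none; return; }   # root bypasses mode bits
    [ "$(mode_char "$f" "$uid" "$gid" 1)" = r ] || hit=$f
    d=$(dirname "$f")
    while :; do
        case $(mode_char "$d" "$uid" "$gid" 3) in x|s|t) ;; *) hit=$d ;; esac
        [ "$d" = / ] || [ "$d" = . ] && break
        d=$(dirname "$d")
    done
    echo "${hit:-none}"
}

# Constructed sample line: owner and group shown as numbers, as in the thread.
SAMPLE='-rwxrwxr-x 1 1001 1001 2048 Jul  9 13:40 nrpe.cfg'
unmapped_owner "$SAMPLE"
```

Pass the numeric uid and gid the service actually runs as; the manifest quoted above sets them with method_credential user='nagios' group='other'.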

 

