One person suggested my openssl version might be too new (0.9.8). I just
removed it and installed 0.9.7i, an old enough version to be safe and one
that I know another user has in a working configuration. After compiling
it, I then recompiled NRPE against it and copied the files in place. It
still fails with the same error.
/var/log/system.log shows:
Mar 19 10:45:17 seth xinetd[26057]: Started working: 1 available service
Mar 19 10:45:25 seth nrpe[26064]: Error: NRPE daemon cannot be run as user/group root!
I had it set to run as nobody:nobody, but that wasn't working. I even
tried setting it to run as daemon:wheel, but got the same results. Finally, I
created a nagios user and configured /etc/xinetd.d/nrpe to run as
nagios:nagios and updated /etc/nagios/nrpe.cfg to use the same. However,
all remote tests still result in the following:
From the server:
[nag...@nagios ~]$ /usr/local/nagios/libexec/check_nrpe -H seth
CHECK_NRPE: Error - Could not complete SSL handshake.
From the client:
Mar 19 10:45:17 seth xinetd[26057]: Started working: 1 available service
Mar 19 10:45:25 seth nrpe[26064]: Error: NRPE daemon cannot be run as user/group root!
Scouring Google shows that the "cannot be run as ... root" error is in
the nrpe.c code. What I can't figure out is why it's trying to run as
root instead of the configured user...
Anyone running NRPE with xinetd for Macs? I'm frustrated enough that I
almost just want to use check_by_ssh, but I'd prefer to get this working
and keep things consistent (i.e., with NRPE). My /etc/nagios/nrpe.cfg and
/etc/xinetd.d/nrpe are below:
seth:/etc/xinetd.d root# pwd
/etc/xinetd.d
seth:/etc/xinetd.d root# cat nrpe
# /etc/xinetd.d/nrpe
# description: NRPE
# default: on
service nrpe
{
flags = REUSE
socket_type = stream
port = 5666
wait = no
user = nagios
group = nagios
server = /usr/local/sbin/nrpe
server_args = -c /etc/nagios/nrpe.cfg --inetd
log_on_failure += USERID
disable = no
only_from = 127.0.0.1 10.1.1.170
}
---------------------------
seth:/etc/nagios root# pwd
/etc/nagios
seth:/etc/nagios root# cat nrpe.cfg
#############################################################################
# Sample NRPE Config File
# Written by: Ethan Galstad (nag...@nagios.org)
#
# Last Modified: 11-23-2007
#
# NOTES:
# This is a sample configuration file for the NRPE daemon. It needs to be
# located on the remote host that is running the NRPE daemon, not the host
# from which the check_nrpe client is being executed.
#############################################################################

# LOG FACILITY
# The syslog facility that should be used for logging purposes.
log_facility=daemon

# PID FILE
# The name of the file in which the NRPE daemon should write its process ID
# number. The file is only written if the NRPE daemon is started by the root
# user and is running in standalone mode.
pid_file=/var/run/nrpe.pid

# PORT NUMBER
# Port number we should wait for connections on.
# NOTE: This must be a non-privileged port (i.e. > 1024).
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
server_port=5666

# SERVER ADDRESS
# Address that nrpe should bind to in case there are more than one interface
# and you do not want nrpe to bind on all interfaces.
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
#server_address=127.0.0.1

# NRPE USER
# This determines the effective user that the NRPE daemon should run as.
# You can either supply a username or a UID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
nrpe_user=nagios

# NRPE GROUP
# This determines the effective group that the NRPE daemon should run as.
# You can either supply a group name or a GID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
nrpe_group=nagios

# ALLOWED HOST ADDRESSES
# This is an optional comma-delimited list of IP address or hostnames
# that are allowed to talk to the NRPE daemon.
#
# Note: The daemon only does rudimentary checking of the client's IP
# address. I would highly recommend adding entries in your /etc/hosts.allow
# file to allow only the specified host to connect to the port
# you are running this daemon on.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
allowed_hosts=127.0.0.1

# COMMAND ARGUMENT PROCESSING
# This option determines whether or not the NRPE daemon will allow clients
# to specify arguments to commands that are executed. This option only works
# if the daemon was configured with the --enable-command-args configure script
# option.
#
# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
# Read the SECURITY file for information on some of the security implications
# of enabling this variable.
#
# Values: 0=do not allow arguments, 1=allow command arguments
dont_blame_nrpe=0

# COMMAND PREFIX
# This option allows you to prefix all commands with a user-defined string.
# A space is automatically added between the specified prefix string and the
# command line from the command definition.
#
# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! ***
# Usage scenario:
# Execute restricted commands using sudo. For this to work, you need to add
# the nagios user to your /etc/sudoers. An example entry for allowing
# execution of the plugins from might be:
#
# nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/
#
# This lets the nagios user run all commands in that directory (and only them)
# without asking for a password. If you do this, make sure you don't give
# random users write access to that directory or its contents!
# command_prefix=/usr/bin/sudo

# DEBUGGING OPTION
# This option determines whether or not debugging messages are logged to the
# syslog facility.
# Values: 0=debugging off, 1=debugging on
debug=0

# COMMAND TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
# allow plugins to finish executing before killing them off.
command_timeout=60

# CONNECTION TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
# wait for a connection to be established before exiting. This is sometimes
# seen where a network problem stops the SSL being established even though
# all network sessions are connected. This causes the nrpe daemons to
# accumulate, eating system resources. Do not set this too low.
connection_timeout=300

# WEAK RANDOM SEED OPTION
# This directive allows you to use SSL even if your system does not have
# a /dev/random or /dev/urandom (on purpose or because the necessary patches
# were not applied). The random number generator will be seeded from a file
# which is either a file pointed to by the environment variable $RANDFILE
# or $HOME/.rnd. If neither exists, the pseudo random number generator will
# be initialized and a warning will be issued.
# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness
#allow_weak_random_seed=1

# INCLUDE CONFIG FILE
# This directive allows you to include definitions from an external config file.
#include=<somefile.cfg>

# INCLUDE CONFIG DIRECTORY
# This directive allows you to include definitions from config files (with a
# .cfg extension) in one or more directories (with recursion).
#include_dir=<somedirectory>
#include_dir=<someotherdirectory>

# COMMAND DEFINITIONS
# Command definitions that this daemon will run. Definitions
# are in the following format:
#
# command[<command_name>]=<command_line>
#
# When the daemon receives a request to return the results of <command_name>
# it will execute the command specified by the <command_line> argument.
#
# Unlike Nagios, the command line cannot contain macros - it must be
# typed exactly as it should be executed.
#
# Note: Any plugins that are used in the command lines must reside
# on the machine that this daemon is running on! The examples below
# assume that you have plugins installed in a /usr/local/nagios/libexec
# directory. Also note that you will have to modify the definitions below
# to match the argument format the plugins expect. Remember, these are
# examples only!

# The following examples use hardcoded command arguments...
command[check_disks]=/usr/local/nagios/libexec/check_disk -m -e -w 10% -c 5%
command[check_load]=/usr/local/nagios/libexec/check_load -r -w 5.0 -c 10.0
command[check_memory]=/usr/local/nagios/libexec/check_memory.pl -w 10% -c 5%
command[check_swap]=/usr/local/nagios/libexec/check_swap -a -w 50% -c 20%
command[check_ntp]=/usr/local/nagios/libexec/check_ntp_time -H 10.1.1.14 -w 1.0 -c 1.5
command[check_zombie_procs]=/usr/local/nagios/libexec/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 150 -c 200
command[check_users]=/usr/local/nagios/libexec/check_users -w 25 -c 50
A. Davis
Email: ncc...@gmail.com
"There is no limit to what a man can accomplish
if he doesn't care who gets the credit." - Ronald Reagan
Andrew Davis wrote:
My /etc/xinetd.d/nrpe is below:
# /etc/xinetd.d/nrpe
# description: NRPE
# default: on
service nrpe
{
flags = REUSE
socket_type = stream
port = 5666
wait = no
# user = nobody
user = daemon
# group = nobody
group = wheel
server = /usr/local/sbin/nrpe
server_args = -c /etc/nagios/nrpe.cfg --inetd
log_on_failure += USERID
disable = no
only_from = 127.0.0.1 10.1.1.170
}
Originally, it was set to nobody:nobody. As a test, I set it to
daemon:wheel. In all cases, it gives the "cannot run as root" error. I
guess I can try making a Nagios user & group and testing with that.
A. Davis
Email: ncc...@gmail.com
Allan Clark wrote:
Reply is bottom-posted.
On Wed, Mar 18, 2009 at 16:57, Andrew Davis <ncc...@gmail.com> wrote:
If I'm reading this correctly, the line about "NRPE daemon cannot
be run as user/group root!" is directly from the source code of
NRPE. It's not an xinetd thing. I've confirmed that xinetd is
running and listening on port 5666. I tried changing the
owner/group from nobody:nobody to another unprivileged user, but
it didn't work. Same results. It appears that despite my
configuring the /etc/nagios/nrpe.cfg and the /etc/xinetd.d/nrpe
files to use a user other than root, it still tries to start it
as the root user and thus when an incoming connection comes in,
it gives the "NRPE daemon cannot be run as user/group root!"
error. Any thoughts on how to rectify this? Since NRPE is working
fine on Linux, is this just a Mac OS X thing? Any help would be
immensely appreciated.
AD
Andrew Davis wrote:
FYI: /var/log/system.log on the client shows:
Mar 18 16:08:07 shu xinetd[29066]: START: nrpe pid=557 from=10.1.1.170
Mar 18 16:08:07 shu nrpe[557]: Error: NRPE daemon cannot be run as user/group root!
whether I do the default test (with SSL) or use the -n flag to
test w/o SSL. The odd thing is that the nrpe config in
/etc/xinetd.d is set to run as nobody:nobody and
/etc/nagios/nrpe.cfg is owned by nobody:nobody. Only
/usr/local/sbin/nrpe is owned by root (as it should be), but is
also set to 755 perms. I've compared to a Linux box I have with
NRPE and xinetd working properly and the permissions are identical.
I'm stumped...
Andrew Davis wrote:
I have two Mac OS X servers, one running 10.3, the other
running 10.4. Neither can be upgraded to 10.5 due to third
party s/w constraints. Both are PPC-based Xserves.
Trying to compile nrpe with:
./configure --sysconfdir=/etc/nagios --enable-ssl
Initially, I got the "cannot find ssl libraries" error:
~
checking for SSL headers... SSL headers found in /usr/local/ssl
checking for SSL libraries... configure: error: Cannot find ssl libraries
I downloaded the latest openssl and built it with:
./config --prefix=/usr/local shared --openssldir=/usr/local/openssl
make
make test
make install
I then had to edit ~/src/nrpe/configure and change the
reference from libssl.so to libssl.dylib
After that, nrpe compiled cleanly and I was able to move
~src/nrpe/src/nrpe to /usr/local/sbin and start xinetd up. I've
confirmed that port 5666 is open and xinetd is running:
/usr/local/src/nrpe-2.12/src root# ps waux|grep xinet|grep -v grep
root 29066 0.0 -0.0 27484 308 ?? Ss 3:53PM 0:00.02 /usr/sbin/xinetd -pidfile /var/run/xinetd.pid -stayalive
/usr/local/src/nrpe-2.12/src root# netstat -an|grep 5666
tcp4 0 0 *.5666 *.* LISTEN
However, when connecting from the remote server, I get:
/usr/local/nagios/libexec/check_nrpe -H host.mydomain.org
CHECK_NRPE: Error - Could not complete SSL handshake.
The same test but w/o SSL yields:
[nag...@nephilim src]$ /usr/local/nagios/libexec/check_nrpe -n -H host.mydomain.org
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.
So two questions:
1) I'm a UNIX guy, but obviously Macs are A) different and B)
a tad different being BSD-based. So what's the proper way to
stop/restart the xinetd daemon?
2) Any thoughts on SSL handshake error? I've googled it, but
I'm not getting very far.
Anyone have a step-by-step for compiling nagios plugins and
NRPE from source on OS X 10.x (specifically 10.3 and 10.4)? I'm
using NRPE for all other internal hosts, so I prefer to use it
for the Macs too. I know I could do it via check_by_ssh and
get around this, but I prefer to use NRPE if I can.
--
On a Mac, your xinetd is a bolt-on over the launchd that's there by
default; you've obviously got it running. Since you're in
/etc/xinetd.d/<something>, you need to configure a different username
via xinetd's config. Look for a /etc/xinetd.d/nrpe file, or similar,
containing the config for your nrpe service. I tend to grep for the
port number in order to find the file. Remember to check /local/*
The time service has an example with juicy comments:
service time
{
# This is for quick on or off of the service
disable = yes
...
...
# External services must fill out the following
# user =
# group =
...
...
}
Take a look there, see if you can choose a better username and/or
group and if your port of xinetd honours it. I don't know if you
have a nrpe user, or run it as nobody.
A better option would be a proper launchd config, allowing you to
shutdown xinetd if you're installing it there for this purpose only,
but then it's a Mac-only thing, and would be more difficult to
maintain for non-Mac people.
Allan
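As an added example (not from this thread or from the NRPE project), a pre-flight check for the xinetd stanza: NRPE's inetd mode exits with the "cannot be run as user/group root!" message whenever its effective uid or effective gid is 0, so both the user and the group named in the stanza must resolve to non-zero ids (on Mac OS X the wheel group is gid 0). The stanza and the id table are constructed for the example, and the nagios ids in it are placeholders.

```python
import grp
import pwd
import re

# Constructed sample modelled on the stanza posted in the thread, with the
# daemon:wheel combination the poster tried.
SAMPLE_STANZA = """\
service nrpe
{
    user        = daemon
    group       = wheel
    server      = /usr/local/sbin/nrpe
    server_args = -c /etc/nagios/nrpe.cfg --inetd
}
"""

# Constructed id table standing in for a Mac OS X passwd/group database so the
# check runs offline; wheel really is gid 0 there, the nagios ids are placeholders.
MACOS_IDS = {
    "user":  {"root": 0, "daemon": 1, "nagios": 501},
    "group": {"wheel": 0, "daemon": 1, "nagios": 501},
}

def parse_stanza(text):
    """Return {attribute: value} for the 'attr = value' lines of one xinetd stanza."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*\+?=\s*(.*?)\s*$", line.split("#", 1)[0])
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def numeric_id(kind, name, ids=None):
    """Resolve a user/group name to a numeric id: the table first, then the live system."""
    if ids and name in ids[kind]:
        return ids[kind][name]
    try:
        return pwd.getpwnam(name).pw_uid if kind == "user" else grp.getgrnam(name).gr_gid
    except KeyError:
        return None  # unknown on this host

def nrpe_would_start(stanza, ids=None):
    """Mirror NRPE's inetd-mode test (effective uid and gid both non-zero); returns (ok, reason)."""
    attrs = parse_stanza(stanza)
    user, group = attrs.get("user"), attrs.get("group")
    if user is None or group is None:
        return False, "stanza must set both user and group"
    uid, gid = numeric_id("user", user, ids), numeric_id("group", group, ids)
    if uid is None or gid is None:
        return False, "unknown user/group %s:%s on this host" % (user, group)
    if uid == 0 or gid == 0:
        return False, "%s:%s is uid %d gid %d; NRPE refuses uid 0 or gid 0" % (user, group, uid, gid)
    return True, "%s:%s -> uid %d gid %d" % (user, group, uid, gid)
```

Run it against the real host by passing `ids=None`, which resolves the names through the local passwd and group databases instead of the constructed table.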
_______________________________________________
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null