Re: Nagios & Jail
On Tue, 6 Jan 2009, Albert Shih wrote: Le 06/01/2009 à 15:06:37+, Bjoern A. Zeeb a écrit On Tue, 6 Jan 2009, Albert Shih wrote: In fact I found the problem : When I compile nagios-plugin ports in a jail the «configure» don't find syntax of ping : checking for ping... /sbin/ping checking for ping6... /sbin/ping6 checking for ICMP ping syntax... configure: WARNING: unable to find usable ping syntax But if I compile the same ports in a «normal» server (both are amd64). checking for ping... /sbin/ping checking for ping6... /sbin/ping6 checking for ICMP ping syntax... /sbin/ping -n -c %d %s checking for ICMPv6 ping syntax... /sbin/ping6 -n -c %d %s So if I use the check_ping produce by compiling in a no-jail server on a jail-server it's working. I think it's a bug about the nagios-plugins ports. What you think ? I think most of all configure stuff out there is ... ok, if you compile the port inside a jail and permit raw sockets, does it work then -- either by using the rc.conf option and restarting the jail with rc.d/jail or using sysctl security.jail.allow_raw_sockets=1 ? You mean I MUST restart the jail after I change the sysctl value ? Because after I change it, I can make a ping from inside the jail without restarting the jail. Well I'm going to make a new jail to check that (all other jail is in production). No, if you manually change the sysctl it's all fine and production immediately. If you change the option .. wait; my fault, raw sockets is not supported by the rc framework in contrast to other things, so there is no option there. I confused this with jail_socket_unixiproute_only in which case just changing it in rc.conf would not be sufficient. /bz -- Bjoern A. Zeeb The greatest risk is not taking one.___ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: Nagios & Jail
Le 06/01/2009 à 15:06:37+, Bjoern A. Zeeb a écrit > On Tue, 6 Jan 2009, Albert Shih wrote: > > > In fact I found the problem : > > > > When I compile nagios-plugin ports in a jail the «configure» don't find > > syntax of ping : > > > > checking for ping... /sbin/ping > > checking for ping6... /sbin/ping6 > > checking for ICMP ping syntax... configure: WARNING: unable to find usable > > ping syntax > > > > But if I compile the same ports in a «normal» server (both are amd64). > > > > checking for ping... /sbin/ping > > checking for ping6... /sbin/ping6 > > checking for ICMP ping syntax... /sbin/ping -n -c %d %s > > checking for ICMPv6 ping syntax... /sbin/ping6 -n -c %d %s > > > > So if I use the check_ping produce by compiling in a no-jail server on a > > jail-server it's working. > > > > I think it's a bug about the nagios-plugins ports. What you think ? > > I think most of all configure stuff out there is ... ok, if you > compile the port inside a jail and permit raw sockets, does it work > then -- > either by using the rc.conf option and restarting the jail with > rc.d/jail or using sysctl security.jail.allow_raw_sockets=1 ? You mean I MUST restart the jail after I change the sysctl value ? Because after I change it, I can make a ping from inside the jail without restarting the jail. Well I'm going to make a new jail to check that (all other jail is in production). > > It smells it tries to execute a ping command and that does not > succeed. Yes. I agree. Regards. -- Albert SHIH SIO batiment 15 Observatoire de Paris Meudon 5 Place Jules Janssen 92195 Meudon Cedex Heure local/Local time: Mar 6 jan 2009 17:02:12 CET ___ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: Nagios & Jail
On Tue, 6 Jan 2009, Albert Shih wrote: In fact I found the problem : When I compile nagios-plugin ports in a jail the «configure» don't find syntax of ping : checking for ping... /sbin/ping checking for ping6... /sbin/ping6 checking for ICMP ping syntax... configure: WARNING: unable to find usable ping syntax But if I compile the same ports in a «normal» server (both are amd64). checking for ping... /sbin/ping checking for ping6... /sbin/ping6 checking for ICMP ping syntax... /sbin/ping -n -c %d %s checking for ICMPv6 ping syntax... /sbin/ping6 -n -c %d %s So if I use the check_ping produce by compiling in a no-jail server on a jail-server it's working. I think it's a bug about the nagios-plugins ports. What you think ? I think most of all configure stuff out there is ... ok, if you compile the port inside a jail and permit raw sockets, does it work then -- either by using the rc.conf option and restarting the jail with rc.d/jail or using sysctl security.jail.allow_raw_sockets=1 ? It smells it tries to execute a ping command and that does not succeed. /bz -- Bjoern A. Zeeb The greatest risk is not taking one.___ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: Nagios & Jail
Le 18/12/2008 à 18:22:18+0100, Kurt Jaeger a écrit > Hi! > > > I've a problem with check_ping. > > > > [r...@]# /usr/local/libexec/nagios/check_ping -H some_host -w 3000.0,80% -c > > 5000.0,100% -p 5 > > CRITICAL - You need more args!!! > > Could not open pipe: > > > Anyone have succefully install a nagios server in a jail ? First : Happy new years. > > Yes, and I think it's not a problem with ICMP sockets, but with > the version of check_ping and what it's calling. > > Please try > > ./check_ping -v -v -v -H 212.71.195.58 -w 300.0,80% -c 500.0,100% -p 5 > > and tell us which version of ping it is calling. > Thanks for your answers. In fact I found the problem : When I compile nagios-plugin ports in a jail the «configure» don't find syntax of ping : checking for ping... /sbin/ping checking for ping6... /sbin/ping6 checking for ICMP ping syntax... configure: WARNING: unable to find usable ping syntax But if I compile the same ports in a «normal» server (both are amd64). checking for ping... /sbin/ping checking for ping6... /sbin/ping6 checking for ICMP ping syntax... /sbin/ping -n -c %d %s checking for ICMPv6 ping syntax... /sbin/ping6 -n -c %d %s So if I use the check_ping produce by compiling in a no-jail server on a jail-server it's working. I think it's a bug about the nagios-plugins ports. What you think ? In fact that's not very important because I'm going to use check_fping Thanks again for your answer. Regards. JAS -- Albert SHIH SIO batiment 15 Observatoire de Paris Meudon 5 Place Jules Janssen 92195 Meudon Cedex Téléphone : 01 45 07 76 26 Heure local/Local time: Mar 6 jan 2009 15:48:55 CET ___ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: Nagios & Jail
Hi! > I've a problem with check_ping. > > [r...@]# /usr/local/libexec/nagios/check_ping -H some_host -w 3000.0,80% -c > 5000.0,100% -p 5 > CRITICAL - You need more args!!! > Could not open pipe: > Anyone have succefully install a nagios server in a jail ? Yes, and I think it's not a problem with ICMP sockets, but with the version of check_ping and what it's calling. Please try ./check_ping -v -v -v -H 212.71.195.58 -w 300.0,80% -c 500.0,100% -p 5 and tell us which version of ping it is calling. -- p...@opsec.eu+49 171 310137212 years to go ! ___ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: Nagios & Jail
Andy Greenwood wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Albert Shih wrote: Hi all. I'm trying to install a nagios server in a jail. I've a problem with check_ping. only thing I see on mine is I have ipv6 disabled: (also, with_fping, with_netsnmp, with_mysql) all others disabled. -- Michael Scheidell, CTO Phone: 561-999-5000, x 1259 > *| *SECNAP Network Security Corporation * Certified SNORT Integrator * King of Spam Filters, SC Magazine 2008 * Information Security Award 2008, Info Security Products Guide * CRN Magazine Top 40 Emerging Security Vendors _ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/ _ ___ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: Nagios & Jail
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Albert Shih wrote: > Hi all. > > I'm trying to install a nagios server in a jail. > > I've a problem with check_ping. > > [r...@]# /usr/local/libexec/nagios/check_ping -H some_host -w 3000.0,80% -c 5000.0,100% -p 5 > CRITICAL - You need more args!!! > Could not open pipe: > > So I think it's become the «ping problem». So I put > > sysctl -w security.jail.allow_raw_sockets=1 > > in the host-jail-server. > > In the jail I can make a ping but the nagios check_ping don't work. > > Anyone have succefully install a nagios server in a jail ? > > Regards. I'm not exactly sure how I did it, but I remember having to change something from the defaults when I built the net-mgmt/nagios-plugins port because the check_ping command wasn't working right. I'd suggest going back and re-making that port to see if you get any error messages. I want to say that it wasn't finding the ping binary, but I don't think that's what it was. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAklKW8gACgkQEStKVA82Z+0C8ACfX5tAleQZJwkyd4/B6PCyieKj 98IAoKOKSYqguLuecO828//KN8eHWsv1 =CaW0 -END PGP SIGNATURE- ___ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: Nagios & Jail
What plugin versions are you running? Im running latest also. pkg_info | grep nagios Albert Shih wrote: Le 18/12/2008 à 05:46:18-0500, Michael Scheidell a écrit Try nagios 3.03. I think they will do the trick. I'm using nagios 3.06 ... and it's not working. -- Michael Scheidell, CTO Phone: 561-999-5000, x 1259 > *| *SECNAP Network Security Corporation * Certified SNORT Integrator * King of Spam Filters, SC Magazine 2008 * Information Security Award 2008, Info Security Products Guide * CRN Magazine Top 40 Emerging Security Vendors _ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/ _ ___ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: Nagios & Jail
Works here (tm). doublecheck these sysctl's: security.jail.socket_unixiproute_only: 1 security.jail.enforce_statfs: 2 security.jail.allow_raw_sockets: 1 Albert Shih wrote: Le 18/12/2008 à 05:46:18-0500, Michael Scheidell a écrit Try nagios 3.03. I think they will do the trick. I'm using nagios 3.06 ... and it's not working. Thanks for your answer. Regards. JAS -- Michael Scheidell, CTO Phone: 561-999-5000, x 1259 > *| *SECNAP Network Security Corporation * Certified SNORT Integrator * King of Spam Filters, SC Magazine 2008 * Information Security Award 2008, Info Security Products Guide * CRN Magazine Top 40 Emerging Security Vendors _ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/ _ ___ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: Nagios & Jail
Le 18/12/2008 à 05:46:18-0500, Michael Scheidell a écrit > Try nagios 3.03. > > I think they will do the trick. I'm using nagios 3.06 ... and it's not working. Thanks for your answer. Regards. JAS -- Albert SHIH SIO batiment 15 Observatoire de Paris Meudon 5 Place Jules Janssen 92195 Meudon Cedex Téléphone : 01 45 07 76 26 Heure local/Local time: Jeu 18 déc 2008 12:05:40 CET ___ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: Nagios & Jail
Try nagios 3.03. I think they will do the trick. Bjoern A. Zeeb wrote: On Wed, 17 Dec 2008, Albert Shih wrote: Hi, I'm trying to install a nagios server in a jail. -- Michael Scheidell, CTO Phone: 561-999-5000, x 1259 > *| *SECNAP Network Security Corporation * Certified SNORT Integrator * King of Spam Filters, SC Magazine 2008 * Information Security Award 2008, Info Security Products Guide * CRN Magazine Top 40 Emerging Security Vendors _ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/ _ ___ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: Nagios & Jail
On Thu, Dec 18, 2008 at 5:05 AM, Albert Shih wrote: > Hi all. > > I'm trying to install a nagios server in a jail. > > I've a problem with check_ping. > > [r...@]# /usr/local/libexec/nagios/check_ping -H some_host -w 3000.0,80% -c > 5000.0,100% -p 5 > CRITICAL - You need more args!!! > Could not open pipe: > > So I think it's become the «ping problem». So I put > >sysctl -w security.jail.allow_raw_sockets=1 > > in the host-jail-server. > > In the jail I can make a ping but the nagios check_ping don't work. > > Anyone have succefully install a nagios server in a jail ? > I have. I recall having the same problem w/ an older version of nagios. But the recent versions should work fine. I'm using -devel tho. > Regards. > -- > Albert SHIH > SIO batiment 15 > Observatoire de Paris Meudon > 5 Place Jules Janssen > 92195 Meudon Cedex > Téléphone : 01 45 07 76 26 > Heure local/Local time: > Mer 17 déc 2008 22:02:55 CET > ___ > freebsd-jail@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org" > -- cheers mars ___ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: Nagios & Jail
hmm we have it working, let me see how. Albert Shih wrote: Hi all. I'm trying to install a nagios server in a jail. -- Michael Scheidell, CTO Phone: 561-999-5000, x 1259 > *| *SECNAP Network Security Corporation * Certified SNORT Integrator * King of Spam Filters, SC Magazine 2008 * Information Security Award 2008, Info Security Products Guide * CRN Magazine Top 40 Emerging Security Vendors _ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/ _ ___ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: Nagios & Jail
On Wed, 17 Dec 2008, Albert Shih wrote: Hi, I'm trying to install a nagios server in a jail. I've a problem with check_ping. [r...@]# /usr/local/libexec/nagios/check_ping -H some_host -w 3000.0,80% -c 5000.0,100% -p 5 CRITICAL - You need more args!!! Could not open pipe: So I think it's become the «ping problem». So I put sysctl -w security.jail.allow_raw_sockets=1 in the host-jail-server. In the jail I can make a ping but the nagios check_ping don't work. Anyone have succefully install a nagios server in a jail ? so do you know what check_ping is trying to do? Does it give you an error message? Anything? /bz -- Bjoern A. Zeeb The greatest risk is not taking one.___ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Nagios & Jail
Hi all. I'm trying to install a nagios server in a jail. I've a problem with check_ping. [r...@]# /usr/local/libexec/nagios/check_ping -H some_host -w 3000.0,80% -c 5000.0,100% -p 5 CRITICAL - You need more args!!! Could not open pipe: So I think it's become the «ping problem». So I put sysctl -w security.jail.allow_raw_sockets=1 in the host-jail-server. In the jail I can make a ping but the nagios check_ping don't work. Anyone have succefully install a nagios server in a jail ? Regards. -- Albert SHIH SIO batiment 15 Observatoire de Paris Meudon 5 Place Jules Janssen 92195 Meudon Cedex Téléphone : 01 45 07 76 26 Heure local/Local time: Mer 17 déc 2008 22:02:55 CET ___ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"