NEED HELP configuring NSCA with INETD

Paul L. Allen pla at softflare.com
Wed Jan 14 23:33:59 CET 2004


Michael Tucker writes: 

> Thanks! I already knew all the basic stuff you mentioned about memory  
> footprints, swapping, load/unload cycles, etc.

Sorry, I wasn't trying to be condescending there, but you asked the sort
of question that left me unable to determine just how much you know and
there are people who end up on lists like this because they get thrown
in at the deep end of being *nix admins. 

> I was wondering what concerns specific to Nagios / nsca / nrpe there
> might be.

I don't know of any specific concerns, just the general concerns that
affect all stand-alone daemons.  However, I have to say that daemons
like inetd have a longer history and undergo a lot more stress in
practice so are more likely to be free of problems.  That's not a slur
on nrpe and nsca - Ethan may well be a fantastic coder who avoided all
the pitfalls that others have fallen into in the past, but if he is
less than perfect (I sure am) then there is a chance that there are
heisenbugs lurking around.  My guess is that if there are bugs they're
not too serious or we'd have seen a lot of complaints by now. 

> You raised some good points, which I hadn't thought of, especially about
> memory leaks, crashing and restarting.

We run qmail here, with DJB's daemontools to supervise them, so I
understand some of the concerns about crashing and never coming back.
Then again, MySQL has similar, but more specialized, mechanisms which try
to ensure that if the server process dies for some unknown reason then it
gets restarted.  Daemons I've written usually restart themselves once a
day in case of memory leaks but don't do anything in the way of
phoenixing.  So if these are worries of yours - and I repeat that I have
seen nothing which leads me to worry about nsca and nrpe in this respect -
then inetd would be a better option. 

> I am mostly interested in running nsca under inetd so I can take  
> advantage of tcp wrappers. (Yeah, I know; it's a "lightweight" security  
> measure, but it's one more layer for the black hats to have to go  
> around.)

It was the limited security of nrpe that made me switch to check_by_ssh.
Because of reasons far too complex to detail here (I've given them before
on this list) our nagios machine is on the end of a cable modem and so
the IP address can change (typically every couple of months).  Since I
have no wish to go around editing hosts.allow on dozens of machines (or
get all the notification e-mails) every couple of months, I either had
to live with no security or switch to check_by_ssh.  And given that
tcp wrappers is only of minimal use these days anyway because of more
sophisticated attacks, I switched. 

> By the way, I've got nrpe working just fine under inetd (on Solaris 9,  
> FWIW). But not nsca. Go figure.

I got nrpe working under xinetd quite happily.  Never tried nsca.

> I guess I'll look into xinetd.

Ummmm, Solaris.  I have BAAAAAAD memories of Solaris when I had to look
after a Solaris box.  If Sun ever manage to learn about bash and similar
things that make Linux a joy to use compared to Solaris then I might
revise my opinion.  If you can install xinetd on Solaris easily, and
it comes with example configs (trying to figure out how to convert
inetd configs to xinetd configs without examples is a major pain) then
go for it.  Otherwise, inetd is almost certainly good enough. 

> My PHB is eager for me to deploy this,  

Tell me about it.  Mine loved Big Brother because the simple display
status was easy for him and our pointy-haired clients to understand.
Then I explained to him that with nagios our clients can use a web
interface to schedule downtime or disable checks when machines go down
whereas with BB a techy (usually me or my PHB on a good day) has to
edit config files.  And then I showed him the 2d status map (a real
PHB feature if ever there was one).  And then I showed him the 3d status
map...  Even without the ability for groups to do things to their own
servers, like schedule downtime, the two status maps are a real
selling point. 

> so I'll probably just go with what I've got for the time being,  
> since it is (nominally) working

Been there, done that, worn the T-shirt into rags.  My T-shirt full
of holes nominally clothes me... 

> (and nobody else seems to be able to figure out what's wrong, either).

I've had that experience too.  Sometimes, my PHB points out that with
Windows you can get a point-and-click monkey to install stuff and that
with *nix you need a highly-paid techy to figure out how to do things
and I'm tempted to agree with his thoughts of switching to Windoze.
But then I remember that one of the reasons we exist is that we can offer
solutions that Windows just cannot because if you want to do something
MS doesn't think you ought to be able to do then that's just tough.  But
after a few hours fighting something like that, I am tempted...  Really,
really tempted.  It shouldn't be that hard.  And until it isn't that hard,
there is little chance of *nix toppling Windoze in the desktop market. :( 

-- 
Paul Allen
Softflare Support 



_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users