Stuck on NRPE for OS X Server
Andrew Davis
nccomp at gmail.com
Thu Mar 19 20:40:52 CET 2009
Thanks much. FYI: I know for sure that xinetd was doing it as if I set
/etc/xinetd.d/nrpe to "disable=yes", then did a "kill -HUP
<xinetd_proc_id>, then a netstat -an|grep 5666 it would be listening
anymore. Further, /var/log/system.log showed one service removed for
xinetd. When I reversed this process, it was again listening on 5666 and
system.log showed one service added for xinetd.
That said, I gave up and just did check_by_ssh for these servers. The
plugins all built cleanly. Only NRPE had issues.
A. Davis
Email: nccomp at gmail.com
"There is no limit to what a man can accomplish
if he doesn't care who gets the credit." - Ronald Reagan
Allan Clark wrote:
> On Thu, Mar 19, 2009 at 10:57, Andrew Davis <nccomp at gmail.com
> <mailto:nccomp at gmail.com>> wrote:
>
> One person suggested my openssl version might be too new (0.9.8).
> I just removed it and installed 0.9.7i, older enough version to be
> safe and one that I know another user has in a working
> configuration. After compiling it, I then recompiled NRPE against
> it and copied the files in place. It still fails with the same error.
>
> /var/log/system.log shows:
>
> Mar 19 10:45:17 seth xinetd[26057]: Started working: 1
> available service
> Mar 19 10:45:25 seth nrpe[26064]: Error: NRPE daemon cannot be
> run as user/group root!
>
> I had it set to run as nobody:nobody, but that wasn’t working. I
> even tried setting to run as daemon:wheel, but the same results.
> Finally, I created a nagios user and configured /etc/xinetd.d/nrpe
> to run as nagios:nagios and updated /etc/nagios/nrpe.cfg to use
> the same. However, all remote tests still result in the following:
>
> >From the server:
>
> [nagios at nagios ~]$ /usr/local/nagios/libexec/check_nrpe -H seth
>
> CHECK_NRPE: Error - Could not complete SSL handshake.
>
> >From the client:
>
> Mar 19 10:45:17 seth xinetd[26057]: Started working: 1
> available service
> Mar 19 10:45:25 seth nrpe[26064]: Error: NRPE daemon cannot be
> run as user/group root!
>
> Scouring Google shows that the “cannot be run as ... root” error
> is in the nrpe.c code. What I can’t figure out is why its trying
> to run as root instead of the configured user...
>
> Anyone running NRPE with xinetd for Mac’s? I’m frustrated enough
> that I almost just want to use check_by_ssh, but I’d prefer to get
> this working and keep things consistent (ie: with NRPE). My
> /etc/nagios/nrpe.cfg and /etc/xinetd.d/nrpe are below:
>
> seth:/etc/xinetd.d root# pwd
> /etc/xinetd.d
> seth:/etc/xinetd.d root# cat nrpe
> # /etc/xinetd.d/nrpe
> # description: NRPE
> # default: on
> service nrpe
> {
> flags = REUSE
> socket_type = stream
> port = 5666
> wait = no
> user = nagios
> group = nagios
>
> server = /usr/local/sbin/nrpe
> server_args = -c /etc/nagios/nrpe.cfg --inetd
> log_on_failure += USERID
> disable = no
> only_from = 127.0.0.1 10.1.1.170
> }
>
>
> Hi Andrew;
>
> I'm not convinced xinetd is running nrpe for you. As a simple test,
> try changing the port number from 5666 in /etc/xinetd.d/nrpe, but
> leave it as 5666 in nrpe.cfg, and see if you can connect on the old or
> new port -- just to ensure that the port is serviced as a hand-off
> from xinetd. (5666 or 5556?) Normally I'd confirm this with a "sudo
> netstat -pant" but I don't know the equivalent on MacOSX, so I'm
> suggesting quick molestation for proof, even though I see the "only
> 127.0.0.1" setting in nrpe.cfg.
>
> You might want to run xinetd with "-d" option for debugging spam; it
> also doesn't background the process, so run on a different terminal.
> Looking for confirmation that xinetd is changing user after
> accept()/fork().
>
> Allan
> --
> allanc at chickenandporn.com <mailto:allanc at chickenandporn.com> "金鱼"
> http://linkedin.com/in/goldfish
> please, no proprietary attachments (http://tinyurl.com/cbgq)
> Sent from: New York NY United States.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.monitoring-lists.org/archive/users/attachments/20090319/2a7d4017/attachment.html>
-------------- next part --------------
------------------------------------------------------------------------------
Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
easily build your RIAs with Flex Builder, the Eclipse(TM)based development
software that enables intelligent coding and step-through debugging.
Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
-------------- next part --------------
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
More information about the Users
mailing list