Stuck on NRPE for OS X Server

Andrew Davis nccomp at gmail.com
Thu Mar 19 20:40:52 CET 2009


Thanks much. FYI: I know for sure that xinetd was doing it as if I set
/etc/xinetd.d/nrpe to "disable=yes", then did a "kill -HUP
<xinetd_proc_id>", then a netstat -an|grep 5666, it wouldn't be listening
anymore. Further, /var/log/system.log showed one service removed for
xinetd. When I reversed this process, it was again listening on 5666 and
system.log showed one service added for xinetd.

That said, I gave up and just did check_by_ssh for these servers. The
plugins all built cleanly. Only NRPE had issues.

  A. Davis
  Email:     nccomp at gmail.com

  "There is no limit to what a man can accomplish
   if he doesn't care who gets the credit." - Ronald Reagan



Allan Clark wrote:
> On Thu, Mar 19, 2009 at 10:57, Andrew Davis <nccomp at gmail.com> wrote:
>
>     One person suggested my openssl version might be too new (0.9.8).
>     I just removed it and installed 0.9.7i, an old enough version to be
>     safe and one that I know another user has in a working
>     configuration. After compiling it, I then recompiled NRPE against
>     it and copied the files in place. It still fails with the same error.
>
>     /var/log/system.log shows:
>
>         Mar 19 10:45:17 seth xinetd[26057]: Started working: 1 available service
>         Mar 19 10:45:25 seth nrpe[26064]: Error: NRPE daemon cannot be run as user/group root!
>
>     I had it set to run as nobody:nobody, but that wasn’t working. I
>     even tried setting to run as daemon:wheel, but the same results.
>     Finally, I created a nagios user and configured /etc/xinetd.d/nrpe
>     to run as nagios:nagios and updated /etc/nagios/nrpe.cfg to use
>     the same. However, all remote tests still result in the following:
>
>     From the server:
>
>         [nagios@nagios ~]$ /usr/local/nagios/libexec/check_nrpe -H seth
>
>         CHECK_NRPE: Error - Could not complete SSL handshake.
>
>     From the client:
>
>         Mar 19 10:45:17 seth xinetd[26057]: Started working: 1 available service
>         Mar 19 10:45:25 seth nrpe[26064]: Error: NRPE daemon cannot be run as user/group root!
>
>     Scouring Google shows that the “cannot be run as ... root” error
>     is in the nrpe.c code. What I can’t figure out is why it's trying
>     to run as root instead of the configured user...
>
>     Anyone running NRPE with xinetd for Macs? I’m frustrated enough
>     that I almost just want to use check_by_ssh, but I’d prefer to get
>     this working and keep things consistent (ie: with NRPE). My
>     /etc/nagios/nrpe.cfg and /etc/xinetd.d/nrpe are below:
>
>         seth:/etc/xinetd.d root# pwd
>         /etc/xinetd.d
>         seth:/etc/xinetd.d root# cat nrpe
>         # /etc/xinetd.d/nrpe
>         # description: NRPE
>         # default: on
>         service nrpe
>         {
>         flags = REUSE
>         socket_type = stream
>         port = 5666
>         wait = no
>         user = nagios
>         group = nagios
>
>         server = /usr/local/sbin/nrpe
>         server_args = -c /etc/nagios/nrpe.cfg --inetd
>         log_on_failure += USERID
>         disable = no
>         only_from = 127.0.0.1 10.1.1.170
>         }
>
>
> Hi Andrew;
>
> I'm not convinced xinetd is running nrpe for you. As a simple test,
> try changing the port number from 5666 in /etc/xinetd.d/nrpe, but
> leave it as 5666 in nrpe.cfg, and see if you can connect on the old or
> new port -- just to ensure that the port is serviced as a hand-off
> from xinetd. (5666 or 5556?) Normally I'd confirm this with a "sudo
> netstat -pant" but I don't know the equivalent on MacOSX, so I'm
> suggesting quick molestation for proof, even though I see the "only
> 127.0.0.1" setting in nrpe.cfg.
>
> You might want to run xinetd with "-d" option for debugging spam; it
> also doesn't background the process, so run on a different terminal.
> Looking for confirmation that xinetd is changing user after
> accept()/fork().
>
> Allan
> -- 
> allanc at chickenandporn.com "金鱼"
> http://linkedin.com/in/goldfish
> please, no proprietary attachments (http://tinyurl.com/cbgq)
> Sent from: New York NY United States. 
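
Added example, not part of the original thread and not code from NRPE or xinetd: a small Python check that parses an xinetd service stanza like the one quoted above and reports when the server would start with uid or gid 0, the condition named by the "cannot be run as user/group root" message (for instance `daemon:wheel`, since `wheel` is gid 0 on OS X). The account tables, the numeric ids for `nagios`, and the function names are constructed for illustration, and the check assumes xinetd itself runs as root.

```python
import re

# Constructed account tables (assumption): user -> (uid, primary gid), group -> gid.
USERS = {"root": (0, 0), "daemon": (1, 1), "nagios": (501, 501)}
GROUPS = {"wheel": 0, "daemon": 1, "nagios": 501}

# Abridged copy of the stanza quoted in the thread (constructed sample input).
POSTED = """# /etc/xinetd.d/nrpe
service nrpe
{
    user = nagios
    group = nagios
    server = /usr/local/sbin/nrpe
    only_from = 127.0.0.1 10.1.1.170
}
"""

def parse_services(text):
    """Parse 'service NAME { attr = value }' blocks into {name: {attr: value}}."""
    body = "\n".join(l for l in text.splitlines() if not l.strip().startswith("#"))
    services = {}
    for name, block in re.findall(r"service\s+(\S+)\s*\{(.*?)\}", body, re.S):
        pairs = re.findall(r"^[ \t]*(\w+)[ \t]*(?:\+=|-=|=)[ \t]*(.*?)[ \t]*$", block, re.M)
        services[name] = dict(pairs)
    return services

def effective_ids(attrs, users=USERS, groups=GROUPS):
    """(uid, gid) the server would start with; None marks a name that does not resolve."""
    user, group = attrs.get("user"), attrs.get("group")
    # Assumption: xinetd itself runs as root, so a missing 'user' leaves the server at 0:0.
    uid, gid = (0, 0) if user is None else users.get(user, (None, None))
    if group is not None:
        gid = groups.get(group)  # an explicit 'group' overrides the user's primary gid
    return uid, gid

def audit(text):
    """Return (service, problem) pairs for stanzas that start the server with uid or gid 0."""
    findings = []
    for name, attrs in parse_services(text).items():
        uid, gid = effective_ids(attrs)
        if uid is None or gid is None:
            findings.append((name, "user or group name does not resolve"))
        elif uid == 0 or gid == 0:
            findings.append((name, f"server starts with uid={uid} gid={gid}"))
    return findings

if __name__ == "__main__":
    tried = POSTED.replace("user = nagios", "user = daemon").replace("group = nagios", "group = wheel")
    print(audit(POSTED), audit(tried))
```

To run it against a real host, replace the two tables with lookups from that system's account database.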