Solaris 10: Running nrpe in a non-global zone
Justin Amburn
Justin at marketlive.com
Thu Jul 9 20:03:11 CEST 2009
Ok, I took out the tcpd wrapper and set tcp_wrappers to false, but same
issue! Here's my inetadm manifest in plaintext:
bash-3.00# inetadm -l svc:/network/nrpe/tcp:default
SCOPE NAME=VALUE
name="nrpe"
endpoint_type="stream"
proto="tcp"
isrpc=FALSE
wait=FALSE
exec="/usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -i"
arg0="/usr/local/nagios/bin/nrpe"
user="nagios"
default bind_addr=""
default bind_fail_max=-1
default bind_fail_interval=-1
default max_con_rate=-1
default max_copies=-1
default con_rate_offline=-1
default failrate_cnt=40
default failrate_interval=60
default inherit_env=TRUE
default tcp_trace=FALSE
tcp_wrappers=FALSE
default connection_backlog=10
And here in xml format:
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
    Service manifest for the nrpe service.
    Generated by inetconv(1M) from inetd.conf(4).
-->
<service_bundle type='manifest' name='inetconv:nrpe'>
<service
    name='network/nrpe/tcp'
    type='service'
    version='1'>
    <create_default_instance enabled='true'/>
    <restarter>
        <service_fmri value='svc:/network/inetd:default' />
    </restarter>
    <!--
        Set a timeout of 0 to signify to inetd that we don't want to
        timeout this service, since the forked process is the one that
        does the service's work. This is the case for most/all legacy
        inetd services; for services written to take advantage of SMF
        capabilities, the start method should fork off a process to
        handle the request and return a success code.
    -->
    <exec_method
        type='method'
        name='inetd_start'
        exec='/usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -i'
        timeout_seconds='0'>
        <method_context>
            <method_credential user='nagios' group='other' />
        </method_context>
        <propval name='arg0' type='astring' value='/usr/local/nagios/bin/nrpe' />
    </exec_method>
    <!--
        Use inetd's built-in kill support to disable services.
    -->
    <exec_method
        type='method'
        name='inetd_disable'
        exec=':kill'
        timeout_seconds='0'>
    </exec_method>
    <!--
        This property group is used to record information about
        how this manifest was created. It is an implementation
        detail which should not be modified or deleted.
    -->
    <property_group name='inetconv' type='framework'>
        <propval name='converted' type='boolean' value='true' />
        <propval name='version' type='integer' value='1' />
        <propval name='source_line' type='astring' value='nrpe stream tcp nowait nagios /usr/local/nagios/bin/nrpe /usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -i' />
    </property_group>
    <property_group name='inetd' type='framework'>
        <propval name='name' type='astring' value='nrpe' />
        <propval name='endpoint_type' type='astring' value='stream' />
        <propval name='proto' type='astring' value='tcp' />
        <propval name='wait' type='boolean' value='false' />
        <propval name='isrpc' type='boolean' value='false' />
    </property_group>
    <stability value='External' />
    <template>
        <common_name>
            <loctext xml:lang='C'>
                nrpe
            </loctext>
        </common_name>
    </template>
</service>
</service_bundle>
Is there something special that needs to go in the SMF def to explicitly
allow SSL?
Thanks!
Justin
________________________________
From: Grant Byers [mailto:grant.byers at gmail.com]
Sent: Wednesday, July 08, 2009 8:01 PM
To: Nagios Developers List
Subject: Re: [Nagios-devel] Solaris 10: Running nrpe in a non-global zone
Your exec line is wrong. It should read ;
exec="/usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -i"
arg0="/usr/local/nagios/bin/nrpe"
2009/7/9 Justin Amburn <Justin at marketlive.com>
Thanks for replies, guys!
I can run nrpe in global zones under SMF. I can even get nrpe in the
non-global zones to run with the command:
/usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -i
root at vz3haadp01# /usr/local/nagios/libexec/check_nrpe -H localhost
NRPE v2.12
*BUT*, when I run it under SMF in the non-global zones I get the SSL
handshake error. In the global zone this works just fine. It's just the
non-global that is causing me a headache.
I've verified that the results from:
inetadm -l svc:/network/nrpe/tcp:default
the evil /etc/nsswitch.conf
/etc/services
crle
ldd
/var/svc/manifest/network/nrpe-tcp.xml
Are the same between the global and the non-global.
See, my ldd shows no errors:
bash-3.00# ldd /usr/local/nagios/bin/nrpe
libssl.so.0.9.7 => /usr/sfw/lib/libssl.so.0.9.7
libcrypto.so.0.9.7 => /usr/sfw/lib/libcrypto.so.0.9.7
libnsl.so.1 => /lib/libnsl.so.1
libsocket.so.1 => /lib/libsocket.so.1
libc.so.1 => /lib/libc.so.1
libmp.so.2 => /lib/libmp.so.2
libmd.so.1 => /lib/libmd.so.1
libscf.so.1 => /lib/libscf.so.1
libdoor.so.1 => /lib/libdoor.so.1
libuutil.so.1 => /lib/libuutil.so.1
libgen.so.1 => /lib/libgen.so.1
libssl_extra.so.0.9.7 => /usr/sfw/lib/libssl_extra.so.0.9.7
libcrypto_extra.so.0.9.7 => /usr/sfw/lib/libcrypto_extra.so.0.9.7
libm.so.2 => /lib/libm.so.2
I've kept adding and adding to the crle file:
bash-3.00# crle
Configuration file [version 4]: /var/ld/ld.config
Default Library Path (ELF):
/lib:/usr/lib:/usr/sfw/lib:/usr/local/lib
Trusted Directories (ELF): /lib/secure:/usr/lib/secure (system default)
Command line:
crle -c /var/ld/ld.config -l /lib:/usr/lib:/usr/sfw/lib:/usr/local/lib
BUT, since nrpe works in the non-global when not running under SMF, this
seems to be strictly an SMF issue.
Here's my manifest values for both the good and bad zones:
bash-3.00# inetadm -l svc:/network/nrpe/tcp:default
SCOPE NAME=VALUE
name="nrpe"
endpoint_type="stream"
proto="tcp"
isrpc=FALSE
wait=FALSE
exec="/usr/sfw/sbin/tcpd -c /usr/local/nagios/etc/nrpe.cfg -i"
arg0="/usr/local/nagios/bin/nrpe"
user="nagios"
default bind_addr=""
default bind_fail_max=-1
default bind_fail_interval=-1
default max_con_rate=-1
default max_copies=-1
default con_rate_offline=-1
default failrate_cnt=40
default failrate_interval=60
default inherit_env=TRUE
default tcp_trace=FALSE
tcp_wrappers=TRUE
default connection_backlog=10
Also, in my /etc/nsswitch.conf all of the LDAP references have been
removed. Every attribute is 'files'.
I'm out of ideas here! Does anyone see anything that I may be missing in
the setup?
Thanks!
Justin Amburn
________________________________
From: Grant Byers [mailto:grant.byers at gmail.com]
Sent: Monday, July 06, 2009 8:05 PM
To: Nagios Developers List
Subject: Re: [Nagios-devel] Solaris 10: Running nrpe in a non-global zone
I'm running NRPE in non-global Solaris 10 zones. Either configure &
build with LDFLAGS="-R/usr/sfw/lib", or add /usr/sfw/lib to the runtime
linker search path. See crle(1).
Regards,
Grant
2009/7/7 Justin Amburn <Justin at marketlive.com>
Hi all,
Does anyone know what custom tweaks need to happen to get nrpe running
in non-global zones on a Solaris 10 box? It's working good in the global
zone, but I get the darned SSL handshake error inside the non-globals.
I'm guessing this is an environment var or LD link issue. Any ideas?
Thanks,
Justin Amburn
------------------------------------------------------------------------------
_______________________________________________
Nagios-devel mailing list
Nagios-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-devel
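
Added example (not part of the original thread): a small lint over `inetadm -l` output that flags an exec line whose program differs from arg0, as in the earlier listing that Grant's reply corrects, and notes when the tcpd binary is launched while tcp_wrappers=TRUE is also set. The sample listings are trimmed from the thread; the function name check_inetadm and the finding labels are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: lint `inetadm -l` output for the
# exec/arg0 mismatch that Grant's reply corrects.

# Sample listings, trimmed from the two quoted in the thread.
BAD_LISTING='SCOPE    NAME=VALUE
         name="nrpe"
         exec="/usr/sfw/sbin/tcpd -c /usr/local/nagios/etc/nrpe.cfg -i"
         arg0="/usr/local/nagios/bin/nrpe"
default  inherit_env=TRUE
         tcp_wrappers=TRUE'

GOOD_LISTING='SCOPE    NAME=VALUE
         name="nrpe"
         exec="/usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -i"
         arg0="/usr/local/nagios/bin/nrpe"
default  inherit_env=TRUE
         tcp_wrappers=FALSE'

# check_inetadm (hypothetical name): reads a listing on stdin, prints one
# line per finding, returns 1 if anything was flagged and 0 otherwise.
check_inetadm() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)          # real output is indented
        sub(/^default[ \t]+/, "", line)   # drop the SCOPE column
        eq = index(line, "=")
        if (eq == 0) next
        val = substr(line, eq + 1)
        gsub(/^"|"$/, "", val)            # unquote string values
        prop[substr(line, 1, eq - 1)] = val
    }
    END {
        split(prop["exec"], argv, " ")    # argv[1] is the program inetd starts
        if (argv[1] != prop["arg0"]) {
            printf "exec-arg0-mismatch: exec runs %s, arg0 is %s\n", argv[1], prop["arg0"]
            bad = 1
        }
        if (argv[1] ~ /\/tcpd$/ && prop["tcp_wrappers"] == "TRUE") {
            print "tcpd-and-tcp_wrappers: tcpd binary in exec while tcp_wrappers=TRUE"
            bad = 1
        }
        exit bad + 0
    }'
}

printf '%s\n' "$BAD_LISTING" | check_inetadm || true
printf '%s\n' "$GOOD_LISTING" | check_inetadm && echo "corrected listing: clean"
```

On a live system, pipe the output of `inetadm -l svc:/network/nrpe/tcp:default` from each zone into the function instead of the sample strings.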