4

I know this is a very common error where RTFM is usually the correct answer, but, I think I've covered all the obvious points.

NRPE is running as the user nagios

When I use sudo su - nagios to become the nagios user, and copy and paste in the command from /etc/nagios/nrpe.conf it works perfectly, generating output as expected.

When I turn on debugging, nothing is logged after the NRPE plugin loads (there are entries logged while the service is restarting).

What can be going on? Surely something should be logged in the debug logs? Is there a way to force more verbose logging (comments in config file suggest not).

SELinux is not logging any issues.

In the general the script is quite normal, with one exception, it shells out to a command using sudo. The nagios user has been granted passwordless access to the command being shelled out to, and that it working when I su to the nagios user.

Update: After re-configuring sudo so it does not insist on a tty, I have my check working successfully over SSH, returning the expected result. It still will not work over NRPE though.

Bart B
  • 3,419
  • 6
  • 30
  • 42
  • any chance nrpe isn't actually running as nagios user? – uSlackr May 23 '12 at 16:18
  • Is the exit code from the command correct, i.e., 0, 1, 2 or 3? – cjc May 23 '12 at 17:41
  • The nrpe config file is telling it to run as nagios, and ps -eaf verifies that it's obeying it's config. – Bart B May 24 '12 at 09:51
  • I can confirm that the exit codes returned are 0,1,2, or 3, and nothing else. – Bart B May 24 '12 at 09:51
  • I don't HAVE a solution! The fact that it now also works over SSH only makes it more perplexing that it won't work over nrpe! – Bart B May 24 '12 at 14:27
  • when debug=1 in nrpe.cfg, it should output to syslog for any remote request, make sure you are querying the right server with check_nrpe – Ruslan Kabalin Jun 12 '12 at 16:10
  • Please show us the your command definition in `nrpe.cfg`, `egrep 'tty|nagios' /etc/sudoers`? Did you used to run this as root user? – quanta Aug 02 '12 at 02:12

1 Answers1

1

The problem was SELinux which, on RHEL at least, stops the NRPE service doing pretty much anything.

The simplest solution is to turn off SELinux, but of course that is not ideal. The only other solution seems to be to write your own custom policy for NRPE, which is beyond my ability ATM.

Bart B
  • 3,419
  • 6
  • 30
  • 42