NRPE check parameters getting lost

Question

I'm running Shinken and have a pack which includes several commands that run bash scripts on the monitored host via NRPE. I have a check on the host which runs a bash script that takes 4 parameters. When it runs only 1 of the 4 parameters I pass in the commands.cfg makes it to the host for use by the script.

I've searched around a lot on this issue and haven't been able to find a solution. From what I've read most problems people report with passing parameters to NRPE stem from not having "dont_blame_nrpe" set properly or from not having nrpe compiled with support for parameters. This is not the case for my situation. dont_blame_nrpe is set to 1 and the module was compiled with parameter support. What's more, I have a check on the same host (set up within the same pack) that takes a single parameter and works just fine.

Here is my commands.cfg in the pack:

define command {
    command_name   check_nrpe
    command_line   $PLUGINSDIR$/check_nrpe -u -H $HOSTADDRESS$ -c $ARG1$ -a '$ARG2$ $ARG3$ $ARG4$ $ARG5$'
}

I've also tried the above with double quotes around the whole set of arguments and double quotes around each individual argument. I get the same result no matter what.

And the service definition:

define service{
    service_description check-worker-count
    use            generic-service
    register       0
    host_name      nrpe-pack
    check_command  check_nrpe!check-worker-count!worker-name!12!90!80
}

And the /etc/nrpe.d/check-worker-count.cfg on the host:

command[check-worker-count]=/usr/lib64/nagios/plugins/check_worker_count.sh -n $ARG1$ -p $ARG2$ -w $ARG3$ -c $ARG4$

I have the script on the host outputting $* at the very beginning and here is what it's getting:

-n worker-name -p -w -c

Compare to a run of the script locally with the parameters passed at the command line:

-n worker-name -p 12 -w 90 -c 80

I'm sure you've seen the warning several times, but it's important enough to point it out here: Permitting NRPE to pass arguments to the client (dont_blame_nrpe=1) is a huge security risk. Be very, very careful with this. — Gene, Aug 10 '15 at 18:54
Gene, thanks for the warning. I have been told this, but can't seem to find commentary on what the risks actually are. Be that as it may, our security team has already agreed to allowing this feature for the environment in which I'm working. — Degenerate DevOps, Aug 10 '15 at 18:58

score 2 · Accepted Answer · answered Aug 10 '15 at 20:05

2

Don't bother separating all of the -a ARGs into separate ARGs in the Nagios conf. You'll drive yourself crazy with the quotes. For simplicity, make your command_line something like:

$PLUGINSDIR$/check_nrpe -u -t 30 -H $HOSTADDRESS$ -c $ARG1$ -a $ARG2$

And then use it like this:

check_command  check_nrpe!check-worker-count!worker-name 12 90 80

At least, that's how you would do it in Nagios/Icinga. Should be the same for Shinken.

answered Aug 10 '15 at 20:05

Keith

4,627
14
25

This appears to have worked for me. One note: I did not have to change the .cfg on the host after making this change. It seems like the nrpe daemon on the host side split out that space-delimited string and applied it to the command correctly. – Degenerate DevOps Aug 10 '15 at 20:18

NRPE check parameters getting lost

1 Answers1