Installing NRPE 2.12 from source as a SMF managed service in Solaris 10
Installing NRPE on Solaris 10 involves just a bit more than your normal './configure && make && make install' routine. However, all the dependencies are likely present on a freshly installed system, you just have to tell NRPE where to find it. There's one file you need to patch, and then it will install. From there it's easy to plug into SMF!
First, let's make sure some directories are present, and create our Nagios user:
# mkdir /usr/local # groupadd nagios # useradd -m -c "nagios system user" -d /usr/local/nagios -g nagios -m nagios
Next, download and extract the source code to NRPE:
$ cd /tmp/ $ /usr/sfw/bin/wget http://superb-east.dl.sourceforge.net/sourceforge/nagios/nrpe-2.12.tar.gz $ gzip -dc nrpe-2.12.tar.gz | tar -xvf - $ cd nrpe-2.12
Now, we need to tell the configure script where to find the openssl libraries, and make sure that GCC is in our path:
$ PATH=$PATH:/usr/sfw/bin:/usr/ccs/bin ./configure --with-ssl=/usr/sfw/ --with-ssl-lib=/usr/sfw/lib/
That should run just fine. Before we build, we need to apply a quick fix to nrpe.c. If you don't do this, you'll get an error from make that says "nrpe.c:617: error: 'LOG_AUTHPRIV' undeclared (first use in this function)".
$ perl -pi -e 's/LOG_AUTHPRIV/LOG_AUTH/; s/LOG_FTP/LOG_DAEMON/' src/nrpe.c
Now, we should be okay to build it:
$ PATH=$PATH:/usr/sfw/bin:/usr/ccs/bin make
Then, install it as root:
# PATH=$PATH:/usr/sfw/bin:/usr/ccs/bin make install
Either copy the nrpe.cfg sample included in the source code, or drop your own into /usr/local/nagios/etc/nrpe.cfg. Now, stay logged in as root for the following, now we'll get NRPE setup to run under SMF.
First, we need to setup the service and present it to inetd:
echo "nrpe 5666/tcp # NRPE" >> /etc/services echo "nrpe stream tcp nowait nagios /usr/sfw/sbin/tcpd /usr/local/nagios/bin/nrpe \ -c /usr/local/nagios/etc/nrpe.cfg -i" >> /etc/inet/inetd.conf
Now, tell SMF to pull in the inetd config:
inetconv
At this point, the SMF service is available, but we want to use TCP wrappers so that only our Nagios server can talk to NRPE (substitute $NAGIOS_IP with the IP of your Nagios server):
inetadm -m svc:/network/nrpe/tcp:default tcp_wrappers=TRUE echo "nrpe: LOCAL, $NAGIOS_IP" >> /etc/hosts.allow echo "nrpe: ALL" >> /etc/hosts.deny
Finally, fire up the service:
svcadm enable nrpe/tcp
That's it! Nagios should be able to monitor your Solaris 10 box now. Someday, I'll make a package for this, but you can pretty well copy and paste the code here to get up and running.
Comments
How about to run it in a non-global zone?
Thanks for the how-to. I can run nrpe in global zones under SMF. I can even get nrpe in the non-global zones to run with the command:
/usr/local/nagios/bin/nrpe –c /usr/local/nagios/etc/nrpe.cfg –i
root@vz3haadp01# /usr/local/nagios/libexec/check_nrpe -H localhost
NRPE v2.12
*BUT*, when I run it under SMF in the non-global zones I get the SSL handshake error. In the global zone this works just fine. It’s just the non-global that is causing me a headache.
I’ve verified that the results from:
inetadm -l svc:/network/nrpe/tcp:default
the evil /etc/nsswitch.conf
/etc/services
crle
ldd
/var/svc/manifest/network/nrpe-tcp.xml
Are the same between the global and the non-global.
See, my ldd shows no errors:
bash-3.00# ldd /usr/local/nagios/bin/nrpe
libssl.so.0.9.7 => /usr/sfw/lib/libssl.so.0.9.7
libcrypto.so.0.9.7 => /usr/sfw/lib/libcrypto.so.0.9.7
libnsl.so.1 => /lib/libnsl.so.1
libsocket.so.1 => /lib/libsocket.so.1
libc.so.1 => /lib/libc.so.1
libmp.so.2 => /lib/libmp.so.2
libmd.so.1 => /lib/libmd.so.1
libscf.so.1 => /lib/libscf.so.1
libdoor.so.1 => /lib/libdoor.so.1
libuutil.so.1 => /lib/libuutil.so.1
libgen.so.1 => /lib/libgen.so.1
libssl_extra.so.0.9.7 => /usr/sfw/lib/libssl_extra.so.0.9.7
libcrypto_extra.so.0.9.7 => /usr/sfw/lib/libcrypto_extra.so.0.9.7
libm.so.2 => /lib/libm.so.2
I've kept adding and adding to the crle file:
bash-3.00# crle
Configuration file [version 4]: /var/ld/ld.config
Default Library Path (ELF): /lib:/usr/lib:/usr/sfw/lib:/usr/local/lib
Trusted Directories (ELF): /lib/secure:/usr/lib/secure (system default)
Command line:
crle -c /var/ld/ld.config -l /lib:/usr/lib:/usr/sfw/lib:/usr/local/lib
BUT, since nrpe works in the non-global when not running under SMF, this seems to be strictly an SMF issue.
Here's my manifest values for both the good and bad zones:
bash-3.00# inetadm -l svc:/network/nrpe/tcp:default
SCOPE NAME=VALUE
name="nrpe"
endpoint_type="stream"
proto="tcp"
isrpc=FALSE
wait=FALSE
exec="/usr/sfw/sbin/tcpd -c /usr/local/nagios/etc/nrpe.cfg -i"
arg0="/usr/local/nagios/bin/nrpe"
user="nagios"
default bind_addr=""
default bind_fail_max=-1
default bind_fail_interval=-1
default max_con_rate=-1
default max_copies=-1
default con_rate_offline=-1
default failrate_cnt=40
default failrate_interval=60
default inherit_env=TRUE
default tcp_trace=FALSE
tcp_wrappers=TRUE
default connection_backlog=10
Also, in my /etc/nsswitch.conf all of the LDAP references have been removed. Every attribute is ‘files’.
I’m out of ideas here! See anything that I may be missing in the setup?
Thanks!
Justin
TCP Wrappers maybe?
Justin,
Sorry for pointing to something so menial, but I have to ask - did you modify hosts.allow on your non-Global zone? SMF shows you're using TCP wrappers, and not configuring hosts.allow would do exactly what you're describing.
Even if it's not that, hang in there - I've got it running on non-Global zones, so we can figure out what's wrong at some point.
Justin
Post new comment