confdroid/confdroid_nrpe

Fork 0

Files

12ww1160 b1ecf513d1 OP#421 more spelling

2026-02-13 19:14:43 +01:00

6.9 KiB

Raw Blame History

Readme

Readme

Synopsis

NRPE allows monitoring tools like NAGIOS or ICINGA to connect to clients for monitoring purposes.

confdroid_nrpe is a fully parameterized Puppet module to automate NRPE installation and configuration.

WARNING

Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production

Features

install nrpe binaries
manage NRPE service user properties
manage directory structure (file system permissions, selinux context) through parameters
manage configuration files through parameters:
- nrpe.conf
- nrpe.cfg
manage sudo role for nagios user on NRPE clients
manage dynamic NRPE check command definitions
manage iptables (optional). set ne_incl_fwto true.
manage selinux rule exceptions (optional)
manage NRPE service

Note: The value for the nagios_server variable is derived from a global parameter set in Foreman (nagios_server), because the parameter is used across multiple modules. You need to set that manually in Foreman under "Global Parameters". Same for nagios_source, the value for the firewall source, which should point to the source IP or source range for the nagios server querying NRPE.

Repo Documentation

See the full Puppet documentation including parameters in docs/index.html

Dependencies

All dependencies must be included in the catalogue.

confdroid_resources to manage YUM repositories and common resources like EPEL.
puppetlabs firewall to manage iptables

Deployment

confdroid_nrpe does typically not need to be specifically declared. It will be auto-required by cd_nagios with default settings. Only if you want to override settings declare it specifically.

native Puppet deployment

via site.pp or nodes.pp

node 'example.example.net' {
  include nrpe
}

through Foreman:

In order to apply parameters through Foreman, **confdroid_nrpe::params*- must be added to the host or host group in question, unless the defaults are fully acceptable across the estate.

See more details about class deployment on Confdroid.com.

Managing Check Commands

In order to connect a Nagios monitoring server to clients through NRPE, you must define commands and the desired argument strings on the clients. The default NRPE installation comes with a few examples of such commands, which are also included in this module. However, every environment is very different in their requirements and Nagios via Puppet is all about the ability to dynamically set command arguments based on default variables / overrides. For that reason no hard-coded commands are included, but instead all commands are set via argument strings, where possible.

The commands are created within /etc/nrpe.d/command.cfg , every set of instructions creates a new line.

Defining commands is as simple as that:

confdroid_nrpe::commands::definitions { 'check_users':
      ne_check_cmd      =>  'check_users',
      ne_cmd_argstring  =>  '-w $ARG1$ -c $ARG2$',
    }

It is very recommendable to define such commands directly within Puppet modules or profiles, so any node running the particular service controlled by the module will automatically get the required check commands defined as well, while nodes not running the service also do not contain the command check. The same then is true for Nagios checks, so you would have both the NRPE command definition and the Nagios check contained in Puppet modules or profiles to have it in one location.

SELINUX

All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.

Known Problems

SSL/TLS support: Version 3 of NRPE supposedly has support for SSL/ TLs. However, at the time of writing this module, this seems to be buggy, as I was unable to start the NRPE service as soon as the ssl_cert_file line was uncommented in the configuration file, despite having valid certs in the right position on the node. This happened when installing manually, not through this Puppet module. For that reason I included the $ne_enable_ssl boolean parameter, which is set to false by default, hence disabling SSL/TLS options until this has been fixed upstream, or a valid workaround has been found. Setting this option to true will include all SSL / TLS settings.

Troubleshooting

CHECK_NRPE: Unable to read output: Nagios sudo access also needs Selinux to allow this. Default settings in this module take care for both through $ne_allow_sudo and $ne_include_selinux.
CHECK_NRPE: Receive header underflow - only 0 bytes received (4 expected): This is down to the new illegal meta characters feature via nasty_metachars, i.e. if you included an additional character which actually be part of a check, or if a custom check contains a default illegal character.

Support

OS: Rocky 9
Puppet 8

Tests

Puppet Lint
- excluded tests:
  - --no-variable_scope-check: not applicable as we are inheriting parameters from params class. the lint check does not distinguish between facts and inherited parameters.
  - --no-top_scope_facts: iptables does not recognize otherwise
Puppet Parser
ERB Template Parser
Sonar Quality Gate

Contact Us

Disclaimer

ConfDroid as entity is entirely independent from Puppet. We provide custom configuration modules, written for specific purposes and specific environments. The modules are tested and supported only as documented, and require testing in designated environments (i.e. lab or development environments) for parameter tuning etc. before deploying into production environments.

6.9 KiB Raw Blame History