Shinken docker SSL handshake issue - Remote host #8

Open
tezarin opened this issue Oct 7, 2015 · 9 comments

tezarin commented Oct 7, 2015

Hi all,

I have Shinken inside a Docker container running on a host. Then I have remote hosts where I have NRPE installed. They are not on the same machine. The Docker IP address is 172.17.0.27, and I installed the following packages on the remote host:
apt-get install openssl nagios-nrpe-server nagios-plugins nagios-plugins-basic nagios-plugins-standard
But when I run the check_nrpe command from inside the Shinken docker container, I get the SSL handshake error:

root@containerID:/usr/lib/nagios/plugins# ./check_nrpe -H 10.154.20.52
CHECK_NRPE: Error - Could not complete SSL handshake.

I changed the following on my remote host in the allowed_hosts:
allowed_hosts=127.0.0.1,172.17.0.27
sudo echo 'dont_blame_nrpe=1' >> /etc/nagios/nrpe_local.cfg
Then rebooted the service: sudo service nagios-nrpe-server restart

Can someone please let me know what I did wrong?

Thanks

Owner

rohit01 commented Oct 8, 2015

Hi tezarin,

Your remote host will not receive requests from 172.17.0.27. It is behind
NAT for the outside world. Use the Docker host IP.

Thanks & Regards,

Rohit Gupta
http://www.rohit.io
(Sent from my phone)
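
Added example, not part of the reply above or of the project's code: a check of which source addresses an NRPE config would accept, run against the `allowed_hosts` line from the issue and a corrected one. NRPE closes connections from addresses missing from `allowed_hosts`, which is one common cause of the "Could not complete SSL handshake" message. Assumptions: `192.0.2.10` is a constructed placeholder for the Docker host IP (the thread never states it), the container sits on Docker's default bridge (172.17.0.0/16), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). 192.0.2.10 is a constructed placeholder
# for the Docker host's address; the thread never states the real one.

# Print the value of the last uncommented allowed_hosts= line in config file $1.
nrpe_allowed_hosts() {
    sed -n 's/^[[:space:]]*allowed_hosts[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Succeed if source address $2 is listed literally in allowed_hosts of file $1.
# Hostnames and CIDR entries are not resolved; only exact addresses are compared.
nrpe_allows() {
    nrpe_allowed_hosts "$1" | tr ',' '\n' | tr -d ' \t' | grep -Fxq -- "$2"
}

# Print each entry from Docker's default bridge range (172.17.0.0/16). With the
# default NAT, a daemon on another machine never sees these as a source address.
nrpe_natted_entries() {
    nrpe_allowed_hosts "$1" | tr ',' '\n' | tr -d ' \t' |
        grep -E '^172\.17\.[0-9]+\.[0-9]+$'
}

# Constructed sample configs: the line from the issue, then a corrected one.
sample_dir=$(mktemp -d)
printf '%s\n' '#allowed_hosts=10.0.0.1' 'allowed_hosts=127.0.0.1,172.17.0.27' \
    > "$sample_dir/before.cfg"
printf '%s\n' 'allowed_hosts=127.0.0.1,192.0.2.10' > "$sample_dir/after.cfg"

for cfg in before after; do
    if nrpe_allows "$sample_dir/$cfg.cfg" 192.0.2.10; then
        echo "$cfg: poller seen as 192.0.2.10 is accepted"
    else
        echo "$cfg: poller seen as 192.0.2.10 is dropped;" \
             "NAT-hidden entries: $(nrpe_natted_entries "$sample_dir/$cfg.cfg")"
    fi
done
```
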

Author

tezarin commented Oct 8, 2015

Hi,

Thanks for your reply. I did what you said but still getting the same error. Did I have to install anything on the Shinken docker container? This is how I try to test the check_nrpe plugin from inside Shinken:

  1. cd /usr/lib/nagios/plugin
  2. ./check_nrpe -H ipoftheremotehost
    And I get this error: CHECK_NRPE: Error - Could not complete SSL handshake.

I even ran this on the host where the Shinken container is running: iptables -A INPUT -p tcp -d 0/0 -s 0/0 --dport 5666 -j ACCEPT

Thanks much

Owner

rohit01 commented Oct 8, 2015

I assume you did restart nagios-nrpe-server after modifying the configuration.

Please find attached a diagram explaining the architecture.

Thanks & Regards,

Rohit Gupta
http://www.rohit.io
(Sent from my phone)

Author

tezarin commented Oct 8, 2015

Thanks. Yes, I restarted it.
Couple of things I changed:
On the remote host, I commented out the nagios user and added a line for shinken user. Same for the group
#nrpe_user=nagios
nrpe_user=shinken
#nrpe_group=nagios
nrpe_group=shinken

Now, when I run check_nrpe inside the container, I get a connection refused error:
./check_nrpe -H localhost
connect to address ::1 port 5666: Connection refused

Then running nmap on the localhost outside the container returns that nmap is not even listed

And when I run nmap servername from the remote host, I see that port 5666 is being filtered:
5666/tcp filtered nrpe

On the server host where Shinken container is running, I don't see a firewall running:
sudo ufw status
Status: inactive

But I ran this anyway: iptables -A INPUT -p tcp --dport 5666 -j ACCEPT
Followed by sudo ufw reload
Which returns: Firewall not enabled (skipping reload)

Can you please help me figure it out?

Thanks

Owner

rohit01 commented Oct 9, 2015

A connection refused error is more of an unable-to-connect problem. It usually
happens when NRPE is down.

Thanks & Regards,

Rohit Gupta
http://www.rohit.io

Owner

rohit01 commented Oct 9, 2015

[Attached image: img_20151008_224853 (architecture diagram)]

Author

tezarin commented Oct 9, 2015

Thanks much, especially for the great diagram.
I checked from inside the container and looks like I'm not exposing the port 5666:
/usr/lib/nagios/plugins/check_nrpe -H localhost
connect to address ::1 port 5666: Connection refused
connect to address 127.0.0.1 port 5666: Connection refused

I ran this container the exact way your instructions say to run it, meaning I did not expose port 5666 anywhere. But since it wasn't exposing port 5666, I tried running it like this:

docker run -d -v "$(pwd)/custom_configs:/etc/shinken/custom_configs" -p 5666:5666 -p 80:80 mynewimage:shinken

Now when I run netstat -ant on the host machine where the Docker container is running, I see that port 5666 is being listened on. But I still get the same error when I run the following command from inside the container:

./check_nrpe -H localhost
connect to address ::1 port 5666: Connection refused
connect to address 127.0.0.1 port 5666: Connection refused

And

./check_tcp -H localhost -p 5666
Connection refused

And when I run "nmap serverIPaddress" from the remote host, I see that port 5666 is being filtered.

And this is the nrpe user and group for that remote host:

egrep "nrpe_user|nrpe_group" /etc/nagios/nrpe.cfg
#nrpe_user=nagios
nrpe_user=nagios
#nrpe_group=nagios
nrpe_group=nagios

These are the packages I installed on the remote host:

apt-get install openssl nagios-nrpe-server nagios-plugins nagios-plugins-basic nagios-plugins-standard nagios-nrpe-plugin

Edit - I just installed: apt-get install nagios-nrpe-plugin

Ran: service nagios-nrpe-server restart

Now when I run ./check_nrpe -H localhost inside the container, I get the version back: NRPE v2.13

But I still can't get the check_nrpe to work on the remote host:

./check_nrpe -H [remote host IP]
CHECK_NRPE: Error - Could not complete SSL handshake.
/usr/lib/nagios/plugins# ./check_nrpe -H [remote host IP] -n
CHECK_NRPE: Error receiving data from daemon.

Not sure how to fix this, so any info will be much appreciated.

Author

tezarin commented Oct 13, 2015

Now on the server, I am able to run check_nrpe:
root@ContainerIP:/# /usr/lib/nagios/plugins/check_nrpe -H localhost
NRPE v2.13

But on the remote host, I get an error:
root@RemotehostIP:/# /usr/lib/nagios/plugins/check_nrpe -H 127.0.0.1
CHECK_NRPE: Error - Could not complete SSL handshake.

Did you guys have to change nrpe_user=nagios and nrpe_group=nagios to shinken user and group?

Thanks

Owner

rohit01 commented Oct 14, 2015

> Did you guys have to change nrpe_user=nagios and nrpe_group=nagios to shinken user and group?

No. This is not required. nagios user and group is fine.

Please follow this issue. Might help:
#5

Thanks & Regards,

Rohit Gupta
http://www.rohit.io
