Shinken docker SSL handshake issue - Remote host

[tezarin]

Hi all,

I have Shinken inside docker container running on a host. Then I have remote hosts where I have NRPE installed. They are not on the same machine. Docker IP address is 172.17.0.27 and then I installed the following packages on the remote host:
apt-get install openssl nagios-nrpe-server nagios-plugins nagios-plugins-basic nagios-plugins-standard
But when I run the check_nrpe command from inside the Shinken docker container, I get the SSL handshake error:

root@containerID:/usr/lib/nagios/plugins# ./check_nrpe -H 10.154.20.52
CHECK_NRPE: Error - Could not complete SSL handshake.

I changed the followings on my remote host is the allowed_hosts:
allowed_hosts=127.0.0.1,172.17.0.27
sudo echo 'dont_blame_nrpe=1' >> /etc/nagios/nrpe_local.cfg
Then rebooted the service: sudo service nagios-nrpe-server restart

Can someone please let me know what I did wrong?

Thanks

[rohit01]

Hi tezarin,

Your remote host will not receive requests from 172.17.0.27. It is behind
NAT for outside world. Use the docker host IP.

Thanks & Regards,

Rohit Gupta
http://www.rohit.io
(Sent from my phone)

On 08-Oct-2015 1:37 am, "tezarin" [email protected] wrote:

Hi all,

I have Shinken inside docker container running on a host. Then I have
remote hosts where I have NRPE installed. They are not on the same machine.
Docker IP address is 172.17.0.27 and then I installed the following
packages on the remote host:
apt-get install openssl nagios-nrpe-server nagios-plugins
nagios-plugins-basic nagios-plugins-standard
But when I run the check_nrpe command from inside the Shinken docker
container, I get the SSL handshake error:

root@containerID:/usr/lib/nagios/plugins# ./check_nrpe -H 10.154.20.52

CHECK_NRPE: Error - Could not complete SSL handshake.

I changed the followings on my remote host is the allowed_hosts:
allowed_hosts=127.0.0.1,172.17.0.27
sudo echo 'dont_blame_nrpe=1' >> /etc/nagios/nrpe_local.cfg
Then rebooted the service: sudo service nagios-nrpe-server restart

Can someone please let me know what I did wrong?

Thanks

—
Reply to this email directly or view it on GitHub
#8.

[tezarin]

Hi,

Thanks for your reply. I did what you said but still getting the same error. Did I have to install anything on the Shinken docker container? This is how I try to test the check_nrpe plugin from inside Shinken:

1. cd /usr/lib/nagios/plugin
2. ./check_nrpe -H ipoftheremotehost
   And I get this error: CHECK_NRPE: Error - Could not complete SSL handshake.

I even ran this on the host where Shinken container is running on: iptables -A INPUT -p tcp -d 0/0 -s 0/0 --dport 5666 -j ACCEPT

Thanks much

[rohit01]

I assume, you did restart nagios-nrpe-server after modifying configuration.

Please find a diagram, explaining the architecture in attachment.

Thanks & Regards,

Rohit Gupta
http://www.rohit.io
(Sent from my phone)

On 08-Oct-2015 9:22 pm, "tezarin" [email protected] wrote:

Hi,

Thanks for your reply. I did what you said but still getting the same
error. Did I have to install anything on the Shinken docker container? This
is how I try to test the check_nrpe plugin from inside Shinken:

1. cd /usr/lib/nagios/plugin
2. ./check_nrpe -H ipoftheremotehost

I even ran this on the host where Shinken container is running on:
iptables -A INPUT -p tcp -d 0/0 -s 0/0 --dport 5666 -j ACCEPT

Thanks much

—
Reply to this email directly or view it on GitHub
#8 (comment)
.

[tezarin]

Thanks. Yes, I restarted it.
Couple of things I changed:
On the remote host, I commented out the nagios user and added a line for shinken user. Same for the group
#nrpe_user=nagios
nrpe_user=shinken
#nrpe_group=nagios
nrpe_group=shinken

Now, when I run check_nrpe inside the container, I get a connection refused error:
./check_nrpe -H localhost
connect to address ::1 port 5666: Connection refused

Then running nmap on the localhost outside the container returns that nmap is not even listed

And when I run nmap servername from the remote host, I see that port 5666 is being filtered:
5666/tcp filtered nrpe

On the server host where Shinken container is running, I don't see a firewall running:
sudo ufw status
Status: inactive

But I ran this anyway: iptables -A INPUT -p tcp --dport 5666 -j ACCEPT
Followed by sudo ufw reload
Which returns: Firewall not enabled (skipping reload)

Can you please help me figure it out?

Thanks

[rohit01]

Connection refused error is more of unable to connect problem. Usually
happens when NRPE is down.

Thanks & Regards,

Rohit Gupta
http://www.rohit.io

On Fri, Oct 9, 2015 at 2:15 AM, tezarin [email protected] wrote:

Thanks. Yes, I restarted it.
Couple of things I changed:
On the remote host, I commented out the nagios user and added a line for
shinken user. Same for the group
#nrpe_user=nagios
nrpe_user=shinken
#nrpe_group=nagios
nrpe_group=shinken

Now, when I run check_nrpe inside the container, I get a connection
refused error:
./check_nrpe -H localhost
connect to address ::1 port 5666: Connection refused

Then running nmap on the localhost outside the container returns that nmap
is not even listed

And when I run nmap servername from the remote host, I see that port 5666
is being filtered:
5666/tcp filtered nrpe

On the server host where Shinken container is running, I don't see a
firewall running:
sudo ufw status
Status: inactive

But I ran this anyway: iptables -A INPUT -p tcp --dport 5666 -j ACCEPT
Followed by sudo ufw reload
Which returns: Firewall not enabled (skipping reload)

Can you please help me figure it out?

Thanks

—
Reply to this email directly or view it on GitHub
#8 (comment)
.

[rohit01]

[tezarin]

Thanks much, especially for the great diagram.
I checked from inside the container and looks like I'm not exposing the port 5666:
/usr/lib/nagios/plugins/check_nrpe -H localhost
connect to address ::1 port 5666: Connection refused
connect to address 127.0.0.1 port 5666: Connection refused

I ran this container the exact way your instruction says to run it meaning I did not expose port 5666 anywhere. But since it wasn't exposing the 5666 port, I tried running it like this:

docker run -d -v "$(pwd)/custom_configs:/etc/shinken/custom_configs" -p 5666:5666 -p 80:80 mynewimage:shinken

Now when I run netstat -ant on the host machine where docker container is running on, I see that the port 5666 is being listened to. But I still get the same error when I run the following command from inside the container:

./check_nrpe -H localhost
connect to address ::1 port 5666: Connection refused
connect to address 127.0.0.1 port 5666: Connection refused

And

./check_tcp -H localhost -p 5666
Connection refused

And when I run "nmap serverIPaddress" from the remote host, I see that port 5666 is being filtered.

And this is the nrpe user and group for that remote host:

egrep "nrpe_user|nrpe_group" /etc/nagios/nrpe.cfg
#nrpe_user=nagios
nrpe_user=nagios
#nrpe_group=nagios
nrpe_group=nagios

These are the packages I installed on the remote host:

apt-get install openssl nagios-nrpe-server nagios-plugins nagios-plugins-basic nagios-plugins-standard nagios-nrpe-plugin

Edit - I just installed: apt-get install nagios-nrpe-plugin

Ran: service nagios-nrpe-server restart

Now when I run ./check_nrpe -H localhost inside the container, I get the version back: NRPE v2.13

But I still can't get the check_nrpe to work on the remote host:

./check_nrpe -H [remote host IP]
CHECK_NRPE: Error - Could not complete SSL handshake.
/usr/lib/nagios/plugins# ./check_nrpe -H [remote host IP] -n
CHECK_NRPE: Error receiving data from daemon.

Not sure how to fix this, so any info will be much appreciated.

[tezarin]

Now on the server, I am able to run check_nrpe:
root@ContainerIP:/# /usr/lib/nagios/plugins/check_nrpe -H localhost
NRPE v2.13

But on the remote host, I get an error:
root@RemotehostIP:/# /usr/lib/nagios/plugins/check_nrpe -H 127.0.0.1
CHECK_NRPE: Error - Could not complete SSL handshake.

Did you guys have to change nrpe_user=nagios and nrpe_group=nagios to shinken user and group?

Thanks

[rohit01]

Did you guys have to change nrpe_user=nagios and nrpe_group=nagios to
shinken user and group?
No. This is not required. nagios user and group is fine.

Please follow this issue. Might help:
#5

Thanks & Regards,

Rohit Gupta
http://www.rohit.io

On Wed, Oct 14, 2015 at 12:24 AM, tezarin [email protected] wrote:

Now on the server, I am able to run check_nrpe:
root@ContainerIP:/# /usr/lib/nagios/plugins/check_nrpe -H localhost

NRPE v2.13

But on the remote host, I get an error:
root@RemotehostIP:/# /usr/lib/nagios/plugins/check_nrpe -H 127.0.0.1
CHECK_NRPE: Error - Could not complete SSL handshake.

Did you guys have to change nrpe_user=nagios and nrpe_group=nagios to
shinken user and group?

Thanks

—
Reply to this email directly or view it on GitHub
#8 (comment)
.