Univention Bugzilla – Bug 44454
NRPE complains about allowed_hosts hostname as invalid IPv6 address
Last modified: 2017-06-19 15:04:53 CEST
# univention-app info
UCS: 4.2-0 errata2
App Center compatibility: 4
Installed: kde=4
Upgradable:

nagios-nrpe-server: 2.15-1

NRPE complains about the automatic entry of ldap_master in /etc/nagios/nrpe.cfg as allowed_hosts because it thinks this is an IPv6 address:

> Apr 23 21:12:39 ucs-7125 systemd[1]: Starting LSB: Start/Stop the Nagios remote plugin execution daemon...
> Apr 23 21:12:39 ucs-7125 nrpe[2073]: Invalid IPv6 address in ACL: ucs-7125.intranet.example.org
> Apr 23 21:12:39 ucs-7125 nagios-nrpe-server[2069]: Starting nagios-nrpe: nagios-nrpe.
> Apr 23 21:12:39 ucs-7125 systemd[1]: PID file /var/run/nagios/nrpe.pid not readable (yet?) after start.
> Apr 23 21:12:39 ucs-7125 nrpe[2074]: Starting up daemon
> Apr 23 21:12:39 ucs-7125 systemd[1]: Started LSB: Start/Stop the Nagios remote plugin execution daemon.
> Apr 23 21:12:39 ucs-7125 nrpe[2074]: Server listening on 0.0.0.0 port 5666.
> Apr 23 21:12:39 ucs-7125 nrpe[2074]: Server listening on :: port 5666.
> Apr 23 21:12:39 ucs-7125 nrpe[2074]: Listening for connections on port 0
> Apr 23 21:12:39 ucs-7125 nrpe[2074]: Allowing connections from: ucs-7125.intranet.example.org

This is an upstream issue:
"allowed_hosts does not work with a hostname resolving to an IPv6 address"
→ https://github.com/NagiosEnterprises/nrpe/issues/31
→ fixed in nrpe-3.0 (available in Debian Stretch)

So we could either switch to nrpe-3.0 or use IP addresses instead of hostnames. This way, monitoring would still work even if DNS doesn't:
"allowed_hosts doesn't work, if one of the hostnames can't be resolved by dns"
→ https://github.com/NagiosEnterprises/nrpe/issues/24
→ fixed in nrpe-3.0 (available in Debian Stretch)
The log message is harmless, but IPv6 in nrpe-server is currently broken:

-> more /etc/nagios/nrpe.cfg| grep allowed_hosts=
allowed_hosts=master.w2k12.test

-> host master.w2k12.test
master.w2k12.test has address 10.200.7.150
master.w2k12.test has IPv6 address 2001:4dd0:ff00:8c42:ff07::150

-> /usr/lib/nagios/plugins/check_nrpe -H 2001:4dd0:ff00:8c42:ff07::150 -c UNIVENTION_DNS
CHECK_NRPE: Error - Could not complete SSL handshake.
-> journalctl -f
Host 2001:4dd0:ff00:8c42:ff07::150 is not allowed to talk to us!

-> /usr/lib/nagios/plugins/check_nrpe -H 10.200.7.150 -c UNIVENTION_DNS
DNS OK: 0,014 seconds response time. www.univention.de returns 78.47.199.152|time=0,013934s;;;0,000000
-> journalctl -f
Host address is in allowed_hosts

So I guess nrpe does not work in IPv6-only environments.
Added a patch for nagios-nrpe based on https://github.com/NagiosEnterprises/nrpe/commit/1ac990954b7806d9cc92fa340808b29219e872a1:

005-ipv6-4.2-0-0-ucs/2.15-1-errata4.2-0is_an_allowed_host-fix.patch

Changed one thing in is_an_allowed_host():

-if (!memcmp(&addr6.sin6_addr, &host, sizeof(addr6.sin6_addr)))
+if (!memcmp(&addr6.sin6_addr, host, sizeof(addr6.sin6_addr)))

The upstream version (&host) didn't work for me. Memcmp takes two pointers (int memcmp ( const void * ptr1, const void * ptr2, size_t num )) but the host variable at this point is already a pointer.

nagios-nrpe-2.15/src/nrpe.c +1080
is_an_allowed_host(AF_INET6, (void *)&(nptr6->sin6_addr))

so no need for '&' here (or?)

errata4.2-0: nagios-nrpe.yaml
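Review bot: The one-character deviation from the referenced upstream commit in the `memcmp` line of is_an_allowed_host() should be recorded in the patch header and reported upstream, so the difference is not lost on the next rebase. The change itself is correct: the caller passes `(void *)&(nptr6->sin6_addr)`, so `host` already points at the peer's address, and `&host` is the address of the local pointer variable. With `&host` the comparison ran over the pointer's own storage (and, because `sizeof(addr6.sin6_addr)` is 16 bytes, past it) instead of the peer address, so a configured IPv6 entry would not match. It would also help to name the test that confirms the IPv6 ACL path now accepts a listed host, for example the `check_nrpe -H <IPv6 address> -c UNIVENTION_DNS` call from the earlier comment.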
Tests: OK Advisory: OK
<http://errata.software-univention.de/ucs/4.2/47.html>