Closed siklosipeter closed 5 years ago
Manually starting the C:\Program Files\ICINGA2\sbin\NSCP.msi
succeeded and it works with the previous config.
Since NSClient is just bundled here, you'd want to open an NSClient upstream feature request/bug to disallow the connection attempt at first glance. Once such a thing exists, we may consider updating our docs/installer.
From a peek into the docs, no such thing exists yet: http://docs.nsclient.org/manual/windows_installer.html
I'd say this connection originates from an integrated update check from NSClient itself, and shouldn't harm anything - especially when blocked by a firewall.
The IP address looks suspicious though, 151.139.128.14 belongs to Highwind Network Group seemingly not related to NSClient itself. Are you sure that you're using an icinga2 package downloaded from packages.icinga.com?
Are you sure that you're using an icinga2 package downloaded from packages.icinga.com?
Yes, I'm sure. I actually have two versions of the file, one downloaded on 4th of Jun, the second on 24th of Jun:
4th of Jun:
Name: Icinga2-v2.10.5-x86_64.msi Size: 38069598 Bytes (36 MiB) SHA256: D9ACDE96643D699EA6871FC8E6D544B3C868A5A2E179950082F94046821B24E8
24th of Jun:
Name: Icinga2-v2.10.5-x86_64.msi Size: 38069598 Bytes (36 MiB) SHA256: D9ACDE96643D699EA6871FC8E6D544B3C868A5A2E179950082F94046821B24E8
Control (under linux):
[user@host ~]$ wget https://packages.icinga.com/windows/Icinga2-v2.10.5-x86_64.msi --2019-06-24 15:55:50-- https://packages.icinga.com/windows/Icinga2-v2.10.5-x86_64.msi Resolving packages.icinga.com (packages.icinga.com)... 185.11.254.87 Connecting to packages.icinga.com (packages.icinga.com)|185.11.254.87|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 38069598 (36M) [application/x-msi] Saving to: ‘Icinga2-v2.10.5-x86_64.msi’
100%[=========================================================================================================================================================================>] 38,069,598 2.11MB/s in 19s
2019-06-24 15:56:09 (1.91 MB/s) - ‘Icinga2-v2.10.5-x86_64.msi’ saved [38069598/38069598]
[user@host ~]$ sha256sum Icinga2-v2.10.5-x86_64.msi 2>&1 | tr '[:lower:]' '[:upper:]' D9ACDE96643D699EA6871FC8E6D544B3C868A5A2E179950082F94046821B24E8 ICINGA2-V2.10.5-X86_64.MSI [user@host ~]$
While creating the bug report for NSClient++ I had to look up the version. Is there a reason why Icinga2 uses a more than two year old (0.5.0.62) version of the NSClient?
Please keep in mind that I based this question on the info I found in the installed nsclient's changelog.txt.
This became much more interesting as the NSClient developer pointed me back to you stating, that the nscp.msi is not his installer.
I received an answer from the NSClient++ developer stating that since this installer is not his, thus closed my ticket.
So I dug a bit deeper:
1854de86ad4fda3391f273de0f9985b702c014bdec01b26ad28a1343177f537f
Also I should mention this again, that
Manually starting the C:\Program Files\ICINGA2\sbin\NSCP.msi succeeded and it works with the previous config.
I don't really know who should investigate this further, but I would like to gather all I know in order to help deciding.
I don't see any HASH information on this download site, so I can't confirm if what I downloaded is valid or not.
[user@host icinga2-agent-install-issue]$ wget -S https://packages.icinga.com/windows/Icinga2-v2.10.5-x86_64.msi --2019-06-25 08:36:51-- https://packages.icinga.com/windows/Icinga2-v2.10.5-x86_64.msi Resolving packages.icinga.com (packages.icinga.com)... 185.11.254.87 Connecting to packages.icinga.com (packages.icinga.com)|185.11.254.87|:443... connected. HTTP request sent, awaiting response... HTTP/1.1 200 OK Date: Tue, 25 Jun 2019 06:36:51 GMT Server: Apache Last-Modified: Thu, 23 May 2019 12:10:55 GMT ETag: "244e55e-5898cf96152ea" Accept-Ranges: bytes Content-Length: 38069598 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msi Length: 38069598 (36M) [application/x-msi] Saving to: ‘Icinga2-v2.10.5-x86_64.msi’
100%[=========================================================================================================================================================================>] 38,069,598 1.90MB/s in 20s
2019-06-25 08:37:11 (1.85 MB/s) - ‘Icinga2-v2.10.5-x86_64.msi’ saved [38069598/38069598]
[user@host icinga2-agent-install-issue]$
For your reference here is the HASH of the file I downloaded:
[user@host icinga2-agent-install-issue]$ sha256sum Icinga2-v2.10.5-x86_64.msi d9acde96643d699ea6871fc8e6d544b3c868a5a2e179950082f94046821b24e8 Icinga2-v2.10.5-x86_64.msi [user@host icinga2-agent-install-issue]$
Found in icinga/icinga2 repository
if(WIN32)
if(CMAKE_VS_PLATFORM_NAME STREQUAL "x64")
set(NSCP_URL "https://github.com/mickem/nscp/releases/download/0.5.0.62/NSCP-0.5.0.62-x64.msi")
set(NSCP_SHA256 "1854de86ad4fda3391f273de0f9985b702c014bdec01b26ad28a1343177f537f")
Download NSCP installer:
[user@host icinga2-agent-install-issue]$ wget -S https://github.com/mickem/nscp/releases/download/0.5.0.62/NSCP-0.5.0.62-x64.msi --2019-06-25 09:29:13-- https://github.com/mickem/nscp/releases/download/0.5.0.62/NSCP-0.5.0.62-x64.msi Resolving github.com (github.com)... 140.82.118.3 Connecting to github.com (github.com)|140.82.118.3|:443... connected. HTTP request sent, awaiting response... HTTP/1.1 302 Found Date: Tue, 25 Jun 2019 07:29:14 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Server: GitHub.com Status: 302 Found Vary: X-PJAX Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/4165401/064d0a02-7aca-11e6-976c-d44f53978590?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20190625%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20190625T072914Z&X-Amz-Expires=300&X-Amz-Signature=48316f13c7e4cca021d5e63b2e5eea6a0019db794f2c02164293bdb1ffbe0db6&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3DNSCP-0.5.0.62-x64.msi&response-content-type=application%2Foctet-stream Cache-Control: no-cache Set-Cookie: has_recent_activity=1; path=/; expires=Tue, 25 Jun 2019 08:29:14 -0000 Set-Cookie: logged_in=no; domain=.github.com; path=/; expires=Sat, 25 Jun 2039 07:29:14 -0000; secure; HttpOnly Set-Cookie: _gh_sess=d2ZnOGNPN2VON2xsWkEwSEtFSWRtWUVCdUExS0R0NVNFL2ViWDJtMkJKcGJSUERYVy9hL1RER1dWMURTSFQ2WWx4UTB2NFpvaWRnRjh6d2U4bDhNVmQ3bWlQVk85UElhOHJWT0pIT2ZzS2gzcnlKd2VGSUo0NVZzcFU2VkNQU0Q2KzFNYzdLVmhFYzNtWDAxVnFURTlPZzZWRU5Za0lYNCt3c0lYZEtldHlxbEYvUW1XbVVNeEZQR2VPS2ZPVEtiLS1WK3h2TnM2QlQ3ODFta2NJZDFlRllBPT0%3D--b5682e787450cea9d856ad5cfd129e524586b5c2; path=/; secure; HttpOnly X-Request-Id: 1611631e-56a3-4244-a0af-e34734dc472f Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors" Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com Vary: Accept-Encoding X-GitHub-Request-Id: A74F:35F7B:7945910:BA7BC71:5D11CD49 Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/4165401/064d0a02-7aca-11e6-976c-d44f53978590?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20190625%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20190625T072914Z&X-Amz-Expires=300&X-Amz-Signature=48316 f13c7e4cca021d5e63b2e5eea6a0019db794f2c02164293bdb1ffbe0db6&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3DNSCP-0.5.0.62-x64.msi&response-content-type=application%2Foctet-stream [following] --2019-06-25 09:29:14-- https://github-production-release-asset-2e65be.s3.amazonaws.com/4165401/064d0a02-7aca-11e6-976c-d44f53978590?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20190625%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20190625T072914Z&X-Amz-Expires=300&X-Amz-Signature=48316f13c7e4cca021d5e63b2e5eea6a0019db794f2c02164293bdb1ffbe0db6&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3DNSCP-0.5.0.62-x64.msi&response-content-type=application%2Foctet-stream Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.216.84.227 Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.216.84.227|:443... connected. HTTP request sent, awaiting response... HTTP/1.1 200 OK x-amz-id-2: Uy0SKlPIU90FlVRQ6n9b0JHnqu4gOwxnAlmXhWi4bcGf1Y+Aeyz26EYTFSVUbZTi/+dW2W32+hA= x-amz-request-id: 4C224037833C8E4B Date: Tue, 25 Jun 2019 07:29:15 GMT Last-Modified: Wed, 24 May 2017 05:21:31 GMT ETag: "74a460dedbd98659b8bad24aa91fc29c" Content-Disposition: attachment; filename=NSCP-0.5.0.62-x64.msi Accept-Ranges: bytes Content-Type: application/octet-stream Content-Length: 27426816 Server: AmazonS3 Length: 27426816 (26M) [application/octet-stream] Saving to: ‘NSCP-0.5.0.62-x64.msi’
100%[=========================================================================================================================================================================>] 27,426,816 1.67MB/s in 21s
2019-06-25 09:29:36 (1.22 MB/s) - ‘NSCP-0.5.0.62-x64.msi’ saved [27426816/27426816]
[user@host icinga2-agent-install-issue]$ sha256sum NSCP-0.5.0.62-x64.msi 1854de86ad4fda3391f273de0f9985b702c014bdec01b26ad28a1343177f537f NSCP-0.5.0.62-x64.msi [user@host icinga2-agent-install-issue]$
[user@host icinga2-agent-install-issue]$ file Icinga2-v2.10.5-x86_64.msi Icinga2-v2.10.5-x86_64.msi: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Installation Database, Subject: Icinga 2, Author: Icinga Development Team, Keywords: Installer, Comments: This installer database contains the logic and data required to install Icinga 2., Template: x64;1033, Revision Number: {051070E4-7026-49CD-A433-CF32A02FE5E8}, Create Time/Date: Thu May 23 13:08:26 2019, Last Saved Time/Date: Thu May 23 13:08:26 2019, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2 [user@host icinga2-agent-install-issue]$ 7za l Icinga2-v2.10.5-x86_64.msi
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21 p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Xeon(R) CPU E5506 @ 2.13GHz (106A5),ASM)
Scanning the drive for archives: 1 file, 38069598 bytes (37 MiB)
Listing archive: Icinga2-v2.10.5-x86_64.msi
ERROR: Icinga2-v2.10.5-x86_64.msi : Icinga2-v2.10.5-x86_64.msi Open ERROR: Can not open the file as [Cab] archive
ERRORS: Headers Error WARNINGS: There are data after the end of archive
Errors: 1 [user@host icinga2-agent-install-issue]$
The HASH of the extracted NSCP installer is the same as what's in the CMakeLists.txt file
[user@host icinga2-agent-install-issue]$ sha256sum CM_FP_sbin.NSCP.msi 1854de86ad4fda3391f273de0f9985b702c014bdec01b26ad28a1343177f537f CM_FP_sbin.NSCP.msi [user@host icinga2-agent-install-issue]$ sha256sum NSCP.msi 1854de86ad4fda3391f273de0f9985b702c014bdec01b26ad28a1343177f537f NSCP.msi [user@host icinga2-agent-install-issue]$ [user@host icinga2-agent-install-issue]$ ls -la total 90752 drwxr-xr-x 2 user users 96 Jun 25 09:32 . drwxr-xr-x 8 user users 4096 Jun 25 08:30 .. -rw-r--r-- 1 user users 27426816 Jun 25 08:43 CM_FP_sbin.NSCP.msi -rw-r--r-- 1 user users 38069598 May 23 14:10 Icinga2-v2.10.5-x86_64.msi -rw-r--r-- 1 user users 27426816 May 24 2017 NSCP-0.5.0.62-x64.msi -rw-r--r-- 1 user users 27426816 Jun 25 10:26 NSCP.msi [user@host icinga2-agent-install-issue]$
Is there a reason why Icinga2 uses a more than two year old (0.5.0.62) version of the NSClient?
Mainly that NSClient++ did not provide a stable 0.5.2 or 0.5.3 or 0.6.0 release for quite a long time. 0.5.0.x was sufficient and stable. 2.11 will bump the bundled file to the latest stable 0.5.2.x branch, including some fixes but no new features (e.g. the permission based API is still missing).
See #7034 for the updated include file.
The only thing our packaging does here - cmake resp. cpack downloads the msi file from the given URL, and compares the hash. This is then bundled into the created msi file, whereas the setup routine of the icinga2 installer just copies the nscp.msi into the program files directory. The user can then either run this manually, or use the setup config wizard button to invoke the NSClient++ setup.
You cannot cab extract the setup package, msi is different. Fortunately there are some methods, one of them is to use msiexec itself.
msiexec /a Icinga2-v2.10.0-x86.msi /qb TARGETDIR=c:\users\michi\downloads\i2
There's no extra effort taken with configuring the NSClient++ msi beforehand, or anything else. So the connection towards that IP address is invoked with calling the nscp.msi. Maybe your system is infected and every msi/setup call does some extra checks. Since you're the first one detecting is and no-one else has seen this for years, I would check whether your system is ok, uses proxies, or msi itself is damanged or Windows is doing sort of update checks here.
I don't believe that this is related to Icinga though, and as such, I'm closing this issue.
Describe the bug
When following the NSClient++ install instructions the NSCP.msi tries to open a network connection and gets killed by our endpoint security system.
In my opinion the installer should:
To Reproduce
Provide a link to a live example, or an unambiguous set of steps to reproduce this bug. Include configuration, logs, etc. to reproduce, if relevant.
Expected behavior
NSClient++ being installed correctly
Screenshots
Can't do a screenshot of a not happening thing
Your Environment
Include as many relevant details about the environment you experienced the problem in
Additional context
icinga2 --version
icinga2 feature list
icinga2 daemon -C