rohit01 / docker_shinken

Automated docker builds for shinken images
http://www.rohit.io/blog/rip-nagios-hello-docker-shinken.html

Shinken docker SSL handshake issue - Remote host #8

Open tezarin opened 8 years ago

tezarin commented 8 years ago

Hi all,

I have Shinken inside a Docker container running on a host. Then I have remote hosts where I have NRPE installed. They are not on the same machine. The Docker IP address is 172.17.0.27, and I installed the following packages on the remote host:

apt-get install openssl nagios-nrpe-server nagios-plugins nagios-plugins-basic nagios-plugins-standard

But when I run the check_nrpe command from inside the Shinken Docker container, I get the SSL handshake error:

root@containerID:/usr/lib/nagios/plugins# ./check_nrpe -H 10.154.20.52
CHECK_NRPE: Error - Could not complete SSL handshake.

I changed the following on my remote host, in allowed_hosts:

allowed_hosts=127.0.0.1,172.17.0.27
sudo echo 'dont_blame_nrpe=1' >> /etc/nagios/nrpe_local.cfg

Then rebooted the service:

sudo service nagios-nrpe-server restart

Can someone please let me know what I did wrong?

Thanks

rohit01 commented 8 years ago

Hi tezarin,

Your remote host will not receive requests from 172.17.0.27. It is behind NAT for the outside world. Use the Docker host IP.

Thanks & Regards,

Rohit Gupta http://www.rohit.io (Sent from my phone)
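
An added illustration of the reply above (not part of the thread and not code from docker_shinken): NRPE compares the peer address of the incoming connection against allowed_hosts, and with Docker's default bridge NAT that peer is the Docker host, not the container. The Docker host address 192.0.2.10 is a placeholder, the config excerpt is constructed, and treating entries as IPs or CIDR networks and letting the last directive win are assumptions of this sketch.

```python
import ipaddress

CONTAINER_IP = "172.17.0.27"   # bridge address quoted in the issue
DOCKER_HOST_IP = "192.0.2.10"  # placeholder: the issue never states the Docker host's address

# Constructed excerpt of the remote host's NRPE config; the allowed_hosts value is from the issue.
SAMPLE_NRPE_CFG = """\
# /etc/nagios/nrpe.cfg (constructed excerpt)
server_port=5666
nrpe_user=nagios
nrpe_group=nagios
allowed_hosts=127.0.0.1,172.17.0.27
"""


def parse_allowed_hosts(cfg_text):
    """Return the entries of the allowed_hosts directive (last one wins: an assumption)."""
    entries = []
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        key, sep, value = line.partition("=")
        if sep and key.strip() == "allowed_hosts":
            entries = [e.strip() for e in value.split(",") if e.strip()]
    return entries


def peer_is_allowed(peer_ip, entries):
    """True if the connection's source address matches an IP or CIDR entry."""
    peer = ipaddress.ip_address(peer_ip)
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # hostname entry: needs DNS, not evaluated in this sketch
        if peer in net:
            return True
    return False


def check(peer_ip, cfg_text):
    return peer_is_allowed(peer_ip, parse_allowed_hosts(cfg_text))


if __name__ == "__main__":
    # The remote host never sees CONTAINER_IP as the source; after NAT it sees DOCKER_HOST_IP.
    for label, ip in (("container (pre-NAT)", CONTAINER_IP),
                      ("docker host (post-NAT)", DOCKER_HOST_IP)):
        verdict = "allowed" if check(ip, SAMPLE_NRPE_CFG) else "NOT in allowed_hosts"
        print(f"{label:24} {ip:15} {verdict}")
```

Listing only the single Docker host address in allowed_hosts keeps the agent's access list as narrow as it was intended to be.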


tezarin commented 8 years ago

Hi,

Thanks for your reply. I did what you said but am still getting the same error. Did I have to install anything on the Shinken Docker container? This is how I try to test the check_nrpe plugin from inside Shinken:

1) cd /usr/lib/nagios/plugin
2) ./check_nrpe -H ipoftheremotehost

And I get this error:

CHECK_NRPE: Error - Could not complete SSL handshake.

I even ran this on the host where the Shinken container is running:

iptables -A INPUT -p tcp -d 0/0 -s 0/0 --dport 5666 -j ACCEPT

Thanks much

rohit01 commented 8 years ago

I assume you did restart nagios-nrpe-server after modifying the configuration.

Please find a diagram explaining the architecture in the attachment.

Thanks & Regards,

Rohit Gupta http://www.rohit.io (Sent from my phone)


tezarin commented 8 years ago

Thanks. Yes, I restarted it. A couple of things I changed: on the remote host, I commented out the nagios user and added a line for the shinken user. Same for the group:

nrpe_user=nagios
nrpe_user=shinken
nrpe_group=nagios
nrpe_group=shinken

Now, when I run check_nrpe inside the container, I get a connection refused error:

./check_nrpe -H localhost
connect to address ::1 port 5666: Connection refused

Then running nmap on the localhost outside the container returns that nmap is not even listed.

And when I run nmap servername from the remote host, I see that port 5666 is being filtered:

5666/tcp filtered nrpe

On the server host where the Shinken container is running, I don't see a firewall running:

sudo ufw status
Status: inactive

But I ran this anyway:

iptables -A INPUT -p tcp --dport 5666 -j ACCEPT

Followed by:

sudo ufw reload

Which returns:

Firewall not enabled (skipping reload)

Can you please help me figure it out?

Thanks

rohit01 commented 8 years ago

A connection refused error is more of an unable-to-connect problem. It usually happens when NRPE is down.

Thanks & Regards,

Rohit Gupta http://www.rohit.io


rohit01 commented 8 years ago

[Attached image: img_20151008_224853]

tezarin commented 8 years ago

Thanks much, especially for the great diagram. I checked from inside the container and it looks like I'm not exposing port 5666:

/usr/lib/nagios/plugins/check_nrpe -H localhost
connect to address ::1 port 5666: Connection refused
connect to address 127.0.0.1 port 5666: Connection refused

I ran this container the exact way your instructions say to run it, meaning I did not expose port 5666 anywhere. But since it wasn't exposing port 5666, I tried running it like this:

docker run -d -v "$(pwd)/custom_configs:/etc/shinken/custom_configs" -p 5666:5666 -p 80:80 mynewimage:shinken

Now when I run netstat -ant on the host machine where the Docker container is running, I see that port 5666 is being listened on. But I still get the same error when I run the following command from inside the container:

./check_nrpe -H localhost
connect to address ::1 port 5666: Connection refused
connect to address 127.0.0.1 port 5666: Connection refused

And

./check_tcp -H localhost -p 5666
Connection refused

And when I run "nmap serverIPaddress" from the remote host, I see that port 5666 is being filtered.

And this is the nrpe user and group for that remote host:

egrep "nrpe_user|nrpe_group" /etc/nagios/nrpe.cfg
nrpe_user=nagios
nrpe_user=nagios
nrpe_group=nagios
nrpe_group=nagios

These are the packages I installed on the remote host:

apt-get install openssl nagios-nrpe-server nagios-plugins nagios-plugins-basic nagios-plugins-standard nagios-nrpe-plugin

Edit - I just installed:

apt-get install nagios-nrpe-plugin

Ran:

service nagios-nrpe-server restart

Now when I run ./check_nrpe -H localhost inside the container, I get the version back:

NRPE v2.13

But I still can't get the check_nrpe to work on the remote host:

./check_nrpe -H [remote host IP]
CHECK_NRPE: Error - Could not complete SSL handshake.
/usr/lib/nagios/plugins# ./check_nrpe -H [remote host IP] -n
CHECK_NRPE: Error receiving data from daemon.

Not sure how to fix this, so any info will be much appreciated.

tezarin commented 8 years ago

Now on the server, I am able to run check_nrpe:

root@ContainerIP:/# /usr/lib/nagios/plugins/check_nrpe -H localhost
NRPE v2.13

But on the remote host, I get an error:

root@RemotehostIP:/# /usr/lib/nagios/plugins/check_nrpe -H 127.0.0.1
CHECK_NRPE: Error - Could not complete SSL handshake.

Did you guys have to change nrpe_user=nagios and nrpe_group=nagios to shinken user and group?

Thanks

rohit01 commented 8 years ago

"Did you guys have to change nrpe_user=nagios and nrpe_group=nagios to shinken user and group?"

No. This is not required. The nagios user and group are fine.

Please follow this issue. Might help: https://github.com/rohit01/docker_shinken/issues/5

Thanks & Regards,

Rohit Gupta http://www.rohit.io
