0

Nagios Server is running in a docker container. It's reaching out for host checks through NRPE running on various hosts within the network.

The docker host is 10.10.100.100

Iptables ONLY allows inbound on tcp 5666 from 10.10.100.100 for inbound NRPE checks

The nrpe check coming from Nagios succesfully makes it past the firewall. This would prove that the packet source address is indeed 10.10.100.100

The NRPE config has:

server_port=5666
allowed_hosts=10.10.100.100

When making an nrpe call, the NRPE syslog states: 

Oct 20 18:42:32 dockerz01 nrpe[13382]: Allowing connections from: 10.10.100.100
Oct 20 18:42:59 dockerz01 nrpe[13411]: Host 172.20.0.2 is not allowed to talk to us!

This means that the packet sent to NRPE would have a source address of 172.20.0.2 (which is the Docker container IP, within the docker bridge network). If so, how would it make it through the firewall?!

This doesn't quite make sense, and I'm a bit stumped

Of course, by setting allowed_hosts=172.20.0.2 in the NRPE config gets around the issue, but that's not persistent and doesn't truly solve the issue here.

Does Nagios send what it 'thinks' is the "source" IP in the NRPE packet, and that's what NRPE judges the "source" address from? If so, how can that be altered? What am I missing here? My goal is to put the Docker host as the allowed_host as I know that's static and won't change.

emmdee
  • 2,187
  • 12
  • 36
  • 60
  • I this case, do you mean that the NRPE agent is running on the Docker host and the Docker container is connecting to the NRPE agent on the same host that it is running on? – Andy Shinn Oct 21 '17 at 16:52
  • No, NRPE is running on a different host – emmdee Oct 23 '17 at 16:24
  • I think you might be able to get away with configuring the container's hostname in the nrpe configuration (the Nagios container) and that might be able to get around the IP changes that may occur – ryekayo Oct 23 '17 at 18:34
  • There is no NRPE daemon running on the Nagios host (container) itself so I'm not sure what configuration file I would adjust for your suggestion. From Nagios server (container) itself I'm just calling the `check_nrpe` command to check NRPE running on other hosts. Is there still a config file for check_nrpe? – emmdee Oct 23 '17 at 19:00

1 Answers1

0

On a host with multiple addresses, you can choose which one to send check_nrpe requests from via the -b option.

In your case, -b 10.10.100.100

Other than that, it just follows routing rules.

Keith
  • 4,637
  • 15
  • 25
  • Thanks, however it appears I will have to unfortunately hardcode my Nagios IP here? I don't see a Nagios ```$MACRONAME$``` for the Nagios server IP itself, only the ```$HOSTADDRESS$``` not the ```$SERVERADDRESS$``` -- any tips on that? – emmdee Oct 23 '17 at 16:44
  • Getting an error when trying `-b` : Command: ```/opt/nagios/libexec/check_nrpe -H mynode.local.site -b 10.10.100.100 -c check_load``` Output: ```bind: 10.10.100.100: Cannot assign requested address``` ```connect to host mynode.local.site port 5666: Cannot assign requested address``` – emmdee Oct 23 '17 at 19:01
  • Oh, I think I mis-read your question then. The host OS has 10.10.100.100, but the docker container has a 172.x address? This isn't going to work for you then, unless you NAT it or something. – Keith Oct 23 '17 at 21:34
  • That's a shame :/ I'll just have to leave the 172.x subnet on `allowed_hosts` – emmdee Oct 23 '17 at 22:27