Debian 9 Stretch (and newer) rebuilt Nagios NRPE Server (with command args and SSL compatibility)

Written by Claudio Kuenzler - 6 comments

Published on June 22nd 2017 - last updated on September 21st 2023 - Listed in Linux Monitoring Nagios Icinga

---

Debian Stretch (Debian 9) was released a couple of days ago, on June 17th 2017. In March 2016 I wrote about Debian Jessie (Debian 8) and the problem that the NRPE package was compiled without command arguments allowed. I won't go into details why the command arguments were disabled (read the mentioned article to get these details). This article is somewhat of a follow-up.

In Stretch this is still the same "default"; command arguments are still disabled. But additionally Stretch features the new NRPE version 3.x (3.0.1 to be exact). This can be seen as a breakthrough because NRPE came with version 2.1x for the last many years. It's definitely a big and necessary change, because NRPE became outdated yet it is still widely used in combination with Nagios and Icinga. The NRPE project is now also publicly developed (see Nagios NRPE Github repository).

This means that not only one has to recompile the nagios-nrpe Debian source package to enable command arguments, but one also needs to be made aware how to solve backward compatibility issues. Let's tackle the first challenge.

If you want to take a shortcut without the technical details, just go to my NRPE downloads, download the deb package for your Debian version, and install it using dpkg -i <package>.deb.

Compatibility between NRPE 2.x and 3.x (meanwhile fixed)

NRPE 3.x is built on much newer SSL/TLS protocols than NRPE 2.x. Therefore SSL communication between the two NRPE versions doesn't work.
Here I tried to connect from check_nrpe (2.15) to a nagios-nrpe-server (3.0.1):

$ ./check_nrpe -H 10.10.45.10
CHECK_NRPE: Error - Could not complete SSL handshake.

On the server side, the following log entries appeared (NRPE debug logging enabled):

Jun 22 09:04:51 stretch nrpe[1267]: Connection from 10.10.45.50 port 33773
Jun 22 09:04:51 stretch nrpe[1267]: Host address is in allowed_hosts
Jun 22 09:04:51 stretch nrpe[1267]: Error: Request packet version was invalid!
Jun 22 09:04:51 stretch nrpe[1267]: Could not read request from client 10.10.45.50, bailing out...
Jun 22 09:04:51 stretch nrpe[1267]: Connection from 10.10.45.50 closed.

The logs clearly show a problem between the packet versions. But if check_nrpe is launched without SSL encryption (using the -n parameter), the connection works:

$ ./check_nrpe -H 10.10.45.10 -n
NRPE v3.0.1

Server side logging now shows:

Jun 22 09:06:18 stretch nrpe[1301]: Connection from 10.10.45.50 port 5528
Jun 22 09:06:18 stretch nrpe[1301]: Host address is in allowed_hosts
Jun 22 09:06:18 stretch nrpe[1301]: Host 10.10.45.50 is asking for command '_NRPE_CHECK' to be run...
Jun 22 09:06:18 stretch nrpe[1301]: Response to 10.10.45.50: NRPE v3.0.1
Jun 22 09:06:18 stretch nrpe[1301]: Return Code: 0, Output: NRPE v3.0.1
Jun 22 09:06:18 stretch nrpe[1301]: Connection from 10.10.45.50 closed.

Disabling SSL encryption is not a good idea, I agree. But until all hosts (monitoring server and clients) are updated to a newer NRPE 3.x version it is at least a workaround to ensure compatibility between NRPE 2.x and 3.x. As long as the NRPE connection is happening only in the internal networks, there's not too much to worry about either (but be careful if you happen to check servers through the Internet!).

Update July 19th 2017: As you can see in the comment from David Goodwin, that SSL compatibility problem was fixed in NRPE 3.2.0 (see this commit). NRPE 3.2.x can be installed in Debian through the stretch-backports repositories.

Update July 23rd 2017: This is now also fixed in the "original" Stretch-Package (see http://metadata.ftp-master.debian.org/changelogs/main/n/nagios-nrpe/nagios-nrpe_3.0.1-3+deb9u1_changelog). No need anymore to use the backports repos.

Up to the second challenge:

Enable command arguments

1) Add the deb-src line into your /etc/apt/sources.list file, if it doesn't exist yet. Use your preferred mirror:

deb-src http://mirror.switch.ch/ftp/mirror/debian/ stretch main

Update the repository list afterwards:

apt-get update

2) Install the build tools and dependencies needed to compile the package:

apt-get build-dep nagios-nrpe
apt-get install devscripts build-essential

3) Download the nagios-nrpe source package:

apt-get source nagios-nrpe

The files will be downloaded into the current directory.

4) Change into the package directory and adapt the debian/rules file:

cd nagios-nrpe-3.0.1/; vi debian/rules

At the end of the "override_dh_auto_configure" the "--enable-command-args" need to be added:

    dh_auto_configure -- \
        --prefix=/usr \
        --sysconfdir=/etc \
        --libdir=/usr/lib/nagios \
        --libexecdir=/usr/lib/nagios/plugins \
        --localstatedir=/var \
        --enable-ssl \
        --with-ssl-lib=/usr/lib/$(DEB_HOST_MULTIARCH) \
        --with-piddir=/var/run/nagios \
        --enable-command-args

5) Edit the changelog:

dch -i

This command will ask you to enter information what exactly you have done to this package. In my case I entered the following information:

 nagios-nrpe (3.0.1-1) stable; urgency=medium

  * Non-maintainer upload.
  * Compiled with command arguments enabled

 -- Claudio Kuenzler   Thu, 22 Jun 2017 09:15:13 +0200

6) Create the new deb package:

debuild -us -uc -sa

7) Move one directory up and you will see the newly created files:

cd ..; ls -la | grep 3.0.1-1
-rw-r--r--  1 ckadm ckadm  53352 Jun 22 09:24 nagios-nrpe-plugin-dbgsym_3.0.1-1_amd64.deb
-rw-r--r--  1 ckadm ckadm  30118 Jun 22 09:24 nagios-nrpe-plugin_3.0.1-1_amd64.deb
-rw-r--r--  1 ckadm ckadm  73252 Jun 22 09:24 nagios-nrpe-server-dbgsym_3.0.1-1_amd64.deb
-rw-r--r--  1 ckadm ckadm 347278 Jun 22 09:24 nagios-nrpe-server_3.0.1-1_amd64.deb
-rw-r--r--  1 ckadm ckadm 347278 Jun 22 09:24 nagios-nrpe-server_3.0.1-1_amd64.stretch.deb
-rw-r--r--  1 ckadm ckadm  13792 Jun 22 09:24 nagios-nrpe_3.0.1-1.debian.tar.xz
-rw-r--r--  1 ckadm ckadm   1225 Jun 22 09:24 nagios-nrpe_3.0.1-1.dsc
-rw-r--r--  1 ckadm ckadm  50600 Jun 22 09:24 nagios-nrpe_3.0.1-1_amd64.build
-rw-r--r--  1 ckadm ckadm   5787 Jun 22 09:24 nagios-nrpe_3.0.1-1_amd64.buildinfo
-rw-r--r--  1 ckadm ckadm   2880 Jun 22 09:24 nagios-nrpe_3.0.1-1_amd64.changes

8) The deb package can now be installed:

root@stretch:/ # dpkg -i /home/ckadm/nagios-nrpe-server_3.0.1-1_amd64.deb
dpkg: warning: downgrading nagios-nrpe-server from 3.0.1-3 to 3.0.1-1
(Reading database ... 36589 files and directories currently installed.)
Preparing to unpack .../nagios-nrpe-server_3.0.1.1_amd64.deb ...
Unpacking nagios-nrpe-server (3.0.1-1) over (3.0.1-3) ...
Setting up nagios-nrpe-server (3.0.1-1) ...
Processing triggers for systemd (232-25) ...
Processing triggers for man-db (2.7.6.1-2) ...

To make sure the new binary is used, restarted the daemon:

root@stretch:/etc/nagios# systemctl restart nagios-nrpe-server

NRPE checks using arguments are now working:

$ ./check_nrpe -H 10.10.45.10 -n -c check_load -a "1,2,3" "4,5,6"
OK - load average: 0.22, 0.09, 0.04|load1=0.220;1.000;4.000;0; load5=0.090;2.000;5.000;0; load15=0.040;3.000;6.000;0;

NRPE server side logging shows:

Jun 22 09:18:03 stretch nrpe[17194]: Connection from 10.10.45.50 port 26246
Jun 22 09:18:03 stretch nrpe[17194]: Host address is in allowed_hosts
Jun 22 09:18:03 stretch nrpe[17194]: Host 10.10.45.50 is asking for command 'check_load' to be run...
Jun 22 09:18:03 stretch nrpe[17194]: Running command: /usr/lib/nagios/plugins/check_load -w 1,2,3 -c 4,5,6
Jun 22 09:18:03 stretch nrpe[17194]: Command completed with return code 0 and output: OK - load average: 0.28, 0.14, 0.05|load1=0.280;1.000;4.000;0; load5=0.140;2.000;5.000;0; load15=0.050;3.000;6.000;0;
Jun 22 09:18:03 stretch nrpe[17194]: Return Code: 0, Output: OK - load average: 0.28, 0.14, 0.05|load1=0.280;1.000;4.000;0; load5=0.140;2.000;5.000;0; load15=0.050;3.000;6.000;0;
Jun 22 09:18:03 stretch nrpe[17194]: Connection from 10.10.45.50 closed.

Update July 28th 2017: The deb package, containing the enabled command arguments, was updated to contain the SSL fixes. New file name: nagios-nrpe-server_3.0.1-3+deb9u1.1_amd64.stretch.deb. You can find the nagios-nrpe-server packages with command arguments enabled here: https://www.claudiokuenzler.com/downloads/nrpe/.

Update May 15th 2019: Added deb package for Debian 10 Buster, see NRPE downloads. Command arguments are still disabled in the default package. 

Update November 19th 2020: Added deb package for Debian 11 Bullseye, see NRPE downloads. Command arguments are still disabled in the default package. 

Update September 21st 2023: Added nagios-nrpe-server deb package for Debian 12 Bookworm, see NRPE downloads. Command arguments are still disabled in the default package. 

Add a comment

Show form to leave a comment

Comments (newest first)

Pierre from wrote on May 29th, 2024:

Thanks a lot! When I could narrow the issue to "only" the arguments part I found your page and could fix the problem in a few minutes!

---

Vytenis from Vilnius wrote on Apr 2nd, 2020:

Thank you. Again

---

ck from Switzerland wrote on Oct 15th, 2019:

Hi Cédric. Yes, all the nrpe packages in https://www.claudiokuenzler.com/downloads/nrpe/ accept arguments.

---

Cédric Meschin from wrote on Oct 14th, 2019:

Hi Claudio,
Thanks for those useful informations.
Is the package available on download page for Jessie is compiled to accept arguments?
regards
Cédric

---

Reno from France wrote on Oct 18th, 2017:

Very useful informations, thank you boss! :)

---

David Goodwin from United Kingdom wrote on Jul 15th, 2017:

The SSL issue appears to be fixed (it is for me anyway, where my nagios server is still on Jessie, but I upgraded one monitored server to Stretch and found that my checks failed)

Try :

apt-get install -t stretch-backports nagios-nrpe-server


See http://metadata.ftp-master.debian.org/changelogs/main/n/nagios-nrpe/nagios-nrpe_3.2.0-3~bpo9+1_changelog

---