Skip to content

rhythmictech/ansible-role-ncpa

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ansible-role-ncpa

Installs and configures the Nagios Cross-Platform Agent (NCPA) on RHEL-family Linux, along with a set of Nagios plugins and custom check scripts.

Supported platforms

  • RHEL / AlmaLinux / Rocky / Oracle Linux 7, 8, 9, 10
  • Amazon Linux 2 and 2023

The role supports both NCPA v2 (RHEL 6/7-era) and NCPA v3 (the current line, default on modern distros). The major version drives the service names and config layout automatically — see ncpa_version_major below.

NCPA v2 vs v3

The role adapts to the differences between the two major versions:

NCPA v2 NCPA v3
Service(s) ncpa_listener + ncpa_passive single ncpa service
uid/gid/pidfile [listener] section [general] section
ssl_version TLSv1 / TLSv1_1 / TLSv1_2 TLSv1_2 / TLSv1_3 only

The default ncpa_ssl_version is TLSv1_2, which is valid on both.

Monitoring-server compatibility (check_ncpa.py)

This role installs the agent. Your Nagios server polls it with the check_ncpa.py plugin, which lives on the monitoring server and is not managed here. The plugin itself is unchanged in NCPA v3 (still v1.2.5, identical flags and ?token= query-param auth), but upgrading agents v2 → v3 has three server-side implications worth checking before a fleet-wide rollout:

  1. TLS floor. The v3 agent requires TLS 1.2+ and refuses TLSv1/TLSv1.1. check_ncpa.py has no flag to pin a TLS version — it negotiates the highest the server's Python/OpenSSL supports. Any server with OpenSSL ≥ 1.0.1 (TLS 1.2 capable) is fine; only very old stacks (e.g. RHEL 6 / OpenSSL 1.0.0) will fail the handshake with no client-side workaround. Smoke-test one upgraded agent from the monitoring server before rolling out to the fleet.

  2. python interpreter. check_ncpa.py ships with #!/usr/bin/env python. RHEL/AlmaLinux 8+ and Amazon Linux 2023 have no python binary by default — install the python3-unversioned-command symlink or invoke it as python3 check_ncpa.py. (Not an issue on EL7, which still provides python.)

  3. Removed API paths. v3 dropped three endpoints deprecated since v2.0.0. Audit your Nagios check commands and replace any old -M paths:

    Old -M path (404 on v3) Replacement
    agent/plugin/<name> plugins/<name>
    service/<name> services?service=<name>
    process/<name> processes?name=<name>

Note for this environment: our Nagios server currently runs CentOS 7.9 (OpenSSL 1.0.2k, system Python 2.7.5 with TLS 1.2 backported). It supports TLS 1.2 and provides python, so points 1 and 2 above should not block polling v3 agents — but verify with a single agent first. Point 3 (API-path audit) still applies.

Role variables

Variable Default Description
ncpa_package_name ncpa NCPA package name.
ncpa_package_version "3.4.1" Pinned package version. Set to "" to install the repo's latest.
ncpa_version_major derived from the pin (else 3) Drives service name and config layout. Override when installing latest.
ncpa_repo_package_url per-distro from ncpa_repo_rpm_map Nagios repo RPM, selected by ansible_distribution_major_version.
ncpa_use_nagios_repo true Install the Nagios repo. Set false on AL2023 (no official repo).
ncpa_package_url "" Install NCPA directly from this RPM URL (used when no repo is available).
ncpa_use_fedora_repo false Pull nagios-plugins-* from a Fedora 36 archive repo (AL2023 has no EPEL).
ncpa_service_name derived from ncpa_version_major ncpa (v3) or ncpa_listener (v2).
ncpa_uid / ncpa_gid nagios Listener run-as user/group.
ncpa_ssl_version TLSv1_2 TLS version for the listener.
ncpa_certificate adhoc TLS certificate (adhoc = self-signed).
ncpa_listener_ip 0.0.0.0 Listener bind address.
ncpa_listener_port 5693 Listener port.
ncpa_plugin_path /usr/lib64/nagios/plugins/ Where NCPA looks for check plugins.
ncpa_community_string (empty) API token / community string clients authenticate with.
ncpa_sudoers postfix mailqueue check List of allowed_user / allowed_command sudoers entries.

Example: Amazon Linux 2023

AL2023 has no official Nagios repo and no EPEL nagios-plugins, so install NCPA from a direct URL and pull plugins from the Fedora archive repo:

- hosts: al2023
  roles:
    - role: ansible-role-ncpa
      vars:
        ncpa_use_nagios_repo: false
        ncpa_package_url: https://repo.nagios.com/...../ncpa-3.4.1.el9.x86_64.rpm
        ncpa_use_fedora_repo: true
        ncpa_community_string: "your-token"

Graviton / aarch64: The Fedora archive repo URL is built from ansible_architecture, so plugins resolve correctly on both x86_64 and aarch64 hosts. Just make sure ncpa_package_url, if you set it, points at an RPM matching the target architecture (e.g. ...ncpa-3.4.1.el9.aarch64.rpm on Graviton).

Example: AlmaLinux 10 (NCPA v3, default path)

- hosts: alma10
  roles:
    - role: ansible-role-ncpa
      vars:
        ncpa_community_string: "your-token"

About

No description, website, or topics provided.

Resources

License

Code of conduct

Contributing

Security policy

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors