Installs and configures the Nagios Cross-Platform Agent (NCPA) on RHEL-family Linux, along with a set of Nagios plugins and custom check scripts.
- RHEL / AlmaLinux / Rocky / Oracle Linux 7, 8, 9, 10
- Amazon Linux 2 and 2023
The role supports both NCPA v2 (RHEL 6/7-era) and NCPA v3 (the current line,
default on modern distros). The major version drives the service names and config
layout automatically — see ncpa_version_major below.
The role adapts to the differences between the two major versions:
| NCPA v2 | NCPA v3 | |
|---|---|---|
| Service(s) | ncpa_listener + ncpa_passive |
single ncpa service |
uid/gid/pidfile |
[listener] section |
[general] section |
ssl_version |
TLSv1 / TLSv1_1 / TLSv1_2 |
TLSv1_2 / TLSv1_3 only |
The default ncpa_ssl_version is TLSv1_2, which is valid on both.
This role installs the agent. Your Nagios server polls it with the
check_ncpa.py plugin, which lives on the monitoring server and is not managed
here. The plugin itself is unchanged in NCPA v3 (still v1.2.5, identical flags and
?token= query-param auth), but upgrading agents v2 → v3 has three server-side
implications worth checking before a fleet-wide rollout:
-
TLS floor. The v3 agent requires TLS 1.2+ and refuses
TLSv1/TLSv1.1.check_ncpa.pyhas no flag to pin a TLS version — it negotiates the highest the server's Python/OpenSSL supports. Any server with OpenSSL ≥ 1.0.1 (TLS 1.2 capable) is fine; only very old stacks (e.g. RHEL 6 / OpenSSL 1.0.0) will fail the handshake with no client-side workaround. Smoke-test one upgraded agent from the monitoring server before rolling out to the fleet. -
pythoninterpreter.check_ncpa.pyships with#!/usr/bin/env python. RHEL/AlmaLinux 8+ and Amazon Linux 2023 have nopythonbinary by default — install thepython3-unversioned-commandsymlink or invoke it aspython3 check_ncpa.py. (Not an issue on EL7, which still providespython.) -
Removed API paths. v3 dropped three endpoints deprecated since v2.0.0. Audit your Nagios check commands and replace any old
-Mpaths:Old -Mpath (404 on v3)Replacement agent/plugin/<name>plugins/<name>service/<name>services?service=<name>process/<name>processes?name=<name>
Note for this environment: our Nagios server currently runs CentOS 7.9 (OpenSSL 1.0.2k, system Python 2.7.5 with TLS 1.2 backported). It supports TLS 1.2 and provides
python, so points 1 and 2 above should not block polling v3 agents — but verify with a single agent first. Point 3 (API-path audit) still applies.
| Variable | Default | Description |
|---|---|---|
ncpa_package_name |
ncpa |
NCPA package name. |
ncpa_package_version |
"3.4.1" |
Pinned package version. Set to "" to install the repo's latest. |
ncpa_version_major |
derived from the pin (else 3) |
Drives service name and config layout. Override when installing latest. |
ncpa_repo_package_url |
per-distro from ncpa_repo_rpm_map |
Nagios repo RPM, selected by ansible_distribution_major_version. |
ncpa_use_nagios_repo |
true |
Install the Nagios repo. Set false on AL2023 (no official repo). |
ncpa_package_url |
"" |
Install NCPA directly from this RPM URL (used when no repo is available). |
ncpa_use_fedora_repo |
false |
Pull nagios-plugins-* from a Fedora 36 archive repo (AL2023 has no EPEL). |
ncpa_service_name |
derived from ncpa_version_major |
ncpa (v3) or ncpa_listener (v2). |
ncpa_uid / ncpa_gid |
nagios |
Listener run-as user/group. |
ncpa_ssl_version |
TLSv1_2 |
TLS version for the listener. |
ncpa_certificate |
adhoc |
TLS certificate (adhoc = self-signed). |
ncpa_listener_ip |
0.0.0.0 |
Listener bind address. |
ncpa_listener_port |
5693 |
Listener port. |
ncpa_plugin_path |
/usr/lib64/nagios/plugins/ |
Where NCPA looks for check plugins. |
ncpa_community_string |
(empty) | API token / community string clients authenticate with. |
ncpa_sudoers |
postfix mailqueue check |
List of allowed_user / allowed_command sudoers entries. |
AL2023 has no official Nagios repo and no EPEL nagios-plugins, so install NCPA from
a direct URL and pull plugins from the Fedora archive repo:
- hosts: al2023
roles:
- role: ansible-role-ncpa
vars:
ncpa_use_nagios_repo: false
ncpa_package_url: https://repo.nagios.com/...../ncpa-3.4.1.el9.x86_64.rpm
ncpa_use_fedora_repo: true
ncpa_community_string: "your-token"Graviton / aarch64: The Fedora archive repo URL is built from
ansible_architecture, so plugins resolve correctly on bothx86_64andaarch64hosts. Just make surencpa_package_url, if you set it, points at an RPM matching the target architecture (e.g....ncpa-3.4.1.el9.aarch64.rpmon Graviton).
- hosts: alma10
roles:
- role: ansible-role-ncpa
vars:
ncpa_community_string: "your-token"