Conntrack check does not work in LXD containers

Bug #1673064 reported by Sandor Zeestraten on 2017-03-15
30
This bug affects 5 people
Affects Status Importance Assigned to Milestone
NRPE Charm
Medium
Paul Gear

Bug Description

Juju 2.1.1
MAAS 2.1.3

Deploying NRPE rev. 13 to monitor the latest stable OpenStack charms (all but ceph-mon and ceph-osd) with Nagios rev. 15 ends up as critical with the status "NRPE: Unable to read output"
Other checks are all OK.

Running the local check_conntrack.sh on the unit results in the following output:

ubuntu@juju-1fabb0-0-lxd-0:/etc/nagios/nrpe.d$ /usr/local/lib/nagios/plugins/check_conntrack.sh -w 80 -c 90
sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_max: No such file or directory
sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_count: No such file or directory
/usr/local/lib/nagios/plugins/check_conntrack.sh: 50: /usr/local/lib/nagios/plugins/check_conntrack.sh: arithmetic expression: division by zero: "current * 100 / max"

Is there a way to disable the check?

Related branches

description: updated
Changed in nrpe-charm:
status: New → Confirmed
importance: Undecided → Medium
tags: added: landscape
Paul Gear (paulgear) wrote :

I think the check should automatically detect when it should not apply (in this case, inside a container where /proc/sys/net/netfilter/nf_conntrack_{count,max} do not exist) and return an appropriate value. My initial inclination is to return 3 (UNKNOWN), with a second preference of 0 (OK). Do you have any thoughts/preferences regarding this?

Paul Gear (paulgear) wrote :

I've implemented a tentative fix for both returning UNKNOWN if the check can't determine the correct values, and for allowing manual disabling of checks by setting their configuration to the empty string at https://code.launchpad.net/~paulgear/nrpe-charm/+git/nrpe-charm/+merge/322170

This is untested at present; I'll report back with further info when I've had a chance to test.

Haw Loeung (hloeung) on 2017-04-07
Changed in nrpe-charm:
assignee: nobody → Paul Gear (paulgear)
status: Confirmed → In Progress
Paul Gear (paulgear) on 2017-04-07
summary: - Conntrack checks do not work
+ Conntrack check does not work in LXD containers
Fairbanks. (fairbanks) wrote :

@paulgear i have tested those changes on a large system, and it works very good.
Also the empty cmd_params is very nice, it removes the check totally from nagios.

With this i can deploy 2 sets of nrpe charms, one for bare-metal and one for lxd containers.
I say, push it to the charm-store so we can deploy ;)

Nobuto Murata (nobuto) wrote :

I found this and tested the attached branch. It works for me. It looks like the attached branch was approved but not (yet) merged. Is there any blocker to release it in the charm store?

Paul Gear (paulgear) wrote :

I've done some further light testing, fixed a minor issue, and pushed the result to cs:~nrpe-charmers/nrpe-8; I've requested promulgation to cs:nrpe, which hopefully will happen in the next day or so. Please note that due to bugs #1629127 and #1687348, existing installations will need manual cleanup of old checks in /etc/nagios/nrpe.d/.

Changed in nrpe-charm:
status: In Progress → Fix Committed
Paul Gear (paulgear) wrote :

Updated version released as https://jujucharms.com/nrpe/17 now.

Changed in nrpe-charm:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers