LXD 4.0.1 nagios-nrpe-server running certain checks in unprivileged container

Hi Team,

Hoping someone can point me in the right direction. Not sure if this is an issue with LXD and running nagios-nrpe-server inside it: running certain checks fails when it is started with the standard systemd init scripts, while running it manually works fine.

Running with “/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -f” the remote checks run and all is good.

When I start it with “systemctl start nagios-nrpe-server.service” I get:

“WARNING: my_system() seteuid(0): Operation not permitted”

Is there any setting I can enable in my lxd config that will make this work out of the box or some systemd issue?

Thank you in advance.

Cheers
Jonathan

What does systemctl cat nagios-nrpe-server show you?
It may be using some privilege dropping logic which then gets in the way.

Hi Stéphane,

systemctl cat nagios-nrpe-server

/lib/systemd/system/nagios-nrpe-server.service

[Unit]
Description=Nagios Remote Plugin Executor
Documentation=http://www.nagios.org/documentation
After=var-run.mount nss-lookup.target network.target local-fs.target remote-fs.target time-sync.target
Before=getty@tty1.service plymouth-quit.service xdm.service
Conflicts=nrpe.socket

[Install]
WantedBy=multi-user.target

[Service]
Type=simple
Restart=on-abort
PIDFile=/run/nagios/nrpe.pid
EnvironmentFile=-/etc/default/nagios-nrpe-server
ExecStart=/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -f $NRPE_OPTS
ExecReload=/bin/kill -HUP $MAINPID
ExecStopPost=/bin/rm -f /run/nagios/nrpe.pid
TimeoutStopSec=60
User=nagios
Group=nagios
PrivateTmp=true
OOMScoreAdjust=-500

/run/systemd/system/service.d/zzz-lxc-service.conf

[Service]
ProtectControlGroups=no
ProtectKernelTunables=no

After some more troubleshooting we narrowed it down to some files that are supposed to be read from the /tmp/ folder by the nagios user; the check basically uses them as a reference to check folder locations for stuck files in folders.

I moved the files to the nagios user's $HOME folder and I still get the same error in the nagios debug, but the check completes at least and gives me the correct output. This used to run on a VM and was moved into a container; I am still not sure why /tmp/ gets treated differently inside the container when running via systemd.

So I guess I found a workaround, but not the actual cause :).

Thanks for your time on this one.

Cheers
Jonathan

PrivateTmp=true may be doing something funny in this case.

You could try putting a unit override (systemctl edit nagios-nrpe-server) with something like:

[Service]
PrivateTmp=false

Then do systemctl daemon-reload and systemctl restart nagios-nrpe-server to apply it and see if that fixes things for you.

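As an added example (not from this thread or from LXD/systemd themselves): a small shell snippet that resolves the effective [Service] value of a directive from systemctl cat output, where the last definition across the main unit and its drop-ins wins, and prints the override drop-in Stéphane describes. It runs on a constructed sample modelled on the unit pasted above, including the "# /path" header lines that systemctl cat normally emits before each file.

```shell
#!/bin/sh
# Added example: resolve which file last set a [Service] directive in
# `systemctl cat` output (later drop-ins override earlier definitions),
# and produce the drop-in that would flip PrivateTmp.

# Constructed sample modelled on the thread's unit; `systemctl cat` prints
# a "# /path" comment line before each file it concatenates.
SAMPLE_UNIT='# /lib/systemd/system/nagios-nrpe-server.service
[Service]
Type=simple
User=nagios
Group=nagios
PrivateTmp=true

# /run/systemd/system/service.d/zzz-lxc-service.conf
[Service]
ProtectControlGroups=no
ProtectKernelTunables=no'

# effective_value DIRECTIVE  (reads `systemctl cat` text on stdin)
# Prints "VALUE FILE" for the last assignment of DIRECTIVE in a [Service]
# section, mimicking systemd's last-definition-wins rule across drop-ins.
effective_value() {
    awk -v key="$1" '
        /^# \//  { file = $2; next }        # "# /path/to/file" header line
        /^\[/    { section = $0; next }     # section header, e.g. [Service]
        section == "[Service]" && index($0, key "=") == 1 {
            val = substr($0, length(key) + 2)   # text after "KEY="
            where = file
        }
        END { if (where != "") printf "%s %s\n", val, where }'
}

# Drop-in body that disables PrivateTmp; `systemctl edit <unit>` writes it to
# /etc/systemd/system/<unit>.d/override.conf, then daemon-reload + restart.
private_tmp_override() {
    printf '[Service]\nPrivateTmp=false\n'
}

# Stand-alone usage: show the value before and after adding the override.
printf '%s\n' "$SAMPLE_UNIT" | effective_value PrivateTmp
printf '%s\n# /etc/systemd/system/nagios-nrpe-server.service.d/override.conf\n%s' \
    "$SAMPLE_UNIT" "$(private_tmp_override)" | effective_value PrivateTmp
```

PrivateTmp= is a sandboxing feature, so confirm it really is the directive in effect before turning it off; keeping the state files outside /tmp, as done above, preserves the isolation.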

Thank you, I did think of that one and I suspect it will work, but it feels wrong to change “defaults”. I will test that and then mark it as a potential solution for someone stuck with a similar issue. Thanks again for your time.