A fully IPv6 dual stack enabled network is monitored by Nagios 3.5.1 installed from EPEL on a CentOS 6.7 server. Monitored hosts run NRPE agents, all of which are configured to run as daemons (not via xinetd) with the configuration line
allowed_hosts=bombur.example.com
where bombur.example.com
is the Nagios server's FQDN which resolves in DNS to both the IPv4 and IPv6 addresses:
% host bombur
bombur.example.com has address 192.0.2.28
bombur.example.com has IPv6 address 2001:db8:f00:ba8::28
This works fine for hosts running NRPE releases before 2.15 which lack IPv6 support and ony accept IPv4 connections. But on hosts with NRPE 2.15, which does support IPv6, connections from the Nagios server are rejected with the log message:
nrpe[21665]: Host 2001:db8:f00:ba8::28 is not allowed to talk to us!
Apparently the allowed_hosts=<hostname>
directive allows only the IPv4 address of the given host, not its IPv6 address.
Is that deduction correct? Is there a way around this behaviour, preferably without hardcoding the numeric IPv6 address in all the NRPE agent configurations?
It seems that when NRPE starts, it looks up
bombur.example.com
and uses the first (IPv4 in this case) address for theallowed_host
entry.The simplest way around this is to just use two hostnames. E.g., make bombur4.example.com and bombur6.example.com that only resolve to the IPv4 and IPv6 addresses respectively.
If that were not an option for some reason, you'd have to just list both IPs explicitly (and hopefully use a config management system).