0.14.0 #1333
mickem
announced in
Announcements
0.14.0
#1333
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Linux parity — native checks, real-time monitoring, first-class packaging, and a secure-by-default web server
This release brings Linux up to near-parity with Windows and completes the Linux
story that began in 0.13.0. On the checks side it adds a full suite of
Linux-native system checks (
CheckSystemUnix) sourced directly from/procand
/sys, event-driven real-time monitoring on Linux, Linux disk / file /mount support in
CheckDisk, and a round of cross-platformCheckNetimprovements — TLS for
check_tcp, a fullercheck_http, multi-record-type DNS,and two new network checks. Around the daemon it delivers first-class Linux
packaging (FHS layout, official
.deb/.rpm), a secure-by-default webserver, one-command installs via winget / Chocolatey / Scoop and
nscp web install-ui, a Lua CLI, and a broad set of security and reliabilityfixes. It also hardens plugin shutdown so a misbehaving module can no longer
crash the service on exit.
🌟 Highlights
CheckSystemUnix). New native checks —check_load,check_cpu_utilization,check_kernel_stats,check_swap_io,check_cpu_frequency,check_temperature,check_battery,check_network—plus overhauled
check_process(with process history / delta CPU) and a systemd-awarecheck_service. All read/procand/sysdirectly, with thresholds and syntax that match their Windows counterparts.CheckSystemUnixgains an event-driven real-time thread, so CPU, memory andprocess alerts can fire the moment a threshold is crossed rather than only on poll — the same real-time model
previously available only on Windows.
CheckDisk).CheckDiskis no longer Windows-only: free-space(
check_drivesize), file (check_files) and disk-I/O checks now run on Linux, with per-device I/O sampling from/proc/diskstats, LVM / device-mapper mapping, inode statistics, file-integrity checksums, and a newcheck_mount.CheckNet).check_tcpnow speaks TLS (ssl=true) with newSPOP/SIMAP/SSMTPpresets;
check_httpgains redirect policy, certificate-expiry reporting, Basic auth, SNI and non-GET methods;check_dnsqueries any record type against a custom resolver; and two new checks arrive —check_sshandcheck_nsclient_web_online.CMAKE_INSTALL_PREFIX, with official.deb/.rpmtargeting
/usr, and a Boost.Beast web backend by default.nscp web install-ui.check_ntcommand allow-listing and stricter external-script argument checks.
nscp lua execute, backed by Lua thread-safety hardening.that fails to unload can no longer take the service down on shutdown.
📖 Detailed changes
🐧 CheckSystemUnix — native Linux system checks
A new family of checks reads Linux kernel state directly. Thresholds and
detail-syntaxkeywords mirror the Windowschecks so alerts port across platforms.
check_load/proc/loadavgloadshortcut;percpu=truescalingcheck_cpu_utilization/proc/stat(~1s sample)user,system,iowait,steal,idle,totalcheck_kernel_stats/proc/stat,/proc/loadavgcheck_swap_io/proc/vmstatswap_in/swap_outpages/s and bytes/s)check_cpu_frequency/syscpufreqcheck_temperaturecheck_battery/syspower_supplycheck_network/proc/net/dev+ sysfs⚙️ CheckSystemUnix —
check_processhistory andcheck_serviceon systemdcheck_processnow tracks process history and computes delta CPU between samples (rather than lifetime CPU),and exposes memory keywords (
rss,vms), matching the Windows process semantics.check_servicenow inspects systemd units. The raw systemd state is mapped to a normalisedstatekeyword sothresholds read the same as on Windows, while the raw fields (
active,sub_state,preset) are exposed too. Thedefault critical expression is
( state not in ('running', 'oneshot', 'static') or active = 'failed' ) and preset != 'disabled'— so astopped-but-disabled unit stays OK while an enabled unit that failed is CRITICAL. Per-unit process metrics
(
rss,vms,cpu,tasks,age) are parsed from/procfor the unit's main process.check_os_versionnow parses/etc/os-releaseand reports the distribution and kernel details.⚡ CheckSystemUnix — real-time monitoring
CheckSystemUnixgains a real-time collection thread and real-time data model, bringing event-driven checks to Linux.CPU, memory and process real-time filters evaluate continuously and emit the moment a threshold is crossed, matching the
Windows real-time behaviour. See the Real-Time System Monitoring scenario, now cross-platform.
💾 CheckDisk — now on Linux: disk metrics, inodes, checksums, and
check_mountCheckDiskis no longer Windows-only. Linux builds gain the core free-space and file checks (check_drivesize,check_files) plus disk-I/O sampling, and this release adds:check_disk_ioandcheck_disk_healthnow sample per-device I/O from/proc/diskstatsonce persecond on Linux (mirroring the Windows PDH path). LVM / device-mapper and RAID volumes are mapped back to their
backing devices via sysfs, so space and I/O join correctly for
/dev/mapper/…filesystems. The first query afterstartup can return UNKNOWN while the collector takes its first sample.
check_drivesizeexposesinodes_total,inodes_free,inodes_used,inodes_free_pctandinodes_used_pct, so you can catch inode exhaustion (free bytes but no free inodes).check_filesexposesmd5_checksum,sha1_checksum,sha256_checksum,sha384_checksumandsha512_checksum, computed lazily only when referenced.check_mount(new). Verifies a filesystem is mounted — and optionally that it is mounted with the expected typeand options — reading the live mount table (
/proc/self/mounts). A path that is not mounted is CRITICAL; afstypeor missing-
optionsmismatch is WARNING.(Some Windows-only legacy
CheckDiskcommands are not registered on Linux.)🔐 CheckNet — TLS for
check_tcpcheck_tcpcan now establish a TLS session over the connected socket (ssl=true), withtls-version(defaulttlsv1.2+),verify(defaultnone) andcaoptions, and aresponseregex to match the server's greeting. Threenew TLS service presets ship alongside the existing plaintext ones:
SPOP^\+OKSIMAP^\* OKSSMTP^220Peers that close the TLS session without a
close_notify(reported by OpenSSL asstream_truncated) are now treatedas a clean end-of-data rather than a read failure.
🌐 CheckNet —
check_httpfeaturescheck_httpgains the features needed for real service checks:onredirect=ok|follow(defaultok) withmax-redirs(default 15); follows301/302/303/307/308.ssl_expiry_days(days until the served certificate expires) for HTTPS targets.username/passwordsend an HTTP BasicAuthorizationheader.method=(HEAD/POST/…),post-data,content-type; supplyingpost-datawith a GETpromotes the request to POST.
sni=overrides the TLS server name / verification host.🔎 CheckNet —
check_dnsrecord types and custom servercheck_dnsnow queries any record type (type=A|AAAA|MX|TXT|NS|CNAME|SOA|PTR|SRV) and can direct the query at aspecific resolver (
server=), rather than only resolving an A record against the system resolver.🔑 CheckNet —
check_ssh(new)Connects to an SSH port and validates the protocol banner (implemented on top of the
check_tcpservice-presetmachinery). Flags a server that fails to present a valid
SSH-2.0/SSH-1.xidentification string.📡 CheckNet —
check_nsclient_web_online(new)Verifies that a remote NSClient++ agent's REST/WEB endpoint is reachable and that credentials authenticate — a
lightweight liveness probe for the agent's management interface. Reports the base URL and distinguishes "unreachable"
from "authentication failed (HTTP 401/403)".
🌙 Lua — run scripts straight from the command line
nscp lua executeruns a Lua script directly from the CLI — useful for developing and debugging check scripts withoutwiring them into the configuration first:
Lua also got thread-safety hardening (a proper GIL), new helpers for targeted and forwarded queries, clearer errors when
a script fails to load, and log lines that report the actual script line number.
🔏 TLS — outbound SNI and Op5 client options
SNI is now sent on outbound TLS connections (Graphite and the generic TLS client), so a TLS proxy hosting several
certificates returns the right one.
The Op5 client gained explicit TLS settings:
🔒 Security — secure-by-default web server and hardening
The web server refuses to run unencrypted by default. To stop NSClient++ from silently serving the REST API /
web UI over plain HTTP, the WEB server now refuses to start without a certificate unless you explicitly opt in
with
allow insecure = true(see Upgrade notes).check_ntcan now be restricted to specific commands. The legacycheck_ntprotocol is password-only (andsource-IP filtering is spoofable), so you can now limit which of its ten request codes are answered. The default is
any(unchanged behaviour):A request outside the list is rejected with
ERROR: Command not allowed.Stricter shell-metacharacter checks in external scripts. User-supplied argument values containing more shell
metacharacters are now rejected.
Graphite metric paths are sanitized before being written to the line protocol, preventing injection of extra
metrics.
Python
sys.pathhandling hardened to prevent code-injection via path manipulation.🪟 Windows — winget / Chocolatey / Scoop packages
NSClient++ is now published to the common Windows package managers:
winget install Mickem.NSClient choco install nsclient scoop install nsclient # still pending approval📦 Linux packaging — FHS layout and install prefix
The Linux build honours
CMAKE_INSTALL_PREFIXlike a normal CMake project, and the official.deb/.rpmare built for/usr. The file layout is now:/usr/sbin/nscp/usr/lib/nsclient/modules/usr/lib/nsclient/etc/nsclient/var/lib/nsclient·/var/log/nsclientIf you previously patched hardcoded paths to build for a custom location, that is no longer needed — pass
-DCMAKE_INSTALL_PREFIX=/opt/nsclient(or the standardCMAKE_INSTALL_*DIRknobs) instead. To point analready-installed daemon at a
boot.iniin a non-standard place there is a new override:🖥️ Linux — web UI is a separate download (
.deb/.rpm)The Linux packages no longer bundle the React/Vite web frontend (Debian/Fedora policy forbids
npm installduringpackage builds). The daemon, REST API, NRPE/NSCA listeners and every check module are still in the package — only the
browser UI ships separately. After installing the package, fetch the matching UI bundle as root:
Until you do, the web port shows a small built-in placeholder page; the REST API and all listeners work normally
without it. The Windows MSI still bundles the UI inline.
🧩 Core — filter summary-variable rendering
All check filters now prefer summary variables during summary rendering. Previously a keyword that exists both
per-item and as a summary aggregate (notably
status) could render the last item's value in the summary line, makingthe overall status read incorrectly. Summary context now resolves to the summary value, so
top-syntaxreports theaggregate correctly.
🛡️ Service — safer plugin shutdown
The plugin manager now handles broken plugins defensively and prevents a module that misbehaves during teardown from
crashing the service on shutdown. Modules get a clean teardown path so listeners and background threads stop before
unload.
📈 collectd client — encoding and protocol fixes
Correct (little-endian) gauge encoding, working IPv6 multicast, a configurable send
interval(default 10s), andpreviously dropped metric types (counter / derive / absolute) are now mapped instead of discarded.
🐛 Bug fixes
check_ntp_offsetthreshold handling and improved default accuracy.check_connectionsperformance-data accuracy for total connections.check_process delta=true. The delta calculation for per-process CPU usageproduced inconsistent readings; it now returns stable, accurate values.
perf-config=nonereporting "Failed to parse syntax". Settingperf-config=noneto suppress performance-dataformatting no longer fails parsing.
IPV6_V6ONLYon Linux to avoid port conflicts with IPv4, and IPv6 address resolution wasimproved.
CommandClientnow shuts down gracefully on POSIX signals.🚚 Packaging & distribution notes
check_nsclientNagios plugin moved to its own repository (mickem/check_nsclient) and is pulled inat build time. This only matters if you build from source.
downloads.
libzip(instead of vendored Miniz), can use the systemGoogle Test, and degrades cleanly when an optional dependency is missing. Linux uses the Boost.Beast web backend by
default.
📚 Documentation and tests
Service & Process Monitoring and Real-Time System Monitoring scenarios.
docs/samples/usage examples and clarifying descriptions for every new command.CheckSystemUnix,CheckDiskunix,CheckNet) and REST-driven integration tests undertests/covering the new system, disk and network checks.A few defaults were tightened for security and the Linux packaging layout changed. None of these affect a normal Windows
MSI upgrade, but Linux users and anyone running the web server in cleartext should read this section.
The web server refuses to run unencrypted by default. If you intentionally run the web server in cleartext (e.g.
behind a TLS-terminating proxy, or on an isolated network), set
allow insecure = true:Otherwise, provide a certificate (
certificate = …). If you do nothing and the server has no certificate, it logs anerror and does not start the listener.
The web UI is a separate download on Linux (
.deb/.rpm). After installing the package, runsudo nscp web install-uito fetch the matching UI bundle. Until then the web port serves a built-in placeholder;the REST API and all listeners work normally without it. The Windows MSI still bundles the UI inline.
Linux install layout now follows the FHS / install prefix. The official
.deb/.rpminstall to/usr(daemon
/usr/sbin/nscp, config/etc/nsclient, state/logs under/var). If you patched hardcoded paths to buildfor a custom location, pass
-DCMAKE_INSTALL_PREFIX(and the standardCMAKE_INSTALL_*DIRknobs) instead.Linux
check_servicenow targets systemd. If you previously scripted around the old behaviour, note thenormalised
statekeyword and the default expression that keeps disabled units OK. Match units by unit name(e.g.
service=ssh), and usestate,active,sub_stateandpresetin thresholds.Linux
check_processreports delta CPU. CPU is now the usage between samples rather than lifetime CPU. Review anyCPU thresholds that assumed the old semantics.
Linux disk I/O needs one collector sample. The first
check_disk_io/check_disk_healthquery immediately afterstartup may return UNKNOWN ("collector still initializing"); this is invisible with a running service and normal in
one-shot testing.
check_tcp/check_httpbooleanssl. Enable TLS withssl=true. When verifying certificates, setverify=peerand provide aca=bundle; the default remainsverify=none.🙌 New Contributors
Full Changelog: 0.12.6...0.14.0
This discussion was created from the release 0.14.0.
Beta Was this translation helpful? Give feedback.
All reactions