Agent download fails in distributed setup

Hi,

sorry for warming this one up, but my issue sounds related and therefore this may be a good place to bring my issue up.

I was wondering if it is possible to perform a remote registration via Ansible?
When I tried the naive way, just changing the hostname and site name to the remote site in my existing (and for the central site, working) Ansible config, the following error shows up:

TASK [tribe29.checkmk.agent : Debian Derivatives: Download GENERIC Checkmk CEE Agent.] ***************************************************************************************************************************************************************************************
fatal: [***redacted - target where agent is supposed to be installed*** -> ***redacted - target where agent is supposed to be installed***]: FAILED! => {"changed": false, "connection": "close", "content_length": "222", "content_security_policy": "default-src 'self' 'unsafe-inline' 'unsafe-eval' ssh: rdp:; img-src 'self' data: https://*.tile.openstreetmap.org/ ; connect-src 'self' https://crash.checkmk.com/ https://license.checkmk.com/api/upload ; frame-ancestors 'self' ; base-uri 'self'; form-action 'self' javascript: 'unsafe-inline'; object-src 'self'; worker-src 'self' blob:", "content_type": "application/problem+json", "date": "Tue, 24 Jan 2023 14:01:41 GMT", "elapsed": 0, "json": {"detail": "This endpoint is currently disabled via the 'Disable remote configuration' option in 'Distributed Monitoring'. You may be able to query the central site.", "status": 403, "title": "Forbidden: WATO is disabled"}, "msg": "Status code was 403 and not [200]: HTTP Error 403: FORBIDDEN", "path": "/tmp/check-mk-agent_2.1.0p13-generic.deb", "permissions_policy": "accelerometer=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), usb=()", "redirected": false, "referrer_policy": "origin-when-cross-origin", "server": "Apache", "status": 403, "url": "***redacted:hostname of remote site***:443/***redacted - remote site name***/check_mk/api/1.0/domain-types/agent/actions/download_by_host/invoke?os_type=linux_deb&agent_type=generic", "x_content_type_options": "nosniff", "x_frame_options": "sameorigin", "x_permitted_cross_domain_policies": "none", "x_xss_protection": "1; mode=block"}

So, I checked GitHub and found the following template: ansible-collection-tribe29.checkmk/remote-registration.yml at 846c9d69d9b2902e4cd09b9073b887b9316ddc2e · tribe29/ansible-collection-tribe29.checkmk · GitHub

I changed the following in my config:
checkmk_agent_server → central host
checkmk_agent_site → main site
checkmk_agent_registration_server → remote server
checkmk_agent_registration_site → remote site

Now, I’m facing the following error:

TASK [tribe29.checkmk.agent : Debian Derivatives: Download GENERIC Checkmk CEE Agent.] ***************************************************************************************************************************************************************************************
fatal: [***redacted - target where agent is supposed to be installed*** -> ***redacted - target where agent is supposed to be installed***]: FAILED! => {"changed": false, "elapsed": 0, "msg": "Status code was -1 and not [200]: Request failed: <urlopen error [Errno -2] Name or service not known>", "path": "/tmp/check-mk-agent_2.1.0p13-generic.deb", "redirected": false, "status": -1, "url": "https://*** redacted - central host ***:443/*** redacted - central site ***/check_mk/api/1.0/domain-types/agent/actions/download_by_host/invoke?os_type=linux_deb&agent_type=generic"}

Which is a DNS issue - the nodes monitored remotely are not supposed to talk to the central system and cannot resolve its name either.

How do I set this up correctly? The server setup seems correct - when manually downloading and installing the package, I can register the agent and the updater against my remote site and everything works just fine.
As a workaround, I tried setting checkmk_agent_delegate_download to the hostname of the remote site’s server (which can reach the central site) to download the package and transfer it to the target afterwards, but unfortunately this fails with

TASK [tribe29.checkmk.agent : Debian Derivates: Transfer host-specific Checkmk CEE Agent.] ***********************************************************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: If you are using a module and expect the file to exist on the remote, see the remote_src option
fatal: [***]: FAILED! => {"changed": false, "msg": "Could not find or access '/tmp/check-mk-agent_2.1.0p19-***.deb' on the Ansible Controller.\nIf you are using a module and expect the file to exist on the remote, see the remote_src option"}

I’m on 2.1.0p18 for all sites; ansible-collection-tribe29.checkmk is 0.16.0.

Hi @edermi and welcome to the forum!
I moved your post to a dedicated thread, because it looks rather different from the other thread.

The download from the remote site currently does not work if you have Setup (formerly known as WATO) disabled there. There is already an internal ticket to fix that. So currently you either have to enable WATO at the remote site (which is obviously not a great solution, but it works) or download agents from the central site.

That being said, I am uncertain at this point why the workaround you rightfully implemented does not work. I will keep you posted once I have some time to investigate.

Hi @robin.gierse ,

Have you had time to take a closer look at this? I’d like to deploy the agents; as the number of hosts is manageable, I’d perform the task manually if needed. I nevertheless think fixing the bug / documenting the intended way to perform this task with Ansible is desirable, so I’m waiting for your feedback to be able to test your recommendations / fixes.

Hi @edermi,

We are working on a solution within Checkmk to enable agent download from remote sites, but that might take some time.

Why the download through your control node does not work, I cannot say.
Double-check for error messages, and if you feel like it is a bug in the collection, please head over to Issues · tribe29/ansible-collection-tribe29.checkmk · GitHub.
