given that systemd doesn’t support IPAccessAllow and IPAccessDeny until version 235 (which was released in 2017 but is still not that widely used ) checkmk follows the logic described here: Linux agent service: IP Access List support for systemd
However, this has one drawback:
Note : The feature “IP Access Lists” is supported by systemd versions >= 235 only. The agent installation will check for a sufficient version and prevent the systemd service/socket from being activated, if the check fails. Depending on the “Checkmk agent network service” configuration, the installation will try to fall back to the xinetd service, see also Werk #10431.
Now SUSE being SUSE has done something funny, Release Notes | SUSE Linux Enterprise Server 15 SP2 - they have patched/backported the IP Access List feature in SLES 15 SP 2 to Systemd 234.
And since a customer of ours only had SLES 15 SP2 systems, they had also removed xinetd, which meant:
the checkmk rpm postrans script checks
a) systemd present → yes AND systemctl --version >= 235, no
b) xinetd present → no
And then leaves the system without anything listening on port 6556, which is technically correct, but not helpful.
Since our customer only used SLES 15 SP2, we changed the posttrans scriplet to also enable the check_mk.socket in systemd for version 234, but this really is not a super clean solution.
So this topic is meant as
a) FYI - in case someone has manually enabled the check_mk.socket as we did and is then surprised that IPAccessDeny+Allow is being followed
b) a way to see if anyone has a cleverer solution than “fixing” the posttrans scriplet